@eQu1NoX /defcon-2015-sploit.py Secret
Last active Aug 29, 2015

import os
import subprocess

from pwn import *
# Everything below targets x86-64: pwntools' disasm() (used in main()) decodes with this arch.
context.arch = "amd64"

# NASM skeleton that main() fills with the service's data: the 14 register values reported
# by the service (Python ints, so %s renders them in decimal), then the cleaned-up
# disassembly of the service's machine code, then exit(0) via syscall 60 with rdi = 0.
# The register order here must match the order of the arguments main() passes to `%`.
template = """
section .text
global _start
_start:
mov rax, %s
mov rbx, %s
mov rcx, %s
mov rdx, %s
mov rsi, %s
mov rdi, %s
mov r8, %s
mov r9, %s
mov r10, %s
mov r11, %s
mov r12, %s
mov r13, %s
mov r14, %s
mov r15, %s
%s
mov rax, 60
xor rdi, rdi
syscall
"""
def cleanup(disas):
    """Reduce objdump-style disassembly text to bare instructions for NASM.

    Assumes each line looks like ``<offset>: <hex bytes...> <mnemonic> <operands>``
    (the shape pwntools' disasm() is expected to produce — confirm against the
    real output); only the last two tokens, ``<mnemonic> <operands>``, are kept,
    so offsets and encoded bytes are dropped.  Blank lines are skipped.  A line
    whose last token is ``ret`` or ``nop`` is reduced to that single mnemonic,
    since those two carry no operands.

    NOTE(review): any other operand-less mnemonic would keep the token before it
    (a hex byte under the assumed format) as a bogus "operand", and a one-token
    line other than ``ret``/``nop`` raises IndexError — same as the original.

    :param disas: multi-line disassembly text.
    :return: the kept instructions joined with ``\\n``.
    """
    kept = []
    for raw in disas.split("\n"):
        stripped = raw.strip()
        if not stripped:
            continue
        tokens = stripped.split()
        tail = tokens[-1]
        if tail == "ret" or tail == "nop":
            kept.append(tail)
        else:
            kept.append("%s %s" % (tokens[-2], tail))
    return "\n".join(kept)
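def main():
    """Solve the DEF CON 2015 quals "catwestern" service.

    Protocol as consumed here: one line (ignored), 14 ``reg=0xVALUE`` lines, one
    more line (ignored), a line ending in ``bytes: `` whose second-to-last token
    is the length of the machine code that follows, then the code itself.  The
    code is disassembled, rewritten as a NASM program that first loads the given
    register state (see ``template``), built with nasm/ld and run under Pin's
    ``emulate`` tool; whatever that tool prints (captured in file ``X``) is sent
    back to the service and the reply is printed.

    Changes from the original: the code is read with ``recvn(length)`` so a short
    ``recv()`` cannot truncate it; nasm, ld and pin are run without a shell and a
    non-zero exit raises instead of silently emulating a stale ``./blah``; file
    handles are closed via ``with``.

    The service's bytes execute natively on this host under Pin, which instruments
    but does not sandbox — run from a disposable VM.

    :raises subprocess.CalledProcessError: if nasm, ld or pin exit non-zero.
    """
    r = remote("catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me", 9999)

    r.recvline()  # leading line, not used
    registers = {}
    for _ in range(14):
        parts = r.recvline().strip().split("=")
        registers[parts[0]] = int(parts[1], 16)
    print(registers)

    r.recvline()  # separator line, not used
    header = r.recvuntil("bytes: \n").split()
    length = int(header[-2])
    # recv() returns only what is already buffered; recvn() blocks until all
    # `length` bytes have arrived, so the code cannot be truncated.
    data = r.recvn(length)

    disas = cleanup(disasm(data))
    print(disas)

    asm_ins = template % (
        registers["rax"], registers["rbx"], registers["rcx"], registers["rdx"],
        registers["rsi"], registers["rdi"], registers["r8"], registers["r9"],
        registers["r10"], registers["r11"], registers["r12"], registers["r13"],
        registers["r14"], registers["r15"], disas)
    with open("blah.nasm", "w") as src:
        src.write(asm_ins)

    # check_call raises on a non-zero exit, so a failed assemble/link stops here
    # rather than running (and sending the output of) a stale ./blah.
    subprocess.check_call(["nasm", "-f", "elf64", "-o", "blah.o", "blah.nasm"])
    subprocess.check_call(["ld", "-o", "blah", "blah.o"])
    pin_home = os.path.expanduser("~/pin-64")
    with open("X", "w") as out:
        subprocess.check_call(
            [os.path.join(pin_home, "pin"), "-t",
             os.path.join(pin_home, "source/tools/ManualExamples/obj-intel64/emulate.so"),
             "--", "./blah"],
            stdout=out)

    with open("X", "r") as dump:
        result = dump.read()
    print(result)
    r.send(result)
    print(r.recvline())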
# Script entry point: only run the solver when executed directly, not on import.
if __name__ == "__main__":
    main()